MicrosoftDocs
diff --git a/‎articles/governance/machine-configuration/how-to/assign-built-in-policies.md‎
Lines changed: 7 additions & 6 deletions b/‎articles/governance/machine-configuration/how-to/assign-built-in-policies.md‎
Lines changed: 7 additions & 6 deletions
diff --git a/‎articles/governance/machine-configuration/how-to/assign-security-baselines/deploy-a-baseline-policy-assignment.md‎
Lines changed: 3 additions & 2 deletions b/‎articles/governance/machine-configuration/how-to/assign-security-baselines/deploy-a-baseline-policy-assignment.md‎
Lines changed: 3 additions & 2 deletions
diff --git a/‎articles/governance/machine-configuration/how-to/assign-security-baselines/overview-page.md‎
Lines changed: 9 additions & 9 deletions b/‎articles/governance/machine-configuration/how-to/assign-security-baselines/overview-page.md‎
Lines changed: 9 additions & 9 deletions
@@ -3,6 +3,7 @@ title: Discover And Assign Built In Machine Configuration Policies
 description: Learn how to discover, configure, and assign built-in Azure Machine Configuration policies to audit and enforce compliance across Windows and Linux machines in your environment.
 ms.date: 11/07/2025
 ms.topic: conceptual
+ms.custom: references_regions
 ---
 
 # Discover and Assign Built-In Machine Configuration Policies
@@ -24,7 +25,7 @@ To view and explore these built-in policies:
 
 3.  Open the **Category** filter and select **Guest Configuration** and **Built-in** on Policy Type to display all built-in policies related to OS auditing and compliance.
 
-![Azure Policy Definitions page with Guest Configuration filter applied showing built-in policies](../media/discover-and-assign-built-in-machine-configuration-policies/azure-policy-definitions-guest-config-filter.png)
+[![Screenshot of Azure Policy Definitions page with Guest Configuration filter applied.](../media/discover-and-assign-built-in-machine-configuration-policies/azure-policy-definitions-guest-config-filter.png)](../media/discover-and-assign-built-in-machine-configuration-policies/azure-policy-definitions-guest-config-filter.png#lightbox)
 
 4.  Browse the list to review available definitions, such as:
 
@@ -42,7 +43,7 @@ To view and explore these built-in policies:
 
     3.  Metadata such as category, mode, and required providers
 
-![Policy definition details page showing JSON definition and parameters for a Machine Configuration policy](../media/discover-and-assign-built-in-machine-configuration-policies/policy-definition-details-json-parameters.png)
+[![Screenshot of policy definition details page showing JSON definition and parameters.](../media/discover-and-assign-built-in-machine-configuration-policies/policy-definition-details-json-parameters.png)](../media/discover-and-assign-built-in-machine-configuration-policies/policy-definition-details-json-parameters.png#lightbox)
 
 ## Assign a Built-In Machine Configuration Policy
 
@@ -66,22 +67,22 @@ Let’s use one of the built-in Machine Configuration policies—**Audit Windows
 
     3.  Optionally specify exclusions if certain resources shouldn't be evaluated.
 
-![Policy assignment Basics tab showing scope selection and prerequisites configuration](../media/discover-and-assign-built-in-machine-configuration-policies/policy-assignment-basics-scope-prerequisites.png)
+[![Screenshot of policy assignment Basics tab showing scope selection and prerequisites.](../media/discover-and-assign-built-in-machine-configuration-policies/policy-assignment-basics-scope-prerequisites.png)](../media/discover-and-assign-built-in-machine-configuration-policies/policy-assignment-basics-scope-prerequisites.png#lightbox)
 
 4.  In the **Parameters** tab:
 
     1.  Set **Include Arc connected servers** to true if your environment includes Arc-enabled machines.
 
     2.  Choose the desired **Time zone** (for example, "Pacific Time (US & Canada)").
 
-![Policy assignment Parameters tab showing Arc servers option and time zone selection](../media/discover-and-assign-built-in-machine-configuration-policies/policy-assignment-parameters-arc-timezone.png)
+[![Screenshot of policy assignment Parameters tab showing Arc servers option and time zone selection.](../media/discover-and-assign-built-in-machine-configuration-policies/policy-assignment-parameters-arc-timezone.png)](../media/discover-and-assign-built-in-machine-configuration-policies/policy-assignment-parameters-arc-timezone.png#lightbox)
 
 5.  Review your configuration under **Review + create**, then click **Create**.
 
 Once assigned, the policy will automatically begin evaluating machines within scope. Compliance results will surface in the **Policy → Compliance** view, where you can drill down to specific resources or export results.
 
-*Note:* The same process applies to other built-in Machine Configuration policies—such as those auditing Linux baselines, password settings, or required applications.  
-Parameters vary by definition and allow you to customize the audit scope without creating new policies.
+> [!NOTE]
+> The same process applies to other built-in Machine Configuration policies—such as those auditing Linux baselines, password settings, or required applications. Parameters vary by definition and allow you to customize the audit scope without creating new policies.
 
 ## Programmatic Access and Automation
 
 
@@ -3,6 +3,7 @@ title: Deploy A Baseline Policy Assignment
 description: Learn how to deploy a security baseline policy assignment for continuous security compliance tracking across Azure and Arc-enabled machines using Azure Policy and Machine Configuration.
 ms.date: 11/07/2025
 ms.topic: conceptual
+ms.custom: references_regions
 ---
 
 # Deploy a Security Baseline Policy Assignment
@@ -63,7 +64,7 @@ Use this file later when creating the assignment.
 
 3.  Under the **Parameters** tab, locate **Baseline Settings**. You may need to uncheck *"Only show parameters that need input or review"*
 
-![Baseline Settings parameter configuration](../../media/deploy-a-baseline-policy-assignment/baseline-settings-parameter-configuration.png)
+[![Screenshot of Baseline Settings parameter configuration.](../../media/deploy-a-baseline-policy-assignment/baseline-settings-parameter-configuration.png)](../../media/deploy-a-baseline-policy-assignment/baseline-settings-parameter-configuration.png#lightbox)
 
 4.  Click **Browse** → Upload the JSON file you downloaded earlier.
 
@@ -107,7 +108,7 @@ You can find other examples in [Assign policy with Azure CLI][04].
 
 After deploying your customized baseline, you can verify its status and scope in the **Assignments** tab under **Policy → Machine Configuration** in the Azure portal.
 
-![Policy assignments view showing deployed baseline policies](../../media/deploy-a-baseline-policy-assignment/policy-assignments-view-deployed-baselines.png)
+[![Screenshot of policy assignments view showing deployed baseline policies.](../../media/deploy-a-baseline-policy-assignment/policy-assignments-view-deployed-baselines.png)](../../media/deploy-a-baseline-policy-assignment/policy-assignments-view-deployed-baselines.png#lightbox)
 
 This view lists all baseline policy assignments, including their policy definition, management group or subscription, and resource group. You can use filters (for example, by policy name, subscription, or scope) to quickly locate your assignment. Selecting a specific assignment opens its details, where you can review parameter input (such as your imported JSON file), scope, and compliance status once evaluations complete.
 
 
@@ -11,19 +11,19 @@ Customizable security baselines built on Azure Policy and Machine Configuration
 
 This capability introduces *audit* baselines for both Windows and Linux, empowering customers to align security posture with internal compliance frameworks and regulatory standards. By passing custom baseline parameter input directly into Azure Policy, you can now represent organization-specific controls at scale.
 
-These baselines deliver a cloud-native governance experience for both Azure machines and non-Azure machines connected through [Azure Arc][01], including machines running on-premises, in other public clouds, or at the edge. Together, Policy and Machine Configuration establish a unified control plane for compliance visibility, enabling you to assess, monitor, and enforce consistent security standards across your entire estate, regardless of location or platform. This approach reflects Microsoft's Secure by Design and Secure by Default principles, ensuring robust security and compliance everywhere your workloads run.
+These baselines deliver a cloud-native governance experience for both Azure machines and non-Azure machines connected through [Azure Arc][01]. This includes machines running on-premises, in other public clouds, or at the edge. Together, Policy and Machine Configuration establish a unified control plane for compliance visibility. This approach enables you to assess, monitor, and enforce consistent security standards across your entire estate, regardless of location or platform. This approach reflects Microsoft's Secure by Design and Secure by Default principles, ensuring robust security and compliance everywhere your workloads run.
 
 ## Key Scenarios
 
 ### Baseline Customization  
-Create tailored baselines using the *Modify Settings* wizard under **Policy \> Machine Configuration**. Administrators can enable, exclude, or adjust rules from industry benchmarks (like CIS Benchmarks or Microsoft baselines) to match internal standards. Each customization builds a downloadable JSON file that captures configuration intent — a reusable artifact compatible for policy-as-code workflows.
+Create tailored baselines using the *Modify Settings* wizard under **Policy \> Machine Configuration**. Administrators can enable, exclude, or adjust rules from industry benchmarks (like CIS Benchmarks or Microsoft baselines) to match internal standards. Each customization builds a downloadable JSON file that captures configuration intent—a reusable artifact compatible for policy-as-code workflows.
 
 ### Assign Audit Policies
 
-Use Azure Policy to deploy your customized baseline parameters across Azure and Arc-connected machines. When an audit policy is assigned, Azure Policy evaluates configuration states against selected benchmarks, reports compliance in real time, and surfaces findings across Azure Policy, Azure Resource Graph (ARG), and the Guest Assignments view.
+Use Azure Policy to deploy your customized baseline parameters across Azure and Arc-connected machines. Azure Policy evaluates configuration states against selected benchmarks when an audit policy is assigned. It reports compliance in real time and surfaces findings across Azure Policy, Azure Resource Graph (ARG), and the Guest Assignments view.
 
 ### Integration and Automation  
-Integrate baselines into CI/CD pipelines or configuration management workflows. Each baseline produces a declarative settings catalog (JSON) that can be version-controlled and deployed using CLI, ARM, or Bicep templates — ensuring reproducible compliance configurations across environments.
+Integrate baselines into CI/CD pipelines or configuration management workflows. Each baseline produces a declarative settings catalog (JSON) that can be version-controlled and deployed using CLI, ARM, or Bicep templates—ensuring reproducible compliance configurations across environments.
 
 ## Supported Standards
 
@@ -33,14 +33,14 @@ Integrate baselines into CI/CD pipelines or configuration management workflows.
 | **Azure Compute Security Baseline for Windows** | Applies customized values for Windows Server 2022 and Windows Server 2025. |
 | **Azure Compute Security Baseline for Linux** | Enforces consistent security controls aligned with Azure Compute guidance. |
 
-Additional standards (e.g., STIG), operating systems, and remediation capabilities will be introduced in future releases.
+More standards (for example, STIG), operating systems, and remediation capabilities are planned for future releases.
 
 ## Availability
 
 All public Azure regions are supported.
 
 > [!NOTE]
-> Support for Azure Government and Sovereign Clouds will be added closer to General Availability.
+> Support for Azure Government and Sovereign Clouds is planned for General Availability.
 
 ## Getting Started
 
@@ -50,17 +50,17 @@ The end-to-end experience for configuring Customizable Security Baselines follow
 
 1.  **Select a baseline** from the *Machine Configuration* blade under Azure Policy.
 
-2.  **Modify settings** — enable, exclude, or parameterize rules to match your internal requirements.
+2.  **Modify settings**—enable, exclude, or parameterize rules to match your internal requirements.
 
 3.  **Download the JSON file** representing your configured baseline.
 
-4.  **Assign the baseline policy** using the Azure Portal, CLI, or CI/CD integration.
+4.  **Assign the baseline policy** using the Azure portal, CLI, or CI/CD integration.
 
 5.  **Review compliance results** through Azure Policy, Azure Resource Graph, or the Guest Assignments page.
 
 ### Prerequisites
 
-- Azure Machine Configuration prerequisite policy initiative must be deployed. This enables Guest Configuration policies and installs the required extension on VMs.
+- Azure Machine Configuration prerequisite policy initiative must be deployed. The capability enables Guest Configuration policies and installs the required extension on VMs.
 
 - An Azure subscription or management group containing supported Windows and Linux VMs.