
Commit 14caaae

Grammar, style and aesthetic updates.
1 parent 90867a9 commit 14caaae

7 files changed

Lines changed: 188 additions & 202 deletions


microsoft-365/managed-desktop/service-description/app-control.md

Lines changed: 30 additions & 30 deletions
@@ -15,35 +15,30 @@ ms.collection: M365-modern-desktop
1515

1616
# App control
1717

18-
App control is an optional security practice in Microsoft Managed Desktop that restricts the execution of code on client devices. This control mitigates the risk of malware or malicious scripts by requiring that only code signed by a customer-approved list of publishers can run. There are many security benefits from this control, but it primarily aims to protect data and identity from client-based exploits.
18+
App control is an optional security practice in Microsoft Managed Desktop that restricts the execution of code on client devices.
1919

20-
Microsoft Managed Desktop simplifies the management of app control policies by creating a base policy that enables core productivity scenarios. You can extend trust to other signers that are specific to the apps and scripts in your environment.
20+
This control mitigates the risk of malware or malicious scripts. The control requires that only codes signed by a customer-approved list of publishers can run. There are many security benefits from this control, but it primarily aims to protect data and identity from client-based exploits.
2121

22+
Microsoft Managed Desktop simplifies the management of app control policies by creating a base policy that enables core productivity scenarios. You can extend trust to other signers that are specific to the apps and scripts in your environment.
2223

23-
Any security technology requires a balance among user experience, security, and cost. App control reduces the threat of malicious software in your environment, but there are consequences to the user and further actions for your IT administrator.
24-
25-
**Additional security:**
26-
27-
Apps or scripts that are not trusted by the app control policy are blocked from running on devices.
28-
29-
**Your additional responsibilities:**
30-
31-
- You are responsible for testing your apps to identify whether they would be blocked by the application control policy.
32-
- If an app is (or would be) blocked, you are responsible for identifying the needed signer details and requesting a change through the Admin portal.
33-
34-
**Microsoft Managed Desktop responsibilities:**
35-
36-
- Microsoft Managed Desktop maintains the base policy that enables core Microsoft products like M365 Apps, Windows, Teams, OneDrive, and so on.
37-
- Microsoft Managed Desktop inserts your trusted signers and deploys the updated policy to your devices.
24+
Any security technology requires a balance amongst user experience, security, and cost. App control reduces the threat of malicious software in your environment, but there are consequences to the user and further actions for your IT administrator.
3825

26+
| Additional security and responsibilities | Description |
27+
| ------ | ------ |
28+
| Additional security | Apps or scripts that aren't trusted by the app control policy are blocked from running on devices. |
29+
| Your additional responsibilities | <ul><li>You're responsible for testing your apps to identify whether they would be blocked by the application control policy.</li><li>If an app is (or would be) blocked, you're responsible for identifying the required signer details. You must request a change through the Admin portal.</li></ul>
30+
| Microsoft Managed Desktop responsibilities | <ul><li>Microsoft Managed Desktop maintains the base policy that enables core Microsoft products like Microsoft 365 Apps, Windows, Teams, OneDrive, and so on.</li><li>Microsoft Managed Desktop inserts your trusted signers and deploys the updated policy to your devices.</li></ul>
3931

4032
## Managing trust in applications
4133

42-
Microsoft Managed Desktop curates a base policy that trusts the core components of Microsoft technologies. You then *add* trust for your own applications and scripts by informing Microsoft Managed Desktop which of them you already trust.
34+
Microsoft Managed Desktop curates a base policy that trusts the core components of Microsoft technologies. You then *add* trust for your own applications and scripts by informing Microsoft Managed Desktop which apps and scripts you already trust.
4335

4436
### Base policy
4537

46-
Microsoft Managed Desktop, in collaboration with Microsoft cybersecurity experts, creates, and maintains a standard policy that enables most apps deployed through Microsoft Intune while blocking dangerous activities like code compilation or execution of untrusted files.
38+
Microsoft Managed Desktop, in collaboration with Microsoft cybersecurity experts, creates and maintains a standard policy. This standard policy:
39+
40+
- Enables most apps deployed through Microsoft Intune.
41+
- Blocks dangerous activities like code compilation or execution of untrusted files.
4742

4843
The base policy takes the following approach to restricting software execution:
4944

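Review bot: line 20+ introduces "only codes signed by a customer-approved list of publishers"; "code" is a mass noun here, so it should stay "only code signed by", as the removed 18- had it. Two smaller style points in the same hunk: 24+ swaps "among" for "amongst", which reads as a regression rather than a fix, and the table header at 26+ ("Additional security and responsibilities") repeats the text of the rows beneath it ("Additional security", "Your additional responsibilities", "Microsoft Managed Desktop responsibilities"); a shorter header such as "Area" would avoid that.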
@@ -52,28 +47,33 @@ The base policy takes the following approach to restricting software execution:
5247
- Files are signed by a [trusted signer](#signer-requests).
5348
- Most files signed by Microsoft will run, however some are blocked to prevent high-risk actions like code compilation.
5449

50+
If a user, other than an administrator, could have added an app or script to a device (that is, it's in a user-writable directory), we won't allow it to execute. We'll allow the execution if the app or script has already been allowed by an administrator.
51+
52+
Our policy will stop the execution of apps in the following scenarios:
5553

56-
If a user other than an administrator could have added an app or script to a device (that is, it's in a user-writable directory), we won't allow it to execute unless it has already been specifically allowed by an administrator. If a user is tricked into trying to install malware, if a vulnerability in an app the user runs attempts to install malware, or if a user intentionally tries to run an unauthorized app or script, our policy will stop execution.
54+
- If a user is tricked into trying to install malware.
55+
- If a vulnerability in an app the user runs attempts to install malware.
56+
- If a user intentionally tries to run an unauthorized app or script.
5757

5858
### Signer requests
5959

60-
You inform us of which apps are provided by software publishers you trust by filing a *signer request*. By doing so, we add that trust information into the baseline application control policy and allow any software signed with that publisher's certificate to run on your devices.
60+
You inform us which apps are provided by software publishers you trust by filing a *signer request*. By doing so, we:
61+
62+
- Add that trust information into the baseline application control policy.
63+
- Allow any software signed with that publisher's certificate to run on your devices.
6164

6265
## Audit and Enforced policies
6366

64-
Microsoft Managed Desktop uses two Microsoft Intune policies to provide app control:
67+
Microsoft Managed Desktop uses Microsoft Intune policies to provide app control:
6568

6669
### Audit policy
67-
This policy creates logs to record whether an app or script would be blocked by the Enforced policy. Audit policies don't enforce app control rules and are meant for testing purposes to identify whether an application will require a publisher exemption. It logs warnings (8003 or 8006 events) in Event Viewer instead of blocking the execution or installation of specified apps or script.
68-
69-
### Enforced policy
70-
This policy blocks untrusted apps and scripts from running and creates logs whenever an app or script is blocked. Enforced policies prevent standard users from executing apps or scripts stored in user-writable directories.
71-
72-
Devices in the Test group have an Audit policy applied so that you can use them to validate whether any applications will cause issues. All other groups (First, Fast, and Broad) use an Enforced policy, so users in those groups won't be able to run untrusted apps or scripts.
73-
74-
7570

71+
This policy creates logs to record whether an app or script would be blocked by the Enforced policy.
7672

73+
Audit policies don't enforce app control rules. They're meant for testing purposes to identify whether an application will require a publisher exemption. It logs warnings (8003 or 8006 events) in the Event Viewer instead of blocking the execution or installation of specified apps or script.
7774

75+
### Enforced policy
7876

77+
This policy blocks untrusted apps and scripts from running, and creates logs whenever an app or script is blocked. Enforced policies prevent standard users from executing apps or scripts stored in user-writable directories.
7978

79+
Devices in the Test group have an Audit policy applied to validate whether any applications will cause issues. All other groups (First, Fast, and Broad) use an Enforced policy. Users in those groups won't be able to run untrusted apps or scripts.
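Review bot: line 73+ now mixes singular and plural within one paragraph: "Audit policies don't enforce ... They're meant for testing ... It logs warnings". Either keep the plural ("They log warnings") or keep the singular throughout, and "apps or script" at the end of that line should be "apps or scripts". Line 50+ also drops "specifically" from "unless it has already been specifically allowed by an administrator" (56-) and moves the condition into a second sentence, which loses the point that the allow must be an explicit administrator decision. Since 73+ tells readers to look for 8003 or 8006 events "in the Event Viewer", naming the log where those events appear would save readers from searching every channel.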

microsoft-365/managed-desktop/service-description/customizing.md

Lines changed: 31 additions & 23 deletions
@@ -13,38 +13,42 @@ ms.topic: article
1313

1414
# Exceptions to the service plan
1515

16-
Microsoft Managed Desktop provides a curated device list, [standard device settings](device-policies.md), applications requirements, and certain [configurable settings](../working-with-managed-desktop/config-setting-overview.md)—all designed to provide a secure, productive, and pleasant experience for users. It's best to always stay with the service as provided. However, we recognize that some details of the service might not fit exactly with your organization's needs. If you feel you need to alter the service in some way, it's important that you follow the following processes to request those changes.
16+
Microsoft Managed Desktop provides a curated device list, [standard device settings](device-policies.md), applications requirements, and certain [configurable settings](../working-with-managed-desktop/config-setting-overview.md)—all designed to provide a secure, productive, and pleasant experience for users.
17+
18+
It's best to always stay with the service as provided. However, we recognize that some details of the service might not fit exactly with your organization's needs. If you feel you need to alter the service in some way, it's important that you follow the following processes to request those changes.
1719

1820
## Types of exceptions
1921

20-
An exception is any addition or change to the Microsoft Managed Desktop base configuration; examples range from USB ports configuration to deploying a new device driver. We group various exceptions as follows:
22+
An exception is any addition or change to the Microsoft Managed Desktop base configuration. Examples range from USB ports configuration to deploying a new device driver. We group various exceptions as follows:
2123

22-
| Type | Description |
24+
| Exception types | Description |
2325
| ----- | ----- |
24-
| Productivity software | Foreground software needed by users, restricted by the [application requirements](mmd-app-requirements.md). |
25-
| Security agents & VPNs | Software used to secure, monitor, or change the behavior of the device or network. |
26-
| Digital experience monitoring | Software used to track data on a user's device to report to IT. |
27-
| Hardware or software drivers | Device drivers, restricted by the [application requirements](mmd-app-requirements.md). |
26+
| Productivity software | Foreground software needed by users, restricted by the [application requirements](mmd-app-requirements.md). |
27+
| Security agents & VPNs | Software used to secure, monitor, or change the behavior of the device or network. |
28+
| Digital experience monitoring | Software used to track data on a user's device to report to IT. |
29+
| Hardware or software drivers | Device drivers, restricted by the [application requirements](mmd-app-requirements.md). |
2830
| Policies | Windows 10 or Microsoft 365 Apps for enterprise settings on a managed device. |
29-
| Devices | Devices that are not on the Microsoft Managed Desktop [device list](device-list.md). |
31+
| Devices | Devices that aren't on the Microsoft Managed Desktop [device list](device-list.md). |
3032
| Other | Anything not covered by the other areas. |
3133

3234
## Request an exception
3335

3436
Submit requests through the Microsoft Managed Desktop Admin portal by creating a change request. Be sure to include these details:
3537

36-
- Exemption type: Which category of exception is it? (see the previous table)
37-
- Requirement: What is the specific business requirement for the exception?
38-
- Proposal: Which solution is your business requesting?
39-
- Timeline: How long do you want this exception to last?
38+
| Change request detail | Description |
39+
| ----- | ----- |
40+
| Exemption type | Which type of exception is it? (see the [previous table](#types-of-exceptions)) |
41+
| Requirement | What is the specific business requirement for the exception? |
42+
| Proposal | Which solution is your business requesting? |
43+
| Timeline | How long do you want this exception to last? |
4044

4145
## How we assess an exception request
4246

4347
When we review exception requests, we assess these factors in this order:
4448

45-
1. Some applications and policies which Microsoft Managed Desktop deploys to all devices aren't negotiable, so your request must not affect those. See [Device configuration](device-policies.md) for more information.
49+
1. Some applications and policies which Microsoft Managed Desktop deploys to all devices aren't negotiable. Your request must not affect those applications and policies. For more information, see [Device configuration](device-policies.md).
4650
2. Restricted productivity software required by a user to do their job will likely be approved.
47-
3. If we can meet your requirement by using Microsoft technology, we'll likely approve your request for an exception migration period of three to 12 months (depending on the scope of the project).
51+
3. If we can meet your requirement by using Microsoft technology, we'll likely approve your request for an exception migration period of three to 12 months. The migration period depends on the scope of the project.
4852
4. If we can't meet your requirement by using Microsoft technology, we'll likely approve your request unless it violates one of the [Key conditions](#key-conditions).
4953

5054
These principles ensure that Microsoft Managed Desktop can always meet your needs while tracking deviations from our standard template.
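Review bot: line 40+ labels the row "Exemption type" while its description asks "Which type of exception is it?" and links to the "Exception types" table; "Exception type" keeps the terminology consistent (38- had the same mismatch, so this is the chance to fix it). Line 18+ keeps "follow the following processes", which reads awkwardly; "use the following processes" or "follow these processes" avoids the repetition. Line 16+ also keeps "applications requirements", where "application requirements" would match the link text used later in the same file at 26+ and 29+.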
@@ -53,22 +57,26 @@ These principles ensure that Microsoft Managed Desktop can always meet your need
5357

5458
We review exceptions to ensure they don't violate any of these conditions:
5559

56-
- An exception must not adversely impact system security.
60+
- An exception must not adversely affect system security.
5761
- Maintaining the exception must not incur a significant cost for either Microsoft Managed Desktop operations or support.
5862
- An exception must not affect system stability, for example, by causing kernel mode crashes or hangs.
5963
- The change must not restrict us from operating the service or conflict with core Microsoft Managed Desktop technology.
60-
- The exception cannot involve personalizing the user experience, such as changing the Start menu or Taskbar.
64+
- The exception can't involve personalizing the user experience, such as changing the Start menu or Taskbar.
6165

62-
These conditions could change in the future. If we do make such changes, well provide 30 days notice prior to those conditions coming into effect. If Microsoft Managed Desktop delivers an alternative way to meet an approved exception, Microsoft Managed Desktop will notify the customer should Microsoft Managed Desktop alter the way in supporting the exception.
66+
These conditions could change in the future. If we do make such changes, we'll provide 30 days notice prior to those conditions coming into effect. If Microsoft Managed Desktop delivers an alternative way to meet an approved exception, Microsoft Managed Desktop will notify the customer should Microsoft Managed Desktop alter the way it supports the exception.
6367

6468
## Revoking approval for an exception
6569

6670
After a requested exception is approved and deployed, it's possible that we might discover problems that violate the key conditions that weren't evident when we approved the change in the first place. In this situation, we might have to revoke approval for the exception.
6771

68-
If this happens, we'll notify you by using the Microsoft Managed Desktop admin portal. From the first time we notify you, you have 90 days to remove the exception before the devices with the exception are no longer bound by Microsoft Managed Desktop service level agreements. We'll send you several notifications according to a strict timeline--however, a severe incident or threat might require us to change the timeline or our decisions about an exception. We won't *remove* an exception without your consent, but any device with a revoked exception will no longer be bound by our service level agreement. Here is the timeline of notifications we will send you:
72+
If we must revoke approval for the exception, we'll notify you by using the Microsoft Managed Desktop admin portal. From the first time we notify you, you have 90 days to remove the exception before the devices with the exception are no longer bound by Microsoft Managed Desktop service level agreements.
6973

70-
- **First notice:** We provide the first notice of our decision to revoke approval, including information about why we're revoking it, the actions we advise you to take, the deadline for those actions, and steps to follow if you want to appeal the decision. This notice occurs 90 days in advance before the exception needs to be removed from all devices.
71-
- **Second notice (30 days later):** We provide a second notice, including the same information provided in the first notice.
72-
- **Third notice (60 days after the first notice):** We provide a third notice, including the same information provided in the first notice.
73-
- **Final notice (one week before the 90-day deadline):** We provide a fourth notice, including the same information provided in the first notice.
74-
- **90 days after first notice:** Microsoft Managed Desktop service level agreements no longer apply to any devices that have the revoked exception. At any time, you can challenge the decision and provide additional information for consideration, including upgrade, configuration changes, or change of software.
74+
We'll send you several notifications according to a strict timeline. However, a severe incident or threat might require us to change the timeline of our decisions about an exception. We won't *remove* an exception without your consent. However, any device with a revoked exception will no longer be bound by our service level agreement. The following table is the timeline of notifications we'll send you:
75+
76+
| Notice type | Description |
77+
| ----- | ----- |
78+
| First notice | We provide the following information in the first notice: <ul><li>Information about why we're revoking it.</li><li>The actions we advise you to take.</li><li>The deadline for those actions.</li><Li>Steps to follow if you want to appeal the decision.</li></ul> <br>This notice occurs 90 days in advance before the exception must be removed from all devices. |
79+
| Second notice (30 days later) | We provide a second notice, including the same information provided in the first notice. |
80+
| Third notice (60 days after the first notice) | We provide a third notice, including the same information provided in the first notice. |
81+
| Final notice (one week before the 90-day deadline) | We provide a fourth notice, including the same information provided in the first notice. |
82+
| 90 days after first notice| Microsoft Managed Desktop service level agreements no longer apply to any devices that have the revoked exception. At any time, you can challenge the decision and provide additional information for consideration, including upgrade, configuration changes, or change of software. |
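Review bot: line 74+ changes "change the timeline or our decisions about an exception" (70-) to "change the timeline of our decisions about an exception", which alters the meaning: the original says a severe incident can change either the timeline or the decision itself, the new text says only the timing can change. Suggest restoring "or". Smaller points in the same hunk: 66+ should read "30 days' notice" (possessive); 78+ has "<Li>" where the other list items use "<li>", and "occurs 90 days in advance before" is redundant ("occurs 90 days before" suffices); 82+ is missing the space before the pipe in "| 90 days after first notice|".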
