PPE fixes and new KB article

[toniop-netwrix]

No description provided.

[github-actions]

Auto-Fix Summary

2 issues fixed, 3 skipped across 1 files

Category	Fixes
Dale: wordiness	2

Skipped (needs manual review)	Reason

| docs/passwordpolicyenforcer/11.2/installation/upgrading.md:32 — Dale: wordiness | 'You will have the best experience when using all the components from one version together' is borderline marketing-toned but rewriting risks changing meaning or introducing passive voice |
| docs/passwordpolicyenforcer/11.2/installation/upgrading.md:24 — Dale: wordiness | 'Failure to do so may lead to inconsistent enforcement' is formal but a clear rewrite would either introduce passive voice or alter meaning |
| docs/passwordpolicyenforcer/11.2/installation/upgrading.md:18 — Dale: wordiness | 'you should immediately open' is acceptable in a warning context — converting to imperative would lose the conditional 'should' nuance for a major-upgrade scenario |

Ask @claude on this PR if you'd like an explanation of any fix.

[github-actions]

⚠️ Broken Anchor Links

1 broken anchor link(s) found — these will cause the build to fail.

  docs/accessanalyzer/2601/configurations/activity-monitor-integration.md:132
    If no events appear after a few minutes, see [Troubleshooting](#launches-the-installation-wizard).
    #launches-the-installation-wizard not found in docs/accessanalyzer/2601/configurations/activity-monitor-integration.md
    Available: #activity-monitor-integration · #overview · #architecture · #event-types · #security-model · #prerequisites · #setup · #step-1-verify-the-listener-is-running · #step-2-generate-an-enrollment-token · #step-3-add-the-aa2601-output-in-netwrix-activity-monitor · #step-4-verify-enrollment · #application-settings-reference · #connection-settings · #performance-and-throughput-settings · #security-and-enrollment-settings · #shutdown-settings · #best-practices · #port-configuration · #tls-certificate-management · #enrollment-token-practices · #performance-tuning · #kubernetes-shutdown-considerations · #disabling-the-integration · #troubleshooting · #the-listener-isnt-starting · #a-nam-agent-cant-connect · #an-agent-connected-but-isnt-sending-data · #events-arent-appearing-in-reports · #an-agent-keeps-getting-banned · #enrolled-agents-list-has-stale-entries · #settings-quick-reference · #related-resources

Auto-Fix Summary

9 issues fixed, 9 skipped across 2 files

Category	Fixes
Dale: passive-voice	9

Skipped (needs manual review)	Reason

| docs/accessanalyzer/2601/configurations/activity-monitor-integration.md:11 — Dale: misplaced-modifiers | 'Once configured, these events populate...' is a dangling participle (the integration is configured, not the events), but this construction is idiomatic in technical writing and rewriting risks changing the meaning |
| docs/accessanalyzer/2601/configurations/activity-monitor-integration.md:48 — Dale: passive-voice | 'as long as the key pair is unchanged' — 'is unchanged' reads as state of being; rewriting to 'as long as the key pair doesn't change' could subtly alter the meaning |
| docs/accessanalyzer/2601/configurations/activity-monitor-integration.md:55 — Dale: passive-voice | 'must be installed' in prerequisites list — agent is unknown/unimportant, and 'must install' would require restructuring the bullet |
| docs/accessanalyzer/2601/configurations/activity-monitor-integration.md:57 — Dale: passive-voice | 'TLS certificates must be provisioned' — agent (admin/team) is implied; rewriting could change the imperative tone of the prerequisite |
| docs/accessanalyzer/2601/configurations/activity-monitor-integration.md:138 — Dale: passive-voice | 'when changed from the default' is terse table-prose convention; rewriting could bloat the cell |
| docs/accessanalyzer/2601/configurations/activity-monitor-integration.md:144 — Dale: passive-voice | 'the port configured in NAM agent settings' — past participle as noun modifier, acceptable as adjectival use |
| docs/accessanalyzer/2601/configurations/activity-monitor-integration.md:155 — Dale: passive-voice | 'Events grouped per internal processing batch' — past participle as adjective, not finite passive |
| docs/accessanalyzer/2601/configurations/activity-monitor-integration.md:234 — Dale: passive-voice | 'while disabled' is acceptable shorthand; expanding to 'while ingestion is disabled' adds wordiness without clarity benefit |
| docs/accessanalyzer/2601/configurations/activity-monitor-integration.md:277 — Dale: passive-voice | 'Agents that have been decommissioned or reinstalled' — agent is unknown/varies, passive is appropriate |

Ask @claude on this PR if you'd like an explanation of any fix.

[github-actions]

⚠️ Broken Anchor Links

1 broken anchor link(s) found — these will cause the build to fail.

  docs/accessanalyzer/2601/configurations/activity-monitor-integration.md:132
    If no events appear after a few minutes, see [Troubleshooting](#launches-the-installation-wizard).
    #launches-the-installation-wizard not found in docs/accessanalyzer/2601/configurations/activity-monitor-integration.md
    Available: #activity-monitor-integration · #overview · #architecture · #event-types · #security-model · #prerequisites · #setup · #step-1-verify-the-listener-is-running · #step-2-generate-an-enrollment-token · #step-3-add-the-aa2601-output-in-netwrix-activity-monitor · #step-4-verify-enrollment · #application-settings-reference · #connection-settings · #performance-and-throughput-settings · #security-and-enrollment-settings · #shutdown-settings · #best-practices · #port-configuration · #tls-certificate-management · #enrollment-token-practices · #performance-tuning · #kubernetes-shutdown-considerations · #disabling-the-integration · #troubleshooting · #the-listener-isnt-starting · #a-nam-agent-cant-connect · #an-agent-connected-but-isnt-sending-data · #events-arent-appearing-in-reports · #an-agent-keeps-getting-banned · #enrolled-agents-list-has-stale-entries · #settings-quick-reference · #related-resources

Auto-Fix Summary

3 issues fixed, 6 skipped across 2 files

Category	Fixes
Dale: misplaced-modifiers	1
Dale: passive-voice	1
Dale: wordiness	1

Skipped (needs manual review)	Reason

| docs/accessanalyzer/2601/configurations/activity-monitor-integration.md:56 — Dale: passive-voice | 'Netwrix Activity Monitor must be installed and monitoring the hosts...' uses the conventional 'must be' prerequisite-list pattern; rewriting in active voice would either change the meaning (turning a precondition into an instruction) or break parallelism with the other prerequisite bullets in the same list. |
| docs/accessanalyzer/2601/configurations/activity-monitor-integration.md:57 — Dale: passive-voice | 'TLS certificates must be provisioned' / 'paths are set via the environment variables' follow the same prerequisite-list convention as line 56; same parallelism concern. |
| docs/accessanalyzer/2601/configurations/activity-monitor-integration.md:154 — Dale: passive-voice | Table-cell description column ('Maximum events held in memory at once', 'Events grouped per internal processing batch') uses noun-phrase shorthand throughout the table; converting to active voice would break the consistent column style and likely change subjects. |
| docs/accessanalyzer/2601/configurations/activity-monitor-integration.md:164 — Dale: passive-voice | 'after a new connection is established' is conventional and rewriting risks ambiguity about which side establishes the connection (agent connects, listener accepts). |
| docs/accessanalyzer/2601/configurations/activity-monitor-integration.md:244 — Dale: passive-voice | 'environment variables ... are set' is a precondition check; rewriting would either become an instruction or change the verification semantics. |
| docs/passwordpolicyenforcer/11.2/installation/upgrading.md:24 — Dale: wordiness | 'for an extended time' could be tightened to 'for long', but the current phrasing is clear and the trade-off in tone is subjective. |

Ask @claude on this PR if you'd like an explanation of any fix.

[hilram7]

Review Notes

I reviewed and updated the new KB article (password-policy-client-generic-message-windows-rules.md) before approving. Here is a summary of changes applied and testing results.

Changes Applied

• Fixed contraction (didn't → did not) per KB style guide
• Rewrote passive voice instances throughout
• Changed third-person ("a user") to second-person ("you") per KB style guide
• Reformatted the Cause section into two paragraphs for readability
• Rewrote the intro to the How Password Changes Are Processed section to active voice
• Broke up the dense numbered steps with sub-bullets for readability
• Broke up the Effect on the Password Policy Client section with bullets
• Fixed both internal links to use pathname:// protocol and 11_2 URL format — these were causing build errors because the KB copy script distributes the article to hidden older versions (11.1, 11.0, 10.2), which Docusaurus still compiles even though they are not visible in navigation
• Added Related Links section at the bottom

Testing

• Ran npm run kb:clean && npm run start
• Confirmed article appears in PPE sidebar under Troubleshooting and Errors
• Confirmed both links (Similarity, Disable Windows Rules) resolve correctly
• Dev build passed with no errors

Build Errors to Address

The production build (npm run build) fails on two broken anchors unrelated to the KB article:

• /docs/accessanalyzer/2601/configurations/activity-monitor-integration — links to #launches-the-installation-wizard which does not exist
• /docs/accessanalyzer/2601/install/quickinstall — links to #bring-your-own-certificate-file-requirements which does not exist

These must be fixed before this PR can merge cleanly. The anchor targets should either be added to the destination pages, or the links updated to point to the correct anchors.

[jeremymoskowitz-netwrix]

Great. Thanks.

[github-actions]

Auto-Fix Summary

2 issues fixed, 11 skipped across 3 files

Category	Fixes
OnceUsage (rewrite)	1
Dale: positional-references	1

Skipped (needs manual review)	Reason

| docs/accessanalyzer/2601/configurations/activity-monitor-integration.md:11 — Dale: undefined-acronyms | AA2601 is a Netwrix product short name (Access Analyzer 26.01); 'Access Analyzer' appears in the same paragraph, so the rule's product short-name exclusion applies |
| docs/accessanalyzer/2601/configurations/activity-monitor-integration.md:43 — Dale: undefined-acronyms | SPKI is partially explained inline ('hashes of each other's certificate public key (SPKI hash)') — uncertain about canonical expansion to apply |
| docs/accessanalyzer/2601/configurations/activity-monitor-integration.md:56 — Dale: passive-voice | 'must be installed' in a prerequisites list — conventional phrasing where rewriting changes structure |
| docs/accessanalyzer/2601/configurations/activity-monitor-integration.md:57 — Dale: passive-voice | 'must be provisioned' / 'are set via' — system-state descriptions where active rewrite would change meaning or actor |
| docs/accessanalyzer/2601/configurations/activity-monitor-integration.md:263 — Dale: wordiness | 'there is a short delay between an event occurring and appearing in a report' — multiple valid rewrites with subtle meaning shifts |
| docs/accessanalyzer/2601/install/quickinstall.md:26 — Dale: positional-references | 'falls below these thresholds' — 'below' is comparative (numeric), not spatial; not a positional reference |
| docs/accessanalyzer/2601/install/quickinstall.md:137 — Dale: passive-voice | 'where user accounts are stored' — table description cell; conventional phrasing, rewrite is borderline |
| docs/accessanalyzer/2601/install/quickinstall.md:216 — Dale: positional-references | 'lower ... below your NAM polling interval' — 'below' is comparative (numeric value), not a spatial direction reference |
| docs/accessanalyzer/2601/install/quickinstall.md:264 — Dale: positional-references | 'all required domains listed earlier' — 'earlier' is sequential/temporal, rule scopes to spatial direction words |
| docs/accessanalyzer/2601/install/quickinstall.md:286 — Dale: passive-voice | 'where user accounts are stored' — table description cell; conventional phrasing |
| docs/passwordpolicyenforcer/11.2/installation/upgrading.md:24 — Dale: idioms | 'roll out the new version' — 'roll out' is standard IT/deployment vocabulary, not a culturally specific idiom |

Ask @claude on this PR if you'd like an explanation of any fix.

[jeremymoskowitz-netwrix]

Approved !

[github-actions]

Documentation PR Review

Editorial Review

docs/accessanalyzer/2601/configurations/activity-monitor-integration.md

• No issues found. The added lines convert passive constructions to active voice and name AA2601 as the explicit actor — consistent with Netwrix style.

docs/passwordpolicyenforcer/11.2/installation/upgrading.md

• Clarity — Lines 2 and 7: The title and H1 changed from "Upgrading Password Policy Enforcer" to just "Upgrading". A bare "Upgrading" is uninformative when surfaced in search results, browser tabs, sidebar breadcrumbs, or external links — a reader landing on this page from search needs to know which product they're upgrading. Suggested fix: keep title: "Upgrading Password Policy Enforcer" and # Upgrading Password Policy Enforcer. The new frontmatter description is fine as is.

• Completeness — Line 11: "distribution point" appears without definition. The previous KB content (now removed in this PR) used to explain that a distribution point is a shared network folder accessible to the target computers. Readers new to Group Policy software deployment will not know what this term means. Suggested fix: add a brief parenthetical on first use, e.g., "copy the new .msi files to the distribution point (the shared network folder accessible to the domain controllers) and add them to the same Group Policy Object (GPO) you used to install the older version."

• Completeness — Line 11: msiexec is mentioned with no context, code formatting, or link. Readers unfamiliar with command-line MSI installation get no direction. Suggested fix: format as code (msiexec) and either add a brief note ("by running msiexec from the command line") or link to a relevant procedure/silent-install topic.

• Structure — Lines 17–25: This single :::warning admonition combines four distinct topics: configuration-import for major upgrades, license-key verification, the server-before-client upgrade order, and the risks of running multiple major versions concurrently. The first two are procedural follow-ups (things to do after upgrading), not warnings; the last two are the genuine warnings. Mixing them under one block makes scanning harder and dilutes the warning's signal. Suggested fix: split the procedural guidance (config import + license check) into a regular numbered list under "Upgrade the server components", and keep only the "upgrade servers before clients" + "don't run multiple major versions" content inside a tighter :::warning.

• Completeness — Section coverage: The new structure has two H2s (server components, Password Policy Client) but does not mention the Mailer Service. The previous version had an explicit "Upgrading the Mailer" section. Readers responsible for the Mailer will not find guidance here and won't know whether the server installer covers it or whether they need a separate procedure. Suggested fix: add a one-sentence note in the server section confirming that the server installer also detects and upgrades any installed Mailer Service, with a link to the Mailer installation topic — or add a short third subsection if the procedure differs.

• Completeness — Section coverage: The previous version's "Upgrade Notes" called out that "Versions 9.x and above don't support perpetual license keys." If that constraint still applies to a 9.x → 11.x upgrade path, removing it leaves customers with perpetual licenses to discover the change mid-upgrade. The new license-check paragraph (line 20) discusses Evaluation expiry but does not address perpetual-key compatibility. Suggested fix: if the perpetual-key limitation is still in effect, restore that note (a sentence in the license paragraph at line 20 is enough, e.g., "Perpetual license keys aren't supported in 9.x and above — contact Customer Support if your existing license is perpetual.").

• Clarity — Line 24: "for an extended time" and "for a short time while you roll out the new version" are both vague. A reader trying to plan a phased rollout has no measurable target. Suggested fix: replace with a concrete window where possible (for example, "no longer than a single rollout window — typically days to a few weeks, not months") or remove the time framing and rely on the cause-and-effect statement that follows.

Summary

7 editorial suggestions across 2 files (1 file clean, 6 issues on upgrading.md). Vale and Dale issues are auto-fixed separately.

---

What to do next:

Comment @claude on this PR followed by your instructions to get help:

• @claude fix all issues — fix all editorial issues
• @claude help improve the flow of this document — get writing assistance
• @claude explain the voice issues — understand why something was flagged

You can ask Claude anything about the review or about Netwrix writing standards.

Automated fixes are only available for branches in this repository, not forks.

[github-actions]

Auto-Fix Summary

2 issues fixed, 6 skipped across 2 files

Category	Fixes
Dale: passive-voice	1
Dale: undefined-acronyms	1

Skipped (needs manual review)	Reason

| docs/accessanalyzer/2601/configurations/activity-monitor-integration.md:56 — Dale: passive-voice | 'must be installed' is the natural phrasing for prerequisite list bullets; rewriting would force awkward imperative or change meaning |
| docs/accessanalyzer/2601/configurations/activity-monitor-integration.md:71 — Dale: passive-voice | 'is enabled' describes a stable state of a feature flag — the stative passive is idiomatic and rewriting would be unnatural |
| docs/accessanalyzer/2601/configurations/activity-monitor-integration.md:76 — Dale: passive-voice | 'is set to true' is the documentation convention for verifying setting values; rewriting risks ambiguity |
| docs/accessanalyzer/2601/configurations/activity-monitor-integration.md:164 — Dale: passive-voice | 'after a new connection is established' — natural protocol description; rewriting requires inferring which actor establishes (could be agent or AA2601) |
| docs/accessanalyzer/2601/configurations/activity-monitor-integration.md:244 — Dale: passive-voice | 'are set' in the troubleshooting bullet refers to env-var configuration state; rewriting changes the verification action |
| docs/accessanalyzer/2601/configurations/activity-monitor-integration.md:268 — Dale: passive-voice | '(governed by activitymonitor_enrollment_ban_duration_seconds)' parenthetical — rewriting to active would require restructuring the sentence and could alter the focus on protocol violations |

Ask @claude on this PR if you'd like an explanation of any fix.