From 2f6701bc6047fc55676891b038c93f121c857b3d Mon Sep 17 00:00:00 2001
From: Sreeparna Singhal
Date: Wed, 16 Jul 2025 16:36:51 +0100
Subject: [PATCH 1/2] Script updates complete for PingCastle 3.3
---
docs/pingcastle/3.3/enterpriseinstall.md | 108 +++++++++-------
docs/pingcastle/3.3/enterpriseupgrade.md | 10 +-
docs/pingcastle/3.3/enterpriseuser.md | 66 +++++-----
docs/pingcastle/3.3/index.md | 157 ++++++++++++-----
docs/pingcastle/3.3/proinstall.md | 46 ++++---
docs/pingcastle/3.3/proupgrade.md | 2 +-
docs/pingcastle/3.3/prouser.md | 14 +-
7 files changed, 216 insertions(+), 187 deletions(-)
diff --git a/docs/pingcastle/3.3/enterpriseinstall.md b/docs/pingcastle/3.3/enterpriseinstall.md
index bc5ee23fa2..3bdec92645 100644
--- a/docs/pingcastle/3.3/enterpriseinstall.md
+++ b/docs/pingcastle/3.3/enterpriseinstall.md
@@ -11,7 +11,7 @@ management, thus improving over time. # Requirements -System Specifications +**System Specifications** The Operating systems supported are:
@@ -78,7 +78,7 @@ include subdomains of a forest. Enterprise licenses are bundled in packs of 10 domains, up to 60, with an unlimited license thereafter. -Example +**Example** If you have consto.com with two subdomains called uk.consto.com and us.consto.com, then you would require the 10-domain licensing pack.
@@ -175,7 +175,7 @@ to the database to IIS (application pool) # Various options -Custom login message +**Custom login message** You can define a custom message at the login page. You have to use the custom option "customLoginMessage".
@@ -195,7 +195,7 @@ JAVASCRIPT. # Post Installation - Scheduler -Quick installation +**Quick installation** PingCastle allows the possibility to the administrator of the application to schedule scans. It is useful when the solution is 
@@ -228,9 +228,11 @@ the access to the task scheduler cannot be delegated. ## Custom installation -Note: PingCastle is using behing the hood a folder named "PingCastle" in +:::note +PingCastle is using behing the hood a folder named "PingCastle" in the task scheduler. We will use the COM api as it exposes the security descriptor -- which is not the case of the native PowerShell APIL +::: If you want PingCastle to be able to start or stop tasks but not being able to edit them (it requires that the account is local admin), you
@@ -240,21 +242,21 @@ the following actions as admin in powershell: ```powershell # connect to the task scheduler service -$scheduleObject = New-Object -ComObject schedule.service +**$scheduleObject = New-Object -ComObject schedule.service** $scheduleObject.connect() -$rootFolder = $scheduleObject.GetFolder("") +**$rootFolder = $scheduleObject.GetFolder("")** $PingCastleFolder = $rootFolder.GetFolder("PingCastle") -$PingCastleFolder.GetTasks(1) | Foreach-Object { +**$PingCastleFolder.GetTasks(1) | Foreach-Object {** $sddl = $_.GetSecurityDescriptor(1+2+4+8) # add full control to the task -$sddl += "(A;S-1-XXX-XXX-XXX;FA;;;SY)" +**$sddl += "(A;S-1-XXX-XXX-XXX;FA;;;SY)"** $_.SetSecurityDescriptor($sddl, 0)
@@ -291,11 +293,11 @@ core 8.0 middleware. Microsoft has procedures to install the dotnet core 2 framework: -Linux installation +**Linux installation** - https://docs.microsoft.com/en-us/dotnet/core/linux-prerequisites?tabs=netcore2x -Windows installation +**Windows installation** - https://docs.microsoft.com/en-us/dotnet/core/windows-prerequisites?tabs=netcore2x
@@ -350,13 +352,13 @@ The following SQL can grant these permissions: ```sql If not Exists (select loginname from master.dbo.syslogins -where loginname = 'IIS APPPOOL\PingCastleEnterprise') +**where loginname = 'IIS APPPOOL\PingCastleEnterprise')** Begin CREATE LOGIN [IIS APPPOOL\PingCastleEnterprise] FROM WINDOWS; -End +**End** use PingCastleEnterprise; 
@@ -373,7 +375,9 @@ sudo apt-get install postgresql postgresql-contrib sudo /etc/init.d/postgresql start ``` -Note: by default no password for the user postgres +:::note +By default no password for the user postgres +::: ```bash sudo -u postgres createuser pingcastle
@@ -390,7 +394,7 @@ sudo -u postgres createdb -O pingcastle pingcastle ## Using a Database Hosted on Anther Server -Configure SQL Server with a local DB account +**Configure SQL Server with a local DB account** ![](/img/product_docs/pingcastle/enterpriseinstall/image18.png)
@@ -406,7 +410,7 @@ later the password inside the application.Production.json file) ![](/img/product_docs/pingcastle/enterpriseinstall/image20.png) -Then create a database +**Then create a database** Do not forget to set the owner as the user you created before.
@@ -445,7 +449,7 @@ need to be escaped as they are located inside a json string. ![Une image contenant texte, Police, nombre, logiciel Description générée automatiquement](/img/product_docs/pingcastle/enterpriseinstall/image26.png) -Configure SQL Server with an Active Directory user +**Configure SQL Server with an Active Directory user** You need to first create this Windows user.
@@ -514,13 +518,13 @@ For the license, the parameter is stored in the \"License\" setting. Here are some connection string examples: -Sql Local DB +**Sql Local DB** ```json "Server=(localdb)\\mssqllocaldb;Database=aspnet-PingCastleEnterprise-9521AD04-BA3A-41DC-A454-F2BD464E9391;Trusted_Connection=True;MultipleActiveResultSets=true" ``` -PostGres +**PostGres** ```json "DefaultConnection":
@@ -541,7 +545,7 @@ PingCastle supports: - SAML2 authentication -Configure active directory authentication +**Configure active directory authentication** The asp.net core middleware requires IIS to provide the authentication layer. As a consequence, the application do not access directly the 
@@ -604,7 +608,7 @@ API calls will need in addition to their API key a Windows account. directive, as incidated on https://docs.microsoft.com/en-us/iis/manage/configuring-security/understanding-iis-url-authorization -Configure OpenID Authentication +**Configure OpenID Authentication** PingCastle Enterprise supports natively OpenID authentication. It is using the asp.net core API whose configuration file is [defined here](https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.builder.openidconnectoptions?view=aspnetcore-1.1&viewFallbackFrom=aspnetcore-8.0). The proxy settings rely on the current user proxy configuration (which
@@ -631,7 +635,7 @@ property in the appsettings.json file. ![](/img/product_docs/pingcastle/enterpriseinstall/image42.png) -Configure AzureAD authentication as OpenID +**Configure AzureAD authentication as OpenID** Connect to https://portal.azure.com to go to "App registrations". Then register an application.
@@ -649,7 +653,7 @@ Clic on "Grant admin consent for " the application ![Une image contenant texte Description générée automatiquement](/img/product_docs/pingcastle/enterpriseinstall/image45.png) -After the action, the Status is changed +**After the action, the Status is changed** ![Une image contenant texte Description générée automatiquement](/img/product_docs/pingcastle/enterpriseinstall/image46.png)
@@ -669,16 +673,16 @@ to the following one: ```json "OpenIdConnect": { -"DisplayName": "AzureAD", +**"DisplayName": "AzureAD",** "ClientId": "", -"Authority": "https://login.microsoftonline.com//", +**"Authority": "https://login.microsoftonline.com//",** } ``` -Configure header authentication +**Configure header authentication** You need to edit the appsettings.json file. 
@@ -700,7 +704,7 @@ property in the appsettings.json file. ![](/img/product_docs/pingcastle/enterpriseinstall/image38.png) -Configure SAML2 authentication +**Configure SAML2 authentication** If you want to hide the internal accounts, you can set the following property in the appsettings.json file.
@@ -711,7 +715,7 @@ PingCastle Enterprise supports natively SAML2 authentication. PingCastle is using behind the scenes the component [ITfoxtec Identity SAML 2.0](https://www.itfoxtec.com/IdentitySaml2). The advanced and explicit configuration settings documentation can be [found here](https://github.com/ITfoxtec/ITfoxtec.Identity.Saml2/blob/master/src/ITfoxtec.Identity.Saml2/Configuration/Saml2Configuration.cs). The proxy settings rely on the current user proxy configuration (which can be defined [using netsh for IIS running as SYSTEM](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/configure-proxy-internet?view=o365-worldwide)). -Easy configuration +**Easy configuration** This option requires that the IdP can be accessed directly by the server. This may conflict with one premise deployment where the server
@@ -747,7 +751,7 @@ Give your app a name and click Next. ![Config App](/img/product_docs/pingcastle/enterpriseinstall/image55.png) -In Single Sign on URL, enter https://yourPingCastleServer/Saml2/AssertionConsumerService +**In Single Sign on URL, enter https://yourPingCastleServer/Saml2/AssertionConsumerService** In Audience URI, enter PingCastle or the value that will be used in the "Issuer" setting.
@@ -773,7 +777,7 @@ You are now ready to use SAML2 as authentication. ![](/img/product_docs/pingcastle/enterpriseinstall/image58.png) -Advanced configuration +**Advanced configuration** To remove the need for the IdP metadata query to the remote server, the saml configuration can be set manually. For this procedure, we follow 
@@ -803,14 +807,14 @@ certificate. It can be seen also in the metadata: The configuration relies on the ITFoxTec SAML2 provider and thus, advanced settings can be seen [here](https://github.com/ITfoxtec/ITfoxtec.Identity.Saml2/blob/ede215bda2fd163367d475ca6104ec8ccb7642d3/src/ITfoxtec.Identity.Saml2/Configuration/Saml2Configuration.cs) -ADFS +**ADFS** When using ADFS, the well known configuration is: ```json "Saml2": { -"Issuer": "https://xxx/Saml2/Login", +**"Issuer": "https://xxx/Saml2/Login",** "IdPMetadata": "https://xxx/FederationMetadata/2007-06/FederationMetadata.xml"
@@ -818,11 +822,13 @@ When using ADFS, the well known configuration is: }, ``` -Note: you can customize the "SAML2" name in the login page by setting +:::note +You can customize the "SAML2" name in the login page by setting the field DisplayName in the Saml2 section in the configuration file to the value you want. +::: -Configure Client certificate authentication +**Configure Client certificate authentication** The first step is to configure the webserver to require a client certificate when establishing the SSL connection. It requires SSL (aka a
@@ -849,9 +855,11 @@ webserver sent a certificate. Then the certificate will be evaluated to verify it is trusted (chain building, online verification) and map it to a user account. -Note: if no CRL or OCSP endpoint is available on all certificate, or if +:::note +If no CRL or OCSP endpoint is available on all certificate, or if they cannot be joined, the verification will have to be turned OFF using the setting CertificateAuthNoRevocation. +::: ![](/img/product_docs/pingcastle/enterpriseinstall/image65.png)
@@ -872,7 +880,7 @@ dns form). Please note that no password needs to be submitted. ![](/img/product_docs/pingcastle/enterpriseinstall/image67.png) -Email +**Email** PingCastle requires a configuration to be able to send emails. 
@@ -980,7 +988,7 @@ shown to create the first user. This user is given the \"Admin\" role. For more details please see the user documentation. -Entities +**Entities** PingCastle configures by default an entity named \"Default\". It is the entity where Auto Created domains are assigned.
@@ -995,7 +1003,7 @@ to edit a base hierarchy using an Excel file. This Excel file is the same used in the PingCastleReporting tool. -Encryption +**Encryption** PingCastle Enterprise comes by default with the PingCastle default encryption key.
@@ -1003,12 +1011,12 @@ encryption key. If you decided to add a custom ciphering key, you can add it in Advanced -\> Decryption. -Bulk Import of existing reports +**Bulk Import of existing reports** You can import existing report using the bulk import functionality of the Advanced -\> Interoperability menu. -Agents +**Agents** You can configure PingCastle program to send their report to the program.
@@ -1032,7 +1040,7 @@ To avoid any hole in security architecture, it was chosen to not run PingCastle scans from the web application. That means that the local domains have to push their information into PingCastle Enterprise. -Program +**Program** It is recommended to run the latest official version of PingCastle. The PingCastle.exe program delivered in the same directory than the
@@ -1043,7 +1051,7 @@ audit program at a higher or lower version. If new features have been added, they will not be visible unless the PingCastle Enterprise program is updated, but no data will be lost in the mean time. -Schedule +**Schedule** The best way to schedule it is to run your own scheduler. Indeed, you may have purchase a batch product which is looking for failure or
@@ -1056,7 +1064,7 @@ scheduler. The recommended frequency is every week, using a normal user account (not privileged) running on a batch server (not a DC). -Command +**Command** You need to create an API key with the upload right (the \"Agent\" page as admin). 
@@ -1078,11 +1086,11 @@ PingCastle Enterprise supports a synchronization mode to implement a security zone model (used within the Defense). Ony domains are synchronized (no AzureAD). -PingCastle Enterprise high trust +**PingCastle Enterprise high trust** PingCastle Enterprise high trust -PingCastle Enterprise low trust +**PingCastle Enterprise low trust** PingCastle audits
@@ -1205,7 +1213,7 @@ The method to run the application manually is to run the command: dotnet.exe PingCastleEnterprise.dll ``` -(dotnet.exe is stored by default on c:\\program files\\dotnet) +**(dotnet.exe is stored by default on c:\\program files\\dotnet)** Additionnally, you can choose to open the application on the network by specifying the \--server.urls parameter:
@@ -1221,7 +1229,7 @@ service connect under IIS APPPool\\AppName. We recommend to look at the following page to grant right to the application pool account on Sql Server: -https://blogs.msdn.microsoft.com/ericparvin/2015/04/14/how-to-add-the-applicationpoolidentity-to-a-sql-server-login +**https://blogs.msdn.microsoft.com/ericparvin/2015/04/14/how-to-add-the-applicationpoolidentity-to-a-sql-server-login** Then depending on the platform additional logs can be stored.
@@ -1270,7 +1278,9 @@ Solution: identify the correct version of the framework and install it. Do not forget to install the IIS middleware is you are installing on IIS. -Note: the last error was related to the missing KB KB2533623 +:::note +The last error was related to the missing KB KB2533623 +::: ## Missing web.config
@@ -1381,7 +1391,7 @@ Follow the steps to enable debug logging. 5. From the same directory, open the **web.config** file and edit the **aspNetCore** tag so **stdoutLogEnabled=true**. -Example +**Example** ```xml - +**** - +****
@@ -584,47 +584,47 @@ Private Key (used on the decryption side): ```xml - +**** +**6IQbgkAxLTMo4CUmtUQ6GvjwFwE="/>** - +**** ``` -Done +**Done** Task Generate Key completed 
@@ -642,8 +642,10 @@ PingCastle --reload-report report.xml --encrypt PingCastle --reload-report encrypted-report.xml ``` -Note: Only one key can be specified for encryption but multiple keys can +:::note +Only one key can be specified for encryption but multiple keys can be used for decryption. Their selection is automatic. +::: ### Email
@@ -677,7 +679,7 @@ This is the kind of questions you can answer with the simplest consolidation. Indeed, the program can be used to aggregate the report results. -Operations to perform +**Operations to perform** The consolidation process is working on the xml files generated by the consolidation report. By default, the files are picked in the directory
@@ -699,7 +701,7 @@ PingCastle --hc-conso 4. This report is generated automatically when the healthcheck is performed with the server "\*" -Consolidation report +**Consolidation report** The consolidation report is a concatenation of all data contained in the report, without the detail. It follows the same plan than a simple
@@ -709,7 +711,7 @@ report. When the consolidation is made, 3 html files are generated. -File ad_hc_summary.html +**File ad_hc_summary.html** The first one contains the summary of all the reports: It keeps the same structure than the detailed reports but with a higher level of detail.
@@ -739,7 +741,7 @@ a scanner description is shown. ![](/img/product_docs/pingcastle/basicuser/image29.png) -Here are the main scanners +**Here are the main scanners** Check for specific user in global permissions
@@ -751,7 +753,7 @@ objects on a domain. It is default to the \"authenticated users\", PingCastle --scanner aclcheck --server ``` -Local administrators +**Local administrators** The local administrator accounts can be used in an attack to recover passwords in memory with tools like mimikatz. You can enumerate most of 
@@ -761,7 +763,7 @@ them without any privilege with PingCastle with the following command: PingCastle --scanner localadmin --server ``` -Local shares +**Local shares** Local shares can be opened to everyone and be storing confidential information like login and passwords or backups. PingCastle can do a
@@ -772,7 +774,7 @@ following command: PingCastle --scanner share --server ``` -Start time +**Start time** Any authenticated users can get the start time of a computer in the domain and even unauthenticated ones if SMB v2 is activated. PingCastle
@@ -783,7 +785,7 @@ all computers of the domain: PingCastle --scanner startup --server ``` -SMB version +**SMB version** PingCastle can do a quick scan without any privilege to know which version is supported as server for each computer of a domain:
@@ -792,7 +794,7 @@ version is supported as server for each computer of a domain: PingCastle --scanner smb --server ``` -Null sessions +**Null sessions** Null sessions are an old Windows NT4 problem. It should have been disappears but is still present on 20-30% of the domains. When it is
@@ -808,7 +810,7 @@ using this functionality. Run the following command: PingCastle --scanner nullsession --server ``` -foreignusers +**foreignusers** A inbound trust ( an unidirectional trust) is understood as a diode. Nothing is supposed to be extracted. But this is not true. PingCastle
@@ -828,11 +830,11 @@ PingCastle --scanner foreignusers --foreigndomain --serve # Annex -Command line reference +**Command line reference** Here is a short description of the main tasks performed by the program. -Health check +**Health check** run the health check : 
@@ -913,14 +915,14 @@ switch: ``` --help : display this message ---interactive : force the interactive mode +**--interactive : force the interactive mode** --log : generate a log file --log-console : add log to the console ``` -Common options when connecting to the AD +**Common options when connecting to the AD** ``` --server : use this server (default: current domain
@@ -939,11 +941,11 @@ prompt) --protocol : selection the protocol to use among LDAP or ADWS (fastest) -: ADWSThenLDAP (default), ADWSOnly, LDAPOnly, LDAPThenADWS +**: ADWSThenLDAP (default), ADWSOnly, LDAPOnly, LDAPThenADWS** --carto : perform a quick cartography with domains surrounding ---healthcheck : perform the healthcheck (step1) +**--healthcheck : perform the healthcheck (step1)** --api-endpoint <> : upload report via api call eg: http://server
@@ -955,7 +957,7 @@ hc on all trusted domains except domains of the forest and forest trusts --explore-forest-trust : on root domain of a forest, after the healthcheck, do the hc on all forest trusts discovered ---explore-trust and --explore-forest-trust can be run together +**--explore-trust and --explore-forest-trust can be run together** --explore-exception : comma separated values of domains that will not be explored automatically
@@ -965,7 +967,7 @@ content of the xml report --level : specify the amount of data found in the xml file -: level: Full, Normal, Light +**: level: Full, Normal, Light** --no-enum-limit : remove the max 100 users limitation in html report
@@ -974,7 +976,7 @@ content of the xml report --sendXmlTo : send xml reports to a mailbox (comma separated email) ---sendHtmlTo : send html reports to a mailbox +**--sendHtmlTo : send html reports to a mailbox** --sendAllTo : send html reports to a mailbox 
@@ -988,11 +990,11 @@ received --smtptls : enable TLS/SSL in SMTP if used on other port than 465 and 587 ---skip-null-session: do not test for null session +**--skip-null-session: do not test for null session** --webdirectory : upload the xml report to a webdav server ---webuser : optional user and password +**--webuser : optional user and password** --webpassword
@@ -1002,11 +1004,11 @@ Do not forget PingCastleReporting includes a similar option but for --generate-key : generate and display a new RSA key for encryption ---hc-conso : consolidate multiple healthcheck xml reports (step2) +**--hc-conso : consolidate multiple healthcheck xml reports (step2)** --center-on : center the simplified graph on this domain -default is the domain with the most links +**default is the domain with the most links** --xmls : specify the path containing xml (default: current directory)
@@ -1021,7 +1023,7 @@ any healthcheck switches (send email, ..) can be reused --level : specify the amount of data found in the xml file -: level: Full, Normal, Light (default: Normal) +**: level: Full, Normal, Light (default: Normal)** --encrypt : use an RSA key stored in the .config file to crypt the content of the xml report 
@@ -1041,68 +1043,68 @@ content of the xml report --node : create a report based on a object -: example: "cn=name" or "name" +**: example: "cn=name" or "name"** --nodes : create x report based on the nodes listed on a file --scanner : perform a scan on one of all computers of the domain (using --server) -aclcheck +**aclcheck** Check authorization related to users or groups. Default to everyone, authenticated users and domain users -antivirus +**antivirus** Check for computers without known antivirus installed. It is used to detect unprotected computers but may also report computers with unknown antivirus. -corruptADDatabase +**corruptADDatabase** Try to detect corrupted AD database. To run only when requested by PingCastle support. -foreignusers +**foreignusers** Use trusts to enumerate users located in domain denied such as bastion or domains too far away. -laps_bitlocker +**laps_bitlocker** Check on the AD if LAPS and/or BitLocker has been enabled for all computers on the domain. -localadmin +**localadmin** Enumerate the local administrators of a computer. -nullsession +**nullsession** Check if null sessions are enabled and provide example(s). -nullsession-trust +**nullsession-trust** Dump the trusts of a domain via null session if possible -share +**share** List all shares published on a computer and determine if the share can be accessed by anyone -smb +**smb** Scan a computer and determine the smb version available. Also if SMB signing is active. -spooler +**spooler** Check if the spooler service is remotely active. The spooler can be abused to get computer tokens when unconstrained delegations are exploited. -startup +**startup** Get the last startup date of a computer. Can be used to determine if latest patches have been applied. 
@@ -1117,7 +1119,7 @@ options for scanners: --foreigndomain : foreign domain targeted using its FQDN or sids -Example of SID: S-1-5-21-4005144719-3948538632-2546531719 +**Example of SID: S-1-5-21-4005144719-3948538632-2546531719** --upload-all-reports: use the API to upload all reports in the current directory
@@ -1125,10 +1127,13 @@ directory --api-endpoint <> : upload report via api call eg: http://server --api-key : and using the api key as registered +``` -Note: do not forget to set --level Full to send all the information +:::note +Do not forget to set --level Full to send all the information available -``` +::: + ## List of open source software used
@@ -1186,7 +1191,7 @@ This can be modified in the security policies: ![](/img/product_docs/pingcastle/basicuser/image37.png) -Select \"Local Policies\" in MSC snap in +**Select \"Local Policies\" in MSC snap in** Select \"User Rights Assignment\"
diff --git a/docs/pingcastle/3.3/proinstall.md b/docs/pingcastle/3.3/proinstall.md
index d7f6b99f35..aab74f7582 100644
--- a/docs/pingcastle/3.3/proinstall.md
+++ b/docs/pingcastle/3.3/proinstall.md
@@ -11,7 +11,7 @@ improving over time. # Requirements -System Specifications +**System Specifications** The Operating systems supported are:
@@ -76,7 +76,7 @@ domains include subdomains of a forest. 2. The number of Domain Controllers are not used for licensing, only domains. -Example +**Example** If you have consto.com with two subdomains called uk.consto.com and us.consto.com, then you would require three licenses.
@@ -107,7 +107,7 @@ it in the database. Add the end of the procedure, you will get "Tenant ID" and "Client ID". -Connect to \"Azure Portal\" located at https://portal.azure.com +**Connect to \"Azure Portal\" located at https://portal.azure.com** ![](/img/product_docs/pingcastle/proinstall/image4.png) 
@@ -138,8 +138,10 @@ ClientID and TenantID and keep it with you. ![Une image contenant texte Description générée automatiquement](/img/product_docs/pingcastle/proinstall/image9.png) -Note: the permission can be granted implicitly by the first user +:::note +The permission can be granted implicitly by the first user connecting to the application. +::: # SQL Express installation
@@ -148,7 +150,7 @@ any edition of SQL Server is working. Download SQL Express 2019 here: -https://www.microsoft.com/en-us/Download/details.aspx?id=101064 +**https://www.microsoft.com/en-us/Download/details.aspx?id=101064** Select "Basic"and let the installation proceed.
@@ -386,7 +388,9 @@ sudo apt-get install postgresql postgresql-contrib sudo /etc/init.d/postgresql start ``` -Note: by default no password for the user postgres +:::note +By default no password for the user postgres +::: ```bash sudo -u postgres createuser pingcastle
@@ -401,7 +405,7 @@ sudo -u postgres createdb -O pingcastle pingcastle ## Using a Database hosted on another server -Configure SQL Server with a local DB account +**Configure SQL Server with a local DB account** You first need to create a local account inside Sql Server.
@@ -419,7 +423,7 @@ Then create a database. ![](/img/product_docs/pingcastle/proinstall/image37.png) -Then create a database +**Then create a database** ![](/img/product_docs/pingcastle/proinstall/image38.png)
@@ -458,7 +462,7 @@ need to be escaped as they are located inside a json string. ![Une image contenant texte, Police, nombre, logiciel Description générée automatiquement](/img/product_docs/pingcastle/proinstall/image43.png) -Configure SQL Server with an Active Directory user +**Configure SQL Server with an Active Directory user** You need to first create this Windows user. 
@@ -527,13 +531,13 @@ For the license, the parameter is stored in the \"License\" setting. Here are some connection string examples: -Sql Local DB +**Sql Local DB** ```json "Server=(localdb)\\mssqllocaldb;Database=aspnet-PingCastlePro-9521AD04-BA3A-41DC-A454-F2BD464E9391;Trusted_Connection=True;MultipleActiveResultSets=true" ``` -PostGres +**PostGres** ```json "DefaultConnection": "Server=localhost;username=pingcastle;password=pingcastle;database=pingcastle"
@@ -581,7 +585,7 @@ Azure. ![](/img/product_docs/pingcastle/proinstall/image51.png) -It then display the welcome screen +**It then display the welcome screen** ![](/img/product_docs/pingcastle/proinstall/image52.png)
@@ -623,7 +627,7 @@ pingcastle.exe --upload-all-reports --api-endpoint https://endpoint.com --api-ke # Post Installation - Scheduler -Quick installation +**Quick installation** PingCastle allows the possibility to the administrator of the application to schedule scans. It is useful when the solution is
@@ -656,9 +660,11 @@ the access to the task scheduler cannot be delegated. ## Custom installation -Note: PingCastle is using behing the hood a folder named "PingCastle" in +:::note +PingCastle is using behing the hood a folder named "PingCastle" in the task scheduler. We will use the COM api as it exposes the security descriptor -- which is not the case of the native PowerShell APIL +::: If you want PingCastle to be able to start or stop tasks but not being able to edit them (it requires that the account is local admin), you
@@ -725,7 +731,7 @@ scheduler. The recommended frequency is every week, using a normal user account (not privileged) running on a batch server (not a DC). -Command +**Command** You need to create an API key with the upload right (the \"Agent\" page as admin). 
@@ -756,7 +762,7 @@ The method to run the application manually is to run the command: dotnet.exe PingCastlePro.dll ``` -(dotnet.exe is stored by default on c:\\program files\\dotnet) +**(dotnet.exe is stored by default on c:\\program files\\dotnet)** Additionnally, you can choose to open the application on the network by specifying the \--server.urls parameter:
@@ -772,7 +778,7 @@ service connect under IIS APPPool\\AppName. We recommend to look at the following page to grant right to the application pool account on Sql Server: -https://blogs.msdn.microsoft.com/ericparvin/2015/04/14/how-to-add-the-applicationpoolidentity-to-a-sql-server-login +**https://blogs.msdn.microsoft.com/ericparvin/2015/04/14/how-to-add-the-applicationpoolidentity-to-a-sql-server-login** Then depending on the platform additional logs can be stored.
@@ -815,7 +821,9 @@ And the message when running on the command line: identify the correct version of the framework and install it. Do not forget to install the IIS middleware is you are installing on IIS. -Note: the last error was related to the missing KB KB2533623 +:::note +The last error was related to the missing KB KB2533623 +::: ## Error at the application startup
@@ -911,7 +919,7 @@ Follow the steps to enable debug logging. 5. From the same directory, open the **web.config** file and edit the **aspNetCore** tag so **stdoutLogEnabled=true**. -Example +**Example** ```xml
diff --git a/docs/pingcastle/3.3/proupgrade.md b/docs/pingcastle/3.3/proupgrade.md
index c300171a09..79ff0ec5cc 100644
--- a/docs/pingcastle/3.3/proupgrade.md
+++ b/docs/pingcastle/3.3/proupgrade.md
@@ -2,7 +2,7 @@ ## Before proceeding to the upgrade -Version check +**Version check** You can check the existing version using the About link at the bottom of each page.
diff --git a/docs/pingcastle/3.3/prouser.md b/docs/pingcastle/3.3/prouser.md
index 16a09535e5..a968168aa6 100644
--- a/docs/pingcastle/3.3/prouser.md
+++ b/docs/pingcastle/3.3/prouser.md 
@@ -60,7 +60,7 @@ PingCastle Pro provides authentication through: # Ping Castle Pro features -Main pages overview +**Main pages overview** The application is divided is 2 different areas:
@@ -78,7 +78,7 @@ and its data. ## Domains -Detail information on a domain +**Detail information on a domain** This view displays detailed information on the domain, as well as many other information such the results of the last report, some history,
@@ -149,7 +149,7 @@ perimeter. ![](/img/product_docs/pingcastle/prouser/image9.png) -Rule exceptions +**Rule exceptions** \"Rule exceptions\" can be set in order to completely disable a rule within a specific domain. It means that this rule will not be applied
@@ -159,7 +159,7 @@ your organization. Do not hesitate to contact the PingCastle editors if you have doubts or require extra assistance regarding how the exceptions are managed. -Migration +**Migration** In the same idea you can set exceptions for specific domain, you can inform it in the application when one of your domains is migrating. It
@@ -225,8 +225,10 @@ pingcastle --healthcheck --api-endpoint --api-key ![](/img/product_docs/pingcastle/prouser/image14.png) -Important note: By default, all detailed information will be filtered. -To avoid this behavior, the command line can to be changed to: +:::note +By default, all detailed information will be filtered. +To avoid this behavior, the command line can to be changed as follows. +::: ```bash pingcastle --healthcheck --api-endpoint --api-key --level Full
From f98b763c7138c28755476a9a7d0993ac37e354d0 Mon Sep 17 00:00:00 2001
From: sreeparnas
Date: Thu, 17 Jul 2025 13:07:33 +0100
Subject: [PATCH 2/2] Apply suggestions from code review
Commit changes accepted
Co-authored-by: stuart-jaeckel-netwrix
---
docs/pingcastle/3.3/enterpriseinstall.md | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-) 
diff --git a/docs/pingcastle/3.3/enterpriseinstall.md b/docs/pingcastle/3.3/enterpriseinstall.md
index 3bdec92645..557af9fb89 100644
--- a/docs/pingcastle/3.3/enterpriseinstall.md
+++ b/docs/pingcastle/3.3/enterpriseinstall.md
@@ -242,21 +242,21 @@ the following actions as admin in powershell: ```powershell # connect to the task scheduler service -**$scheduleObject = New-Object -ComObject schedule.service** +$scheduleObject = New-Object -ComObject schedule.service $scheduleObject.connect() -**$rootFolder = $scheduleObject.GetFolder("")** +$rootFolder = $scheduleObject.GetFolder("") $PingCastleFolder = $rootFolder.GetFolder("PingCastle") -**$PingCastleFolder.GetTasks(1) | Foreach-Object {** +$PingCastleFolder.GetTasks(1) | Foreach-Object { $sddl = $_.GetSecurityDescriptor(1+2+4+8) # add full control to the task -**$sddl += "(A;S-1-XXX-XXX-XXX;FA;;;SY)"** +$sddl += "(A;S-1-XXX-XXX-XXX;FA;;;SY)" $_.SetSecurityDescriptor($sddl, 0)
@@ -352,13 +352,13 @@ The following SQL can grant these permissions: ```sql If not Exists (select loginname from master.dbo.syslogins -**where loginname = 'IIS APPPOOL\PingCastleEnterprise')** +where loginname = 'IIS APPPOOL\PingCastleEnterprise') Begin CREATE LOGIN [IIS APPPOOL\PingCastleEnterprise] FROM WINDOWS; -**End** +End use PingCastleEnterprise;
@@ -673,11 +673,11 @@ to the following one: ```json "OpenIdConnect": { -**"DisplayName": "AzureAD",** +"DisplayName": "AzureAD", "ClientId": "", -**"Authority": "https://login.microsoftonline.com//",** +"Authority": "https://login.microsoftonline.com//", } ```
@@ -814,7 +814,7 @@ When using ADFS, the well known configuration is: ```json "Saml2": { -**"Issuer": "https://xxx/Saml2/Login",** +"Issuer": "https://xxx/Saml2/Login", "IdPMetadata": "https://xxx/FederationMetadata/2007-06/FederationMetadata.xml"