Merge pull request #1641 from MicrosoftDocs/repo_sync_working_branch

Confirm merge from repo_sync_working_branch to master to sync with https://github.com/MicrosoftDocs/windows-itpro-docs (branch public)

devices/hololens/hololens-known-issues.md

@@ -123,15 +123,6 @@ If your device is still unable to load apps, you can sideload a version of the .
 
 We appreciate your patience as we have gone through the process to get this issue resolved, and we look forward to continued working with our community to create successful Mixed Reality experiences.
 
-## Connecting to WiFi
-
-During HoloLens Setup, there is a credential timeout of 2 minutes. The username/password needs to be entered within 2 minutes otherwise the username field will be automatically cleared.
-
-We recommend using a Bluetooth keyboard for entering long passwords.
-
-> [!NOTE]
-> If the wrong network is selected during HoloLens Setup, the device will need to be fully reset. Instructions can be found [here.](hololens-restart-recover.md)  
-
 ## Device Update
 
 - 30 seconds after a new update, the shell may disappear one time. Please perform the **bloom** gesture to resume your session.

devices/hololens/hololens2-language-support.md

@@ -29,15 +29,15 @@ HoloLens 2 supports the following languages. This support includes voice command
 - German (Germany)
 - Italian (Italy)
 - Japanese (Japan)
-- Spanish (Mexico)
 - Spanish (Spain)
 
-Windows Mixed Reality is also available in the following languages. However, this support does not include speech commands or dictation features.
+HoloLens 2 is also available in the following languages. However, this support does not include speech commands or dictation features.
 
 - Chinese Traditional (Taiwan and Hong Kong)
 - Dutch (Netherlands)
 - Korean (Korea)
-- Changing language or keyboard
+
+## Changing language or keyboard
 
 > [!NOTE]
 > Your speech and dictation language depends on the Windows display language.

devices/hololens/hololens2-start.md

@@ -26,9 +26,9 @@ Before you get started, make sure you have the following available:
 
 **A network connection**. You'll need to connect your HoloLens to a network to set it up. With HoloLens 2, you can connect with Wi-Fi or by using ethernet (you'll need a USB-C-to-Ethernet adapter). The first time you connect, you'll need an open or password-protected network that doesn't require navigating to a website or using certificates to connect. [Learn more about the websites that HoloLens uses](hololens-offline.md).
 
-**A Microsoft account**. You'll also need to sign in to HoloLens with a Microsoft account (or with your work account, if your organization owns the device). If you don't have a Microsoft account, go to [account.microsoft.com](http://account.microsoft.com) and set one up for free.
+**A Microsoft account**. You'll also need to sign in to HoloLens with a Microsoft account (or with your work account, if your organization owns the device). If you don't have a Microsoft account, go to [account.microsoft.com](https://account.microsoft.com) and set one up for free.
 
-**A safe, well-lit space with no tripping hazards**. [Health and safety info](http://go.microsoft.com/fwlink/p/?LinkId=746661).
+**A safe, well-lit space with no tripping hazards**. [Health and safety info](https://go.microsoft.com/fwlink/p/?LinkId=746661).
 
 **The optional comfort accessories** that came with your HoloLens, to help you get the most comfortable fit. [More on fit and comfort](hololens2-setup.md#adjust-fit).
 
@@ -58,6 +58,10 @@ HoloLens 2 will walk you through the following steps:
      HoloLens sets your time zone automatically based on information obtained from the Wi-Fi network. After setup finishes, you can change the time zone by using the Settings app.
 
     ![Connect to Wi-Fi](images/11-network.png)
+> [!NOTE] 
+> If you progress past the Wi-Fi step and later need to switch to a different network while still in setup, you can press the **Volume Down** and **Power** buttons simultaneously to return to this step if you are running an OS version from October 2019 or later. For earlier versions, you may need to [reset the device](hololens-recovery.md) or restart it in a location where the Wi-Fi network is not available to prevent it from automatically connecting.
+> 
+> Also note that during HoloLens Setup, there is a credential timeout of two minutes. The username/password needs to be entered within two minutes otherwise the username field will be automatically cleared.
 
 1. Sign in to your user account. You'll choose between **My work or school owns it** and **I own it**.
     - When you choose **My work or school owns it**, you sign in with an Azure AD account. If your organization uses Azure AD Premium and has configured automatic MDM enrollment, HoloLens automatically enrolls in MDM. If your organization does not use Azure AD Premium, automatic MDM enrollment isn't available. In that case, you need to [manually enroll HoloLens in device management](hololens-enroll-mdm.md#enroll-through-settings-app).

devices/surface-hub/index.md

@@ -30,6 +30,7 @@ Surface Hub 2S is an all-in-one digital interactive whiteboard, meetings platfor
                         <p><a href="https://techcommunity.microsoft.com/t5/Surface-IT-Pro-Blog/Behind-the-design-Surface-Hub-2S/ba-p/464099" target="_blank">Behind the design: Surface Hub 2S</a></p>
                         <p><a href="surface-hub-2s-whats-new.md">What's new in Surface Hub 2S</a></p>
                         <p><a href="differences-between-surface-hub-and-windows-10-enterprise.md">Operating system essentials</a></p>
+                        <p><a href="https://support.office.com/article/use-microsoft-whiteboard-on-a-surface-hub-5c594985-129d-43f9-ace5-7dee96f7621d">Enable Microsoft Whiteboard on Surface Hub</a></p>
                     </div>
                 </div>
             </div>

devices/surface/support-solutions-surface.md

@@ -20,7 +20,7 @@ ms.audience: itpro
 # Top support solutions for Surface devices
 
 > [!Note]
-> **Home users**: This article is only intended for use by IT professionals and  technical support agents. If you're looking for help with a problem with your home device, please see [Surface Devices Help](https://support.microsoft.com/products/surface-devices).
+> **Home users**: This article is only intended for use by IT professionals and  technical support agents, and applies only to Surface devices. If you're looking for help with a problem with your home device, please see [Surface Devices Help](https://support.microsoft.com/products/surface-devices).
 
 Microsoft regularly releases both updates and solutions for Surface devices. To ensure your devices can receive future updates, including security updates, it's important to keep your Surface devices updated.  For a complete listing of the update history, see [Surface update history](https://www.microsoft.com/surface/support/install-update-activate/surface-update-history) and [Install Surface and Windows updates](https://www.microsoft.com/surface/support/performance-and-maintenance/install-software-updates-for-surface?os=windows-10&=undefined).
 

mdop/dart-v10/planning-to-create-the-dart-10-recovery-image.md

@@ -49,7 +49,7 @@ The following items are required or recommended for creating the DaRT recovery i
 </tr>
 <tr class="odd">
 <td align="left"><p>Windows Debugging Tools for your platform</p></td>
-<td align="left"><p>Required when you run the <strong>Crash Analyzer</strong> to determine the cause of a computer failure. We recommend that you specify the path of the Windows Debugging Tools at the time that you create the DaRT recovery image. You can download the Windows Debugging Tools here: <a href="https://go.microsoft.com/fwlink/?LinkId=99934" data-raw-source="[Download and Install Debugging Tools for Windows](https://go.microsoft.com/fwlink/?LinkId=99934)">Download and Install Debugging Tools for Windows</a>.</p></td>
+<td align="left"><p>Required when you run the <strong>Crash Analyzer</strong> to determine the cause of a computer failure. We recommend that you specify the path of the Windows Debugging Tools at the time that you create the DaRT recovery image. You can download the Windows Debugging Tools here: <a href="https://docs.microsoft.com/windows-hardware/drivers/debugger/" data-raw-source="[Download and Install Debugging Tools for Windows](https://docs.microsoft.com/windows-hardware/drivers/debugger/)">Download and Install Debugging Tools for Windows</a>.</p></td>
 </tr>
 <tr class="even">
 <td align="left"><p>Optional: Windows symbols files for use with <strong>Crash Analyzer</strong></p></td>
@@ -62,7 +62,6 @@ The following items are required or recommended for creating the DaRT recovery i
 
 ## Related topics
 
-
 [Planning to Deploy DaRT 10](planning-to-deploy-dart-10.md)
 
  
@@ -72,4 +71,3 @@ The following items are required or recommended for creating the DaRT recovery i
 
 
 
-

windows/deployment/update/waas-servicing-differences.md

@@ -39,7 +39,7 @@ Windows 10 provided an opportunity to end the era of infinite fragmentation. Wit
 
 This helps simplify servicing. Devices with the original Release to Market (RTM) version of a feature release installed could get up to date by installing the most recent LCU. 
 
-Windows publishes the new LCU packages for each Windows 10 version (1607, 1709, etc.) on the second Tuesday of each month. This package is classified as a required security update and contains contents from the previous LCU as well as new security, non-security and Internet Explorer 11 (IE11) fixes. The security classification, by definition, requires a reboot of the device to complete installation of the update.
+Windows publishes the new LCU packages for each Windows 10 version (1607, 1709, etc.) on the second Tuesday of each month. This package is classified as a required security update and contains contents from the previous LCU as well as new security, non-security, and Internet Explorer 11 (IE11) fixes. A reboot of the device might be required to complete installation of the update.
 
 
 ![High level cumulative update model](images/servicing-cadence.png)

windows/deployment/usmt/usmt-general-conventions.md

@@ -50,7 +50,7 @@ Before you modify the .xml files, become familiar with the following guidelines:
 
 -   **File names with brackets**
 
-    If you are migrating a file that has a bracket character (\[ or \]) in the file name, you must insert a carat (^) character directly before the bracket for the bracket character to be valid. For example, if there is a file named File.txt, you must specify `<pattern type="File">c:\documents\mydocs [file^].txt]</pattern>` instead of `<pattern type="File">c:\documents\mydocs [file].txt]</pattern>`.
+    If you are migrating a file that has a bracket character (\[ or \]) in the file name, you must insert a carat (^) character directly before the bracket for the bracket character to be valid. For example, if there is a file named **file].txt**, you must specify `<pattern type="File">c:\documents\mydocs [file^].txt]</pattern>` instead of `<pattern type="File">c:\documents\mydocs [file].txt]</pattern>`.
 
 -   **Using quotation marks**
 

windows/deployment/usmt/usmt-hard-link-migration-store.md

@@ -113,6 +113,9 @@ For example, a company has decided to deploy Windows 10 on all of their compute
 
 3.  An administrator runs the LoadState command-line tool on each computer. The LoadState tool restores user state back on each computer.
 
+> [!NOTE]
+> During the update of a domain-joined computer, the profiles of users whose SID cannot be resolved will not be migrated. When using a hard-link migration store, it could cause a data loss.
+     
 ## <a href="" id="bkmk-hardlinkstoredetails"></a>Hard-Link Migration Store Details
 
 
@@ -233,4 +236,3 @@ The following XML sample specifies that files locked by an application under the
 
 
 
-

windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md

@@ -22,9 +22,6 @@ ms.reviewer:
 -   Windows 10
 -   Windows Server 2016
 
-Prefer video? See [Credentials protected by Windows Defender Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474)
-in the Deep Dive into Windows Defender Credential Guard video series.
-
 Some ways to store credentials are not protected by Windows Defender Credential Guard, including:
 
 -   Software that manages credentials outside of Windows feature protection
@@ -46,4 +43,6 @@ do not qualify as credentials because they cannot be presented to another comput
 
 **Deep Dive into Windows Defender Credential Guard: Related videos**
 
-[Protecting privileged users with Windows Defender Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=JNbjYMJyC_8104300474)
+[Microsoft Cybersecurity Stack: Advanced Identity and Endpoint Protection: Manage Credential Guard](https://www.linkedin.com/learning/microsoft-cybersecurity-stack-advanced-identity-and-endpoint-protection/manage-credential-guard?u=3322)
+> [!NOTE]
+> - Note: Requires [LinkedIn Learning subscription](https://www.linkedin.com/learning/subscription/products) to view the full video

windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md

@@ -69,7 +69,7 @@ Sign-in to a certificate authority or management workstations with _Domain Admin
 4. On the **Compatibility** tab, clear the **Show resulting changes** check box.  Select **Windows Server 2008 R2** from the **Certification Authority** list. Select **Windows 7.Server 2008 R2** from the **Certification Recipient** list.
 5. On the **General** tab, type **Domain Controller Authentication (Kerberos)** in Template display name.  Adjust the validity and renewal period to meet your enterprise’s needs.   
     **Note**If you use different template names, you’ll need to remember and substitute these names in different portions of the lab.
-6. On the **Subject** tab, select the **Build from this Active Directory information** button if it is not already selected.  Select **None** from the **Subject name format** list.  Select **DNS name** from the **Include this information in alternate subject** list. Clear all other items.
+6. On the **Subject Name** tab, select the **Build from this Active Directory information** button if it is not already selected.  Select **None** from the **Subject name format** list.  Select **DNS name** from the **Include this information in alternate subject** list. Clear all other items.
 7. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list.  Select **RSA** from the **Algorithm name** list.  Type **2048** in the **Minimum key size** text box.  Select **SHA256** from the **Request hash** list.  Click **OK**. 
 8. Close the console.
 
@@ -104,7 +104,7 @@ Sign-in to a certificate authority or management workstations with _Domain Admin
 5. On the **General** tab, type **Internal Web Server** in **Template display name**.  Adjust the validity and renewal period to meet your enterprise’s needs.   
     **Note:** If you use different template names, you’ll need to remember and substitute these names in different portions of the lab.
 6. On the **Request Handling** tab, select **Allow private key to be exported**.
-7. On the **Subject** tab, select the **Supply in the request** button if it is not already selected.
+7. On the **Subject Name** tab, select the **Supply in the request** button if it is not already selected.
 8. On the **Security** tab, Click **Add**. Type **Domain Computers** in the **Enter the object names to select** box.  Click **OK**. Select the **Allow** check box next to the **Enroll** permission.
 9. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list.  Select **RSA** from the **Algorithm name** list.  Type **2048** in the **Minimum key size** text box.  Select **SHA256** from the **Request hash** list.  Click **OK**. 
 10. Close the console.

windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md

@@ -36,6 +36,8 @@ You can create a Group Policy or mobile device management (MDM) policy that will
 
 The following table lists the Group Policy settings that you can configure for Windows Hello use in your workplace. These policy settings are available in both **User configuration** and **Computer Configuration** under **Policies** > **Administrative Templates** > **Windows Components** > **Windows Hello for Business**.
 
+> [!NOTE]
+> Starting with Windows 10, version 1709, the location of the PIN complexity section of the Group Policy is: **Computer Configuration** > **Administrative Templates** > **System** > **PIN Complexity**.
  
 <table>
 <tr>
@@ -320,4 +322,3 @@ If you want to use Windows Hello for Business with certificates, you’ll need a
 - [Windows Hello errors during PIN creation](hello-errors-during-pin-creation.md)
 - [Event ID 300 - Windows Hello successfully created](hello-event-300.md)
 - [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md)
-

windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md

@@ -23,22 +23,22 @@ The ideal for BitLocker management is to eliminate the need for IT admins to set
 Though much Windows BitLocker [documentation](bitlocker-overview.md) has been published, customers frequently ask for recommendations and pointers to specific, task-oriented documentation that is both easy to digest and focused on how to deploy and manage BitLocker. This article links to relevant documentation, products, and services to help answer this and other related frequently-asked questions, and also provides BitLocker recommendations for different types of computers.
 
 
->[!IMPORTANT]
+> [!IMPORTANT]
-> Microsoft BitLocker Administration and Monitoring (MBAM) capabilities will be offered from [SCCM in on-prem scenarios](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/viewing-mbam-25-reports-for-the-configuration-manager-integration-topology) in the future.
+> Microsoft BitLocker Administration and Monitoring (MBAM) capabilities will be offered from [ConfigMgr in on-prem scenarios](https://docs.microsoft.com/configmgr/core/get-started/2019/technical-preview-1909#bkmk_bitlocker/) in the future.
 
 ## Managing domain-joined computers and moving to cloud  
 
-Companies that image their own computers using Microsoft System Center 2012 Configuration Manager SP1 (SCCM) or later can use an existing task sequence to [pre-provision BitLocker](https://technet.microsoft.com/library/hh846237.aspx#BKMK_PreProvisionBitLocker) encryption while in Windows Preinstallation Environment (WinPE) and can then [enable protection](https://technet.microsoft.com/library/hh846237.aspx#BKMK_EnableBitLocker). This can help ensure that computers are encrypted from the start, even before users receive them. As part of the imaging process, a company could also decide to use SCCM to pre-set any desired [BitLocker Group Policy](https://technet.microsoft.com/library/ee706521(v=ws.10).aspx).
+Companies that image their own computers using Microsoft System Center 2012 Configuration Manager SP1 (SCCM) or later can use an existing task sequence to [pre-provision BitLocker](https://docs.microsoft.com/configmgr/osd/understand/task-sequence-steps#BKMK_PreProvisionBitLocker) encryption while in Windows Preinstallation Environment (WinPE) and can then [enable protection](https://docs.microsoft.com/configmgr/osd/understand/task-sequence-steps#BKMK_EnableBitLocker). This can help ensure that computers are encrypted from the start, even before users receive them. As part of the imaging process, a company could also decide to use SCCM to pre-set any desired [BitLocker Group Policy](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings/).
 
-Enterprises can use [Microsoft BitLocker Administration and Monitoring (MBAM)](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/) to manage client computers with BitLocker that are domain-joined on-premises until [mainstream support ends in July 2019](https://support.microsoft.com/lifecycle/search?alpha=Microsoft%20BitLocker%20Administration%20and%20Monitoring%202.5%20Service%20Pack%201) or they can receive extended support until July 2024. Thus, over the next few years, a good strategy for enterprises will be to plan and move to cloud-based management for BitLocker. Refer to the [PowerShell examples](#powershell-examples) to see how to store recovery keys in Azure Active Directory (Azure AD).
+Enterprises can use [Microsoft BitLocker Administration and Monitoring (MBAM)](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/) to manage client computers with BitLocker that are domain-joined on-premises until [mainstream support ends in July 2019](https://support.microsoft.com/lifecycle/search?alpha=Microsoft%20BitLocker%20Administration%20and%20Monitoring%202.5%20Service%20Pack%201/) or they can receive extended support until April 2026. Thus, over the next few years, a good strategy for enterprises will be to plan and move to cloud-based management for BitLocker. Refer to the [PowerShell examples](#powershell-examples) to see how to store recovery keys in Azure Active Directory (Azure AD).
 
 ## Managing devices joined to Azure Active Directory
 
-Devices joined to Azure AD are managed using Mobile Device Management (MDM) policy from an MDM solution such as Microsoft Intune. Without Windows 10, version 1809, only local administrators can enable BitLocker via Intune policy. Starting with Windows 10, version 1809, Intune can enable BitLocker for standard users. [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) status can be queried from managed machines via the [Policy Configuration Settings Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider), which reports on whether BitLocker Device Encryption is enabled on the device. Compliance with BitLocker Device Encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access) to services like Exchange Online and SharePoint Online.
+Devices joined to Azure AD are managed using Mobile Device Management (MDM) policy from an MDM solution such as Microsoft Intune. Without Windows 10, version 1809, only local administrators can enable BitLocker via Intune policy. Starting with Windows 10, version 1809, Intune can enable BitLocker for standard users. [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) status can be queried from managed machines via the [Policy Configuration Settings Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider/), which reports on whether BitLocker Device Encryption is enabled on the device. Compliance with BitLocker Device Encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access/) to services like Exchange Online and SharePoint Online.
 
-Starting with Windows 10 version 1703 (also known as the Windows Creators Update), the enablement of BitLocker can be triggered over MDM either by the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) or the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp). The BitLocker CSP adds policy options that go beyond ensuring that encryption has occurred, and is available on computers that run Windows 10 and on Windows phones.
+Starting with Windows 10 version 1703 (also known as the Windows Creators Update), the enablement of BitLocker can be triggered over MDM either by the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider/) or the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp/). The BitLocker CSP adds policy options that go beyond ensuring that encryption has occurred, and is available on computers that run Windows 10 and on Windows phones.
 
-For hardware that is compliant with Modern Standby and HSTI, when using either of these features, [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) is automatically turned on whenever the user joins a device to Azure AD. Azure AD provides a portal where recovery keys are also backed up, so users can retrieve their own recovery key for self-service, if required. For older devices that are not yet encrypted, beginning with Windows 10 version 1703 (the Windows 10 Creators Update), admins can use the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp) to trigger encryption and store the recovery key in Azure AD.
+For hardware that is compliant with Modern Standby and HSTI, when using either of these features, [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) is automatically turned on whenever the user joins a device to Azure AD. Azure AD provides a portal where recovery keys are also backed up, so users can retrieve their own recovery key for self-service, if required. For older devices that are not yet encrypted, beginning with Windows 10 version 1703 (the Windows 10 Creators Update), admins can use the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp/) to trigger encryption and store the recovery key in Azure AD.
 
 This is applicable to Azure Hybrid AD as well. 
 
@@ -52,9 +52,9 @@ For Windows PCs and Windows Phones that enroll using **Connect to work or school
 
 Servers are often installed, configured, and deployed using PowerShell, so the recommendation is to also use [PowerShell to enable BitLocker on a server](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md#bitlocker-cmdlets-for-windows-powershell), ideally as part of the initial setup. BitLocker is an Optional Component (OC) in Windows Server, so follow the directions in [BitLocker: How to deploy on Windows Server 2012 and later](bitlocker-how-to-deploy-on-windows-server.md) to add the BitLocker OC. 
 
-The Minimal Server Interface is a prerequisite for some of the BitLocker administration tools. On a [Server Core](https://docs.microsoft.com/windows-server/get-started/getting-started-with-server-core) installation, you must add the necessary GUI components first. The steps to add shell components to Server Core are described in [Using Features on Demand with Updated Systems and Patched Images](https://blogs.technet.microsoft.com/server_core/2012/11/05/using-features-on-demand-with-updated-systems-and-patched-images/) and [How to update local source media to add roles and features](https://blogs.technet.microsoft.com/joscon/2012/11/14/how-to-update-local-source-media-to-add-roles-and-features/).  
+The Minimal Server Interface is a prerequisite for some of the BitLocker administration tools. On a [Server Core](https://docs.microsoft.com/windows-server/get-started/getting-started-with-server-core/) installation, you must add the necessary GUI components first. The steps to add shell components to Server Core are described in [Using Features on Demand with Updated Systems and Patched Images](https://blogs.technet.microsoft.com/server_core/2012/11/05/using-features-on-demand-with-updated-systems-and-patched-images/) and [How to update local source media to add roles and features](https://blogs.technet.microsoft.com/joscon/2012/11/14/how-to-update-local-source-media-to-add-roles-and-features/).  
 
-If you are installing a server manually, such as a stand-alone server, then choosing [Server with Desktop Experience](https://docs.microsoft.com/windows-server/get-started/getting-started-with-server-with-desktop-experience) is the easiest path because you can avoid performing the steps to add a GUI to Server Core.
+If you are installing a server manually, such as a stand-alone server, then choosing [Server with Desktop Experience](https://docs.microsoft.com/windows-server/get-started/getting-started-with-server-with-desktop-experience/) is the easiest path because you can avoid performing the steps to add a GUI to Server Core.
 
  Additionally, lights out data centers can take advantage of the enhanced security of a second factor while avoiding the need for user intervention during reboots by optionally using a combination of BitLocker (TPM+PIN) and BitLocker Network Unlock. BitLocker Network Unlock brings together the best of hardware protection, location dependence, and automatic unlock, while in the trusted location. For the configuration steps, see [BitLocker: How to enable Network Unlock](bitlocker-how-to-enable-network-unlock.md). 
 
@@ -65,64 +65,60 @@ If you are installing a server manually, such as a stand-alone server, then choo
 For Azure AD-joined computers, including virtual machines, the recovery password should be stored in Azure Active Directory.  
 
 *Example: Use PowerShell to add a recovery password and back it up to Azure AD before enabling BitLocker*
-``` 
+```powershell
-PS C:\>Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector
+Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector
 
-PS C:\>$BLV = Get-BitLockerVolume -MountPoint "C:"
+$BLV = Get-BitLockerVolume -MountPoint "C:"
 
-PS C:\>BackupToAAD-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BLV.KeyProtector[0].KeyProtectorId
+BackupToAAD-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BLV.KeyProtector[0].KeyProtectorId
 ```
+
 For domain-joined computers, including servers, the recovery password should be stored in Active Directory Domain Services (AD DS). 
 
 *Example: Use PowerShell to add a recovery password and back it up to AD DS before enabling BitLocker*
+```powershell
+Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector
+
+$BLV = Get-BitLockerVolume -MountPoint "C:"
+
+Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BLV.KeyProtector[0].KeyProtectorId
 ```
-PS C:\>Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector
-
-PS C:\>$BLV = Get-BitLockerVolume -MountPoint "C:"
-
-PS C:\>Backup-BitLockerKeyProtector -MountPoint "C:" -KeyProtectorId $BLV.KeyProtector[0].KeyProtectorId
- ```
 
 Subsequently, you can use PowerShell to enable BitLocker. 
 
 *Example: Use PowerShell to enable BitLocker with a TPM protector*
- ```
+```powershell
-PS C:\>Enable-BitLocker -MountPoint "D:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -TpmProtector 
+Enable-BitLocker -MountPoint "D:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -TpmProtector 
- ```
+```
-*Example: Use PowerShell to enable BitLocker with a TPM+PIN protector, in this case with a PIN set to 123456*
- ```
-PS C:\>$SecureString = ConvertTo-SecureString "123456" -AsPlainText -Force
 
-PS C:\> Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -Pin $SecureString -TPMandPinProtector
+*Example: Use PowerShell to enable BitLocker with a TPM+PIN protector, in this case with a PIN set to 123456*
-  ``` 
+```powershell
+$SecureString = ConvertTo-SecureString "123456" -AsPlainText -Force
+
+Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -Pin $SecureString -TPMandPinProtector
+``` 
 
 ## Related Articles
 
 [BitLocker: FAQs](bitlocker-frequently-asked-questions.md)
 
-[Microsoft BitLocker Administration and Management (MBAM)](https://technet.microsoft.com/windows/hh826072.aspx)
+[Microsoft BitLocker Administration and Management (MBAM)](https://docs.microsoft.com/microsoft-desktop-optimization-pack/mbam-v25/)
 
 [Overview of BitLocker Device Encryption in Windows 10](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) 
 
-[System Center 2012 Configuration Manager SP1](https://technet.microsoft.com/library/hh846237.aspx#BKMK_PreProvisionBitLocker) *(Pre-provision BitLocker task sequence)*
+[BitLocker Group Policy Reference](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings) 
 
-[Enable BitLocker task sequence](https://technet.microsoft.com/library/hh846237.aspx#BKMK_EnableBitLocker)
+[Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune/)
-
-[BitLocker Group Policy Reference](https://technet.microsoft.com/library/ee706521(v=ws.10).aspx) 
-
-[Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune) 
 *(Overview)*
 
 [Configuration Settings Providers](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider)
 *(Policy CSP: See [Security-RequireDeviceEncryption](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-security#security-policies))*
 
-[BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp)
+[BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp/)
-
-<br />
 
 **Windows Server setup tools**
 
-[Windows Server Installation Options](https://technet.microsoft.com/library/hh831786(v=ws.11).aspx)
+[Windows Server Installation Options](https://docs.microsoft.com/windows-server/get-started-19/install-upgrade-migrate-19/)
 
 [How to update local source media to add roles and features](https://blogs.technet.microsoft.com/joscon/2012/11/14/how-to-update-local-source-media-to-add-roles-and-features/)
 
@@ -134,10 +130,9 @@ PS C:\> Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpace
 
 [Shielded VMs and Guarded Fabric](https://blogs.technet.microsoft.com/windowsserver/2016/05/10/a-closer-look-at-shielded-vms-in-windows-server-2016/) 
 
-<br />
 
-**Powershell**
+**PowerShell**
 
 [BitLocker cmdlets for Windows PowerShell](bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md#bitlocker-cmdlets-for-windows-powershell) 
 
-[Surface Pro Specifications](https://www.microsoft.com/surface/support/surface-pro-specs)
+[Surface Pro Specifications](https://www.microsoft.com/surface/support/surface-pro-specs/)

windows/security/threat-protection/microsoft-defender-atp/find-machines-by-ip.md

@@ -38,8 +38,9 @@ Delegated (work or school account) | Machine.ReadWrite | 'Read and write machine
 
 >[!Note]
 > When obtaining a token using user credentials:
->- The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
+> - Response will include only machines that the user have access to based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information)
->- Response will include only machines,that the user have access to, based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information)
+> - The user needs to have at least the following role permission: 'View Data' (See [Create and manage roles](user-roles.md) for more information)
+> - Response will include only machines that the user have access to based on machine group settings (See [Create and manage machine groups](machine-groups.md) for more information)
 
 ## HTTP request
 ```

windows/security/threat-protection/windows-defender-application-guard/faq-wd-app-guard.md

@@ -8,7 +8,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: denisebmsft
 ms.author: deniseb
-ms.date: 03/28/2019
+ms.date: 12/04/2019
 ms.reviewer: 
 manager: dansimp
 ms.custom: asr
@@ -51,7 +51,7 @@ Currently, the Application Guard Edge session doesn't support Extensions. Howeve
 
 ### How do I configure Windows Defender Application Guard to work with my network proxy (IP-Literal Addresses)? 
 
-Windows Defender Application Guard requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as `192.168.1.4:81` can be annotated as `itproxy:81` or using a record such as `P19216810010` for a proxy with an IP address of `192.168.100.10`. This applies to Windows 10 Enterprise edition, 1709 or higher. These would be for the proxy policies under Network Isolation in Group Policy or Intune. 
+Windows Defender Application Guard requires proxies to have a symbolic name, not just an IP address. IP-Literal proxy settings such as `192.168.1.4:81` can be annotated as `itproxy:81` or using a record such as `P19216810010` for a proxy with an IP address of `192.168.100.10`. This applies to Windows 10 Enterprise edition 1709 or higher. These would be for the proxy policies under Network Isolation in Group Policy or Intune. 
 
 ### Which Input Method Editors (IME) in 19H1 are not supported? 
 
@@ -91,4 +91,4 @@ Yes, both the Enterprise Resource domains hosted in the cloud and the Domains ca
 
 ### Why does my encryption driver break Windows Defender Application Guard?
 
-Windows Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, WDAG will not work.
+Windows Defender Application Guard accesses files from a VHD mounted on the host that needs to be written during setup. If an encryption driver prevents a VHD from being mounted or from being written to, WDAG will not work and result in an error message ("0x80070013 ERROR_WRITE_PROTECT"). 

windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md

@@ -54,6 +54,9 @@ Click **Start** > **Settings** > **Update & Security** > **Windows Security** >
 
 ![Secure Launch Registry](images/secure-launch-registry.png)
 
+> [!IMPORTANT]
+> If System Guard is enabled with a registry key, standard hardware security is not available for the Intel i5 7200U processor.
+
 ## How to verify System Guard Secure Launch is configured and running
 
 To verify that Secure Launch is running, use System Information (MSInfo32). Click **Start**, search for **System Information**, and look under **Virtualization-based Security Services Running** and **Virtualization-based Security Services Configured**.

windows/whats-new/whats-new-windows-10-version-1909.md

@@ -116,7 +116,7 @@ This release adds the ability for Narrator and other assistive technologies to r
 
 This version of Windows 10 will include optimizations to how instructions are processed by the CPU in order to increase the performance and reliability of the operating system and its applications.
 
-When a CPU is manufactured, not all of the cores are created equal. Some of the cores may have slightly different voltage and power characteristics that could allow them to get a "boost" in performance. These cores are called "favored cores" as they can offer better performance then the other cores on the die.
+When a CPU is manufactured, not all of the cores are created equal. Some of the cores may have slightly different voltage and power characteristics that could allow them to get a "boost" in performance. These cores are called "favored cores" as they can offer better performance than the other cores on the die.
 
 With Intel Turbo Boost Max Technology 3.0, an operating system will use information stored in the CPU to identify which cores are the fastest and then push more of the CPU intensive tasks to those cores. According to Intel, this technology "delivers more than 15% better single-threaded performance".