From 14262ec09b7d2778a7bae52304e41b30acf0cfab Mon Sep 17 00:00:00 2001 From: fattala Date: Tue, 8 Nov 2016 15:17:03 +0200 Subject: [PATCH 1/8] Update configure-endpoints-sccm-windows-defender-advanced-threat-protection.md --- ...points-sccm-windows-defender-advanced-threat-protection.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md index 8faa5dafdb..9561881c05 100644 --- a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md @@ -50,6 +50,10 @@ You can use System Center Configuration Manager’s existing functionality to cr 4. Deploy the package by following the steps in the [How to Deploy Packages and Programs in Configuration Manager](https://technet.microsoft.com/library/gg682178.aspx) topic. a. Choose a predefined device collection to deploy the package to. + +> [!NOTE] +> Onboarding couldn't be completed during OOBE. Make sure users pass OOBE after running Windows installation or upgrade. + ### Configure sample collection settings For each endpoint, you can set a configuration value to state whether samples can be collected from the endpoint when a request is made through the Windows Defender ATP portal to submit a file for deep analysis. From b938378cbfbade5f0e7c36a03b74184ecef7a108 Mon Sep 17 00:00:00 2001 From: Andreas Stenhall Date: Wed, 9 Nov 2016 18:12:26 +0100 Subject: [PATCH 2/8] Update windows-defender-block-at-first-sight.md --- windows/keep-secure/windows-defender-block-at-first-sight.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/keep-secure/windows-defender-block-at-first-sight.md b/windows/keep-secure/windows-defender-block-at-first-sight.md index 8abf7c0806..a31f43f6ee 100644 
--- a/windows/keep-secure/windows-defender-block-at-first-sight.md +++ b/windows/keep-secure/windows-defender-block-at-first-sight.md @@ -30,6 +30,9 @@ It is enabled by default when certain pre-requisite settings are also enabled. I When a Windows Defender client encounters a suspicious but undetected file, it queries our cloud protection backend. The cloud backend will apply heuristics, machine learning, and automated analysis of the file to determine the files as malicious or clean. +> [!NOTE] +> The Block at first sight feature only use the cloud protection backend for executable files that are downloaded from the Internet, or originating from the Internet zone. A hash value of the EXE file is checked via the cloud backend to determine if this is a previously undetected file. + If the cloud backend is unable to make a determination, the file will be locked by Windows Defender while a copy is uploaded to the cloud. Only after the cloud has received the file will Windows Defender release the lock and let the file run. The cloud will perform additional analysis to reach a determination, blocking all future encounters of that file. In many cases this process can reduce the response time to new malware from hours to seconds. From 3642b8c5bffdcb6132b1b07f4ddf782eaf1cddf8 Mon Sep 17 00:00:00 2001 
From: tonyartisan Date: Thu, 1 Dec 2016 09:39:10 -0600 Subject: [PATCH 3/8] Update implement-microsoft-passport-in-your-organization.md I am managing a server with Windows Server 2012 R2 Essentials (build 9600) and this text misled me to believe that **Turn on PIN sign-in** group policy did not affect the convenience PIN for computers running version 1607. This was upsetting because group policies relevant to the Windows Hello for Business component are not available until Windows Server 2016. After further research and experimentation, I found that **Turn on PIN sign-on** group policy object set by the server does override the **Turn on convenience PIN sign-in** local policy. --- .../implement-microsoft-passport-in-your-organization.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/keep-secure/implement-microsoft-passport-in-your-organization.md b/windows/keep-secure/implement-microsoft-passport-in-your-organization.md index e4de8535f1..2f52f12e2b 100644 --- a/windows/keep-secure/implement-microsoft-passport-in-your-organization.md +++ b/windows/keep-secure/implement-microsoft-passport-in-your-organization.md 
@@ -20,7 +20,7 @@ localizationpriority: high You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello on devices running Windows 10. >[!IMPORTANT] ->The Group Policy setting **Turn on PIN sign-in** does not apply to Windows Hello for Business. It still prevents or enables the creation of a convenience PIN for Windows 10, version 1507 and 1511. +>The Group Policy setting **Turn on PIN sign-in** does not apply to Windows Hello for Business. It still prevents or enables the creation of a convenience PIN for Windows 10, version 1507, 1511, and 1607. > >Beginning in version 1607, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN for Windows 10, version 1607, enable the Group Policy setting **Turn on convenience PIN sign-in**. > @@ -376,4 +376,4 @@ The PIN is managed using the same Windows Hello for Business policies that you c [Event ID 300 - Windows Hello successfully created](passport-event-300.md) [Windows Hello biometrics in the enterprise](windows-hello-in-enterprise.md) -  \ No newline at end of file +  From e2ecf7ebd09153e414b025279ac6d10c4792bf27 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Thu, 1 Dec 2016 11:49:26 -0800 Subject: [PATCH 4/8] rewrite note --- .../implement-microsoft-passport-in-your-organization.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/implement-microsoft-passport-in-your-organization.md b/windows/keep-secure/implement-microsoft-passport-in-your-organization.md index 2f52f12e2b..6bfc3d1c03 100644 --- a/windows/keep-secure/implement-microsoft-passport-in-your-organization.md +++ b/windows/keep-secure/implement-microsoft-passport-in-your-organization.md 
@@ -20,7 +20,7 @@ localizationpriority: high You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello on devices running Windows 10. >[!IMPORTANT] ->The Group Policy setting **Turn on PIN sign-in** does not apply to Windows Hello for Business. It still prevents or enables the creation of a convenience PIN for Windows 10, version 1507, 1511, and 1607. +>The Group Policy setting **Turn on PIN sign-in** does not apply to Windows Hello for Business. Use the **Turn on PIN sign-in** setting to allow or deny the use of a convenience PIN for Windows 10, versions 1507, 1511, and 1607. > >Beginning in version 1607, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN for Windows 10, version 1607, enable the Group Policy setting **Turn on convenience PIN sign-in**. > From 9a3f432133bc7a792eed4c17d6a6aa8a56184394 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Thu, 1 Dec 2016 14:19:05 -0800 Subject: [PATCH 5/8] update based on sme feedback --- ...points-sccm-windows-defender-advanced-threat-protection.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md index 9561881c05..8b193b46c6 100644 --- a/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md +++ b/windows/keep-secure/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md 
@@ -50,9 +50,9 @@ You can use System Center Configuration Manager’s existing functionality to cr 4. Deploy the package by following the steps in the [How to Deploy Packages and Programs in Configuration Manager](https://technet.microsoft.com/library/gg682178.aspx) topic. a. Choose a predefined device collection to deploy the package to. - + > [!NOTE] -> Onboarding couldn't be completed during OOBE. Make sure users pass OOBE after running Windows installation or upgrade. +> Onboarding couldn't be completed during Out-Of-Box Experience (OOBE). Make sure users pass OOBE after running Windows installation or upgrading. ### Configure sample collection settings From 28c4c005d747172ddde051eea36d8dce5f5ba260 Mon Sep 17 00:00:00 2001 From: Zach Dvorak Date: Thu, 1 Dec 2016 14:34:17 -0800 Subject: [PATCH 6/8] Update upgrade-analytics-get-started.md --- windows/deploy/upgrade-analytics-get-started.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deploy/upgrade-analytics-get-started.md b/windows/deploy/upgrade-analytics-get-started.md index 188a73c081..dde993a2ec 100644 --- a/windows/deploy/upgrade-analytics-get-started.md +++ b/windows/deploy/upgrade-analytics-get-started.md 
@@ -117,7 +117,7 @@ To ensure that user computers are receiving the most up to date data from Micros To automate many of the steps outlined above and to troubleshoot data sharing issues, you can run the [Upgrade Analytics deployment script](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409), developed by Microsoft. -> The following guidance applies to version 11.30.16 or later of the Upgrade Analytics deployment script. If you are using an older version, please download the latest from [Download Center](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409). +> The following guidance applies to version 11.11.16 or later of the Upgrade Analytics deployment script. If you are using an older version, please download the latest from [Download Center](https://go.microsoft.com/fwlink/?LinkID=822966&clcid=0x409). The Upgrade Analytics deployment script does the following: From 5d35cb877539f493a5c1d25ac6b2d76186668b54 Mon Sep 17 00:00:00 2001 From: Justinha Date: Thu, 1 Dec 2016 14:48:41 -0800 Subject: [PATCH 7/8] removed two more references to TPM 2.0 --- ...s-by-controlling-the-health-of-windows-10-based-devices.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md b/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md index b2d8f3634a..ac0409286d 100644 --- a/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md +++ b/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md @@ -364,7 +364,7 @@ The following table details the hardware requirements for both virtualization-ba

Support for the IOMMU in Windows 10 enhances system resiliency against DMA attacks.

-

Trusted Platform Module (TPM) 2.0

+

Trusted Platform Module (TPM)

Required to support health attestation and necessary for additional key protections for virtualization-based security.

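Review bot: Dropping "2.0" from the hardware-requirements row leaves the TPM requirement unversioned, while the right-hand cell still states it is "necessary for additional key protections for virtualization-based security". If the intent behind the commit subject is that health attestation no longer requires a 2.0 part, say in the cell which versions qualify (for example "Trusted Platform Module (TPM) 1.2 or 2.0"); if some features in the topic still need 2.0, the row should say which, so a reader sizing hardware is not left guessing whether an older TPM passes. Since the commit message says this removes "two more references", a single sentence in the topic stating the supported TPM versions would keep later readers from assuming the omission is accidental.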
@@ -455,7 +455,7 @@ The device health attestation solution involves different components that are TP ### Trusted Platform Module -*It’s all about TPM 2.0 and endorsement certificates.* This section describes how PCRs (that contain system configuration data), endorsement key (EK) (that act as an identity card for TPM), SRK (that protect keys) and AIKs (that can report platform state) are used for health attestation reporting. +This section describes how PCRs (that contain system configuration data), endorsement key (EK) (that act as an identity card for TPM), SRK (that protect keys) and AIKs (that can report platform state) are used for health attestation reporting. In a simplified manner, the TPM is a passive component with limited resources. It can calculate random numbers, RSA keys, decrypt short data, store hashes taken when booting the device. From a82b87f5d15ad0780688a55d7764cdc1c40b2b69 Mon Sep 17 00:00:00 2001 From: jdeckerMS Date: Thu, 1 Dec 2016 11:52:55 -0800 Subject: [PATCH 8/8] add link --- .../implement-microsoft-passport-in-your-organization.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/keep-secure/implement-microsoft-passport-in-your-organization.md b/windows/keep-secure/implement-microsoft-passport-in-your-organization.md index 6bfc3d1c03..6f24db9595 100644 --- a/windows/keep-secure/implement-microsoft-passport-in-your-organization.md +++ b/windows/keep-secure/implement-microsoft-passport-in-your-organization.md 
@@ -22,7 +22,7 @@ You can create a Group Policy or mobile device management (MDM) policy that will >[!IMPORTANT] >The Group Policy setting **Turn on PIN sign-in** does not apply to Windows Hello for Business. Use the **Turn on PIN sign-in** setting to allow or deny the use of a convenience PIN for Windows 10, versions 1507, 1511, and 1607. > ->Beginning in version 1607, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN for Windows 10, version 1607, enable the Group Policy setting **Turn on convenience PIN sign-in**. +>Beginning in version 1607, Windows Hello as a convenience PIN is disabled by default on all domain-joined computers. To enable a convenience PIN for Windows 10, version 1607, enable the Group Policy setting **Turn on convenience PIN sign-in**. Learn more in the blog post [Changes to Convenience PIN/Windows Hello Behavior in Windows 10, version 1607](https://blogs.technet.microsoft.com/ash/2016/08/13/changes-to-convenience-pin-and-thus-windows-hello-behaviour-in-windows-10-version-1607/). > >Use **Windows Hello for Business** policy settings to manage PINs for Windows Hello for Business.
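Review bot: Patches 1/8 and 5/8 both edit the same NOTE in configure-endpoints-sccm-windows-defender-advanced-threat-protection.md, with 5/8 rewriting the wording 1/8 introduces; squash them so the history does not carry the intermediate text ("Onboarding couldn't be completed during OOBE") that is replaced a few commits later.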
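Review bot: The added note in windows-defender-block-at-first-sight.md has a subject-verb error and mixes terms: "The Block at first sight feature only use the cloud protection backend" should read "only uses", and the note switches from "executable files" to "the EXE file" within two sentences. Suggest: "> The Block at first sight feature only uses the cloud protection backend for executable files that are downloaded from the Internet or originate from the Internet zone. The file's hash is checked against the cloud backend to determine whether it is a previously unseen file." Because this is a hash lookup, it is worth stating that any byte-level change to a binary makes it a new file to the backend, which is exactly the case the following lock-and-upload paragraph handles.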
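Review bot: The second hunk in patch 3/8 (implement-microsoft-passport-in-your-organization.md) fixes the missing newline at end of file but keeps a whitespace-only final line ("+  "); remove the trailing spaces rather than only terminating the line, otherwise a whitespace linter will flag the same line again.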
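Review bot: The rewritten IMPORTANT note in patch 4/8 now tells readers to use **Turn on PIN sign-in** for the convenience PIN on version 1607, while the unchanged next line tells them to enable **Turn on convenience PIN sign-in** for 1607. A reader cannot tell whether these are two settings or one setting under two names; if the second is the 1607 name of the first, say so in the note, for example "On Windows 10, version 1607, this setting is named **Turn on convenience PIN sign-in**." Also, "allow or deny the use of a convenience PIN" reads as a runtime permission, whereas the wording it replaces ("prevents or enables the creation of") was more precise about what the policy actually controls.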
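Review bot: "Onboarding couldn't be completed during Out-Of-Box Experience (OOBE)" in patch 5/8 still reads as a past-tense report of one failure rather than a standing limitation; use "cannot". Suggest: "> Onboarding cannot be completed during the Out-of-Box Experience (OOBE). Make sure users complete OOBE after Windows installation or upgrade before the onboarding package is deployed." It would also help admins to say what a deployment to a collection containing devices still in OOBE looks like in the Configuration Manager status, so the failure is recognizable. The hunk's "- " / "+ " pair appears to swap one blank line for another; if the difference is trailing whitespace, drop it rather than re-adding it.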
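Review bot: The minimum script version in patch 6/8 moves from 11.30.16 to 11.11.16, which loosens the requirement: if the version string is date-based, 11.11.16 precedes 11.30.16, and 11.30.16 is the day before this commit. Confirm which version actually introduced the behaviour the following guidance describes; if 11.30.16 was a typo, say so in the commit message, and if the guidance depends on the later build, keep 11.30.16. Both lines point at the same Download Center fwlink, so readers cannot check the version from the link itself; consider stating where the script reports its version.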
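Review bot: The surviving sentence in the Trusted Platform Module section (second hunk of patch 7/8) carries over agreement errors: "endorsement key (EK) (that act as an identity card for TPM)" and "SRK (that protect keys)" should be "acts" and "protects", and the nested parentheses are hard to read. Suggest: "This section describes how PCRs (which hold system configuration measurements), the endorsement key (EK, which identifies the TPM), the storage root key (SRK, which protects other keys) and AIKs (which report platform state) are used for health attestation reporting." The unchanged next line also says the TPM "can calculate random numbers, RSA keys"; "generate" is the right verb for both.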
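Review bot: The sentence added in patch 8/8 links out to a blog post for the 1607 behaviour change, but the IMPORTANT box is where readers will look for that change, and the box still names two different policies (**Turn on PIN sign-in** in the previous line, **Turn on convenience PIN sign-in** here) without saying how they relate. Put a one-sentence summary of what changed in 1607 in the note itself and keep the blog link as a pointer, so the guidance does not depend on an external blog staying online. Minor: the link text says "Behavior" while the post slug says "behaviour"; match the post's actual title.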