from master

This commit is contained in:
Joey Caparas
2018-10-16 15:21:37 -07:00
153 changed files with 1233 additions and 808 deletions

View File

@ -131,7 +131,7 @@ In the Windows 10, version 1703, the PIN complexity Group Policy settings have m
## Review
Before you continue with the deployment, validate your deployment progress by reviewing the following items:
* Confirm you authored Group Policy settings using the latest ADMX/ADML files (from the Widows 10 Creators Editions)
* Confirm you authored Group Policy settings using the latest ADMX/ADML files (from the Windows 10 Creators Editions)
* Confirm you configured the Enable Windows Hello for Business to the scope that matches your deployment (Computer vs. User)
* Confirm you configure the Use Certificate enrollment for on-premises authentication policy setting.
* Confirm you configure automatic certificate enrollment to the scope that matches your deployment (Computer vs. User)
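Review bot: The Widows/Windows typo fix is right, but "Windows 10 Creators Editions" on the same line is not the product name; version 1703, which the hunk header refers to, shipped as the Windows 10 Creators Update, so the ADMX/ADML source should read "from the Windows 10 Creators Update". The unchanged bullets below also switch tense ("Confirm you configure ...") against the first two ("Confirm you configured ..."), and "the Enable Windows Hello for Business" is missing "policy setting"; worth fixing while the list is being touched.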

View File

@ -104,7 +104,7 @@ In the Windows 10, version 1703, the PIN complexity Group Policy settings have m
## Review
Before you continue with the deployment, validate your deployment progress by reviewing the following items:
* Confirm you authored Group Policy settings using the latest ADMX/ADML files (from the Widows 10 Creators Editions)
* Confirm you authored Group Policy settings using the latest ADMX/ADML files (from the Windows 10 Creators Editions)
* Confirm you configured the Enable Windows Hello for Business to the scope that matches your deployment (Computer vs. User)
* Confirm you configure the Use Certificate enrollment for on-premises authentication policy setting.
* Confirm you configure automatic certificate enrollment to the scope that matches your deployment (Computer vs. User)
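Review bot: This is the same review checklist duplicated from the previous file, so the same points apply here: "Creators Editions" should be "Creators Update", and the last three bullets should use "configured" to match the first two. If the two deployment guides are meant to stay identical, a shared include would keep them from drifting.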

View File

@ -48,7 +48,7 @@
### [How to collect WIP audit event logs](windows-information-protection\collect-wip-audit-event-logs.md)
### [General guidance and best practices for WIP](windows-information-protection\guidance-and-best-practices-wip.md)
#### [Enlightened apps for use with WIP](windows-information-protection\enlightened-microsoft-apps-and-wip.md)
#### [Unenlightened and enlightened app behavior while using WI)](windows-information-protection\app-behavior-with-wip.md)
#### [Unenlightened and enlightened app behavior while using WIP](windows-information-protection\app-behavior-with-wip.md)
#### [Recommended Enterprise Cloud Resources and Neutral Resources network settings with WIP](windows-information-protection\recommended-network-definitions-for-wip.md)
#### [Using Outlook Web Access with WIP](windows-information-protection\using-owa-with-wip.md)
### [Fine-tune WIP Learning](windows-information-protection\wip-learning.md)

View File

@ -6,7 +6,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: brianlic-msft
ms.date: 09/17/2018
ms.date: 10/10/2018
---
# Information protection
@ -16,7 +16,7 @@ Learn more about how to secure documents and other data across your organization
| Section | Description |
|-|-|
| [BitLocker](bitlocker/bitlocker-overview.md)| Provides information about BitLocker, which is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. |
| [Encrypted Hard Drive](bitlocker/bitlocker-overview.md)| Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management. |
| [Encrypted Hard Drive](encrypted-hard-drive.md)| Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management. |
| [Kernel DMA Protection for Thunderbolt™ 3](kernel-dma-protection-for-thunderbolt.md)| Kernel DMA Protection protects PCs against drive-by Direct Memory Access (DMA) attacks using PCI hot plug devices connected to Thunderbolt™ 3 ports. |
| [Protect your enterprise data using Windows Information Protection (WIP)](windows-information-protection/protect-enterprise-data-using-wip.md)|Provides info about how to create a Windows Information Protection policy that can help protect against potential corporate data leakage.|
| [Secure the Windows 10 boot process](secure-the-windows-10-boot-process.md)| Windows 10 supports features to help prevent rootkits and bootkits from loading during the startup process. |

View File

@ -19,7 +19,7 @@ Drive-by DMA attacks can lead to disclosure of sensitive information residing on
This feature does not protect against DMA attacks via 1394/FireWire, PCMCIA, CardBus, ExpressCard, and so on.
For Thunderbolt DMA protection on earlier Windows versions and other platforms that lack support for Kernel DMA Protection, please refer to Intel documentation.
For Thunderbolt DMA protection on earlier Windows versions and other platforms that lack support for Kernel DMA Protection, please refer to [Intel Thunderbolt™ 3 Security documentation](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf).
## Background
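Review bot: The link text for this URL is inconsistent within the file: here it is "Intel Thunderbolt™ 3 Security documentation", while the same PDF is cited two hunks later as "Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating system". Use the document's title in both places. Since this is a third-party PDF on thunderbolttechnology.net rather than a docs.microsoft.com page, it is also worth a periodic link check.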
@ -75,12 +75,14 @@ Systems running Windows 10 version 1803 that do support Kernel DMA Protection do
- Turn on Intel Virtualization Technology.
- Turn on Intel Virtualization Technology for I/O (VT-d). In Windows 10 version 1803, only Intel VT-d is supported. Other platforms can use DMA attack mitigations described in [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md).
- Reboot system into Windows 10.
4. If the state of **Kernel DMA Protection** remains Off, then the system does not support this feature.
4. If the state of **Kernel DMA Protection** remains Off, then the system does not support this feature.
For systems that do not support Kernel DMA Protection, please refer to the [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md) or [Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating system](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf) for other means of DMA protection.
## Frequently asked questions
### Do in-market systems support Kernel DMA Protection for Thunderbolt™ 3?
In market systems, released with Windows 10 version 1709 or earlier, will not support Kernel DMA Protection for Thunderbolt™ 3 after upgrading to Windows 10 version 1803, as this feature requires the BIOS/platform firmware changes and guarantees.
In market systems, released with Windows 10 version 1709 or earlier, will not support Kernel DMA Protection for Thunderbolt™ 3 after upgrading to Windows 10 version 1803, as this feature requires the BIOS/platform firmware changes and guarantees. For these systems, please refer to the [BitLocker countermeasures](bitlocker/bitlocker-countermeasures.md) or [Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating system](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf) for other means of DMA protection.
### Does Kernel DMA Protection prevent drive-by DMA attacks during Boot?
No, Kernel DMA Protection only protects against drive-by DMA attacks after the OS is loaded. It is the responsibility of the system firmware/BIOS to protect against attacks via the Thunderbolt™ 3 ports during boot.
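Review bot: The sentence added after step 4 ("For systems that do not support Kernel DMA Protection, please refer to ...") is repeated word for word as the second sentence of the first FAQ answer; keep it once and let the FAQ answer point back to the procedure. In the FAQ, "In market systems" should be hyphenated ("In-market systems"). The two step-4 lines look identical, so that change is presumably whitespace only; confirm the added sentence is separated from the numbered list so it does not render as part of step 4.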

View File

@ -75,7 +75,7 @@ The adoption of new authentication technology requires that identity providers a
Identity providers have flexibility in how they provision credentials on client devices. For example, an organization might provision only those devices that have a TPM so that the organization knows that a TPM protects the credentials. The ability to distinguish a TPM from malware acting like a TPM requires the following TPM capabilities (see Figure 1):
**Endorsement key**. The TPM manufacturer can create a special key in the TPM called an *endorsement key*. An endorsement key certificate, signed by the manufacturer, says that the endorsement key is present in a TPM that that manufacturer made. Solutions can use the certificate with the TPM containing the endorsement key to confirm a scenario really involves a TPM from a specific TPM manufacturer (instead of malware acting like a TPM.
**Endorsement key**. The TPM manufacturer can create a special key in the TPM called an *endorsement key*. An endorsement key certificate, signed by the manufacturer, says that the endorsement key is present in a TPM that the manufacturer made. Solutions can use the certificate with the TPM containing the endorsement key to confirm a scenario really involves a TPM from a specific TPM manufacturer (instead of malware acting like a TPM.
**Attestation identity key**. To protect privacy, most TPM scenarios do not directly use an actual endorsement key. Instead, they use attestation identity keys, and an identity certificate authority (CA) uses the endorsement key and its certificate to prove that one or more attestation identity keys actually exist in a real TPM. The identity CA issues attestation identity key certificates. More than one identity CA will generally see the same endorsement key certificate that can uniquely identify the TPM, but any number of attestation identity key certificates can be created to limit the information shared in other scenarios.
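Review bot: "that that" to "that the" is correct, but the sentence still ends with an unclosed parenthesis: "(instead of malware acting like a TPM." needs a closing ")" after "TPM". Worth fixing in the same line.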

View File

@ -136,4 +136,4 @@ This table includes info about how enlightened apps might behave, based on your
</table>
>[!NOTE]
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
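Review bot: This link-text rename (the URL is unchanged) is repeated in about a dozen files in this commit. If the docs build supports includes, moving the contributor note into one shared fragment would avoid a multi-file edit the next time the wording changes; otherwise a grep for "Contributing to TechNet content" before merging would confirm no copies were missed.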

View File

@ -70,4 +70,4 @@ After youve created your VPN policy, you'll need to deploy it to the same gro
![Microsoft Intune: Pick your user groups that should get the policy when it's deployed](images/wip-azure-add-user-groups.png)
>[!NOTE]
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).

View File

@ -113,7 +113,7 @@ The final step to making your VPN configuration work with WIP, is to link your t
>[!NOTE]
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).

View File

@ -546,4 +546,4 @@ Optionally, if you dont want everyone in your organization to be able to shar
- [Azure RMS Documentation Update for May 2016](https://blogs.technet.microsoft.com/enterprisemobility/2016/05/31/azure-rms-documentation-update-for-may-2016/)
>[!NOTE]
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).

View File

@ -476,4 +476,4 @@ After you've decided where your protected apps can access enterprise data on you
- [What is Azure Rights Management?]( https://docs.microsoft.com/information-protection/understand-explore/what-is-azure-rms)
>[!NOTE]
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).

View File

@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: security
author: justinha
ms.localizationpriority: medium
ms.date: 09/11/2017
ms.date: 10/15/2018
---
# Deploy your Windows Information Protection (WIP) policy using the Azure portal for Microsoft Intune
@ -22,19 +22,17 @@ After youve created your Windows Information Protection (WIP) policy, you'll
**To deploy your WIP policy**
1. On the **App policy** pane, click your newly-created policy, click **User groups** from the menu that appears, and then click **Add user group**.
A list of user groups, made up of all of the security groups in your Azure Active Directory, appear in the **Add user group** pane.
1. On the **App protection policies** pane, click your newly-created policy, click **Assignments**, and then select groups to include or exclude from the policy.
2. Choose the group you want your policy to apply to, and then click **Select** to deploy the policy.
The policy is deployed to the selected users' devices.
The policy is deployed to the selected users' devices.
![Microsoft Intune: Pick your user groups that should get the policy when it's deployed](images/wip-azure-add-user-groups.png)
![Microsoft Intune: Pick your user groups that should get the policy when it's deployed](images/wip-azure-add-user-groups.png)
>[!NOTE]
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
## Related topics
- [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md)
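Review bot: The new step 1 ends with "select groups to include or exclude from the policy", and the unchanged step 2 then says "Choose the group you want your policy to apply to, and then click Select"; as written the reader selects groups twice. Either fold step 2 into step 1 or rewrite step 2 as the confirmation action only. The screenshot alt text still describes picking "user groups" on the old Add user group pane; if the image was re-captured for the Assignments pane, update the alt text to match.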

View File

@ -35,7 +35,7 @@ The added people move to the **Selected Groups** list on the right-hand pane.
The policy is deployed to the selected users' devices.
>[!NOTE]
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
## Related topics
- [Create a Windows Information Protection (WIP) policy using Microsoft Intune](create-wip-policy-using-intune.md)

View File

@ -9,7 +9,7 @@ ms.sitesec: library
ms.pagetype: security
author: justinha
ms.localizationpriority: medium
ms.date: 10/05/2018
ms.date: 10/11/2018
---
# List of enlightened Microsoft apps for use with Windows Information Protection (WIP)
@ -32,7 +32,7 @@ Apps can be enlightened or unenlightened:
- Windows **Save As** experiences only allow you to save your files as enterprise.
- **WIP-work only apps** are unenlightened line-of-business apps that have been tested and deemed safe for use in an enterprise with WIP and Mobile App Management (MAM) solutions.
- **WIP-work only apps** are unenlightened line-of-business apps that have been tested and deemed safe for use in an enterprise with WIP and Mobile App Management (MAM) solutions without device enrollment. Unenlightened apps that are targeted by WIP without enrollment run under personal mode.
## List of enlightened Microsoft apps
Microsoft has made a concerted effort to enlighten several of our more popular apps, including the following:
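Review bot: The added sentence "Unenlightened apps that are targeted by WIP without enrollment run under personal mode" does not say what personal mode means for the reader: whether such an app can open work-protected files and whether what it saves is treated as personal (unprotected) data. Since this bullet is the one place the page explains WIP-work only apps, spell out the consequence in one sentence rather than leaving the mode name undefined.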
@ -97,4 +97,4 @@ You can add any or all of the enlightened Microsoft apps to your allowed apps li
>[!NOTE]
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).

View File

@ -29,4 +29,4 @@ This section includes info about the enlightened Microsoft apps, including how t
|[Using Outlook on the web with Windows Information Protection (WIP)](using-owa-with-wip.md) |Options for using Outlook on the web with Windows Information Protection (WIP). |
>[!NOTE]
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).

View File

@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: security
author: justinha
ms.localizationpriority: medium
ms.date: 10/04/2018
ms.date: 10/12/2018
---
# How Windows Information Protection protects files with a sensitivity label
@ -29,7 +29,7 @@ Microsoft information protection technologies include:
- [Windows Information Protection (WIP)](protect-enterprise-data-using-wip.md) is built in to Windows 10 and protects data at rest on endpoint devices, and manages apps to protect data in use.
- [Office 365 Information Protection](https://docs.microsoft.com/office365/securitycompliance/office-365-info-protection-for-gdpr-overview) is a solution to classify, protect, and monitor personal data in Office 365 and other Software-as-a-Service (SaaS) apps.
- [Office 365 Information Protection](https://docs.microsoft.com/office365/securitycompliance/office-365-info-protection-for-gdpr-overview) is a solution to classify, protect, and monitor personal data in Office 365 and other first-party or third-party Software-as-a-Service (SaaS) apps.
- [Azure Information Protection](https://docs.microsoft.com/azure/information-protection/what-is-information-protection) is a cloud-based solution that can be purchased either standalone or as part of Microsoft 365 Enterprise. It helps an organization classify and protect its documents and emails by applying labels. End users can choose and apply sensitivity labels from a bar that appears below the ribbon in Office apps:
@ -50,7 +50,7 @@ For more information about labels, see [Overview of labels](https://docs.microso
## Use cases
This sections covers how WIP works with sensitivity labels in specific use cases.
This section covers how WIP works with sensitivity labels in specific use cases.
### User downloads from or creates a document on a work site
@ -60,7 +60,7 @@ If the document also has a sensitivity label, which can be Office or PDF files,
### User downloads a confidential Office or PDF document from a personal site
Windows Defender ATP scans for any file that gets modified or created, including files that were created on a personal site.
Windows Defender Advanced Threat Protection (Windows Defender ATP) scans for any file that gets modified or created, including files that were created on a personal site.
If the file has a sensitivity label, the corresponding WIP protection gets applied even though the file came from a personal site.
For example:
@ -74,9 +74,11 @@ The PDF file doesn't need any work context beyond the sensitivity label.
## Prerequisites
- Windows 10, version 1809
- [Windows Defender Advanced Threat Protection (WDATP)](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection) scans content for a label and applies corresponding WIP protection
- [Windows Defender ATP](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection) scans content for a label and applies corresponding WIP protection
- [Sensitivity labels](https://docs.microsoft.com/office365/securitycompliance/labels) need to be configured in the Office 365 Security & Compliance Center
- [WIP policy](create-wip-policy-using-intune-azure.md) needs to be applied to endpoint devices.
- WIP policy needs to be applied to endpoint devices by using [Intune](create-wip-policy-using-intune-azure.md) or [System Center Configuration Manager (SCCM)](overview-create-wip-policy-sccm.md).
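Review bot: The Windows Defender ATP bullet says it "scans content for a label" but does not say whether the device must be onboarded to the Windows Defender ATP service for this to work or whether the local sensor alone suffices; that is the prerequisite an admin actually has to meet, so state it. Also, only the last bullet ends with a period; make the list consistent.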


View File

@ -33,4 +33,4 @@ This list provides all of the tasks and settings that are required for the opera
>[!NOTE]
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).

View File

@ -147,4 +147,4 @@ After deciding to use WIP in your enterprise, you need to:
>[!NOTE]
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).

View File

@ -170,4 +170,4 @@ You can try any of the processes included in these scenarios, but you should foc
</table>
>[!NOTE]
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).

View File

@ -8,9 +8,10 @@ ms.prod: w10
ms.mktglfcycl:
ms.sitesec: library
ms.pagetype: security
author: coreyp-at-msft
author: justinha
ms.author: justinha
ms.localizationpriority: medium
ms.date: 08/08/2018
ms.date: 10/15/2018
---
# Fine-tune Windows Information Protection (WIP) with WIP Learning
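Review bot: ms.author is added here, but the other front-matter hunks in this commit (the deploy-WIP-policy and sensitivity-label topics) carry only author; pick one convention across the WIP topics, ideally the one the docs build requires.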
@ -27,19 +28,17 @@ In the **Website learning report**, you can view a summary of the devices that h
## Access the WIP Learning reports
1. Open the [Azure portal](http://portal.azure.com/). Choose **All services**. Type **Intune** in the text box filter.
1. Open the [Azure portal](http://portal.azure.com/).
2. Choose **Intune** > **Mobile Apps**.
1. Click **All services**, type **Intune** in the text box filter, and click the star to add it to **Favorites**.
3. Choose **App protection status**.
1. Click **Intune** > **Client apps** > **App protection status** > **Reports**.
4. Choose **Reports**.
![Image showing the UI path to the WIP report](images/access-wip-learning-report.png)
![Image showing the UI path to the WIP report](images/access-wip-learning-report.png)
1. Select either **App learning report for Windows Information Protection** or **Website learning report for Windows Information Protection**.
5. Finally, select either **App learning report for Windows Information Protection**, or **Website learning report for Windows Information Protection**.
![Image showing the UI with for app and website learning reports](images/wip-learning-select-report.png)
![Image showing the UI with for app and website learning reports](images/wip-learning-select-report.png)
Once you have the apps and websites showing up in the WIP Learning logging reports, you can decide whether to add them to your app protection policies. Next, we'll look at how to do that in Operations Management Suite (OMS).
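Review bot: The rewritten steps all use "1." as the list marker, which is fine for markdown auto-numbering, but the new step 2 (pin Intune to Favorites) is a convenience rather than part of the path to the report and could be dropped or marked optional. The closing sentence still hands off to Operations Management Suite (OMS) for the next section; if the portal path was refreshed here, confirm the OMS steps that follow were checked against the current portal as well.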
@ -98,4 +97,4 @@ Here, you can copy the **WipAppid** and use it to adjust your WIP protection pol
When working with WIP-enabled apps and WIP-unknown apps, it is recommended that you start with **Silent** or **Allow overrides** while verifying with a small group that you have the right apps on your allowed apps list. After you're done, you can change to your final enforcement policy, **Block**. For more information about WIP modes, see: [Protect enterprise data using WIP: WIP-modes](protect-enterprise-data-using-wip.md#bkmk-modes)
>[!NOTE]
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
>Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).

View File

@ -17,10 +17,6 @@
#### [Endpoint detection and response](windows-defender-atp/overview-endpoint-detection-response.md)
##### [Security operations dashboard](windows-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection.md)
##### [Incidents queue](windows-defender-atp/incidents-queue.md)
###### [View and organize the Incidents queue](windows-defender-atp/view-incidents-queue.md)
###### [Manage incidents](windows-defender-atp/manage-incidents-windows-defender-advanced-threat-protection.md)
###### [Investigate incidents](windows-defender-atp/investigate-incidents-windows-defender-advanced-threat-protection.md)
@ -551,10 +547,10 @@
#### [Software developer FAQ](intelligence/developer-faq.md)
#### [Software developer resources](intelligence/developer-resources.md)
## Certifications
## Windows Certifications
### [FIPS 140 Validation](fips-140-validation.md)
### [Windows Platform Common Criteria Certification](windows-platform-common-criteria.md)
### [FIPS 140 Validations](fips-140-validation.md)
### [Common Criteria Certifications](windows-platform-common-criteria.md)
## More Windows 10 security
@ -612,6 +608,7 @@
##### [Planning and deploying advanced security audit policies](auditing/planning-and-deploying-advanced-security-audit-policies.md)
##### [Advanced security auditing FAQ](auditing/advanced-security-auditing-faq.md)
###### [Which editions of Windows support advanced audit policy configuration](auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md)
###### [How to list XML elements in <EventData>](auditing/how-to-list-xml-elements-in-eventdata.md)
###### [Using advanced security auditing options to monitor dynamic access control objects](auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md)
####### [Monitor the central access policies that apply on a file server](auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md)
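Review bot: The new TOC entry title contains a literal <EventData>; in markdown an unescaped angle-bracket token can be parsed as an HTML tag and dropped from the rendered link text. Write it as `EventData` in backticks or escape it as &lt;EventData&gt;, and make the new topic's title and H1 use the same form.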
@ -650,7 +647,7 @@
####### [Event 4752 S: A member was removed from a security-disabled global group.](auditing/event-4752.md)
####### [Event 4753 S: A security-disabled global group was deleted.](auditing/event-4753.md)
###### [Audit Other Account Management Events](auditing/audit-other-account-management-events.md)
####### [Event 4782 S: The password hash an account was accessed.](auditing/event-4782.md)
####### [Event 4782 S: The password hash of an account was accessed.](auditing/event-4782.md)
####### [Event 4793 S: The Password Policy Checking API was called.](auditing/event-4793.md)
###### [Audit Security Group Management](auditing/audit-security-group-management.md)
####### [Event 4731 S: A security-enabled local group was created.](auditing/event-4731.md)

View File

@ -30,13 +30,13 @@ This subcategory allows you to audit next events:
| Computer Type | General Success | General Failure | Stronger Success | Stronger Failure | Comments |
|-------------------|-----------------|-----------------|------------------|------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| Domain Controller | Yes | No | Yes | No | The only reason to enable Success auditing on domain controllers is to monitor “[4782](event-4782.md)(S): The password hash an account was accessed.”<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Domain Controller | Yes | No | Yes | No | The only reason to enable Success auditing on domain controllers is to monitor “[4782](event-4782.md)(S): The password hash of an account was accessed.”<br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Member Server | No | No | No | No | The only event which is generated on Member Servers is “[4793](event-4793.md)(S): The Password Policy Checking API was called.”, this event is a typical information event with little to no security relevance. <br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
| Workstation | No | No | No | No | The only event which is generated on Workstations is “[4793](event-4793.md)(S): The Password Policy Checking API was called.”, this event is a typical information event with little to no security relevance. <br>This subcategory doesnt have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
**Events List:**
- [4782](event-4782.md)(S): The password hash an account was accessed.
- [4782](event-4782.md)(S): The password hash of an account was accessed.
- [4793](event-4793.md)(S): The Password Policy Checking API was called.

View File

@ -23,7 +23,7 @@ ms.date: 04/19/2017
***Event Description:***
This event is generated when a user reconnects to an existing Terminal Services session, or when a user switches to an existing desktop using [Fast User Switching](https://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/fast_user_switching.mspx?mfr=true).
This event is generated when a user reconnects to an existing Terminal Services session, or when a user switches to an existing desktop using [Fast User Switching](https://docs.microsoft.com/en-us/windows-hardware/drivers/display/fast-user-switching).
This event also generates when user reconnects to virtual host Hyper-V Enhanced Session, for example.
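Review bot: the new link in the second line points under docs.microsoft.com/en-us/windows-hardware/drivers/display/, which from its path is the display-driver documentation; confirm that is the intended reference for readers of an audit-event topic before retiring the mspx page. The following context line, "This event also generates when user reconnects to virtual host Hyper-V Enhanced Session, for example.", is missing articles and should read "This event is also generated when a user reconnects to a Hyper-V Enhanced Session on a virtual host, for example."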

View File

@ -1,6 +1,6 @@
---
title: 4782(S) The password hash an account was accessed. (Windows 10)
description: Describes security event 4782(S) The password hash an account was accessed.
title: 4782(S) The password hash of an account was accessed. (Windows 10)
description: Describes security event 4782(S) The password hash of an account was accessed.
ms.pagetype: security
ms.prod: w10
ms.mktglfcycl: deploy
@ -10,7 +10,7 @@ author: Mir0sh
ms.date: 04/19/2017
---
# 4782(S): The password hash an account was accessed.
# 4782(S): The password hash of an account was accessed.
**Applies to**
- Windows 10
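Review bot: the heading text changes in this hunk but the ms.date line just above it stays at 04/19/2017, while the same commit bumps ms.date to 10/11/2018 in the Account Lockout Policy topic for a comparably small change; apply the same convention here so the published page reflects the edit.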
@ -108,7 +108,7 @@ Typically **“Subject\\Security ID”** is the SYSTEM account.
## Security Monitoring Recommendations
For 4782(S): The password hash an account was accessed.
For 4782(S): The password hash of an account was accessed.
- Monitor for all events of this type, because any actions with accounts password hashes should be planned. If this action was not planned, investigate the reason for the change.
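Review bot: the unchanged recommendation line reads "any actions with accounts password hashes should be planned"; it needs the possessive, "accounts' password hashes". Consider also stating the reason the bullet implies: access to an account's stored hash is rare in normal operation, so every unplanned instance should be investigated, not only the "change" the second sentence refers to.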

View File

@ -0,0 +1,84 @@
---
title: How to get a list of XML elements in <EventData> (Windows 10)
description: This reference topic for the IT professional explains how to use PowerShell to get a list of XML elements that can appear in <EventData>.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: tedhardyMSFT
ms.date: 10/15/2018
---
# How to get a list of XML elements in EventData
**Applies to**
- Windows 10
The Security log uses a manifest where you can get all of the event schema.
Run the following from an elevated PowerShell prompt:
```powershell
$secEvents = get-winevent -listprovider "microsoft-windows-security-auditing"
```
The .events property is a collection of all of the events listed in the manifest on the local machine.
For each event, there is a .Template property for the XML template used for the event properties (if there are any).
For example:
```powershell
PS C:\WINDOWS\system32> $SecEvents.events[100]
Id : 4734
Version : 0
LogLink : System.Diagnostics.Eventing.Reader.EventLogLink
Level : System.Diagnostics.Eventing.Reader.EventLevel
Opcode : System.Diagnostics.Eventing.Reader.EventOpcode
Task : System.Diagnostics.Eventing.Reader.EventTask
Keywords : {}
Template : <template xmlns="http://schemas.microsoft.com/win/2004/08/events">
<data name="TargetUserName" inType="win:UnicodeString" outType="xs:string"/>
<data name="TargetDomainName" inType="win:UnicodeString" outType="xs:string"/>
<data name="TargetSid" inType="win:SID" outType="xs:string"/>
<data name="SubjectUserSid" inType="win:SID" outType="xs:string"/>
<data name="SubjectUserName" inType="win:UnicodeString" outType="xs:string"/>
<data name="SubjectDomainName" inType="win:UnicodeString" outType="xs:string"/>
<data name="SubjectLogonId" inType="win:HexInt64" outType="win:HexInt64"/>
<data name="PrivilegeList" inType="win:UnicodeString" outType="xs:string"/>
</template>
Description : A security-enabled local group was deleted.
Subject:
Security ID: %4
Account Name: %5
Account Domain: %6
Logon ID: %7
Group:
Security ID: %3
Group Name: %1
Group Domain: %2
Additional Information:
Privileges: %8
PS C:\WINDOWS\system32> $SecEvents.events[100].Template
<template xmlns="http://schemas.microsoft.com/win/2004/08/events">
<data name="TargetUserName" inType="win:UnicodeString" outType="xs:string"/>
<data name="TargetDomainName" inType="win:UnicodeString" outType="xs:string"/>
<data name="TargetSid" inType="win:SID" outType="xs:string"/>
<data name="SubjectUserSid" inType="win:SID" outType="xs:string"/>
<data name="SubjectUserName" inType="win:UnicodeString" outType="xs:string"/>
<data name="SubjectDomainName" inType="win:UnicodeString" outType="xs:string"/>
<data name="SubjectLogonId" inType="win:HexInt64" outType="win:HexInt64"/>
<data name="PrivilegeList" inType="win:UnicodeString" outType="xs:string"/>
</template>
```
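Review bot: the walkthrough selects the event by array position, `$SecEvents.events[100]`, and presents the result as 4734, but the position of an event in the provider's manifest varies between OS builds, so readers on another build will see a different event. Select by ID instead, for example `$secEvents.Events | Where-Object { $_.Id -eq 4734 } | Select-Object -ExpandProperty Template`. Smaller points in the same file: the variable is declared as `$secEvents` and then used as `$SecEvents` (case-insensitive in PowerShell, but keep one spelling); the prose calls the properties ".events" and ".Template" while the output shows them as Events and Template; the H1 says "in EventData" while the front-matter title keeps the angle brackets "<EventData>"; and "Run the following from an elevated PowerShell prompt" should say why elevation is needed for a provider metadata query, or drop "elevated" if it is not.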

View File

@ -30,7 +30,7 @@ Windows Defender Advanced Threat Protection (Windows Defender ATP) is a unified
<a href="#apis"><center><b>Management and APIs</a></b></center></td>
</tr>
<tr>
<td colspan="6"><a href="#mtp"><center><b>Microsoft threat protection</a></center></b></td>
<td colspan="6"><a href="#mtp"><center><b>Microsoft Threat Protection</a></center></b></td>
</tr>
</table>
<br>
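Review bot: the edited cell keeps mis-nested HTML, `<a href="#mtp"><center><b>Microsoft Threat Protection</a></center></b>`, closing the anchor before the bold and center elements opened inside it; the Management and APIs cell two lines above has the same problem with `</a></b></center>`. Since the line is being changed anyway, nest the tags properly: `<center><b><a href="#mtp">Microsoft Threat Protection</a></b></center>`.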
@ -55,11 +55,12 @@ The attack surface reduction set of capabilities provide the first line of defen
**[Next generation protection](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)**<br>
To further reinforce the security perimeter of your network, Windows Defender ATP uses next generation protection designed to catch all types of emerging threats.
- [Windows Defender Antivirus](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)
- [Machine learning](windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
- [Behavior monitoring](/windows/security/threat-protection/windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus)
- [Cloud-based protection](/windows/security/threat-protection/windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus)
- [Machine learning](windows-defender-antivirus/utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
- [URL Protection](/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus)
- [Automated sandbox service](windows-defender-antivirus/configure-block-at-first-sight-windows-defender-antivirus.md)
<a name="edr"></a>
**[Endpoint protection and response](windows-defender-atp/overview-endpoint-detection-response.md)**<br>
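Review bot: the trailing context line is labelled "Endpoint protection and response" but links to overview-endpoint-detection-response.md; the capability is endpoint detection and response (EDR), so the label should say that. Moving the Machine learning bullet below Cloud-based protection is fine, but "designed to catch all types of emerging threats" in the introductory line is an absolute claim that should be softened.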
@ -111,8 +112,8 @@ Integrate Windows Defender Advanced Threat Protection into your existing workflo
<a name="mtp"></a>
**[Microsoft threat protection](windows-defender-atp/threat-protection-integration.md)** <br>
Bring the power of Microsoft threat protection to your organization.
**[Microsoft Threat Protection](windows-defender-atp/threat-protection-integration.md)** <br>
Bring the power of Microsoft threat protection to your organization. Windows Defender ATP is part of the Microsoft Threat Protection solution that helps implement end-to-end security across possible attack surfaces in the modern workplace.
- [Conditional access](windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md)
- [O365 ATP](windows-defender-atp/threat-protection-integration.md)
- [Azure ATP](windows-defender-atp/threat-protection-integration.md)
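Review bot: the heading is capitalized to "Microsoft Threat Protection" but the sentence directly under it still says "the power of Microsoft threat protection"; use one casing for the product name in both lines. Also, the O365 ATP and Azure ATP bullets both link to threat-protection-integration.md, the same page as the heading, so the list adds no navigation; point them at their own topics or drop the duplicate links.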

View File

@ -21,6 +21,8 @@ Safety Scanner only scans when manually triggered and is available for use 10 da
> **NOTE:** This tool does not replace your antimalware product. For real-time protection with automatic updates, use [Windows Defender Antivirus on Windows 10 and Windows 8](https://www.microsoft.com/en-us/windows/windows-defender) or [Microsoft Security Essentials on Windows 7](https://support.microsoft.com/en-us/help/14210/security-essentials-download). These antimalware products also provide powerful malware removal capabilities. If you are having difficulties removing malware with these products, you can refer to our help on [removing difficult threats](https://www.microsoft.com/en-us/wdsi/help/troubleshooting-infection).
> **NOTE:** Safety scanner is a portable executable and does not appear in the Windows Start menu or as an icon on the desktop. Note where you saved this download.
## System requirements
Safety Scanner helps remove malicious software from computers running Windows 10, Windows 10 Tech Preview, Windows 8.1, Windows 8, Windows 7, Windows Server 2016, Windows Server Tech Preview, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008. Please refer to the [Microsoft Lifecycle Policy](https://support.microsoft.com/en-us/lifecycle).
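Review bot: the added note spells the product "Safety scanner" while the surrounding text uses "Safety Scanner". Lead with the practical point as well: the tool is a portable executable with no installer, so it creates no Start menu entry or desktop icon and users must remember where they saved it. The system-requirements line in context still lists "Windows 10 Tech Preview" and "Windows Server Tech Preview", which are not current release names.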

View File

@ -17,6 +17,8 @@ Supply chain attacks are an emerging kind of threat that target software develop
## How supply chain attacks work
[!video https://www.youtube.com/embed/uXm2XNSavwo]
Attackers hunt for unsecure network protocols, unprotected server infrastructures, and unsafe coding practices. They break in, change source codes, and hide malware in build and update processes.
Because software is built and released by trusted vendors, these apps and updates are signed and certified. In software supply chain attacks, vendors are likely unaware that their apps or updates are infected with malicious code when theyre released to the public. The malicious code then runs with the same trust and permissions as the app.
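Review bot: the added line uses "unsecure" and "change source codes"; use "insecure" and "change source code". The context line that follows has "theyre" without its apostrophe. The new sentence lists three entry points (network protocols, server infrastructure, coding practices) and then jumps to code signing in the next paragraph; one connecting sentence would close the gap, namely that the vendor's signature attests to the build, so anything injected before signing inherits the same trust the paragraph describes.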

View File

@ -40,7 +40,7 @@ It is also important to keep the following in mind:
* Use [Microsoft Edge](https://www.microsoft.com/windows/microsoft-edge) when browsing the internet. It blocks known support scam sites using Windows Defender SmartScreen (which is also used by Internet Explorer). Furthermore, Microsoft Edge can stop pop-up dialogue loops used by these sites.
* Enable Enable [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) in Windows 10. It detects and removes known support scam malware.
* Enable [Windows Defender Antivirus](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10) in Windows 10. It detects and removes known support scam malware.
## What to do if information has been given to a tech support person
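Review bot: the fix removes the duplicated "Enable Enable"; the context line two above uses "pop-up dialogue loops", which in the UI sense should be "dialog", and the phrase "which is also used by Internet Explorer" in parentheses reads as an aside about SmartScreen that belongs in its own sentence.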
@ -60,4 +60,4 @@ Help Microsoft stop scammers, whether they claim to be from Microsoft or from an
**www.microsoft.com/reportascam**
You can also report any **unsafe website** that you suspect is a phishing website or contains malicious content directly to Microsoft by filling out a [Report an unsafe site form](https://www.microsoft.com/en-us/wdsi/support/report-unsafe-site) or using built in web browser functionality.
You can also report any **unsafe website** that you suspect is a phishing website or contains malicious content directly to Microsoft by filling out a [Report an unsafe site form](https://www.microsoft.com/en-us/wdsi/support/report-unsafe-site) or using built in web browser functionality.
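Review bot: the removed and added lines are identical as rendered, so this hunk is a whitespace or line-ending change only. If that is the intent it is fine, but both versions say "built in web browser functionality", which should be "built-in web browser functionality".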

View File

@ -8,7 +8,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: brianlic-msft
ms.date: 04/19/2017
ms.date: 10/11/2018
---
# Account Lockout Policy
@ -22,6 +22,9 @@ Someone who attempts to use more than a few unsuccessful passwords while trying
The following topics provide a discussion of each policy setting's implementation and best practices considerations, policy location, default values for the server type or Group Policy Object (GPO), relevant differences in operating system versions, and security considerations (including the possible vulnerabilities of each policy setting), countermeasures that you can implement, and the potential impact of implementing the countermeasures.
>[!NOTE]
>Account lockout settings for remote access clients can be configured separately by editing the Registry on the server that manages the remote access. For more information, see [How to configure remote access client account lockout](https://support.microsoft.com/help/816118/how-to-configure-remote-access-client-account-lockout-in-windows-serve).
## In this section
| Topic | Description |

View File

@ -84,11 +84,11 @@ A user who is assigned this user right could increase the scheduling priority of
### Countermeasure
Verify that only Administrators and and Window Manager/Window Manager Group have the **Increase scheduling priority** user right assigned to them.
Verify that only Administrators and Window Manager/Window Manager Group have the **Increase scheduling priority** user right assigned to them.
### Potential impact
None. Restricting the **Increase scheduling priority** user right to members of the Administrators group and and Window Manager/Window Manager Group is the default configuration.
None. Restricting the **Increase scheduling priority** user right to members of the Administrators group and Window Manager/Window Manager Group is the default configuration.
## Related topics

View File

@ -24,7 +24,7 @@ Application Guard uses both network isolation and application-specific settings.
These settings, located at **Computer Configuration\Administrative Templates\Network\Network Isolation**, help you define and manage your company's network boundaries. Application Guard uses this information to automatically transfer any requests to access the non-corporate resources into the Application Guard container.
>[!NOTE]
>You must configure either the Enterprise resource domains hosted in the cloud or Private network ranges for apps settings on your employee devices to successfully turn on Application Guard using enterprise mode.
>You must configure either the Enterprise resource domains hosted in the cloud or Private network ranges for apps settings on your employee devices to successfully turn on Application Guard using enterprise mode.
|Policy name|Supported versions|Description|
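Review bot: the removed and added note lines are identical as rendered, so this is a whitespace-only change; while touching it, mark the two policy names so they read as settings rather than running text, using the bold the topic already uses for setting paths: "either the **Enterprise resource domains hosted in the cloud** or **Private network ranges for apps** setting".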
@ -38,10 +38,13 @@ These settings, located at **Computer Configuration\Administrative Templates\Win
|Name|Supported versions|Description|Options|
|-----------|------------------|-----------|-------|
|Configure Windows Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher<br><br>Windows 10 Pro, 1803|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** Turns On the clipboard functionality and lets you choose whether to additionally:<ul><li>Disable the clipboard functionality completely when Virtualization Security is enabled.</li><li>Enable copying of certain content from Application Guard into Microsoft Edge.</li><li>Enable copying of certain content from Microsoft Edge into Application Guard.<br><br>**Important**<br>Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.</li></ul>**Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.|
|Configure Windows Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher<br><br>Windows 10 Pro, 1803|Determines whether Application Guard can use the print functionality.|**Enabled.** Turns On the print functionality and lets you choose whether to additionally:<ul><li>Enable Application Guard to print into the XPS format.</li><li>Enable Application Guard to print into the PDF format.</li><li>Enable Application Guard to print to locally attached printers.</li><li>Enable Application Guard to print from previously connected network printers. Employees can't search for additional printers.</ul>**Disabled or not configured.** Completely turns Off the print functionality for Application Guard.|
|Block enterprise websites to load non-enterprise content in IE and Edge|Windows 10 Enterprise, 1709 or higher<br><br>Windows 10 Pro, 1803|Determines whether to allow Internet access for apps not included on the **Allowed Apps** list.|**Enabled.** Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container.**Note** This may also block assets cached by CDNs and references to analytics sites. Please add them to the trusted enterprise resources to avoid broken pages.<br><br>**Disabled or not configured.** Allows Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard. |
|Allow Persistence|Windows 10 Enterprise, 1709 or higher<br><br>Windows 10 Pro, 1803|Determines whether data persists across different sessions in Windows Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.<br><br>**Disabled or not configured.** All user data within Application Guard is reset between sessions.<br><br>**Note**<br>If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.<br>**To reset the container:**<ol><li>Open a command-line program and navigate to Windows/System32.</li><li>Type `wdagtool.exe cleanup`.<br>The container environment is reset, retaining only the employee-generated data.</li><li>Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`.<br>The container environment is reset, including discarding all employee-generated data.</li></ol>|
|Configure Windows Defender Application Guard clipboard settings|Windows 10 Enterprise, 1709 or higher<br><br>Windows 10 Pro, 1803 or higher|Determines whether Application Guard can use the clipboard functionality.|**Enabled.** Turns On the clipboard functionality and lets you choose whether to additionally:<ul><li>Disable the clipboard functionality completely when Virtualization Security is enabled.</li><li>Enable copying of certain content from Application Guard into Microsoft Edge.</li><li>Enable copying of certain content from Microsoft Edge into Application Guard.<br><br>**Important**<br>Allowing copied content to go from Microsoft Edge into Application Guard can cause potential security risks and isn't recommended.</li></ul>**Disabled or not configured.** Completely turns Off the clipboard functionality for Application Guard.|
|Configure Windows Defender Application Guard print settings|Windows 10 Enterprise, 1709 or higher<br><br>Windows 10 Pro, 1803 or higher|Determines whether Application Guard can use the print functionality.|**Enabled.** Turns On the print functionality and lets you choose whether to additionally:<ul><li>Enable Application Guard to print into the XPS format.</li><li>Enable Application Guard to print into the PDF format.</li><li>Enable Application Guard to print to locally attached printers.</li><li>Enable Application Guard to print from previously connected network printers. Employees can't search for additional printers.</ul>**Disabled or not configured.** Completely turns Off the print functionality for Application Guard.|
|Block enterprise websites to load non-enterprise content in IE and Edge|Windows 10 Enterprise, 1709 or higher|Determines whether to allow Internet access for apps not included on the **Allowed Apps** list.|**Enabled.** Prevents network traffic from both Internet Explorer and Microsoft Edge to non-enterprise sites that can't render in the Application Guard container.**Note** This may also block assets cached by CDNs and references to analytics sites. Please add them to the trusted enterprise resources to avoid broken pages.<br><br>**Disabled or not configured.** Allows Microsoft Edge to render network traffic to non-enterprise sites that can't render in Application Guard. |
|Allow Persistence|Windows 10 Enterprise, 1709 or higher<br><br>Windows 10 Pro, 1803 or higher|Determines whether data persists across different sessions in Windows Defender Application Guard.|**Enabled.** Application Guard saves user-downloaded files and other items (such as, cookies, Favorites, and so on) for use in future Application Guard sessions.<br><br>**Disabled or not configured.** All user data within Application Guard is reset between sessions.<br><br>**Note**<br>If you later decide to stop supporting data persistence for your employees, you can use our Windows-provided utility to reset the container and to discard any personal data.<br>**To reset the container:**<ol><li>Open a command-line program and navigate to Windows/System32.</li><li>Type `wdagtool.exe cleanup`.<br>The container environment is reset, retaining only the employee-generated data.</li><li>Type `wdagtool.exe cleanup RESET_PERSISTENCE_LAYER`.<br>The container environment is reset, including discarding all employee-generated data.</li></ol>|
|Turn on Windows Defender Application Guard in Enterprise Mode|Windows 10 Enterprise, 1709 or higher|Determines whether to turn on Application Guard for Microsoft Edge.|**Enabled.** Turns on Application Guard for Microsoft Edge, honoring the network isolation settings, rendering non-enterprise domains in the Application Guard container. Be aware that Application Guard won't actually be turned On unless the required prerequisites and network isolation settings are already set on the device.<br><br>**Disabled.** Turns Off Application Guard, allowing all apps to run in Microsoft Edge.|
|Allow files to download to host operating system|Windows 10 Enterprise, 1803|Determines whether to save downloaded files to the host operating system from the Windows Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Windows Defender Application Guard container to the host operating system.<br><br>**Disabled or not configured.** Users are not able to saved downloaded files from Application Guard to the host operating system.|
|Allow hardware-accelerated rendering for Windows Defender Application Guard|Windows 10 Enterprise, version 1803<br><br>(experimental only)|Determines whether Windows Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** Windows Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Windows Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Windows Defender Application Guard will automatically revert to software-based (CPU) rendering.<br><br><ul>**Important**<br>Be aware that enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.<br><br></ul>**Disabled or not configured.** Windows Defender Application Guard uses software-based (CPU) rendering and wont load any third-party graphics drivers or interact with any connected graphics hardware.<br><br>**Note**<br>This is an experimental feature in Windows 10 Enterprise, version 1803 and will not function without the presence of an additional registry key provided by Microsoft. If you would like to evaluate this feature on deployments of Windows 10 Enterprise, version 1803, please contact Microsoft for further information.|
|Allow files to download to host operating system|Windows 10 Enterprise, 1803 or higher|Determines whether to save downloaded files to the host operating system from the Windows Defender Application Guard container.|**Enabled.** Allows users to save downloaded files from the Windows Defender Application Guard container to the host operating system.<br><br>**Disabled or not configured.** Users are not able to saved downloaded files from Application Guard to the host operating system.|
|Allow hardware-accelerated rendering for Windows Defender Application Guard|Windows 10 Enterprise, 1803 or higher<br><br>Windows 10 Pro, 1803 or higher|Determines whether Windows Defender Application Guard renders graphics using hardware or software acceleration.|**Enabled.** Windows Defender Application Guard uses Hyper-V to access supported, high-security rendering graphics hardware (GPUs). These GPUs improve rendering performance and battery life while using Windows Defender Application Guard, particularly for video playback and other graphics-intensive use cases. If this setting is enabled without connecting any high-security rendering graphics hardware, Windows Defender Application Guard will automatically revert to software-based (CPU) rendering.<br><br><ul>**Important**<br>Be aware that enabling this setting with potentially compromised graphics devices or drivers might pose a risk to the host device.<br><br></ul>**Disabled or not configured.** Windows Defender Application Guard uses software-based (CPU) rendering and wont load any third-party graphics drivers or interact with any connected graphics hardware.|
|Allow camera and microphone access in Windows Defender Application Guard|Windows 10 Enterprise, 1809 or higher<br><br>Windows 10 Pro, 1809 or higher|Determines whether to allow camera and microphone access inside Windows Defender Application Guard.|**Enabled.** Applications inside Windows Defender Application Guard are able to access the camera and microphone on the user's device.<br><br></ul>**Important**<br>Be aware that enabling this policy with a potentially compromised container could bypass camera and microphone permissions and access the camera and microphone without the user's knowledge.<br><br></ul>**Disabled or not configured.** Applications inside Windows Defender Application Guard are unable to access the camera and microphone on the user's device.|
|Allow Windows Defender Application Guard to use Root Certificate Authorities from users's device|Windows 10 Enterprise, 1809 or higher<br><br>Windows 10 Pro, 1809 or higher|Determines whether Root Certificates are shared with Windows Defender Application Guard.|**Enabled.** Certificates matching the specified thumbprint are transferred into the container. Multiple certificates can be specified by using a common to separate.<br><br></ul>**Disabled or not configured.** Certificates are not shared with Windows Defender Application Guard.<br><br>.|
|Allow users to trust files that open in Windows Defender Application Guard|Windows 10 Enterprise, 1809 or higher|Determines whether users are able to manually trust untrusted files to open them on the host.|**Enabled.** Users are able to manually trust files or trust files after an antivirus check.<br><br></ul>**Disabled or not configured.** Users are unable to manually trust files and files continue to open in Windows Defender Application Guard.|
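Review bot: several problems in the rewritten and added rows. The "Block enterprise websites to load non-enterprise content in IE and Edge" row loses its "Windows 10 Pro, 1803" entry while the neighbouring rows gain "1803 or higher"; confirm the drop is intentional rather than a copy error. The root certificate row says "by using a common to separate" (comma) and "from users's device" (user's), and its policy name differs from the testing-scenarios topic in this commit, which says "from the user's device". The camera/microphone and root certificate rows contain stray `</ul>` closing tags with no opening `<ul>`, and the hardware-accelerated rendering row wraps its Important note in `<ul>...</ul>` with no `<li>`, which indents it by accident; use the same **Important**<br> pattern as the clipboard row. The file download row still says "Users are not able to saved downloaded files", which should be "save".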



View File

@ -8,7 +8,7 @@ ms.pagetype: security
ms.localizationpriority: medium
author: justinha
ms.author: justinha
ms.date: 10/19/2017
ms.date: 10/16/2018
---
# Application Guard testing scenarios
@ -66,9 +66,9 @@ Before you can use Application Guard in enterprise mode, you must install Window
![Group Policy editor with Neutral resources setting](images/appguard-gp-network-isolation-neutral.png)
4. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Turn on Windows Defender Application Guard in Enterprise Mode** setting.
4. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Turn on Windows Defender Application Guard in Enterprise Mode** setting.
5. Click **Enabled**.
5. Click **Enabled** and click **OK**.
![Group Policy editor with Turn On/Off setting](images/appguard-gp-turn-on.png)
@ -104,10 +104,11 @@ You have the option to change each of these settings to work with your enterpris
- Windows 10 Enterpise edition, version 1709 or higher
- Windows 10 Professional edition, version 1803
**To change the copy and paste options**
1. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Configure Windows Defender Application Guard clipboard settings**.
#### Copy and paste options
2. Click **Enabled**.
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Configure Windows Defender Application Guard clipboard settings**.
2. Click **Enabled** and click **OK**.
![Group Policy editor clipboard options](images/appguard-gp-clipboard.png)
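Review bot: the Applies to lines in this hunk's context still read "Windows 10 Enterpise edition" (typo, repeated in later sections) and "Windows 10 Professional edition, version 1803", while the settings table in this same commit changes the clipboard policy to "Windows 10 Pro, 1803 or higher"; update the version text so the two topics agree.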
@ -129,10 +130,11 @@ You have the option to change each of these settings to work with your enterpris
5. Click **OK**.
**To change the print options**
1. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Configure Windows Defender Application Guard print** settings.
#### Print options
2. Click **Enabled**.
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Configure Windows Defender Application Guard print** settings.
2. Click **Enabled** and click **OK**.
![Group Policy editor Print options](images/appguard-gp-print.png)
@ -140,10 +142,11 @@ You have the option to change each of these settings to work with your enterpris
4. Click **OK**.
**To change the data persistence options**
1. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Allow data persistence for Windows Defender Application Guard** setting.
#### Data persistence options
2. Click **Enabled**.
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Allow data persistence for Windows Defender Application Guard** setting.
2. Click **Enabled** and click **OK**.
![Group Policy editor Data Persistence options](images/appguard-gp-persistence.png)
@ -164,10 +167,11 @@ You have the option to change each of these settings to work with your enterpris
- Windows 10 Enterpise edition, version 1803
- Windows 10 Professional edition, version 1803
**To change the download options**
1. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Allow files to download and save to the host operating system from Windows Defender Application Guard** setting.
#### Download options
2. Click **Enabled**.
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Allow files to download and save to the host operating system from Windows Defender Application Guard** setting.
2. Click **Enabled** and click **OK**.
![Group Policy editor Download options](images/appguard-gp-download.png)
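Review bot: the Applies to block above this hunk lists "Windows 10 Enterpise edition, version 1803" (typo) and "Windows 10 Professional edition, version 1803", but the updated settings table lists the file download policy as "Windows 10 Enterprise, 1803 or higher" with no Pro entry; one of the two is wrong, and "version 1803" should become "1803 or higher" in any case.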
@ -177,16 +181,57 @@ You have the option to change each of these settings to work with your enterpris
5. Check to see the file has been downloaded into This PC > Downloads > Untrusted files.
**To change hardware acceleration options**
1. Go to the **Administrative Templates\System\Windows Components\Windows Defender Application Guard\Allow hardware-accelerated rendering for Windows Defender Application Guard** setting.
#### Hardware acceleration options
2. Click **Enabled**.
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Allow hardware-accelerated rendering for Windows Defender Application Guard** setting.
2. Click **Enabled** and click **OK**.
![Group Policy editor hardware acceleration options](images/appguard-gp-vgpu.png)
3. Contact Microsoft for further information to fully enable this setting.
3. Once you have enabled this feature, open Microsoft Edge and browse to an untrusted, but safe URL with video, 3D, or other graphics-intensive content. The website opens in an isolated session.
4. Once you have fully enabled this experimental feature, open Microsoft Edge and browse to an untrusted, but safe URL with video, 3D, or other graphics-intensive content. The website opens in an isolated session.
4. Assess the visual experience and battery performance.
5. Assess the visual experience and battery performance.
**Applies to:**
- Windows 10 Enterpise edition, version 1809
- Windows 10 Professional edition, version 1809
#### File trust options
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Allow users to trust files that open in Windows Defender Application Guard** setting.
2. Click **Enabled**, set **Options** to 2, and click **OK**.
![Group Policy editor Download options](images/appguard-gp-allow-users-to-trust-files-that-open-in-appguard.png)
3. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
4. Open a file in Edge, such an Office 365 file.
5. Check to see that an antivirus scan completed before the file was opened.
#### Camera and microphone options
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Allow camera and microphone access in Windows Defender Application Guard** setting.
2. Click **Enabled** and click **OK**.
![Group Policy editor Download options](images/appguard-gp-allow-camera-and-mic.png)
3. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
4. Open an application with video or audio capability in Edge.
5. Check that the camera and microphone work as expected.
#### Root certificate sharing options
1. Go to the **Computer Configuration\Administrative Templates\Windows Components\Windows Defender Application Guard\Allow Windows Defender Application Guard to use Root Certificate Authorities from the user's device** setting.
2. Click **Enabled**, copy the thumbprint of each certificate to share, separated by a comma, and click **OK**.
![Group Policy editor Download options](images/appguard-gp-allow-root-certificates.png)
3. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
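Review bot: the new "Applies to" line reads "Windows 10 Enterpise edition, version 1809" (typo, should be "Enterprise"), and the File trust step "Click Enabled, set Options to 2, and click OK" gives a bare value with no explanation of what 2 selects versus the other values, so a reader cannot tell which trust behaviour they are turning on; spell out the option meaning next to the value. Also "such an Office 365 file" should read "such as an Office 365 file". For the root certificate sharing step, state the expected thumbprint format (comma-separated, with or without spaces) and add the caveat that sharing host root CAs into the container widens what the isolated browser session trusts, so the list should be limited to the enterprise roots the isolated session actually needs.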

View File

@ -20,7 +20,7 @@ ms.date: 09/03/2018
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-mssp-support-abovefoldlink)
[!include[Prerelease<EFBFBD>information](prerelease.md)]
[!include[Prerelease information](prerelease.md)]
You'll need to take the following configuration steps to enable the managed security service provider (MSSP) integration.
@ -58,7 +58,7 @@ This action is taken by the MSSP. It allows MSSPs to fetch alerts using APIs.
>[!NOTE]
> These set of steps are directed towards the MSSP customer. <br>
> Access to the portal can can only be done by the MSSP customer.
> Access to the portal can only be done by the MSSP customer.
As a MSSP customer, you'll need to take the following configuration steps to grant the MSSP access to Windows Defender Security Center.
@ -269,7 +269,7 @@ You'll need to have **Manage portal system settings** permission to whitelist th
You can now download the relevant configuration file for your SIEM and connect to the Windows Defender ATP API. For more information see, [Pull alerts to your SIEM tools](configure-siem-windows-defender-advanced-threat-protection.md).
- In the ArcSight configuration file / Splunk Authentication Properties file <EFBFBD> you will have to write your application key manually by settings the secret value.
- In the ArcSight configuration file / Splunk Authentication Properties file – you will have to write your application key manually by settings the secret value.
- Instead of acquiring a refresh token in the portal, use the script from the previous step to acquire a refresh token (or acquire it by other means).
## Fetch alerts from MSSP customer's tenant using APIs
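Review bot: "by settings the secret value" in the retained line should read "by setting the secret value". Since this step has the administrator write the application key into the ArcSight configuration file / Splunk authentication properties file by hand, the text should also say that the file now holds a credential and must be access-restricted like any other secret store.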

View File

@ -9,7 +9,7 @@ ms.sitesec: library
ms.pagetype: security
author: mjcaparas
ms.localizationpriority: medium
ms.date: 09/06/2018
ms.date: 10/09/2018
---
# Onboard servers to the Windows Defender ATP service

View File

@ -10,14 +10,12 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
ms.date: 04/24/2018
ms.date: 10/08/2018
---
# Enable SIEM integration in Windows Defender ATP
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
@ -54,7 +52,8 @@ Enable security information and event management (SIEM) integration so you can p
You can now proceed with configuring your SIEM solution or connecting to the alerts REST API through programmatic access. You'll need to use the tokens when configuring your SIEM solution to allow it to receive alerts from Windows Defender Security Center.
## Integrate Windows Defender ATP with IBM QRadar
You can configure IBM QRadar to collect alerts from Windows Defender ATP. For more information, see [IBM Knowledge Center](https://www.ibm.com/support/knowledgecenter/SS42VS_DSM/c_dsm_guide_MS_Win_Defender_ATP_overview.html?cp=SS42VS_7.3.1).
## Related topics
- [Configure Splunk to pull Windows Defender ATP alerts](configure-splunk-windows-defender-advanced-threat-protection.md)

View File

@ -0,0 +1,77 @@
---
title: Get CVE-KB map API
description: Retrieves a map of CVE's to KB's.
keywords: apis, graph api, supported apis, get, cve, kb
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: leonidzh
author: mjcaparas
ms.localizationpriority: medium
ms.date: 10/07/2018
---
# Get CVE-KB map API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Retrieves a map of CVE's to KB's and CVE details.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/cvekbmap
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful and map exists - 200 OK.
## Example
**Request**
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/CveKbMap
Content-type: application/json
```
**Response**
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context":"https://graph.microsoft.com/testwdatppreview/$metadata#CveKbMap",
"@odata.count": 4168,
"value": [
{
"cveKbId": "CVE-2015-2482-3097617",
"cveId": "CVE-2015-2482",
"kbId":"3097617",
"title": "Cumulative Security Update for Internet Explorer",
"severity": "Critical"
},
}
```
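Review bot: the example response JSON is malformed: the single object inside `value` ends with `},` and is followed directly by the closing `}` of the envelope, so the `value` array is never closed and there is a trailing comma. It should end with `}` then `]` then `}` (or `},` followed by a second entry and then `]`). Also "CVE's to KB's" should be "CVEs to KBs", the request path `/testwdatppreview/cvekbmap` differs in case from the example `CveKbMap` (pick one), and "User needs read permissions" should name the actual permission or scope the caller must hold.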

View File

@ -0,0 +1,76 @@
---
title: Get KB collection API
description: Retrieves a collection of KB's.
keywords: apis, graph api, supported apis, get, kb
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: leonidzh
author: mjcaparas
ms.localizationpriority: medium
ms.date: 10/07/2018
---
# Get KB collection API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Retrieves a collection of KB's and KB details.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/kbinfo
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful - 200 OK.
## Example
**Request**
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/KbInfo
Content-type: application/json
```
**Response**
Here is an example of the response.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context": "https://graph.microsoft.com/testwdatppreview/$metadata#KbInfo",
"@odata.count": 271,
"value":[
{
"id": "KB3097617 (10240.16549) Amd64",
"release": "KB3097617 (10240.16549)",
"publishingDate": "2015-10-16T21:00:00Z",
"version": "10.0.10240.16549",
"architecture": "Amd64"
},
}
```
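Review bot: same JSON problem as the CVE-KB map topic: the `value` array in the response example is never closed (`},` is followed directly by the envelope's `}`). The `id` value `KB3097617 (10240.16549) Amd64` is a composite string; the topic should say whether it is stable enough for consumers to use as a key. The request path `/kbinfo` and the example `KbInfo` differ in case, and "KB's" should be "KBs".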

View File

@ -0,0 +1,76 @@
---
title: Get RBAC machine groups collection API
description: Retrieves a collection of RBAC machine groups.
keywords: apis, graph api, supported apis, get, RBAC, group
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: leonidzh
author: mjcaparas
ms.localizationpriority: medium
ms.date: 10/07/2018
---
# Get KB collection API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Retrieves a collection of RBAC machine groups.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/machinegroups
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful - 200 OK.
## Example
**Request**
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/machinegroups
Content-type: application/json
```
**Response**
Here is an example of the response.
Field id contains machine group **id** and equal to field **rbacGroupId** in machines info.
Field **ungrouped** is true only for one group for all machines that have not been assigned to any group. This group as usual has name "UnassignedGroup".
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context":"https://graph.microsoft.com/testwdatppreview/$metadata#MachineGroups",
"@odata.count":7,
"value":[
{
"id":86,
"name":"UnassignedGroup",
"description":"",
"ungrouped":true},
}
```
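Review bot: the H1 on this machine groups topic reads "# Get KB collection API", copied from the KB topic; it should be "Get RBAC machine groups collection API" to match the title metadata. The response JSON is again unclosed (`"ungrouped":true},` is followed by `}` with no `]`). In the explanatory text, "contains machine group **id** and equal to field **rbacGroupId**" should read "is equal to", and "This group as usual has name" should read "This group is usually named".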

View File

@ -0,0 +1,83 @@
---
title: Get machines security states collection API
description: Retrieves a collection of machines security states.
keywords: apis, graph api, supported apis, get, machine, security, state
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: leonidzh
author: mjcaparas
ms.localizationpriority: medium
ms.date: 10/07/2018
---
# Get Machines security states collection API
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Retrieves a collection of machines security states.
## Permissions
User needs read permissions.
## HTTP request
```
GET /testwdatppreview/machinesecuritystates
```
## Request headers
Header | Value
:---|:---
Authorization | Bearer {token}. **Required**.
Content type | application/json
## Request body
Empty
## Response
If successful - 200 OK.
## Example
**Request**
Here is an example of the request.
```
GET https://graph.microsoft.com/testwdatppreview/machinesecuritystates
Content-type: application/json
```
**Response**
Here is an example of the response.
Field *id* contains machine id and equal to the field *id** in machines info.
```
HTTP/1.1 200 OK
Content-type: application/json
{
"@odata.context":"https://graph.microsoft.com/testwdatppreview/$metadata#MachineSecurityStates",
"@odata.count":444,
"@odata.nextLink":"https://graph.microsoft.com/testwdatppreview/machinesecuritystates?$skiptoken=[continuation token]",
"value":[
{
"id":"000050e1b4afeee3742489ede9ad7a3e16bbd9c4",
"build":14393,
"revision":2485,
"architecture":"Amd64",
"osVersion":"10.0.14393.2485.amd64fre.rs1_release.180827-1809",
"propertiesRequireAttention":[
"AntivirusNotReporting",
"EdrImpairedCommunications"
]
},
]
}
```
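Review bot: the sentence "Field *id* contains machine id and equal to the field *id** in machines info" has unbalanced emphasis markers (`*id**`) and is missing "is". In the response example the single object in `value` is followed by `},` then `]`, a trailing comma that strict JSON parsers reject. The `propertiesRequireAttention` values (`AntivirusNotReporting`, `EdrImpairedCommunications`) are the security-relevant payload of this API, so the topic should enumerate the possible values; without that, consumers cannot build alerting on them. The example also shows `@odata.nextLink`, but the text never says that results are paged and that callers must follow the link to get the full set.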

View File

@ -14,6 +14,10 @@ ms.date: 09/03/2018
---
# Get started with Windows Defender Advanced Threat Protection
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Learn about the minimum requirements and initial steps you need to take to get started with Windows Defender ATP.
The following capabilities are available across multiple products that make up the Windows Defender ATP platform.
@ -40,7 +44,7 @@ Advanced hunting allows you to hunt for possible threats across your organizatio
Integrate Windows Defender Advanced Threat Protection into your existing workflows.
**Microsoft threat protection**<br>
Bring the power of Microsoft threat protection to your organization.
Bring the power of Microsoft Threat Protection to your organization.
## In this section
Topic | Description

View File

@ -1,35 +0,0 @@
---
title: Incidents queue in Windows Defender ATP
description:
keywords: incidents, aggregate, investigations, queue, ttp
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
ms.date: 10/08/2018
---
# Incidents queue in Windows Defender ATP
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
When a cybersecurity threat is emerging, or a potential attacker is deploying its tactics, techniques/tools, and procedures (TTPs) on the network, Windows Defender ATP will quickly trigger alerts and launch matching automatic investigations.
Windows Defender ATP applies correlation analytics and aggregates all related alerts and investigations into an incident. Doing so helps narrate a broader story of an attack, thus providing you with the right visuals (upgraded incident graph) and data representations to understand and deal with complex cross-entity threats to your organization's network.
## In this section
Topic | Description
:---|:---
[View and organize the Incidents queue](view-incidents-queue.md)| See the list of incidents and learn how to apply filters to limit the list and get a more focused view.
[Manage incidents](manage-incidents-windows-defender-advanced-threat-protection.md) | Learn how to manage incidents by assigning it, updating its status, or setting its classification and other actions.
[Investigate incidents](investigate-incidents-windows-defender-advanced-threat-protection.md)| See associated alerts, manage the incident, see alert metadata, and visualizations to help you investigate an incident.
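Review bot: this topic is removed together with investigate-incidents, manage-incidents and view-incidents-queue, and the Incidents bullet in preview.md is dropped in the same commit; since each of the removed pages cross-links the other three, check the TOC and any remaining pages for links to these four files so the deletion leaves no dangling references.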

View File

@ -1,78 +0,0 @@
---
title: Investigate incidents in Windows Defender ATP
description: See associated alerts, manage the incident, and see alert metadata to help you investigate an incident
keywords: investigate, incident, alerts, metadata, risk, detection source, affected machines, patterns, correlation
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
ms.date: 10/08/2018
---
# Investigate incidents in Windows Defender ATP
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
Investigate incidents that affect your network, understand what they mean, and collate evidence to resolve them.
## Analyze incident details
Click an incident to see the **Incident pane**. Select **Open incident page** to see the incident details and related information (alerts, machines, investigations, evidence, graph).
![Image of incident details](images/atp-incident-details.png)
### Alerts
You can investigate the alerts and see how they were linked together in an incident.
Alerts are grouped into incidents based on the following reasons:
- Automated investigation - The automated investigation triggered the linked alert while investigating the original alert
- File characteristics - The files associated with the alert have similar characteristics
- Manual association - A user manually linked the alerts
- Proximate time - The alerts were triggered on the same machine within a certain timeframe
- Same file - The files associated with the alert are exactly the same
![Image of alerts tab in incident page showing the Linked by tool tip](images/atp-incidents-alerts-tooltip.png)
![Image of alerts tab with incident details page showing the reasons the alerts were linked together in that incident](images/atp-incidents-alerts-reason.png)
You can also manage an alert and see alert metadata along with other information. For more information, see [Investigate alerts](investigate-alerts-windows-defender-advanced-threat-protection.md).
### Machines
You can also investigate the machines that are part of, or related to, a given incident. For more information, see [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md).
![Image of machines tab in incident details page](images/atp-incident-machine-tab.png)
### Investigations
Select **Investigations** to see all the automatic investigations launched by the system in response to the incident alerts.
![Image of investigations tab in incident details page](images/atp-incident-investigations-tab.png)
## Going through the evidence
Windows Defender Advanced Threat Protection automatically investigates all the incidents' supported events and suspicious entities in the alerts, providing you with auto-response and information about the important files, processes, services, and more. This helps quickly detect and block potential threats in the incident.
Each of the analyzed entities will be marked as infected, remediated, or suspicious.
![Image of evidence tab in incident details page](images/atp-incident-evidence-tab.png)
## Visualizing associated cybersecurity threats
Windows Defender Advanced Threat Protection aggregates the threat information into an incident so you can see the patterns and correlations coming in from various data points. You can view such correlation through the incident graph.
### Incident graph
The **Graph** tells the story of the cybersecurity attack. For example, it shows you what was the entry point, which indicator of compromise or activity was observed on which machine. etc.
![Image of the incident graph](images/atp-incident-graph-tab.png)
You can click the circles on the incident graph to view the details of the malicious files, associated file detections, how many instances has there been worldwide, whether its been observed in your organization, if so, how many instances.
![Image of indcident details](images/atp-incident-graph-details.png)
## Related topics
- [Incidents queue](incidents-queue.md)
- [View and organize the Incidents queue](view-incidents-queue.md)
- [Manage incidents](manage-incidents-windows-defender-advanced-threat-protection.md)

View File

@ -88,4 +88,5 @@ Machines that are not matched to any groups are added to Ungrouped machines (def
## Related topic
- [Manage portal access using role-based based access control](rbac-windows-defender-advanced-threat-protection.md)
- [Manage portal access using role-based based access control](rbac-windows-defender-advanced-threat-protection.md)
- [Get list of tenant machine groups using Graph API](get-machinegroups-collection-windows-defender-advanced-threat-protection.md)
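Review bot: "role-based based access control" (doubled "based") appears in both the old and the new version of the line; fix it while this line is being touched.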

View File

@ -1,61 +0,0 @@
---
title: Manage Windows Defender ATP incidents
description: Manage incidents by assigning it, updating its status, or setting its classification.
keywords: incidents, manage, assign, status, classification, true alert, false alert
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
ms.date: 010/08/2018
---
# Manage Windows Defender ATP incidents
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
Managing incidents is an important part of every cybersecurity operation. You can manage incidents by selecting an incident from the **Incidents queue** or the **Incidents management pane**. You can assign incidents to yourself, change the status, classify, rename, or comment on them to keep track of their progress.
![Image of the incidents management pane](images/atp-incidents-mgt-pane.png)
Selecting an incident from the **Incidents queue** brings up the **Incident management pane** where you can open the incident page for details.
![Image of incident detail page](images/atp-incident-details-page.png)
## Assign incidents
If an incident has not been assigned yet, you can select **Assign to me** to assign the incident to yourself. Doing so assumes ownership of not just the incident, but also all the alerts associated with it.
## Change the incident status
You can categorize incidents (as **Active**, or **Resolved**) by changing their status as your investigation progresses. This helps you organize and manage how your team can respond to incidents.
For example, your SoC analyst can review the urgent **Active** incidents for the day, and decide to assign them to himself for investigation.
Alternatively, your SoC analyst might set the incident as **Resolved** if the incident has been remediated.
## Classify the incident
You can choose not to set a classification, or decide to specify whether an incident is true or false. Doing so helps the team see patterns and learn from them.
## Rename incident
By default, incidents are assigned with numbers. You can rename the incident if your organization uses a naming convention for easier cybersecurity threat identification.
![Image of incident renaming](images/atp-rename-incident.png)
## Add comments and view the history of an incident
You can add comments and view historical events about an incident to see previous changes made to it.
Whenever a change or comment is made to an alert, it is recorded in the Comments and history section.
Added comments instantly appear on the pane.
## Related topics
- [Incidents queue](incidents-queue.md)
- [View and organize the Incidents queue](view-incidents-queue.md)
- [Investigate incidents](investigate-incidents-windows-defender-advanced-threat-protection.md)

View File

@ -10,7 +10,7 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
ms.date: 06/18/2018
ms.date: 10/10/2018
---
# Onboard previous versions of Windows
@ -50,7 +50,7 @@ The following steps are required to enable this integration:
### Before you begin
Review the following details to verify minimum system requirements:
- Install the [February monthly update rollout](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598)
- Install the [February monthly update rollup](https://support.microsoft.com/help/4074598/windows-7-update-kb4074598) or a later monthly update rollup.
>[!NOTE]
>Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro.
@ -60,6 +60,14 @@ Review the following details to verify minimum system requirements:
>[!NOTE]
>Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro.
- Install either [.NET framework 4.5](https://www.microsoft.com/en-us/download/details.aspx?id=30653) (or later) or [KB3154518](https://support.microsoft.com/en-us/help/3154518/support-for-tls-system-default-versions-included-in-the-net-framework)
>[NOTE]
>Only applicable for Windows 7 SP1 Enterprise and Windows 7 SP1 Pro.
>Don't install .NET framework 4.0.x, since it will negate the above installation.
- Meet the Azure Log Analytics agent minimum system requirements. For more information, see [Collect data from computers in your environment with Log Analytics](https://docs.microsoft.com/en-us/azure/log-analytics/log-analytics-concept-hybrid#prerequisites)
1. Download the agent setup file: [Windows 64-bit agent](https://go.microsoft.com/fwlink/?LinkId=828603) or [Windows 32-bit agent](https://go.microsoft.com/fwlink/?LinkId=828604).
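Review bot: the new note block opens with `>[NOTE]` rather than `>[!NOTE]` as the other notes in this hunk do, so it will render as a plain blockquote instead of a note callout. "Don't install .NET framework 4.0.x, since it will negate the above installation" is also vague; say concretely what breaks (the TLS system-default support that the preceding bullet installs via .NET 4.5 or KB3154518) rather than "negate".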

View File

@ -14,6 +14,9 @@ ms.date: 09/03/2018
---
# Configure and manage Windows Defender ATP capabilities
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Configure and manage all the Windows Defender ATP capabilities to get the best security protection for your organization.
@ -24,7 +27,7 @@ Topic | Description
[Configure attack surface reduction capabilities](configure-attack-surface-reduction.md) | By ensuring configuration settings are properly set and exploit mitigation techniques are applied, these set of capabilities resist attacks and exploitations.
[Configure next generation protection](../windows-defender-antivirus/configure-windows-defender-antivirus-features.md) | Configure next generation protection to catch all types of emerging threats.
[Configure Secure score dashboard security controls](secure-score-dashboard-windows-defender-advanced-threat-protection.md) | Configure the security controls in Secure score to increase the security posture of your organization.
Configure Microsoft threat protection integration| Configure other solutions that integrate with Windows Defender ATP.
Configure Microsoft Threat Protection integration| Configure other solutions that integrate with Windows Defender ATP.
Management and API support| Pull alerts to your SIEM or use APIs to create custom alerts. Create and build Power BI reports.
[Configure Windows Defender Security Center settings](preferences-setup-windows-defender-advanced-threat-protection.md) | Configure portal related settings such as general settings, advanced features, enable the preview experience and others.

View File

@ -19,7 +19,7 @@ ms.date: 09/03/2018
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
The Widows Defender ATP endpoint detection and response capabilities provides near real-time actionable advance attacks detections, enables security analysts to effectively prioritize alerts, unfold the full scope of a breach and take response actions to remediate the threat.
The Windows Defender ATP endpoint detection and response capabilities provides near real-time actionable advance attacks detections, enables security analysts to effectively prioritize alerts, unfold the full scope of a breach and take response actions to remediate the threat.
When a threat is detected, alerts are be created in the system for an analyst to investigate. Alerts with the same attack techniques or attributed to the same attacker are aggregated into an entity called _incident_. Aggregating alerts in this manner makes it easy for analysts to collectively investigate and respond to threats.
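Review bot: beyond the "Widows" fix, the sentence still has grammar problems: "capabilities provides near real-time actionable advance attacks detections" should read "capabilities provide near real-time, actionable detections of advanced attacks". In the following paragraph, "alerts are be created" should be "alerts are created" and "called _incident_" should be "called an _incident_".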

View File

@ -14,6 +14,9 @@ ms.date: 09/03/2018
---
# Overview of Windows Defender ATP capabilities
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Understand the concepts behind the capabilities in Windows Defender ATP so you take full advantage of the complete threat protection platform.
@ -28,7 +31,7 @@ Topic | Description
[Secure score](overview-secure-score-windows-defender-advanced-threat-protection.md) | Quickly assess the security posture of your organization, see machines that require attention, as well as recommendations for actions to better protect your organization - all in one place.
[Advanced hunting](overview-hunting-windows-defender-advanced-threat-protection.md) | Use a powerful search and query language to create custom queries and detection rules.
[Management and APIs](management-apis.md) | Windows Defender ATP supports a wide variety of tools to help you manage and interact with the platform so that you can integrate the service into your existing workflows.
[Microsoft threat protection](threat-protection-integration.md) | Microsoft security products work better together. Learn about other security capabilities in the Microsoft threat protection stack.
[Microsoft Threat Protection](threat-protection-integration.md) | Microsoft security products work better together. Learn about other security capabilities in the Microsoft threat protection stack.
[Portal overview](portal-overview-windows-defender-advanced-threat-protection.md) |Learn to navigate your way around Windows Defender Security Center.
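Review bot: the link text now reads "Microsoft Threat Protection" but the description on the same line still says "Microsoft threat protection stack"; capitalize the product name consistently.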

View File

@ -41,9 +41,6 @@ The following features are included in the preview release:
- [Threat analytics](threat-analytics.md)<br>
Threat Analytics is a set of interactive reports published by the Windows Defender ATP research team as soon as emerging threats and outbreaks are identified. The reports help security operations teams assess impact on their environment and provides recommended actions to contain, increase organizational resilience, and prevent specific threats.
- [Incidents](incidents-queue.md)<br>
Windows Defender ATP applies correlation analytics and aggregates all related alerts and investigations into an incident. Doing so helps narrate a broader story of an attack, thus providing you with the right visuals (upgraded incident graph) and data representations to understand and deal with complex cross-entity threats to your organization's network.
- [Custom detection](overview-custom-detections.md)<br>
With custom detections, you can create custom queries to monitor events for any kind of behavior such as suspicious or emerging threats. This can be done by leveraging the power of Advanced hunting through the creation of custom detection rules.

View File

@ -34,4 +34,8 @@ File | Run API calls such as get file information, file related alerts, file rel
IP | Run API calls such as get IP related alerts, IP related machines, IP statistics, and check if and IP is seen in your organization.
Machines | Run API calls such as find machine information by IP, get machines, get machines by ID, information about logged on users, and alerts related to a given machine ID.
User | Run API calls such as get alert related user information, user information, user related alerts, and user related machines.
KbInfo | Run API call that gets list of Windows KB's information
CveKbMap | Run API call that gets mapping of CVE's to corresponding KB's
MachineSecurityStates | Run API call that gets list of machines with their security properties and versions
MachineGroups | Run API call that gets list of machine group definitions
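Review bot: the four new rows use possessive apostrophes for plurals ("KB's", "CVE's") and drop the article and trailing period used by the existing rows ("gets list of" should be "gets a list of ..."). They should also link to the new API topics added in this commit, as the RBAC topic does for machine groups, so the table is navigable.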

View File

@ -1,7 +1,7 @@
---
title: Microsoft threat protection
description:
keywords:
title: Windows Defender ATP in Microsoft Threat Protection
description: Learn about the capabilities within the Microsoft Threat Protection
keywords: microsoft threat protection, conditional access, office, advanced threat protection, azure atp, azure security center, microsoft cloud app security
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
@ -10,10 +10,18 @@ ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
ms.date: 09/12/2018
ms.date: 10/12/2018
---
# Microsoft threat protection
# Microsoft Threat Protection
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
Windows Defender ATP is part of the Microsoft Threat Protection solution that helps implement end-to-end security across possible attack surfaces in the modern workplace.
For more information on Microsoft Threat Protection, see [Announcing Microsoft Threat Protection](https://techcommunity.microsoft.com/t5/Security-Privacy-and-Compliance/Announcing-Microsoft-Threat-Protection/ba-p/262783).
Microsoft's multiple layers of threat protection across data, applications, devices, and identities can help protect your organization from advanced cyber threats.

View File

@ -15,6 +15,10 @@ ms.date: 03/12/2018
# Overview of Windows Defender Security Center
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-usewdatp-abovefoldlink)
Windows Defender Security Center is the portal where you can access Windows Defender Advanced Threat Protection capabilities.

View File

@ -1,74 +0,0 @@
---
title: View and organize the Incidents queue
description: See the list of incidents and learn how to apply filters to limit the list and get a more focused view.
keywords: view, organize, incidents, aggregate, investigations, queue, ttp
search.product: eADQiWindows 10XVcnh
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
ms.author: macapara
author: mjcaparas
ms.localizationpriority: medium
ms.date: 10/08/2018
---
# View and organize the Windows Defender Advanced Threat Protection Incidents queue
**Applies to:**
- Windows Defender Advanced Threat Protection (Windows Defender ATP)
[!include[Prerelease information](prerelease.md)]
The **Incidents queue** shows a collection of incidents that were flagged from machines in your network. It helps you sort through incidents to prioritize and create an informed cybersecurity response decision.
By default, the queue displays incidents seen in the last 30 days, with the most recent incident showing at the top of the list, helping you see the most recent incidents first.
There are several options you can choose from to customize the Incidents queue view.
On the top navigation you can:
- Customize columns to add or remove columns
- Modify the number of items to view per page
- Select the items to show per page
- Batch-select the incidents to assign
- Navigate between pages
- Apply filters
![Image of incidents queue](images/atp-incident-queue.png)
## Sort and filter the incidents queue
You can apply the following filters to limit the list of incidents and get a more focused view.
Incident severity | Description
:---|:---
High </br>(Red) | Threats often associated with advanced persistent threats (APT). These incidents indicate a high risk due to the severity of damage they can inflict on machines.
Medium </br>(Orange) | Threats rarely observed in the organization, such as anomalous registry change, execution of suspicious files, and observed behaviors typical of attack stages.
Low </br>(Yellow) | Threats associated with prevalent malware and hack-tools that do not necessarily indicate an advanced threat targeting the organization.
Informational </br>(Grey) | Informational incidents are those that might not be considered harmful to the network but might be good to keep track of.
### Category
Incidents are categorized based on the description of the stage by which the cybersecurity kill chain is in. This view helps the threat analyst to determine priority, urgency, and corresponding response strategy to deploy based on context.
### Alerts
Indicates the number of alerts associated with or part of the incidents.
### Machines
You can limit to show only the machines at risk which are associated with incidents.
### Users
You can limit to show only the users of the machines at risk which are associated with incidents.
### Assigned to
You can choose to show between unassigned incidents or those which are assigned to you.
### Status
You can choose to limit the list of incidents shown based on their status to see which ones are active or resolved
### Classification
Use this filter to choose between focusing on incidents flagged as true or false incidents.
## Related topics
- [Incidents queue](incidents-queue.md)
- [Manage incidents](manage-incidents-windows-defender-advanced-threat-protection.md)
- [Investigate incidents](investigate-incidents-windows-defender-advanced-threat-protection.md)
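Review bot: this hunk removes the whole "View and organize the Incidents queue" topic, but its own Related topics list points at `incidents-queue.md`, `manage-incidents-windows-defender-advanced-threat-protection.md` and `investigate-incidents-windows-defender-advanced-threat-protection.md`, which very likely link back to this file, and the TOC may reference it as well. Confirm that every inbound link and the TOC entry are updated in the same commit, and add a redirect for the old URL so that external bookmarks do not break. If the severity table and filter descriptions removed here are not intentionally dropped, check that they survive in the remaining incidents queue topic.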

View File

@ -1,14 +1,14 @@
---
title: Windows Platform Common Criteria Certification
title: Common Criteria Certifications
description: This topic details how Microsoft supports the Common Criteria certification program.
ms.prod: w10
ms.localizationpriority: medium
ms.author: daniha
author: danihalfin
ms.date: 04/03/2018
ms.date: 10/8/2018
---
# Windows Platform Common Criteria Certification
# Common Criteria Certifications
Microsoft is committed to optimizing the security of its products and services. As part of that commitment, Microsoft supports the Common Criteria certification program, continues to ensure that products incorporate the features and functions required by relevant Common Criteria protection profiles, and completes Common Criteria certifications of Microsoft Windows products.
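Review bot: the new metadata value `ms.date: 10/8/2018` is not zero-padded, while the value it replaces (`04/03/2018`) and the dates elsewhere in this commit (`03/12/2018`, `10/08/2018`) use the MM/DD/YYYY form; use `10/08/2018` so the date sorts and parses consistently. The title change from "Windows Platform Common Criteria Certification" to "Common Criteria Certifications" is applied to both the front matter and the H1, which is correct; make sure any TOC entry or cross-reference that used the old title is updated too.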
@ -18,7 +18,8 @@ Microsoft is committed to optimizing the security of its products and services.
The Security Target describes security functionality and assurance measures used to evaluate Windows.
- [Microsoft Window 10 (Creators Update)](http://download.microsoft.com/download/e/8/b/e8b8c42a-a0b6-4ba1-9bdc-e704e8289697/windows%2010%20version%201703%20gp%20os%20security%20target%20-%20public%20\(january%2016,%202018\)\(final\)\(clean\).pdf)
- [Microsoft Windows 10 (Fall Creators Update)](http://download.microsoft.com/download/B/6/A/B6A5EC2C-6351-4FB9-8FF1-643D4BD5BE6E/Windows%2010%201709%20GP%20OS%20Security%20Target.pdf)
- [Microsoft Windows 10 (Creators Update)](http://download.microsoft.com/download/e/8/b/e8b8c42a-a0b6-4ba1-9bdc-e704e8289697/windows%2010%20version%201703%20gp%20os%20security%20target%20-%20public%20\(january%2016,%202018\)\(final\)\(clean\).pdf)
- [Microsoft Windows Server 2016, Microsoft Windows Server 2012 R2, and Microsoft Windows 10 Hyper-V](http://download.microsoft.com/download/1/c/3/1c3b5ab0-e064-4350-a31f-48312180d9b5/st_vid10823-st.pdf)
- [Microsoft Windows 10 (Anniversary Update) and Windows 10 Mobile (Anniversary Update)](http://download.microsoft.com/download/1/5/e/15eee6d3-f2a8-4441-8cb1-ce8c2ab91c24/windows%2010%20anniversary%20update%20mdf%20security%20target%20-%20public%20\(april%203%202017\).docx)
- [Microsoft Windows 10 (Anniversary Update) and Windows Server 2016](http://download.microsoft.com/download/f/8/c/f8c1c2a4-719c-48ae-942f-9fd3ce5b238f/windows%2010%20au%20and%20server%202016%20gp%20os%20security%20target%20-%20public%20\(december%202%202016\)%20\(clean\).docx)
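Review bot: the Creators Update entry is removed and re-added only to correct "Microsoft Window 10" to "Microsoft Windows 10" and to place the new Fall Creators Update entry above it, keeping the newest-release-first ordering used by the rest of the list; the same correction and ordering should be applied identically in the Operational Guidance and Certification Report lists later in this file so the three lists stay parallel.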
@ -52,7 +53,9 @@ These documents describe how to configure Windows to replicate the configuration
**Windows 10, Windows 10 Mobile, Windows Server 2016, Windows Server 2012 R2**
- [Microsoft Window 10 (Creators Update)](http://download.microsoft.com/download/e/9/7/e97f0c7f-e741-4657-8f79-2c0a7ca928e3/windows%2010%20cu%20gp%20os%20operational%20guidance%20\(jan%208%202017%20-%20public\).pdf)
- [Microsoft Windows 10 (Fall Creators Update)](http://download.microsoft.com/download/5/D/2/5D26F473-0FCE-4AC4-9065-6AEC0FE5B693/Windows%2010%201709%20GP%20OS%20Administrative%20Guide.pdf)
- [Microsoft Windows 10 (Creators Update)](http://download.microsoft.com/download/e/9/7/e97f0c7f-e741-4657-8f79-2c0a7ca928e3/windows%2010%20cu%20gp%20os%20operational%20guidance%20\(jan%208%202017%20-%20public\).pdf)
- [Microsoft Windows Server 2016, Microsoft Windows Server 2012 R2, and Microsoft Windows 10 Hyper-V](http://download.microsoft.com/download/d/c/4/dc40b5c8-49c2-4587-8a04-ab3b81eb6fc4/st_vid10823-agd.pdf)
- [Microsoft Windows 10 (Anniversary Update) and Windows 10 Mobile (Anniversary Update)](http://download.microsoft.com/download/4/c/1/4c1f4ea4-2d66-4232-a0f5-925b2bc763bc/windows%2010%20au%20operational%20guidance%20\(16%20mar%202017\)\(clean\).docx)
- [Microsoft Windows 10 (Anniversary Update) and Windows Server 2016](http://download.microsoft.com/download/b/5/2/b52e9081-05c6-4895-91a3-732bfa0eb4da/windows%2010%20au%20and%20server%202016%20gp%20os%20operational%20guidance%20\(final\).docx)
@ -127,7 +130,8 @@ These documents describe how to configure Windows to replicate the configuration
An Evaluation Technical Report (ETR) is a report submitted to the Common Criteria certification authority for how Windows complies with the claims made in the Security Target. A Certification / Validation Report provides the results of the evaluation by the validation team.
- [Microsoft Window 10 (Creators Update)](http://download.microsoft.com/download/3/2/c/32cdf627-dd23-4266-90ff-2f9685fd15c0/2017-49%20inf-2218%20cr.pdf)
- [Microsoft Windows 10 (Fall Creators Update)](http://download.microsoft.com/download/2/C/2/2C20D013-0610-4047-B2FA-516819DFAE0A/Windows%2010%201709%20GP%20OS%20Certification%20Report.pdf)
- [Microsoft Windows 10 (Creators Update)](http://download.microsoft.com/download/3/2/c/32cdf627-dd23-4266-90ff-2f9685fd15c0/2017-49%20inf-2218%20cr.pdf)
- [Microsoft Windows Server 2016, Microsoft Windows Server 2012 R2, and Microsoft Windows 10 Hyper-V](http://download.microsoft.com/download/a/3/3/a336f881-4ac9-4c79-8202-95289f86bb7a/st_vid10823-vr.pdf)
- [Microsoft Windows 10 (Anniversary Update) and Windows 10 Mobile (Anniversary Update)](http://download.microsoft.com/download/f/2/f/f2f7176e-34f4-4ab0-993c-6606d207bb3c/st_vid10752-vr.pdf)
- [Microsoft Windows 10 (Anniversary Update) and Windows Server 2016](http://download.microsoft.com/download/5/4/8/548cc06e-c671-4502-bebf-20d38e49b731/2016-36-inf-1779.pdf)