Merge branch 'master' into lsaldanha-4906123

2025-05-13 13:57:22 +00:00 · 2021-03-09 13:37:30 +05:30 · 2021-03-09 13:37:30 +05:30 · 0466e700c9
commit 0466e700c9
parent d7c585c71c be662852d7
497 changed files with 1920 additions and 1275 deletions
--- a/.acrolinx-config.edn
+++ b/.acrolinx-config.edn
@ -35,7 +35,7 @@
 "
 ## Acrolinx Scorecards
-**The minimum Acrolinx topic score of 65 is required for all MARVEL content merged to the default branch.**
+**The minimum Acrolinx topic score of 80 is required for all MARVEL content merged to the default branch.**
 If you need a scoring exception for content in this PR, add the *Sign off* and the *Acrolinx exception* labels to the PR. The PubOps Team will review the exception request and may take one or more of the following actions:
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@ -1699,6 +1699,11 @@
      "source_path": "windows/security/threat-protection/windows-defender-atp/manage-edr.md",
      "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-edr",
      "redirect_document_id": true
    },
 	{
      "source_path": "windows/security/threat-protection/microsoft-defender-atp/manage-edrmanage-edr.md",
      "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/overview-endpoint-detection-response",
      "redirect_document_id": false
    },
    {
      "source_path": "windows/security/threat-protection/windows-defender-atp/management-apis.md",
@ -16535,6 +16540,11 @@
      "redirect_url": "https://docs.microsoft.com/windows/deployment/update/waas-configure-wufb",
      "redirect_document_id": true
    },
    {
      "source_path": "windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md",
      "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventory-table",
      "redirect_document_id": true
    },
    {
      "source_path": "windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md",
      "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/troubleshoot-asr",
--- a/browsers/edge/microsoft-edge-kiosk-mode-deploy.md
+++ b/browsers/edge/microsoft-edge-kiosk-mode-deploy.md
@ -162,12 +162,12 @@ With this method, you can use Microsoft Intune or other MDM services to configur
   |   |   |
   |---|---|
-   | **[ConfigureKioskMode](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurekioskmode)**<p>![](images/icon-thin-line-computer.png) | Configure the display mode for Microsoft Edge Legacy as a kiosk app.<p><p>**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskMode<p>**Data type:**  Integer<p>**Allowed values:**<ul><li>**Single-app kiosk experience**<ul><li>**0** - Digital signage and interactive display</li><li>**1** - InPrivate Public browsing</li></ul></li><li>**Multi-app kiosk experience**<ul><li>**0** - Normal Microsoft Edge Legacy running in assigned access</li><li>**1** - InPrivate public browsing with other apps</li></ul></li></ul> |
+   | **[ConfigureKioskMode](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurekioskmode)**<p>![Icon Mode](images/icon-thin-line-computer.png) | Configure the display mode for Microsoft Edge Legacy as a kiosk app.<p><p>**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskMode<p>**Data type:**  Integer<p>**Allowed values:**<ul><li>**Single-app kiosk experience**<ul><li>**0** - Digital signage and interactive display</li><li>**1** - InPrivate Public browsing</li></ul></li><li>**Multi-app kiosk experience**<ul><li>**0** - Normal Microsoft Edge Legacy running in assigned access</li><li>**1** - InPrivate public browsing with other apps</li></ul></li></ul> |
-   | **[ConfigureKioskResetAfterIdleTimeout](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurekioskresetafteridletimeout)**<p>![](images/icon-thin-line-computer.png) | Change the time in minutes from the last user activity before Microsoft Edge Legacy kiosk mode resets the user's session.<p><p>**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskResetAfterIdleTimeout<p>**Data type:** Integer<p>**Allowed values:**<ul><li>**0** - No idle timer</li><li>**1-1440 (5 minutes is the default)** - Set reset on idle timer</li></ul>  |
+   | **[ConfigureKioskResetAfterIdleTimeout](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurekioskresetafteridletimeout)**<p>![Icon Timeout](images/icon-thin-line-computer.png) | Change the time in minutes from the last user activity before Microsoft Edge Legacy kiosk mode resets the user's session.<p><p>**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureKioskResetAfterIdleTimeout<p>**Data type:** Integer<p>**Allowed values:**<ul><li>**0** - No idle timer</li><li>**1-1440 (5 minutes is the default)** - Set reset on idle timer</li></ul>  |
-   | **[HomePages](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-homepages)**<p>![](images/icon-thin-line-computer.png)  | Set one or more start pages, URLs, to load when Microsoft Edge Legacy launches.<p><p>**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/HomePages<p>**Data type:** String<p>**Allowed values:**<p>Enter one or more URLs, for example,<br>&nbsp;&nbsp;&nbsp;\<https://www.msn.com\>\<https:/www.bing.com\>  |
+   | **[HomePages](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-homepages)**<p>![Icon HomePage](images/icon-thin-line-computer.png)  | Set one or more start pages, URLs, to load when Microsoft Edge Legacy launches.<p><p>**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/HomePages<p>**Data type:** String<p>**Allowed values:**<p>Enter one or more URLs, for example,<br>&nbsp;&nbsp;&nbsp;\<https://www.msn.com\>\<https:/www.bing.com\>  |
-   | **[ConfigureHomeButton](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton)**<p>![](images/icon-thin-line-computer.png)  | Configure how the Home Button behaves.<p><p>**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureHomeButton<p>**Data type:** Integer<p> **Allowed values:**<ul><li>**0 (default)** - Not configured. Show home button, and load the default Start page.</li><li>**1** - Enabled. Show home button and load New Tab page</li><li>**2** - Enabled. Show home button & set a specific page.</li><li>**3** - Enabled. Hide the home button.</li></ul>   |
+   | **[ConfigureHomeButton](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-configurehomebutton)**<p>![Icon Configure](images/icon-thin-line-computer.png)  | Configure how the Home Button behaves.<p><p>**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/ConfigureHomeButton<p>**Data type:** Integer<p> **Allowed values:**<ul><li>**0 (default)** - Not configured. Show home button, and load the default Start page.</li><li>**1** - Enabled. Show home button and load New Tab page</li><li>**2** - Enabled. Show home button & set a specific page.</li><li>**3** - Enabled. Hide the home button.</li></ul>   |
-   | **[SetHomeButtonURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl)**<p>![](images/icon-thin-line-computer.png)   | If you set ConfigureHomeButton to 2, configure the home button URL.<p><p>**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetHomeButtonURL <p>**Data type:** String<p>**Allowed values:** Enter a URL, for example, https://www.bing.com   |
+   | **[SetHomeButtonURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-sethomebuttonurl)**<p>![Icon Set Home](images/icon-thin-line-computer.png)   | If you set ConfigureHomeButton to 2, configure the home button URL.<p><p>**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetHomeButtonURL <p>**Data type:** String<p>**Allowed values:** Enter a URL, for example, https://www.bing.com   |
-   | **[SetNewTabPageURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-setnewtabpageurl)**<p>![](images/icon-thin-line-computer.png)   | Set a custom URL for the New Tab page.<p><p>**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetNewTabPageURL <p>**Data type:** String<p>**Allowed values:** Enter a URL, for example, https://www.msn.com    |
+   | **[SetNewTabPageURL](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-browser#browser-setnewtabpageurl)**<p>![Icon New Tab](images/icon-thin-line-computer.png)   | Set a custom URL for the New Tab page.<p><p>**URI full path:** ./Vendor/MSFT/Policy/Config/Browser/SetNewTabPageURL <p>**Data type:** String<p>**Allowed values:** Enter a URL, for example, https://www.msn.com    |
 **_Congratulations!_** <p>You’ve just finished setting up a kiosk or digital signage with policies for Microsoft Edge Legacy kiosk mode using Microsoft Intune or other MDM service.
--- a/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md
+++ b/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md
@ -86,14 +86,14 @@ See the [example ETW capture](#example-etw-capture) at the bottom of this articl
 The following is a high-level view of the main wifi components in Windows.
 <table>
-<tr><td><img src="images/wcm.png"></td><td>The <b>Windows Connection Manager</b> (Wcmsvc) is closely associated with the UI controls (taskbar icon) to connect to various networks, including wireless networks. It accepts and processes input from the user and feeds it to the core wireless service. </td></tr>
+<tr><td><img src="images/wcm.png" alt="Windows Connection Manager"></td><td>The <b>Windows Connection Manager</b> (Wcmsvc) is closely associated with the UI controls (taskbar icon) to connect to various networks, including wireless networks. It accepts and processes input from the user and feeds it to the core wireless service. </td></tr>
-<tr><td><img src="images/wlan.png"></td><td>The <b>WLAN Autoconfig Service</b> (WlanSvc) handles the following core functions of wireless networks in windows:
+<tr><td><img src="images/wlan.png" alt="WLAN Autoconfig Service"></td><td>The <b>WLAN Autoconfig Service</b> (WlanSvc) handles the following core functions of wireless networks in windows:
 - Scanning for wireless networks in range
 - Managing connectivity of wireless networks</td></tr>
-<tr><td><img src="images/msm.png"></td><td>The <b>Media Specific Module</b> (MSM) handles security aspects of connection being established.</td></tr>
+<tr><td><img src="images/msm.png" alt="Media Specific Module"></td><td>The <b>Media Specific Module</b> (MSM) handles security aspects of connection being established.</td></tr>
-<tr><td><img src="images/wifi-stack.png"></td><td>The <b>Native WiFi stack</b> consists of drivers and wireless APIs to interact with wireless miniports and the supporting user-mode Wlansvc.</td></tr>
+<tr><td><img src="images/wifi-stack.png" alt="Native WiFi stack"></td><td>The <b>Native WiFi stack</b> consists of drivers and wireless APIs to interact with wireless miniports and the supporting user-mode Wlansvc.</td></tr>
-<tr><td><img src="images/miniport.png"></td><td>Third-party <b>wireless miniport</b> drivers interface with the upper wireless stack to provide notifications to and receive commands from Windows.</td></tr>
+<tr><td><img src="images/miniport.png" alt="Wireless miniport"></td><td>Third-party <b>wireless miniport</b> drivers interface with the upper wireless stack to provide notifications to and receive commands from Windows.</td></tr>
 </table>
--- a/windows/client-management/mandatory-user-profile.md
+++ b/windows/client-management/mandatory-user-profile.md
@ -16,7 +16,6 @@ ms.topic: article
 # Create mandatory user profiles
 **Applies to**
 - Windows 10
 A mandatory user profile is a roaming user profile that has been pre-configured by an administrator to specify settings for users. Settings commonly defined in a mandatory profile include (but are not limited to): icons that appear on the desktop, desktop backgrounds, user preferences in Control Panel, printer selections, and more. Configuration changes made during a user's session that are normally saved to a roaming user profile are not saved when a mandatory user profile is assigned.
@ -76,7 +75,7 @@ First, you create a default user profile with the customizations that you want,
   > [!TIP]
   > If you receive an error message that says "Sysprep was not able to validate your Windows installation", open %WINDIR%\\System32\\Sysprep\\Panther\\setupact.log and look for an entry like the following:
   >
-   > ![Microsoft Bing Translator package](images/sysprep-error.png)
+   > ![Microsoft Bing Translator package error](images/sysprep-error.png)
   >
   > Use the [Remove-AppxProvisionedPackage](https://docs.microsoft.com/powershell/module/dism/remove-appxprovisionedpackage?view=win10-ps) and [Remove-AppxPackage -AllUsers](https://docs.microsoft.com/powershell/module/appx/remove-appxpackage?view=win10-ps) cmdlet in Windows PowerShell to uninstall the app that is listed in the log.
@ -86,20 +85,24 @@ First, you create a default user profile with the customizations that you want,
 1. In **User Profiles**, click **Default Profile**, and then click **Copy To**.
-   ![Example of UI](images/copy-to.png)
+
   ![Example of User Profiles UI](images/copy-to.png)
 1. In **Copy To**, under **Permitted to use**, click **Change**.
-   ![Example of UI](images/copy-to-change.png)
+   ![Example of Copy To UI](images/copy-to-change.png)
 1. In **Select User or Group**, in the **Enter the object name to select** field, type `everyone`, click **Check Names**, and then click **OK**.
 1. In **Copy To**, in the **Copy profile to** field, enter the path and folder name where you want to store the mandatory profile. The folder name must use the correct [extension](#profile-extension-for-each-windows-version) for the operating system version. For example, the folder name must end with ".v6" to identify it as a user profile folder for Windows 10, version 1607.
   - If the device is joined to the domain and you are signed in with an account that has permissions to write to a shared folder on the network, you can enter the shared folder path.
   ![Example of Copy profile to](images/copy-to-path.png)
   - If the device is not joined to the domain, you can save the profile locally and then copy it to the shared folder location.
-   ![Example of UI](images/copy-to-path.png)
+   ![Example of Copy To UI with UNC path](images/copy-to-path.png)
 1. Click **OK** to copy the default user profile.
--- a/windows/client-management/mdm/TOC.md
+++ b/windows/client-management/mdm/TOC.md
@ -159,16 +159,16 @@
 ### [Personalization CSP](personalization-csp.md)
 #### [Personalization DDF file](personalization-ddf.md)
 ### [Policy CSP](policy-configuration-service-provider.md)
-#### [Policy DDF file](policy-ddf-file.md)
+#### [Policy CSP DDF file](policy-ddf-file.md)
-#### [Policies in Policy CSP supported by Group Policy](policy-csps-supported-by-group-policy.md)
+#### [Policies in Policy CSP supported by Group Policy](policies-in-policy-csp-supported-by-group-policy.md)
-#### [ADMX-backed policies in Policy CSP](policy-csps-admx-backed.md)
+#### [ADMX-backed policies in Policy CSP](policies-in-policy-csp-admx-backed.md)
-#### [Policies in Policy CSP supported by HoloLens 2](policy-csps-supported-by-hololens2.md)
+#### [Policies in Policy CSP supported by HoloLens 2](policies-in-policy-csp-supported-by-hololens2.md)
-#### [Policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite](policy-csps-supported-by-hololens-1st-gen-commercial-suite.md)
+#### [Policies in Policy CSP supported by HoloLens (1st gen) Commercial Suite](policies-in-policy-csp-supported-by-hololens-1st-gen-commercial-suite.md)
-#### [Policies in Policy CSP supported by HoloLens (1st gen) Development Edition](policy-csps-supported-by-hololens-1st-gen-development-edition.md)
+#### [Policies in Policy CSP supported by HoloLens (1st gen) Development Edition](policies-in-policy-csp-supported-by-hololens-1st-gen-development-edition.md)
-#### [Policies in Policy CSP supported by Windows 10 IoT Enterprise](policy-csps-supported-by-iot-enterprise.md)
+#### [Policies in Policy CSP supported by Windows 10 IoT Enterprise](policies-in-policy-csp-supported-by-iot-enterprise.md)
-#### [Policies in Policy CSP supported by Windows 10 IoT Core](policy-csps-supported-by-iot-core.md)
+#### [Policies in Policy CSP supported by Windows 10 IoT Core](policies-in-policy-csp-supported-by-iot-core.md)
-#### [Policies in Policy CSP supported by Microsoft Surface Hub](policy-csps-supported-by-surface-hub.md)
+#### [Policies in Policy CSP supported by Microsoft Surface Hub](policies-in-policy-csp-supported-by-surface-hub.md)
-#### [Policy CSPs that can be set using Exchange Active Sync (EAS)](policy-csps-that-can-be-set-using-eas.md)
+#### [Policy CSPs that can be set using Exchange Active Sync (EAS)](policies-in-policy-csp-that-can-be-set-using-eas.md)
 #### [AboveLock](policy-csp-abovelock.md)
 #### [Accounts](policy-csp-accounts.md)
 #### [ActiveXControls](policy-csp-activexcontrols.md)
--- a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md
+++ b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md
@ -23,10 +23,10 @@ To help diagnose enrollment or device management issues in Windows 10 devices m
   ![Access work or school page in Settings](images/diagnose-mdm-failures15.png)
 1. At the bottom of the **Settings** page, click **Create report**.  
-   ![Access work or school page in Settings](images/diagnose-mdm-failures16.png)
+   ![Access work or school page and then Create report](images/diagnose-mdm-failures16.png)
 1. A window opens that shows the path to the log files. Click **Export**.
-   ![Access work or school page in Settings](images/diagnose-mdm-failures17.png)
+   ![Access work or school log files](images/diagnose-mdm-failures17.png)
 1. In File Explorer, navigate to c:\Users\Public\Documents\MDMDiagnostics to see the report.
@ -121,28 +121,28 @@ Since there is no Event Viewer in Windows 10 Mobile, you can use the [Field Medi
 1.  Download and install the [Field Medic]( https://go.microsoft.com/fwlink/p/?LinkId=718232) app from the store.
 2.  Open the Field Medic app and then click on **Advanced**.
-    ![field medic screenshot](images/diagnose-mdm-failures2.png)
+    ![field medic screenshot 2](images/diagnose-mdm-failures2.png)
 3.  Click on **Choose with ETW provider to use**.
-    ![field medic screenshot](images/diagnose-mdm-failures3.png)
+    ![field medic screenshot 3](images/diagnose-mdm-failures3.png)
 4.  Check **Enterprise** and un-check the rest.
-    ![field medic screenshot](images/diagnose-mdm-failures4.png)
+    ![field medic screenshot 4](images/diagnose-mdm-failures4.png)
 5.  In the app, click on **Start Logging** and then perform the operation that you want to troubleshoot.
-    ![field medic screenshot](images/diagnose-mdm-failures2.png)
+    ![field medic screenshot 5](images/diagnose-mdm-failures2.png)
 6.  When the operation is done, click on **Stop Logging**.
-    ![field medic screenshot](images/diagnose-mdm-failures5.png)
+    ![field medic screenshot 6](images/diagnose-mdm-failures5.png)
 7.  Save the logs. They will be stored in the Field Medic log location on the device.
 8.  You can send the logs via email by attaching the files from **Documents > Field Medic > Reports > ...** folder.
-    ![device documents folder](images/diagnose-mdm-failures6.png)![device folder screenshot](images/diagnose-mdm-failures7.png)![device folder screenshot](images/diagnose-mdm-failures8.png)
+    ![device documents folder](images/diagnose-mdm-failures6.png)![device folder screenshot 7](images/diagnose-mdm-failures7.png)![device folder screenshot 8](images/diagnose-mdm-failures8.png)
 The following table contains a list of common providers and their corresponding GUIDs.
@ -294,21 +294,21 @@ For best results, ensure that the PC or VM on which you are viewing logs matches
 3.  Navigate to the etl file that you got from the device and then open the file.
 4.  Click **Yes** when prompted to save it to the new log format.
-    ![prompt](images/diagnose-mdm-failures10.png)
+    ![event viewer prompt](images/diagnose-mdm-failures10.png)
    ![diagnose mdm failures](images/diagnose-mdm-failures11.png)
 5.  The new view contains traces from the channel. Click on **Filter Current Log** from the **Actions** menu.
-    ![event viewer](images/diagnose-mdm-failures12.png)
+    ![event viewer actions](images/diagnose-mdm-failures12.png)
 6.  Add a filter to Event sources by selecting **DeviceManagement-EnterpriseDiagnostics-Provider** and click **OK**.
-    ![event filter](images/diagnose-mdm-failures13.png)
+    ![event filter for Device Management](images/diagnose-mdm-failures13.png)
 7.  Now you are ready to start reviewing the logs.
-    ![event viewer](images/diagnose-mdm-failures14.png)
+    ![event viewer review logs](images/diagnose-mdm-failures14.png)
 ## Collect device state data
@ -336,9 +336,3 @@ Here's an example of how to collect current MDM device state data using the [Dia
 ```
--- a/windows/client-management/mdm/policy-csp-browser.md
+++ b/windows/client-management/mdm/policy-csp-browser.md
@ -177,6 +177,10 @@ ms.localizationpriority: medium
  <dd>
    <a href="#browser-showmessagewhenopeningsitesininternetexplorer">Browser/ShowMessageWhenOpeningSitesInInternetExplorer</a>
  </dd>
  <dd>
    <a href="#browser-suppressedgedeprecationnotification">Browser/SuppressEdgeDeprecationNotification</a>
  </dd>
  <dd>
    <a href="#browser-syncfavoritesbetweenieandmicrosoftedge">Browser/SyncFavoritesBetweenIEAndMicrosoftEdge</a>
  </dd>
@ -4069,6 +4073,74 @@ Most restricted value: 0
 <hr/>
 <!--Policy-->
 <a href="" id="browser-suppressedgedeprecationnotification"></a>**Browser/SuppressEdgeDeprecationNotification**  
 <!--SupportedSKUs-->
 <table>
 <tr>
    <th>Windows Edition</th>
    <th>Supported?</th>
 </tr>
 <tr>
    <td>Home</td>
    <td><img src="images/crossmark.png" alt="cross mark" /></td>
 </tr>
 <tr>
    <td>Pro</td>
    <td><img src="images/checkmark.png" alt="check mark" /></td>
 </tr>
 <tr>
    <td>Business</td>
    <td><img src="images/checkmark.png" alt="check mark" /></td>
 </tr>
 <tr>
    <td>Enterprise</td>
    <td><img src="images/checkmark.png" alt="check mark" /></td>
 </tr>
 <tr>
    <td>Education</td>
    <td><img src="images/checkmark.png" alt="check mark" /></td>
 </tr>
 </table>
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * User
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 This policy allows Enterprise Admins to turn off the notification for company devices that the Edge Legacy browser is no longer supported after 3/9/2021 to avoid confusion for their enterprise users and reduce help desk calls. 
 By default, a notification will be presented to the user informing them of this upon application startup.
 With this policy, you can either allow (default) or suppress this notification.
 > [!NOTE]
 > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile.
 <!--/Description-->
 <!--ADMXMapped-->
 ADMX Info:  
 -   GP English name: *Suppress Edge Deprecation Notification*
 -   GP name: *SuppressEdgeDeprecationNotification*
 -   GP path: *Windows Components/Microsoft Edge*
 -   GP ADMX file name: *MicrosoftEdge.admx*
 <!--/ADMXMapped-->
 <!--SupportedValues-->
 Supported values:
 -   0 (default) – Allowed. Notification will be shown at application startup.
 -   1 – Prevented/not allowed.
 <hr/>
 <!--Policy-->
 <a href="" id="browser-syncfavoritesbetweenieandmicrosoftedge"></a>**Browser/SyncFavoritesBetweenIEAndMicrosoftEdge**  
--- a/windows/configuration/set-up-shared-or-guest-pc.md
+++ b/windows/configuration/set-up-shared-or-guest-pc.md
@ -85,21 +85,30 @@ You can configure Windows to be in shared PC mode in a couple different ways:
 - Mobile device management (MDM): Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/sharedpc-csp). To setup a shared device policy for Windows 10 in Intune, complete the following steps:
-  1. Go to the [Microsoft Endpoint Manager portal](https://endpoint.microsoft.com/#home).
+  1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
  2. Select **Devices** from the navigation. 
  3. Under **Policy**, select **Configuration profiles**.
  4. Select **Create profile**.
  5. From the **Platform** menu, select **Windows 10 and later**.
  6. From the **Profile** menu, select **Shared multi-user device**.
-     ![custom OMA-URI policy in Intune](images/shared_pc_1.jpg) 
+  2. Select **Devices** > **Windows** > **Configuration profiles** > **Create profile**.
-  7. Select **Create**.
+  3. Enter the following properties:
  8. Enter a name for the policy (e.g. My Win10 Shared devices policy). You can optionally add a description should you wish to do so.
  9. Select **Next**.
  10. On the **Configuration settings** page, set the ‘Shared PC Mode’ value to **Enabled**.
-     ![Shared PC settings in ICD](images/shared_pc_3.png) 
+     - **Platform**: Select **Windows 10 and later**.
     - **Profile**: Select **Templates** > **Shared multi-user device**.
  4. Select **Create**.
  5. In **Basics**, enter the following properties:
     - **Name**: Enter a descriptive name for the new profile.
     - **Description**: Enter a description for the profile. This setting is optional, but recommended.
  6. Select **Next**.
  7. In **Configuration settings**, depending on the platform you chose, the settings you can configure are different. Choose your platform for detailed settings:
  8. On the **Configuration settings** page, set the ‘Shared PC Mode’ value to **Enabled**.
     > [!div class="mx-imgBorder"]
     > ![Shared PC mode in the Configuration settings page](images/shared_pc_3.png) 
  11. From this point on, you can configure any additional settings you’d like to be part of this policy, and then follow the rest of the set-up flow to its completion by selecting **Create** after **Step 6**.
@ -109,26 +118,26 @@ You can configure Windows to be in shared PC mode in a couple different ways:
 - WMI bridge: Environments that use Group Policy can use the [MDM Bridge WMI Provider](https://msdn.microsoft.com/library/windows/desktop/dn905224.aspx) to configure the [MDM_SharedPC class](https://msdn.microsoft.com/library/windows/desktop/mt779129.aspx). For all device settings, the WMI Bridge client must be executed under local system user; for more information, see [Using PowerShell scripting with the WMI Bridge Provider](https://docs.microsoft.com/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider). For example, open PowerShell as an administrator and enter the following:
-```
+  ```powershell
-$sharedPC = Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName "MDM_SharedPC"
+  $sharedPC = Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName "MDM_SharedPC"
-$sharedPC.EnableSharedPCMode = $True
+  $sharedPC.EnableSharedPCMode = $True
-$sharedPC.SetEduPolicies = $True
+  $sharedPC.SetEduPolicies = $True
-$sharedPC.SetPowerPolicies = $True
+  $sharedPC.SetPowerPolicies = $True
-$sharedPC.MaintenanceStartTime = 0
+  $sharedPC.MaintenanceStartTime = 0
-$sharedPC.SignInOnResume = $True
+  $sharedPC.SignInOnResume = $True
-$sharedPC.SleepTimeout = 0
+  $sharedPC.SleepTimeout = 0
-$sharedPC.EnableAccountManager = $True
+  $sharedPC.EnableAccountManager = $True
-$sharedPC.AccountModel = 2
+  $sharedPC.AccountModel = 2
-$sharedPC.DeletionPolicy = 1
+  $sharedPC.DeletionPolicy = 1
-$sharedPC.DiskLevelDeletion = 25
+  $sharedPC.DiskLevelDeletion = 25
-$sharedPC.DiskLevelCaching = 50
+  $sharedPC.DiskLevelCaching = 50
-$sharedPC.RestrictLocalStorage = $False
+  $sharedPC.RestrictLocalStorage = $False
-$sharedPC.KioskModeAUMID = ""
+  $sharedPC.KioskModeAUMID = ""
-$sharedPC.KioskModeUserTileDisplayText = ""
+  $sharedPC.KioskModeUserTileDisplayText = ""
-$sharedPC.InactiveThreshold = 0
+  $sharedPC.InactiveThreshold = 0
-Set-CimInstance -CimInstance $sharedPC
+  Set-CimInstance -CimInstance $sharedPC
-Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName MDM_SharedPC
+  Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName MDM_SharedPC
-```
+  ```
 ### Create a provisioning package for shared use
@ -205,19 +214,24 @@ On a desktop computer, navigate to **Settings** &gt; **Accounts** &gt; **Work ac
 ## Guidance for accounts on shared PCs
 * We recommend no local admin accounts on the PC to improve the reliability and security of the PC.
 * When a PC is set up in shared PC mode with the default deletion policy, accounts will be cached automatically until disk space is low. Then, accounts will be deleted to reclaim disk space. This account management happens automatically. Both Azure AD and Active Directory domain accounts are managed in this way. Any accounts created through **Guest** and **Kiosk** will be deleted automatically at sign out.
 * On a Windows PC joined to Azure Active Directory:
    * By default, the account that joined the PC to Azure AD will have an admin account on that PC. Global administrators for the Azure AD domain will also have admin accounts on the PC.
    * With Azure AD Premium, you can specify which accounts have admin accounts on a PC using the **Additional administrators on Azure AD Joined devices** setting on the Azure portal.
 * Local accounts that already exist on a PC won’t be deleted when turning on shared PC mode. New local accounts that are created using **Settings > Accounts > Other people > Add someone else to this PC** after shared PC mode is turned on won't be deleted. However, any new local accounts created by the **Guest** and **Kiosk** options on the sign-in screen (if enabled) will automatically be deleted at sign-out.
 * If admin accounts are necessary on the PC
    * Ensure the PC is joined to a domain that enables accounts to be signed on as admin, or
    * Create admin accounts before setting up shared PC mode, or 
    * Create exempt accounts before signing out when turning shared pc mode on.
 * The account management service supports accounts that are exempt from deletion.
-    * An account can be marked exempt from deletion by adding the account SID to the `HKEY_LOCAL_MACHINE\SOFTARE\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\` registry key.
+    * An account can be marked exempt from deletion by adding the account SID to the registry key: `HKEY_LOCAL_MACHINE\SOFTARE\Microsoft\Windows\CurrentVersion\SharedPC\Exemptions\`.
-    * To add the account SID to the registry key using PowerShell:<br/>
+    * To add the account SID to the registry key using PowerShell:
-        ```
+
        ```powershell
        $adminName = "LocalAdmin"
        $adminPass = 'Pa$$word123'
        iex "net user /add $adminName $adminPass"
@ -228,8 +242,6 @@ On a desktop computer, navigate to **Settings** &gt; **Accounts** &gt; **Work ac
        ``` 
 ## Policies set by shared PC mode
 Shared PC mode sets local group policies to configure the device. Some of these are configurable using the shared pc mode options.
--- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
@ -45,8 +45,9 @@ These steps will show you how to configure an Active Directory account with the
 On **DC01**:
-1. Download the [Set-OUPermissions.ps1 script](https://go.microsoft.com/fwlink/p/?LinkId=619362) and copy it to the **C:\\Setup\\Scripts** directory on DC01.  This script configures permissions to allow the MDT_JD account to manage computer accounts in the contoso > Computers organizational unit.
+1. Download the [Set-OUPermissions.ps1 script](https://go.microsoft.com/fwlink/p/?LinkId=619362) and copy it to the **C:\\Setup\\Scripts** directory on **DC01**.  This script configures permissions to allow the **MDT_JD** account to manage computer accounts in the contoso > Computers organizational unit.
-2. Create the MDT_JD service account by running the following command from an elevated Windows PowerShell prompt:
+
 2. Create the **MDT_JD** service account by running the following command from an elevated **Windows PowerShell prompt**:
   ```powershell
   New-ADUser -Name MDT_JD -UserPrincipalName MDT_JD -path "OU=Service Accounts,OU=Accounts,OU=Contoso,DC=CONTOSO,DC=COM" -Description "MDT join domain account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -PasswordNeverExpires $true -Enabled $true 
@ -60,19 +61,20 @@ On **DC01**:
   .\Set-OUPermissions.ps1 -Account MDT_JD -TargetOU "OU=Workstations,OU=Computers,OU=Contoso"
   ```
-The following is a list of the permissions being granted:
+   The following is a list of the permissions being granted:
-    a.  Scope: This object and all descendant objects
+
-    b.  Create Computer objects
+   - Scope: This object and all descendant objects
-    c.  Delete Computer objects
+   - Create Computer objects
-    d.  Scope: Descendant Computer objects
+   - Delete Computer objects
-    e.  Read All Properties
+   - Scope: Descendant Computer objects
-    f.  Write All Properties
+   - Read All Properties
-    g.  Read Permissions
+   - Write All Properties
-    h.  Modify Permissions
+   - Read Permissions
-    i.  Change Password
+   - Modify Permissions
-    j.  Reset Password
+   - Change Password
-    k.  Validated write to DNS host name
+   - Reset Password
-    l.  Validated write to service principal name
+   - Validated write to DNS host name
   - Validated write to service principal name
 ## Step 2: Set up the MDT production deployment share
@ -87,8 +89,11 @@ The steps for creating the deployment share for production are the same as when
 1. Ensure you are signed on as: contoso\administrator.
 2. In the Deployment Workbench console, right-click **Deployment Shares** and select **New Deployment Share**.
 3. On the **Path** page, in the **Deployment share path** text box, type **D:\\MDTProduction** and click **Next**.
 4. On the **Share** page, in the **Share name** text box, type **MDTProduction$** and click **Next**.
 5. On the **Descriptive Name** page, in the **Deployment share description** text box, type **MDT Production** and click **Next**.
 6. On the **Options** page, accept the default settings and click **Next** twice, and then click **Finish**.
 7. Using File Explorer, verify that you can access the **\\\\MDT01\\MDTProduction$** share.
@ -116,9 +121,13 @@ In these steps, we assume that you have completed the steps in the [Create a Win
 1.  Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Production**; select the **Operating Systems** node, and create a folder named **Windows 10**.
 2.  Right-click the **Windows 10** folder and select **Import Operating System**.
 3.  On the **OS Type** page, select **Custom image file** and click **Next**.
 4.  On the **Image** page, in the **Source file** text box, browse to **D:\\MDTBuildLab\\Captures\\REFW10X64-001.wim** and click **Next**.
 5.  On the **Setup** page, select the **Copy Windows 7, Windows Server 2008 R2, or later setup files from the specified path** option; in the **Setup source directory** text box, browse to **D:\\MDTBuildLab\\Operating Systems\\W10EX64RTM** and click **Next**.
 6.  On the **Destination** page, in the **Destination directory name** text box, type **W10EX64RTM**, click **Next** twice, and then click **Finish**.
 7.  After adding the operating system, double-click the added operating system name in the **Operating Systems / Windows 10** node and change the name to **Windows 10 Enterprise x64 RTM Custom Image**.
@ -140,16 +149,22 @@ On **MDT01**:
 2. Extract the .exe file that you downloaded to an .msi (ex: .\AcroRdrDC1902120058_en_US.exe -sfx_o"d:\setup\adobe\install\" -sfx_ne).
 3. In the Deployment Workbench, expand the **MDT Production** node and navigate to the **Applications** node.
 4. Right-click the **Applications** node, and create a new folder named **Adobe**.
 5. In the **Applications** node, right-click the **Adobe** folder and select **New Application**.
 6. On the **Application Type** page, select the **Application with source files** option and click **Next**.
 7. On the **Details** page, in the **Application Name** text box, type **Install - Adobe Reader** and click *Next**.
 8. On the **Source** page, in the **Source Directory** text box, browse to **D:\\setup\\adobe\\install** and click **Next**.
 9. On the **Destination** page, in the **Specify the name of the directory that should be created** text box, type **Install - Adobe Reader** and click **Next**.
 10. On the **Command Details** page, in the **Command Line** text box, type **msiexec /i AcroRead.msi /q**, click **Next** twice, and then click **Finish**.
-![acroread image](../images/acroread.png)
+    ![acroread image](../images/acroread.png)
-The Adobe Reader application added to the Deployment Workbench.
+    The Adobe Reader application added to the Deployment Workbench.
 ## Step 5: Prepare the drivers repository
@ -211,16 +226,17 @@ When you import drivers to the MDT driver repository, MDT creates a single insta
 The preceding folder names should match the actual make and model values that MDT reads from devices during deployment. You can find out the model values for your machines by using the following command in Windows PowerShell:
-``` powershell
+```powershell
 Get-WmiObject -Class:Win32_ComputerSystem
 ```
 Or, you can use this command in a normal command prompt:
-``` 
+```console
 wmic csproduct get name
 ```
-If you want a more standardized naming convention, try the ModelAliasExit.vbs script from the Deployment Guys blog post entitled [Using and Extending Model Aliases for Hardware Specific Application Installation](https://go.microsoft.com/fwlink/p/?LinkId=619536).
+If you want a more standardized naming convention, try the **ModelAliasExit.vbs script** from the Deployment Guys blog post, entitled [Using and Extending Model Aliases for Hardware Specific Application Installation](https://go.microsoft.com/fwlink/p/?LinkId=619536).
 ![drivers](../images/fig4-oob-drivers.png)
@ -244,9 +260,9 @@ On **MDT01**:
    2.  Folders: Select the WinPE x64 folder in Out-of-Box Drivers.
    3.  Click **Next**, **Next** and **Finish**.
-![figure 5](../images/fig5-selectprofile.png)
+    ![figure 5](../images/fig5-selectprofile.png)
-Creating the WinPE x64 selection profile.
+    Creating the WinPE x64 selection profile.
 ### Extract and import drivers for the x64 boot image
@ -267,7 +283,8 @@ On **MDT01**:
 For the ThinkStation P500 model, you use the Lenovo ThinkVantage Update Retriever software to download the drivers. With Update Retriever, you need to specify the correct Lenovo Machine Type for the actual hardware (the first four characters of the model name). As an example, the Lenovo ThinkStation P500 model has the 30A6003TUS model name, meaning the Machine Type is 30A6.
-![ThinkStation image](../images/thinkstation.png)
+> [!div class="mx-imgBorder"]
 > ![ThinkStation image](../images/thinkstation.png)
 To get the updates, download the drivers from the Lenovo ThinkVantage Update Retriever using its export function. You can also download the drivers by searching PC Support on the [Lenovo website](https://go.microsoft.com/fwlink/p/?LinkId=619543).
@ -276,9 +293,12 @@ In this example, we assume you have downloaded and extracted the drivers using T
 On **MDT01**:
 1. In the Deployment Workbench, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Lenovo** node.
 2.  Right-click the **30A6003TUS** folder and select **Import Drivers** and use the following Driver source directory to import drivers: **D:\\Drivers\\Windows 10 x64\\Lenovo\\ThinkStation P500 (30A6003TUS)**
-The folder you select and all sub-folders will be checked for drivers, expanding any .cab files that are present and searching for drivers.
+2.  Right-click the **30A6003TUS** folder and select **Import Drivers** and use the following Driver source directory to import drivers: 
    **D:\\Drivers\\Windows 10 x64\\Lenovo\\ThinkStation P500 (30A6003TUS)**
    The folder you select and all sub-folders will be checked for drivers, expanding any .cab files that are present and searching for drivers.
 ### For the Latitude E7450
@ -289,7 +309,10 @@ In these steps, we assume you have downloaded and extracted the CAB file for the
 On **MDT01**:
 1. In the **Deployment Workbench**, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Dell Inc** node.
-2.  Right-click the **Latitude E7450** folder and select **Import Drivers** and use the following Driver source directory to import drivers: **D:\\Drivers\\Windows 10 x64\\Dell Inc\\Latitude E7450**
+
 2.  Right-click the **Latitude E7450** folder and select **Import Drivers** and use the following Driver source directory to import drivers: 
    **D:\\Drivers\\Windows 10 x64\\Dell Inc\\Latitude E7450**
 ### For the HP EliteBook 8560w
@ -300,7 +323,10 @@ In these steps, we assume you have downloaded and extracted the drivers for the
 On **MDT01**:
 1.  In the **Deployment Workbench**, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Hewlett-Packard** node.
-2.  Right-click the **HP EliteBook 8560w** folder and select **Import Drivers** and use the following Driver source directory to import drivers: **D:\\Drivers\\Windows 10 x64\\Hewlett-Packard\\HP EliteBook 8560w**
+
 2.  Right-click the **HP EliteBook 8560w** folder and select **Import Drivers** and use the following Driver source directory to import drivers: 
    **D:\\Drivers\\Windows 10 x64\\Hewlett-Packard\\HP EliteBook 8560w**
 ### For the Microsoft Surface Laptop
@ -309,7 +335,10 @@ For the Microsoft Surface Laptop model, you find the drivers on the Microsoft we
 On **MDT01**:
 1.  In the Deployment Workbench, in the **MDT Production** > **Out-Of-Box Drivers** > **Windows 10 x64** node, expand the **Microsoft** node.
-2.  Right-click the **Surface Laptop** folder and select **Import Drivers**; and use the following Driver source directory to import drivers: **D:\\Drivers\\Windows 10 x64\\Microsoft\\Surface Laptop**
+
 2.  Right-click the **Surface Laptop** folder and select **Import Drivers**; and use the following Driver source directory to import drivers: 
    **D:\\Drivers\\Windows 10 x64\\Microsoft\\Surface Laptop**
 ## Step 6: Create the deployment task sequence
@ -320,40 +349,46 @@ This section will show you how to create the task sequence used to deploy your p
 On **MDT01**:
 1. In the Deployment Workbench, under the **MDT Production** node, right-click **Task Sequences**, and create a folder named **Windows 10**.
 2. Right-click the new **Windows 10** folder and select **New Task Sequence**. Use the following settings for the New Task Sequence Wizard:
-   1. Task sequence ID: W10-X64-001
+   - Task sequence ID: W10-X64-001
-   2. Task sequence name: Windows 10 Enterprise x64 RTM Custom Image
+   - Task sequence name: Windows 10 Enterprise x64 RTM Custom Image
-   3. Task sequence comments: Production Image
+   - Task sequence comments: Production Image
-   4. Template: Standard Client Task Sequence
+   - Template: Standard Client Task Sequence
-   5. Select OS: Windows 10 Enterprise x64 RTM Custom Image
+   - Select OS: Windows 10 Enterprise x64 RTM Custom Image
-   6. Specify Product Key: Do not specify a product key at this time
+   - Specify Product Key: Do not specify a product key at this time
-   7. Full Name: Contoso
+   - Full Name: Contoso
-   8. Organization: Contoso
+   - Organization: Contoso
-   9. Internet Explorer home page: https://www.contoso.com
+   - Internet Explorer home page: https://www.contoso.com
-   10. Admin Password: Do not specify an Administrator Password at this time
+   - Admin Password: Do not specify an Administrator Password at this time
 ### Edit the Windows 10 task sequence
 1. Continuing from the previous procedure, right-click the **Windows 10 Enterprise x64 RTM Custom Image** task sequence, and select **Properties**.
 2. On the **Task Sequence** tab, configure the **Windows 10 Enterprise x64 RTM Custom Image** task sequence with the following settings:
   1.  Preinstall: After the **Enable BitLocker (Offline)** action, add a **Set Task Sequence Variable** action with the following settings:
       1.  Name: Set DriverGroup001
       2.  Task Sequence Variable: DriverGroup001
       3.  Value: Windows 10 x64\\%Make%\\%Model%
   2.  Configure the **Inject Drivers** action with the following settings:
       1.  Choose a selection profile: Nothing
       2.  Install all drivers from the selection profile
-           >[!NOTE]
+2. On the **Task Sequence** tab, configure the **Windows 10 Enterprise x64 RTM Custom Image** task sequence with the following settings:
-           >The configuration above indicates that MDT should only use drivers from the folder specified by the DriverGroup001 property, which is defined by the "Choose a selection profile: Nothing" setting, and that MDT should not use plug and play to determine which drivers to copy, which is defined by the "Install all drivers from the selection profile" setting.
+
   1.  Preinstall: After the **Enable BitLocker (Offline)** action, add a **Set Task Sequence Variable** action with the following settings:
       - Name: Set DriverGroup001
       - Task Sequence Variable: DriverGroup001
       - Value: Windows 10 x64\\%Make%\\%Model%
   2.  Configure the **Inject Drivers** action with the following settings:
       - Choose a selection profile: Nothing
       - Install all drivers from the selection profile
       > [!NOTE]
       > The configuration above indicates that MDT should only use drivers from the folder specified by the DriverGroup001 property, which is defined by the "Choose a selection profile: Nothing" setting, and that MDT should not use plug and play to determine which drivers to copy, which is defined by the "Install all drivers from the selection profile" setting.
   3.  State Restore. Enable the **Windows Update (Pre-Application Installation)** action.
   4.  State Restore. Enable the **Windows Update (Post-Application Installation)** action.
 3. Click **OK**.
-![drivergroup](../images/fig6-taskseq.png)
+   ![drivergroup](../images/fig6-taskseq.png)
-The task sequence for production deployment.
+   The task sequence for production deployment.
 ## Step 7: Configure the MDT production deployment share
@ -408,56 +443,65 @@ On **MDT01**:
 3. Click **Edit Bootstrap.ini** and modify using the following information:
-``` 
+   ``` 
-[Settings]
+   [Settings]
-Priority=Default
+   Priority=Default
-[Default]
+   [Default]
-DeployRoot=\\MDT01\MDTProduction$
+   DeployRoot=\\MDT01\MDTProduction$
-UserDomain=CONTOSO
+   UserDomain=CONTOSO
-UserID=MDT_BA
+   UserID=MDT_BA
-UserPassword=pass@word1
+   UserPassword=pass@word1
-SkipBDDWelcome=YES
+   SkipBDDWelcome=YES
-```
+   ```
 4. On the **Windows PE** tab, in the **Platform** drop-down list, make sure **x86** is selected.
 5. On the **General** sub tab (still under the main Windows PE tab), configure the following settings:
-   - In the **Lite Touch Boot Image Settings** area:
+
-     1.  Image description: MDT Production x86
+   In the **Lite Touch Boot Image Settings** area:
-     2.  ISO file name: MDT Production x86.iso
+
   - Image description: MDT Production x86
   - ISO file name: MDT Production x86.iso
   > [!NOTE]
   > 
-     >Because you are going to use Pre-Boot Execution Environment (PXE) later to deploy the machines, you do not need the ISO file; however, we recommend creating ISO files because they are useful when troubleshooting deployments and for quick tests.
+   > Because you are going to use Pre-Boot Execution Environment (PXE) later to deploy the machines, you do not need the ISO file; however, we recommend creating ISO files because they are useful when troubleshooting deployments and for quick tests.
 6. On the **Drivers and Patches** sub tab, select the **WinPE x86** selection profile and select the **Include all drivers from the selection profile** option.
 7. On the **Windows PE** tab, in the **Platform** drop-down list, select **x64**.
 8. On the **General** sub tab, configure the following settings:
-   -   In the **Lite Touch Boot Image Settings** area:
+
-       1.  Image description: MDT Production x64
+   In the **Lite Touch Boot Image Settings** area:
-       2.  ISO file name: MDT Production x64.iso
+
   - Image description: MDT Production x64
   - ISO file name: MDT Production x64.iso
 9. In the **Drivers and Patches** sub tab, select the **WinPE x64** selection profile and select the **Include all drivers from the selection profile** option.
 10. In the **Monitoring** tab, select the **Enable monitoring for this deployment share** check box.
 11. Click **OK**.
->[!NOTE]
+    >[!NOTE]
->It will take a while for the Deployment Workbench to create the monitoring database and web service.
+    >It will take a while for the Deployment Workbench to create the monitoring database and web service.
    ![figure 8](../images/mdt-07-fig08.png)
-![figure 8](../images/mdt-07-fig08.png)
+    The Windows PE tab for the x64 boot image.
 The Windows PE tab for the x64 boot image.
 ### The rules explained
 The rules for the MDT Production deployment share are somewhat different from those for the MDT Build Lab deployment share. The biggest differences are that you deploy the machines into a domain instead of a workgroup.
->
+You can optionally remove the **UserID** and **UserPassword** entries from Bootstrap.ini so that users performing PXE boot are prompted to provide credentials with permission to connect to the deployment share. Setting **SkipBDDWelcome=NO** enables the welcome screen that displays options to run the deployment wizard, run DaRT tools (if installed), exit to a Windows PE command prompt, set the keyboard layout, or configure a static IP address.  In this example we are skipping the welcome screen and providing credentials.
 >You can optionally remove the **UserID** and **UserPassword** entries from Bootstrap.ini so that users performing PXE boot are prompted to provide credentials with permission to connect to the deployment share. Setting **SkipBDDWelcome=NO** enables the welcome screen that displays options to run the deployment wizard, run DaRT tools (if installed), exit to a Windows PE command prompt, set the keyboard layout, or configure a static IP address.  In this example we are skipping the welcome screen and providing credentials.
 ### The Bootstrap.ini file
 This is the MDT Production Bootstrap.ini:
 ``` 
 [Settings]
 Priority=Default
@ -473,6 +517,7 @@ SkipBDDWelcome=YES
 ### The CustomSettings.ini file
 This is the CustomSettings.ini file with the new join domain information:
 ``` 
 [Settings]
 Priority=Default
@ -529,18 +574,26 @@ If your organization has a Microsoft Software Assurance agreement, you also can
 If you have licensing for MDOP and DaRT, you can add DaRT to the boot images using the steps in this section. If you do not have DaRT licensing, or don't want to use it, simply skip to the next section, [Update the Deployment Share](#update-the-deployment-share). To enable the remote connection feature in MDT, you need to do the following:
->DaRT 10 is part of [MDOP 2015](https://docs.microsoft.com/microsoft-desktop-optimization-pack/#how-to-get-mdop). Note: MDOP might be available as a download from your [Visual Studio subscription](https://my.visualstudio.com/Downloads). When searching, be sure to look for **Desktop Optimization Pack**.
+
 > [!NOTE]
 > DaRT 10 is part of [MDOP 2015](https://docs.microsoft.com/microsoft-desktop-optimization-pack/#how-to-get-mdop).
 >
 > MDOP might be available as a download from your [Visual Studio subscription](https://my.visualstudio.com/Downloads). When searching, be sure to look for **Desktop Optimization Pack**.
 On **MDT01**:
 1. Download MDOP 2015 and copy the DaRT 10 installer file to the D:\\Setup\\DaRT 10 folder on MDT01 (DaRT\\DaRT 10\\Installers\\\<lang\>\\x64\\MSDaRT100.msi).
 2. Install DaRT 10 (MSDaRT10.msi) using the default settings.
   ![DaRT image](../images/dart.png)
 2. Copy the two tools CAB files from **C:\\Program Files\\Microsoft DaRT\\v10** (**Toolsx86.cab** and **Toolsx64.cab**) to the production deployment share at **D:\\MDTProduction\\Tools\\x86** and **D:\\MDTProduction\\Tools\\x64**, respectively.
 3. In the Deployment Workbench, right-click the **MDT Production** deployment share and select **Properties**.
 4. On the **Windows PE** tab, in the **Platform** drop-down list, make sure **x86** is selected.
 5. On the **Features** sub tab, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** checkbox.
   ![DaRT selection](../images/mdt-07-fig09.png)
@ -548,13 +601,17 @@ On **MDT01**:
   Selecting the DaRT 10 feature in the deployment share.
 8. In the **Windows PE** tab, in the **Platform** drop-down list, select **x64**.
 9. In the **Features** sub tab, in addition to the default selected feature pack, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** check box.
 10. Click **OK**.
 ### Update the deployment share
 Like the MDT Build Lab deployment share, the MDT Production deployment share needs to be updated after it has been configured. This is the process during which the Windows PE boot images are created.
 1.  Right-click the **MDT Production** deployment share and select **Update Deployment Share**.
 2.  Use the default options for the Update Deployment Share Wizard.
 >[!NOTE]
@ -571,12 +628,14 @@ You need to add the MDT Production Lite Touch x64 Boot image to WDS in preparati
 On **MDT01**:
 1. Open the Windows Deployment Services console, expand the **Servers** node and then expand **MDT01.contoso.com**.
 2. Right-click **Boot Images** and select **Add Boot Image**.
 3. Browse to the **D:\\MDTProduction\\Boot\\LiteTouchPE\_x64.wim** file and add the image with the default settings.
-![figure 9](../images/mdt-07-fig10.png)
+   ![figure 9](../images/mdt-07-fig10.png)
-The boot image added to the WDS console.
+   The boot image added to the WDS console.
 ### Deploy the Windows 10 client
@ -585,13 +644,15 @@ At this point, you should have a solution ready for deploying the Windows 10 cl
 On **HV01**:
 1. Create a virtual machine with the following settings:
-    1. Name: PC0005
+
-    2. Store the virtual machine in a different location: C:\VM
+   - Name: PC0005
-    3. Generation: 2
+   - Store the virtual machine in a different location: C:\VM
-    4. Memory: 2048 MB
+   - Generation: 2
-    5. Network: Must be able to connect to \\MDT01\MDTProduction$
+   - Memory: 2048 MB
-    6. Hard disk: 60 GB (dynamic disk)
+   - Network: Must be able to connect to \\MDT01\MDTProduction$
-    7. Installation Options: Install an operating system from a network-based installation server
+   - Hard disk: 60 GB (dynamic disk)
   - Installation Options: Install an operating system from a network-based installation server
 2.  Start the PC0005 virtual machine, and press **Enter** to start the PXE boot. The VM will now load the Windows PE boot image from the WDS server.
    ![figure 10](../images/mdt-07-fig11.png)
@ -599,15 +660,18 @@ On **HV01**:
    The initial PXE boot process of PC0005.
 3.  After Windows PE has booted, complete the Windows Deployment Wizard using the following setting:
    1.  Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Custom Image
    2.  Computer Name: **PC0005**
    3.  Applications: Select the **Install - Adobe Reader** checkbox.
 4.  Setup now begins and does the following:
    1.  Installs the Windows 10 Enterprise operating system.
    2.  Installs the added application.
    3.  Updates the operating system via your local Windows Server Update Services (WSUS) server.
-![pc0005 image1](../images/pc0005-vm.png)
+    - Select a task sequence to execute on this computer: Windows 10 Enterprise x64 RTM Custom Image
    - Computer Name: **PC0005**
    - Applications: Select the **Install - Adobe Reader** checkbox.
 4.  Setup now begins and does the following:
    - Installs the Windows 10 Enterprise operating system.
    - Installs the added application.
    - Updates the operating system via your local Windows Server Update Services (WSUS) server.
    ![pc0005 image1](../images/pc0005-vm.png)
 ### Application installation
@ -622,12 +686,14 @@ Since you have enabled the monitoring on the MDT Production deployment share, yo
 On **MDT01**:
 1.  In the Deployment Workbench, expand the **MDT Production** deployment share folder.
 2.  Select the **Monitoring** node, and wait until you see PC0005.
 3.  Double-click PC0005, and review the information.
-![figure 11](../images/mdt-07-fig13.png)
+    ![figure 11](../images/mdt-07-fig13.png)
-The Monitoring node, showing the deployment progress of PC0005.
+    The Monitoring node, showing the deployment progress of PC0005.
 ### Use information in the Event Viewer
@ -657,9 +723,9 @@ On **MDT01**:
 3.  Right-click the **MDT Production** deployment share folder and select **Update Deployment Share**.
 4.  After updating the deployment share, use the Windows Deployment Services console to, verify that the multicast namespace was created.
-![figure 13](../images/mdt-07-fig15.png)
+    ![figure 13](../images/mdt-07-fig15.png)
-The newly created multicast namespace.
+    The newly created multicast namespace.
 ## Use offline media to deploy Windows 10
@ -674,15 +740,18 @@ To filter what is being added to the media, you create a selection profile. When
 On **MDT01**:
 1.  In the Deployment Workbench, under the **MDT Production / Advanced Configuration** node, right-click **Selection Profiles**, and select **New Selection Profile**.
 2.  Use the following settings for the New Selection Profile Wizard:
-    1.  General Settings
+
    - General Settings
      -   Selection profile name: Windows 10 Offline Media
-    2.  Folders
+
-        1.  Applications / Adobe
+    - Folders
-        2.  Operating Systems / Windows 10
+      - Applications / Adobe
-        3.  Out-Of-Box Drivers / WinPE x64
+      - Operating Systems / Windows 10
-        4.  Out-Of-Box Drivers / Windows 10 x64
+      - Out-Of-Box Drivers / WinPE x64
-        5.  Task Sequences / Windows 10
+      - Out-Of-Box Drivers / Windows 10 x64
      - Task Sequences / Windows 10
      ![offline media](../images/mdt-offline-media.png)
@ -696,10 +765,11 @@ In these steps, you generate offline media from the MDT Production deployment sh
     >When creating offline media, you need to create the target folder first. It is crucial that you do not create a subfolder inside the deployment share folder because it will break the offline media.
 2.  In the Deployment Workbench, under the **MDT Production / Advanced Configuration** node, right-click the **Media** node, and select **New Media**.
 3.  Use the following settings for the New Media Wizard:
    -   General Settings
-        1.  Media path: **D:\\MDTOfflineMedia**
+        - Media path: **D:\\MDTOfflineMedia**
-        2.  Selection profile: **Windows 10 Offline Media**
+        - Selection profile: **Windows 10 Offline Media**
 ### Configure the offline media
@ -708,16 +778,22 @@ Offline media has its own rules, its own Bootstrap.ini and CustomSettings.ini fi
 On **MDT01**:
 1.  Copy the CustomSettings.ini file from the **D:\MDTProduction\Control** folder to **D:\\MDTOfflineMedia\\Content\\Deploy\\Control**. Overwrite the existing files.
 2.  In the Deployment Workbench, under the **MDT Production / Advanced Configuration / Media** node, right-click the **MEDIA001** media, and select **Properties**.
 3.  In the **General** tab, configure the following:
-    1.  Clear the Generate x86 boot image check box.
+    - Clear the Generate x86 boot image check box.
-    2.  ISO file name: Windows 10 Offline Media.iso
+    - ISO file name: Windows 10 Offline Media.iso
 4.  On the **Windows PE** tab, in the **Platform** drop-down list, select **x64**.
 5.  On the **General** sub tab, configure the following settings:
-    1.  In the **Lite Touch Boot Image Settings** area:
+    - In the **Lite Touch Boot Image Settings** area:
      -  Image description: MDT Production x64
-    2.  In the **Windows PE Customizations** area, set the Scratch space size to 128.
+    - In the **Windows PE Customizations** area, set the Scratch space size to 128.
 6.  On the **Drivers and Patches** sub tab, select the **WinPE x64** selection profile and select the **Include all drivers from the selection profile** option.
 7.  Click **OK**.
 ### Generate the offline media
@ -727,6 +803,7 @@ You have now configured the offline media deployment share, however the share ha
 On **MDT01**:
 1.  In the Deployment Workbench, navigate to the **MDT Production / Advanced Configuration / Media** node.
 2.  Right-click the **MEDIA001** media, and select **Update Media Content**. The Update Media Content process now generates the offline media in the **D:\\MDTOfflineMedia\\Content** folder. The process might require several minutes.
 ### Create a bootable USB stick
@ -734,15 +811,20 @@ On **MDT01**:
 The ISO that you got when updating the offline media item can be burned to a DVD and used directly (it will be bootable), but it is often more efficient to use USB sticks instead since they are faster and can hold more data. (A dual-layer DVD is limited to 8.5 GB.)
 >[!TIP] 
->In this example, the .wim file is 5.5 GB in size. However, bootable USB sticks are formatted with the FAT32 file system which limits file size to 4.0 GB. You can place the image on a different drive (ex: E:\Deploy\Operating Systems\W10EX64RTM\REFW10X64-001.swm) and then modify E:\Deploy\Control\OperatingSystems.xml to point to it. Alternatively to keep using the USB you must split the .wim file, which can be done using DISM: <br>&nbsp;<br>Dism /Split-Image /ImageFile:D:\MDTOfflinemedia\Content\Deploy\Operating Systems\W10EX64RTM\REFW10X64-001.wim /SWMFile:E:\sources\install.swm /FileSize:3800. <br>&nbsp;<br>Windows Setup automatically installs from this file, provided you name it install.swm. The file names for the next files include numbers, for example: install2.swm, install3.swm. <br>&nbsp;<br>To enable split image in MDT, the Settings.xml file in your deployment share (ex: D:\MDTProduction\Control\Settings.xml) must have the **SkipWimSplit** value set to **False**. By default this value is set to True (\<SkipWimSplit\>True\</SkipWimSplit\>), so this must be changed and the offline media content updated.
+>In this example, the .wim file is 5.5 GB in size. However, bootable USB sticks are formatted with the FAT32 file system which limits file size to 4.0 GB. You can place the image on a different drive (ex: E:\Deploy\Operating Systems\W10EX64RTM\REFW10X64-001.swm) and then modify E:\Deploy\Control\OperatingSystems.xml to point to it. Alternatively to keep using the USB you must split the .wim file, which can be done using DISM: <br>&nbsp;<br>Dism /Split-Image /ImageFile:D:\MDTOfflinemedia\Content\Deploy\Operating Systems\W10EX64RTM\REFW10X64-001.wim /SWMFile:E:\sources\install.swm /FileSize:3800. <br>&nbsp;<br>Windows Setup automatically installs from this file, provided you name it install.swm. The file names for the next files include numbers, for example: install2.swm, install3.swm. <br>&nbsp;<br>To enable split image in MDT, the Settings.xml file in your deployment share (ex: D:\MDTProduction\Control\Settings.xml) must have the **SkipWimSplit** value set to **False**. By default this value is set to True (`<SkipWimSplit>True</SkipWimSplit>`), so this must be changed and the offline media content updated.
 Follow these steps to create a bootable USB stick from the offline media content:
 1.  On a physical machine running Windows 7 or later, insert the USB stick you want to use.
 2.  Copy the content of the **MDTOfflineMedia\\Content** folder to the root of the USB stick.
 3.  Start an elevated command prompt (run as Administrator), and start the Diskpart utility by typing **Diskpart** and pressing **Enter**.
 4.  In the Diskpart utility, you can type **list volume** (or the shorter **list vol**) to list the volumes, but you really only need to remember the drive letter of the USB stick to which you copied the content. In our example, the USB stick had the drive letter F.
 5.  In the Diskpart utility, type **select volume F** (replace F with your USB stick drive letter).
 6.  In the Diskpart utility, type **active**, and then type **exit**.
 ## Unified Extensible Firmware Interface (UEFI)-based deployments
--- a/windows/deployment/planning/windows-10-removed-features.md
+++ b/windows/deployment/planning/windows-10-removed-features.md
@ -28,6 +28,7 @@ The following features and functionalities have been removed from the installed
 |Feature    |  Details and mitigation  | Removed in version |
 | ----------- | --------------------- | ------ |
 |Microsoft Edge|The legacy version of Microsoft Edge is no longer supported after March 9th, 2021. For more information, see [End of support reminder for Microsoft Edge Legacy](https://docs.microsoft.com/lifecycle/announcements/edge-legacy-eos-details). | 21H1 |
 |MBAE service metadata|The MBAE app experience is replaced by an MO UWP app. Metadata for the MBAE service is removed. | 20H2 |
 | Connect app | The **Connect** app for wireless projection using Miracast is no longer installed by default, but is available as an optional feature. To install the app, click on **Settings** > **Apps** > **Optional features** > **Add a feature** and then install the **Wireless Display** app. | 2004 |
 | Rinna and Japanese Address suggestion | The Rinna and Japanese Address suggestion service for Microsoft Japanese Input Method Editor (IME) ended on August 13th, 2020. For more information, see [Rinna and Japanese Address suggestion will no longer be offered](https://support.microsoft.com/help/4576767/windows-10-rinna-and-japanese-address-suggestion) | 2004 |
--- a/windows/deployment/update/media-dynamic-update.md
+++ b/windows/deployment/update/media-dynamic-update.md
@ -24,7 +24,7 @@ Volume-licensed media is available for each release of Windows 10 in the Volume
 ## Dynamic Update
-Whenever installation of a feature update starts (whether from media or an environment connected to Windows Update), *Dynamic Update* is one of the first steps. Windows 10 Setup contacts a Microsoft endpoint to fetch Dynamic Update packages, and then applies those updates to your operating system installation media. The update packages includes the following kinds of updates:
+Whenever installation of a feature update starts (whether from media or an environment connected to Windows Update), *Dynamic Update* is one of the first steps. Windows 10 Setup contacts a Microsoft endpoint to fetch Dynamic Update packages, and then applies those updates to your operating system installation media. The update packages include the following kinds of updates:
 - Updates to Setup.exe binaries or other files that Setup uses for feature updates
 - Updates for the "safe operating system" (SafeOS) that is used for the Windows recovery environment
@ -44,9 +44,9 @@ You can obtain Dynamic Update packages from the [Microsoft Update Catalog](https
 The various Dynamic Update packages might not all be present in the results from a single search, so you might have to search with different keywords to find all of the updates. And you'll need to check various parts of the results to be sure you've identified the needed files. This table shows in **bold** the key items to search for or look for in the results. For example, to find the relevant "Setup Dynamic Update," you'll have to check the detailed description for the download by selecting the link in the **Title** column of the search results.
-|To find this Dynamic Update packages, search for or check the results here-->  |Title  |Product  |Description (select the **Title** link to see **Details**)  |
+|To find this Dynamic Update packages, search for or check the results here  |Title  |Product  |Description (select the **Title** link to see **Details**)  |
 |---------|---------|---------|---------|
-|Safe OS Dynamic Update      | 2019-08 Dynamic Update...        | Windows 10 Dynamic Update,Windows **Safe OS Dynamic Update**         | ComponentUpdate:        |
+|Safe OS Dynamic Update      | 2019-08 Dynamic Update...        | Windows 10 Dynamic Update, Windows **Safe OS Dynamic Update**         | ComponentUpdate:        |
 |Setup Dynamic Update     | 2019-08 Dynamic Update...         | Windows 10 Dynamic Update        | **SetupUpdate**        |
 |Latest cumulative update     | 2019-08 **Cumulative Update for Windows 10**    |  Windows 10       |  Install this update to resolve issues in Windows...       |
 |Servicing stack Dynamic Update     | 2019-09 **Servicing Stack Update for Windows 10**        |  Windows 10...       | Install this update to resolve issues in Windows...        |
@ -81,6 +81,9 @@ This table shows the correct sequence for applying the various tasks to the file
 |Add .NET and .NET cumulative updates     |         |        | 24        |
 |Export image     | 8        |  17       | 25        |
 > [!NOTE]
 > Starting in February 2021, the latest cumulative update and servicing stack update will be combined and distributed in the Microsoft Update Catalog as a new combined cumulative update. For Steps 1, 9, and 18 that require the servicing stack update for updating the installation media, you should use the combined cumulative update. For more information on the combined cumulative update, see [Servicing stack updates](https://docs.microsoft.com/windows/deployment/update/servicing-stack-updates).
 ### Multiple Windows editions
 The main operating system file (install.wim) contains multiple editions of Windows 10. It’s possible that only an update for a given edition is required to deploy it, based on the index. Or, it might be that all editions need an update. Further, ensure that languages are installed before Features on Demand, and the latest cumulative update is always applied last.
--- a/windows/deployment/update/servicing-stack-updates.md
+++ b/windows/deployment/update/servicing-stack-updates.md
@ -29,8 +29,6 @@ Servicing stack updates provide fixes to the servicing stack, the component that
 Servicing stack updates improve the reliability of the update process to mitigate potential issues while installing the latest quality updates and feature updates. If you don't install the latest servicing stack update, there's a risk that your device can't be updated with the latest Microsoft security fixes.
 For information about some changes to servicing stack updates, see [Simplifing Deployment of Servicing Stack Updates](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/simplifying-on-premises-deployment-of-servicing-stack-updates/ba-p/1646039) on the Windows IT Pro blog.
 ## When are they released?
 Servicing stack update are released depending on new issues or vulnerabilities. In rare occasions a servicing stack update may need to be released on demand to address an issue impacting systems installing the monthly security update. Starting in November 2018 new servicing stack updates will be classified as "Security" with a severity rating of "Critical."
@ -44,7 +42,6 @@ Both Windows 10 and Windows Server use the cumulative update mechanism, in which
 Servicing stack updates must ship separately from the cumulative updates because they modify the component that installs Windows updates. The servicing stack is released separately because the servicing stack itself requires an update. For example, the cumulative update [KB4284880](https://support.microsoft.com/help/4284880/windows-10-update-kb4284880) requires the [May 17, 2018 servicing stack update](https://support.microsoft.com/help/4132216), which includes updates to Windows Update.
 ## Is there any special guidance?
 Microsoft recommends you install the latest servicing stack updates for your operating system before installing the latest cumulative update.
@ -58,3 +55,7 @@ Typically, the improvements are reliability and performance improvements that do
 * Servicing stack update releases are specific to the operating system version (build number), much like quality updates.
 * Search to install latest available [Servicing stack update for Windows 10](https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV990001).
 * Once a servicing stack update is installed, it cannot be removed or uninstalled from the machine.
 ## Simplifying on-premises deployment of servicing stack updates
 With the Windows Update experience, servicing stack updates and cumulative updates are deployed together to the device. The update stack automatically orchestrates the installation, so both are applied correctly. Starting in February 2021, the cumulative update will include the latest servicing stack updates, to provide a single cumulative update payload to both Windows Server Update Services (WSUS) and Microsoft Catalog. If you use an endpoint management tool backed by WSUS, such as Configuration Manager, you will only have to select and deploy the monthly cumulative update. The latest servicing stack updates will automatically be applied correctly. Release notes and file information for cumulative updates, including those related to the servicing stack, will be in a single KB article. The combined monthly cumulative update will be available on Windows 10, version 2004 and later starting with the 2021 2C release, KB4601382.
--- a/windows/deployment/update/windows-as-a-service.md
+++ b/windows/deployment/update/windows-as-a-service.md
@ -6,6 +6,7 @@ ms.manager: laurawi
 audience: itpro
 itproauthor: jaimeo
 author: jaimeo
 ms.author: jaimeo
 description: Discover the latest news articles, videos, and podcasts about Windows as a service. Find resources for using Windows as a service within your organization. 
 ms.audience: itpro
 ms.reviewer: 
@ -46,7 +47,7 @@ The latest news:
 ## IT pro champs corner
 Written by IT pros for IT pros, sharing real world examples and scenarios for Windows 10 deployment and servicing.
-<img src="images/champs-2.png" alt="" width="640" height="320">
+<img src="images/champs-2.png" alt="Champs" width="640" height="320">
 <a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Tactical-considerations-for-creating-Windows-deployment-rings/ba-p/746979">**NEW** Tactical considerations for creating Windows deployment rings</a>
@ -67,7 +68,7 @@ Written by IT pros for IT pros, sharing real world examples and scenarios for Wi
 Learn more about Windows as a service and its value to your organization.
-<img src="images/discover-land.png">
+<img src="images/discover-land.png" alt="Discover">
 <a href="waas-overview.md">Overview of Windows as a service</a>
@ -82,7 +83,7 @@ Learn more about Windows as a service and its value to your organization.
 Prepare to implement Windows as a service effectively using the right tools, products, and strategies.
-<img src="images/plan-land.png" alt="" />
+<img src="images/plan-land.png" alt="Plan" />
 <a href="https://www.microsoft.com/windowsforbusiness/simplified-updates">Simplified updates</a>
@ -98,7 +99,7 @@ Prepare to implement Windows as a service effectively using the right tools, pro
 Secure your organization's deployment investment.
-<img src="images/deploy-land.png" alt="" />
+<img src="images/deploy-land.png" alt="Deploy" />
 <a href="index.md">Update Windows 10 in the enterprise</a>
@ -112,6 +113,6 @@ Secure your organization's deployment investment.
 ## Microsoft Ignite 2018
-<img src="images/ignite-land.jpg" alt="" width="640" height="320"/>
+<img src="images/ignite-land.jpg" alt="Ignite" width="640" height="320"/>
 Looking to learn more? These informative session replays from Microsoft Ignite 2018 (complete with downloadable slide decks) can provide some great insights on Windows as a service. See [MyIgnite - Session catalog](https://myignite.techcommunity.microsoft.com/sessions).
--- a/windows/deployment/update/windows-update-resources.md
+++ b/windows/deployment/update/windows-update-resources.md
@ -6,7 +6,6 @@ ms.mktglfcycl:
 audience: itpro
 ms.localizationpriority: medium
 ms.audience: itpro
 ms.date: 09/18/2018
 ms.reviewer:
 manager: laurawi
 ms.topic: article
@ -16,7 +15,15 @@ author: jaimeo
 # Windows Update - additional resources
-> Applies to: Windows 10
+**Applies to**:
 - Windows 10
 - Windows Server 2016
 - Windows Server 2019
 > [!NOTE]
 > Windows Server 2016 supports policies available in Windows 10, version 1607. Windows Server 2019 supports policies available in Windows 10, version 1809.
 The following resources provide additional information about using Windows Update.
--- a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
+++ b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
@ -29,6 +29,9 @@ ms.topic: article
 >- Windows Server 2012
 >- Windows Server 2016
 >- Windows Server 2019
 >- Office 2013*
 >- Office 2016*
 >- Office 2019*
 **Looking for retail activation?**
@ -46,10 +49,13 @@ The process proceeds as follows:
 1. Perform one of the following tasks:
   - Install the Volume Activation Services server role on a domain controller and add a KMS host key by using the Volume Activation Tools Wizard.
   - Extend the domain to the Windows Server 2012 R2 or higher schema level, and add a KMS host key by using the VAMT.
 1. Microsoft verifies the KMS host key, and an activation object is created.
 1. Client computers are activated by receiving the activation object from a domain controller during startup.
-    ![Active Directory-based activation flow](../images/volumeactivationforwindows81-10.jpg)
+2. Microsoft verifies the KMS host key, and an activation object is created.
 3. Client computers are activated by receiving the activation object from a domain controller during startup.
    > [!div class="mx-imgBorder"]
    > ![Active Directory-based activation flow](../images/volumeactivationforwindows81-10.jpg)
    **Figure 10**. The Active Directory-based activation flow
@ -69,52 +75,67 @@ When a reactivation event occurs, the client queries AD DS for the activation o
 **To configure Active Directory-based activation on Windows Server 2012 R2 or higher, complete the following steps:**
 1. Use an account with Domain Administrator and Enterprise Administrator credentials to sign in to a domain controller.
-1. Launch Server Manager.
+
-1. Add the Volume Activation Services role, as shown in Figure 11.
+2. Launch Server Manager.
 3. Add the Volume Activation Services role, as shown in Figure 11.
    ![Adding the Volume Activation Services role](../images/volumeactivationforwindows81-11.jpg)
    **Figure 11**. Adding the Volume Activation Services role
-1. Click the link to launch the Volume Activation Tools (Figure 12).
+4. Click the link to launch the Volume Activation Tools (Figure 12).
    ![Launching the Volume Activation Tools](../images/volumeactivationforwindows81-12.jpg)
    **Figure 12**. Launching the Volume Activation Tools
-1. Select the **Active Directory-Based Activation** option (Figure 13).
+5. Select the **Active Directory-Based Activation** option (Figure 13).
    ![Selecting Active Directory-Based Activation](../images/volumeactivationforwindows81-13.jpg)
    **Figure 13**. Selecting Active Directory-Based Activation
-1. Enter your KMS host key and (optionally) a display name (Figure 14).
+6. Enter your KMS host key and (optionally) a display name (Figure 14).
    ![Choosing how to activate your product](../images/volumeactivationforwindows81-15.jpg)
    **Figure 14**. Entering your KMS host key
-1. Activate your KMS host key by phone or online (Figure 15).
+7. Activate your KMS host key by phone or online (Figure 15).
    ![Entering your KMS host key](../images/volumeactivationforwindows81-14.jpg)
    **Figure 15**. Choosing how to activate your product
-1. After activating the key, click **Commit**, and then click **Close**.
+    > [!NOTE]
    > To activate a KMS Host Key (CSVLK) for Microsoft Office, you need to install the version-specific Office Volume License Pack on the server where the Volume Activation Server Role is installed.
    > 
    > 
    > - [Office 2013 VL pack](https://www.microsoft.com/download/details.aspx?id=35584)
    > 
    > - [Office 2016 VL pack](https://www.microsoft.com/download/details.aspx?id=49164)
    >
    > - [Office 2019 VL pack](https://www.microsoft.com/download/details.aspx?id=57342)
 8. After activating the key, click **Commit**, and then click **Close**.
 ## Verifying the configuration of Active Directory-based activation
 To verify your Active Directory-based activation configuration, complete the following steps:
 1. After you configure Active Directory-based activation, start a computer that is running an edition of Windows that is configured by volume licensing.
-1. If the computer has been previously configured with a MAK key, replace the MAK key with the GVLK by running the **slmgr.vbs /ipk** command and specifying the GLVK as the new product key.
+2. If the computer has been previously configured with a MAK key, replace the MAK key with the GVLK by running the **slmgr.vbs /ipk** command and specifying the GLVK as the new product key.
-1. If the computer is not joined to your domain, join it to the domain.
+3. If the computer is not joined to your domain, join it to the domain.
-1. Sign in to the computer.
+4. Sign in to the computer.
-1. Open Windows Explorer, right-click **Computer**, and then click **Properties**.
+5. Open Windows Explorer, right-click **Computer**, and then click **Properties**.
-1. Scroll down to the **Windows activation** section, and verify that this client has been activated.
+6. Scroll down to the **Windows activation** section, and verify that this client has been activated.
    > [!NOTE]
    > If you are using both KMS and Active Directory-based activation, it may be difficult to see whether a client has been activated by KMS or by Active Directory-based activation. Consider disabling KMS during the test, or make sure that you are using a client computer that has not already been activated by KMS. The **slmgr.vbs /dlv** command also indicates whether KMS has been used.
    > 
    > To manage individual activations or apply multiple (mass) activations, please consider using the [VAMT](https://docs.microsoft.com/windows/deployment/volume-activation/volume-activation-management-tool).
 ## See also
--- a/windows/deployment/windows-10-subscription-activation.md
+++ b/windows/deployment/windows-10-subscription-activation.md
@ -21,7 +21,7 @@ ms.topic: article
 Starting with Windows 10, version 1703 Windows 10 Pro supports the Subscription Activation feature, enabling users to “step-up” from Windows 10 Pro to **Windows 10 Enterprise** automatically if they are subscribed to Windows 10 Enterprise E3 or E5.
-With Windows 10, version 1903 the Subscription Activation feature also supports the ability to step-up from Windows 10 Pro Education to the Enterprise grade edition for educational institutions – **Windows 10 Education**.
+With Windows 10, version 1903 the Subscription Activation feature also supports the ability to step-up from Windows 10 Pro Education to the Enterprise grade edition for educational institutions—**Windows 10 Education**.
 The Subscription Activation feature eliminates the need to manually deploy Windows 10 Enterprise or Education images on each target device, then later standing up on-prem key management services such as KMS or MAK based activation, entering GVLKs, and subsequently rebooting client devices.
@ -68,12 +68,19 @@ The following figure illustrates how deploying Windows 10 has evolved with each
 ![Illustration of how Windows 10 deployment has evolved](images/sa-evolution.png)
 - **Windows 7** required you to redeploy the operating system using a full wipe-and-load process if you wanted to change from Windows 7 Professional to Windows 10 Enterprise.<br>
 - **Windows 8.1** added support for a Windows 8.1 Pro to Windows 8.1 Enterprise in-place upgrade (considered a “repair upgrade” because the OS version was the same before and after).  This was a lot easier than wipe-and-load, but it was still time-consuming.<br>
 - **Windows 10, version 1507** added the ability to install a new product key using a provisioning package or using MDM to change the SKU.  This required a reboot, which would install the new OS components, and took several minutes to complete. However, it was a lot quicker than in-place upgrade.<br>
 - **Windows 10, version 1607** made a big leap forward. Now you can just change the product key and the SKU instantly changes from Windows 10 Pro to Windows 10 Enterprise.  In addition to provisioning packages and MDM, you can just inject a key using SLMGR.VBS (which injects the key into WMI), so it became trivial to do this using a command line.<br>
 - **Windows 10, version 1703** made this “step-up” from Windows 10 Pro to Windows 10 Enterprise automatic for those that subscribed to Windows 10 Enterprise E3 or E5 via the CSP program.<br>
 - **Windows 10, version 1709** adds support for Windows 10 Subscription Activation, very similar to the CSP support but for large enterprises, enabling the use of Azure AD for assigning licenses to users. When those users sign in on an AD or Azure AD-joined machine, it automatically steps up from Windows 10 Pro to Windows 10 Enterprise.<br>
 - **Windows 10, version 1803** updates Windows 10 Subscription Activation to enable pulling activation keys directly from firmware for devices that support firmware-embedded keys. It is no longer necessary to run a script to perform the activation step on Windows 10 Pro prior to activating Enterprise. For virtual machines and hosts running Windows 10, version 1803 [Inherited Activation](#inherited-activation) is also enabled.<br>
 - **Windows 10, version 1903** updates Windows 10 Subscription Activation to enable step up from Windows 10 Pro Education to Windows 10 Education for those with a qualifying Windows 10 or Microsoft 365 subscription.
 ## Requirements
@ -105,21 +112,29 @@ To resolve this issue:
 If the device is running Windows 10, version 1703, 1709, or 1803, the user must either sign in with an Azure AD account, or you must disable MFA for this user during the 30-day polling period and renewal.
 If the device is running Windows 10, version 1809 or later:
 1. Windows 10, version 1809 must be updated with [KB4497934](https://support.microsoft.com/help/4497934/windows-10-update-kb4497934). Later versions of Windows 10 automatically include this patch.
 2. When the user signs in on a Hybrid Azure AD joined device with MFA enabled, a notification will indicate that there is a problem. Click the notification and then click **Fix now** to step through the subscription activation process. See the example below:
-![Subscription Activation with MFA example 1](images/sa-mfa1.png)<br>
+- Windows 10, version 1809 must be updated with [KB4497934](https://support.microsoft.com/help/4497934/windows-10-update-kb4497934). Later versions of Windows 10 automatically include this patch.
-![Subscription Activation with MFA example 2](images/sa-mfa2.png)<br>
+
-![Subscription Activation with MFA example 3](images/sa-mfa3.png)
+- When the user signs in on a Hybrid Azure AD joined device with MFA enabled, a notification will indicate that there is a problem. Click the notification and then click **Fix now** to step through the subscription activation process. See the example below:
   ![Subscription Activation with MFA example 1](images/sa-mfa1.png)<br>
   ![Subscription Activation with MFA example 2](images/sa-mfa2.png)<br>
   ![Subscription Activation with MFA example 3](images/sa-mfa3.png)
 ### Windows 10 Education requirements
-1. Windows 10 Pro Education, version 1903 or later installed on the devices to be upgraded.
+- Windows 10 Pro Education, version 1903 or later installed on the devices to be upgraded.
 2. A device with a Windows 10 Pro Education digital license. You can confirm this information in Settings > Update & Security > Activation.
 3. The Education tenant must have an active subscription to Microsoft 365 with a Windows 10 Enterprise license or a Windows 10 Enterprise or Education subscription.
 4. Devices must be Azure AD-joined or Hybrid Azure AD joined. Workgroup-joined or Azure AD registered devices are not supported.
-> If Windows 10 Pro is converted to Windows 10 Pro Education [using benefits available in Store for Education](https://docs.microsoft.com/education/windows/change-to-pro-education#change-using-microsoft-store-for-education), then the feature will not work. You will need to re-image the device using a Windows 10 Pro Education edition.
+- A device with a Windows 10 Pro Education digital license. You can confirm this information in **Settings > Update & Security > Activation**.
 - The Education tenant must have an active subscription to Microsoft 365 with a Windows 10 Enterprise license or a Windows 10 Enterprise or Education subscription.
 - Devices must be Azure AD-joined or Hybrid Azure AD joined. Workgroup-joined or Azure AD registered devices are not supported.
 > [!IMPORTANT]
 > If Windows 10 Pro is converted to Windows 10 Pro Education by [using benefits available in Store for Education](https://docs.microsoft.com/education/windows/change-to-pro-education#change-using-microsoft-store-for-education), then the feature will not work. You will need to re-image the device using a Windows 10 Pro Education edition.
 ## Benefits
@ -131,15 +146,19 @@ With Windows 10 Enterprise or Windows 10 Education, businesses and institutions
 You can benefit by moving to Windows as an online service in the following ways:
-1. Licenses for Windows 10 Enterprise and Education are checked based on Azure Active Directory (Azure AD) credentials, so now businesses have a systematic way to assign licenses to end users and groups in their organization.
+- Licenses for Windows 10 Enterprise and Education are checked based on Azure Active Directory (Azure AD) credentials, so now businesses have a systematic way to assign licenses to end users and groups in their organization.
-2. User logon triggers a silent edition upgrade, with no reboot required
+
-3. Support for mobile worker/BYOD activation; transition away from on-prem KMS and MAK keys.
+- User logon triggers a silent edition upgrade, with no reboot required.
-4. Compliance support via seat assignment.
+
-5. Licenses can be updated to different users dynamically, enabling you to optimize your licensing investment against changing needs.
+- Support for mobile worker/BYOD activation; transition away from on-prem KMS and MAK keys.
 - Compliance support via seat assignment.
 - Licenses can be updated to different users dynamically, enabling you to optimize your licensing investment against changing needs.
 ## How it works
-The device is AAD joined from Settings > Accounts > Access work or school.
+The device is AAD joined from **Settings > Accounts > Access work or school**.
 The IT administrator assigns Windows 10 Enterprise to a user. See the following figure.
@ -157,26 +176,35 @@ Before Windows 10, version 1903:<br>
 After Windows 10, version 1903:<br>
 ![1903](images/after.png)
-Note:
+> [!NOTE]
-1. A Windows 10 Pro Education device will only step up to Windows 10 Education edition when “Windows 10 Enterprise” license is assigned from M365 Admin center (as of May 2019).
+> 
-2. A Windows 10 Pro device will only step up to Windows 10 Enterprise edition when “Windows 10 Enterprise” license is assigned from M365 Admin center (as of May 2019).
+> - A Windows 10 Pro Education device will only step up to Windows 10 Education edition when “Windows 10 Enterprise” license is assigned from M365 Admin center (as of May 2019).
 > 
 > - A Windows 10 Pro device will only step up to Windows 10 Enterprise edition when “Windows 10 Enterprise” license is assigned from M365 Admin center (as of May 2019).
 ### Scenarios
-**Scenario #1**:  You are using Windows 10, version 1803 or above, and just purchased Windows 10 Enterprise E3 or E5 subscriptions (or have had an E3 or E5 subscription for a while but haven’t yet deployed Windows 10 Enterprise).
+#### Scenario #1
 You are using Windows 10, version 1803 or above, and just purchased Windows 10 Enterprise E3 or E5 subscriptions (or have had an E3 or E5 subscription for a while but haven’t yet deployed Windows 10 Enterprise).
 All of your Windows 10 Pro devices will step-up to Windows 10 Enterprise, and devices that are already running Windows 10 Enterprise will migrate from KMS or MAK activated Enterprise edition to Subscription activated Enterprise edition when a Subscription Activation-enabled user signs in to the device.
-**Scenario #2**:  You are using Windows 10, version 1607, 1703, or 1709 with KMS for activation, and just purchased Windows 10 Enterprise E3 or E5 subscriptions (or have had an E3 or E5 subscription for a while but haven’t yet deployed Windows 10 Enterprise).
+#### Scenario #2 
 You are using Windows 10, version 1607, 1703, or 1709 with KMS for activation, and just purchased Windows 10 Enterprise E3 or E5 subscriptions (or have had an E3 or E5 subscription for a while but haven’t yet deployed Windows 10 Enterprise).
 To change all of your Windows 10 Pro devices to Windows 10 Enterprise, run the following command on each computer:
-<pre style="overflow-y: visible">
+```console
 cscript.exe c:\windows\system32\slmgr.vbs /ipk NPPR9-FWDCX-D2C8J-H872K-2YT43</pre>
 ```
 The command causes the OS to change to Windows 10 Enterprise and then seek out the KMS server to reactivate.  This key comes from [Appendix A: KMS Client Setup Keys](https://docs.microsoft.com/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj612867(v=ws.11)) in the Volume Activation guide.  It is also possible to inject the Windows 10 Pro key from this article if you wish to step back down from Enterprise to Pro.
-**Scenario #3**:  Using Azure AD-joined devices or Active Directory-joined devices running Windows 10 1709 or later, and with Azure AD synchronization configured, just follow the steps in [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md) to acquire a $0 SKU and get a new Windows 10 Enterprise E3 or E5 license in Azure AD. Then, assign that license to all of your Azure AD users. These can be AD-synced accounts.  The device will automatically change from Windows 10 Pro to Windows 10 Enterprise when that user signs in.
+#### Scenario #3
 Using Azure AD-joined devices or Active Directory-joined devices running Windows 10 1709 or later, and with Azure AD synchronization configured, just follow the steps in [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md) to acquire a $0 SKU and get a new Windows 10 Enterprise E3 or E5 license in Azure AD. Then, assign that license to all of your Azure AD users. These can be AD-synced accounts.  The device will automatically change from Windows 10 Pro to Windows 10 Enterprise when that user signs in.
 In summary, if you have a Windows 10 Enterprise E3 or E5 subscription, but are still running Windows 10 Pro, it’s really simple (and quick) to move to Windows 10 Enterprise using one of the scenarios above.
@ -204,7 +232,7 @@ If you are using Windows 10, version 1607, 1703, or 1709 and have already deploy
 If the computer has never been activated with a Pro key, run the following script. Copy the text below into a .cmd file and run the file from an elevated command prompt:
-<pre style="overflow-y: visible">
+```console
@echo off
 FOR /F "skip=1" %%A IN ('wmic path SoftwareLicensingService get OA3xOriginalProductKey') DO  (
 SET "ProductKey=%%A"
@ -218,18 +246,24 @@ echo No key present
 echo Installing %ProductKey%
 changepk.exe /ProductKey %ProductKey%
 )
-</pre>
+```
 ### Obtaining an Azure AD license
 Enterprise Agreement/Software Assurance (EA/SA):
 - Organizations with a traditional EA must order a $0 SKU, process e-mails sent to the license administrator for the company, and assign licenses using Azure AD (ideally to groups using the new Azure AD Premium feature for group assignment). For more information, see [Enabling Subscription Activation with an existing EA](https://docs.microsoft.com/windows/deployment/deploy-enterprise-licenses#enabling-subscription-activation-with-an-existing-ea).
 - The license administrator can assign seats to Azure AD users with the same process that is used for O365.
 - New EA/SA Windows Enterprise customers can acquire both an SA subscription and an associated $0 cloud subscription.
 Microsoft Products & Services Agreements (MPSA):
 - Organizations with MPSA are automatically emailed the details of the new service. They must take steps to process the instructions.
 - Existing MPSA customers will receive service activation emails that allow their customer administrator to assign users to the service.
 - New MPSA customers who purchase the Software Subscription Windows Enterprise E3 and E5 will be enabled for both the traditional key-based and new subscriptions activation method.
 ### Deploying licenses
--- a/windows/security/identity-protection/access-control/security-identifiers.md
+++ b/windows/security/identity-protection/access-control/security-identifiers.md
@ -52,7 +52,7 @@ SIDs always remain unique. Security authorities never issue the same SID twice,
 A security identifier is a data structure in binary format that contains a variable number of values. The first values in the structure contain information about the SID structure. The remaining values are arranged in a hierarchy (similar to a telephone number), and they identify the SID-issuing authority (for example, “NT Authority”), the SID-issuing domain, and a particular security principal or group. The following image illustrates the structure of a SID.
-![](images/security-identifider-architecture.jpg)
+![Security identifier architecture](images/security-identifider-architecture.jpg)
 The individual values of a SID are described in the following table.
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md
@ -0,0 +1,209 @@
 ---
 title: Deploying Certificates to Key Trust Users to Enable RDP
 description: Learn how to deploy certificates to a Key Trust user to enable remote desktop with supplied credentials
 keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, remote desktop, RDP
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security, mobile
 audience: ITPro
 author: mapalko
 ms.author: mapalko
 manager: dansimp
 ms.collection: M365-identity-device-management
 ms.topic: article
 localizationpriority: medium
 ms.date: 02/22/2021
 ms.reviewer: 
 ---
 # Deploying Certificates to Key Trust Users to Enable RDP
 **Applies To**
 - Windows 10, version 1703 or later
 - Hybrid deployment
 - Key trust
 Windows Hello for Business supports using a certificate as the supplied credential when establishing a remote desktop connection to a server or other device. For certificate trust deployments, creation of this certificate occurs at container creation time.
 This document discusses an approach for key trust deployments where authentication certificates can be deployed to an existing key trust user.
 Three approaches are documented here:
 1. Deploying a certificate to hybrid joined devices using an on-premises Active Directory certificate enrollment policy.
 1. Deploying a certificate to hybrid or Azure AD joined devices using Simple Certificate Enrollment Protocol (SCEP) and Intune.
 1. Working with non-Microsoft enterprise certificate authorities.
 ## Deploying a certificate to a hybrid joined device using an on-premises Active Directory Certificate enrollment policy
 ### Create a Windows Hello for Business certificate template
 1. Sign in to your issuing certificate authority (CA).
 1. Open the **Certificate Authority** Console (%windir%\system32\certsrv.msc).
 1. In the left pane of the MMC, expand **Certification Authority (Local)**, and then expand your CA within the Certification Authority list.
 1. Right-click **Certificate Templates** and then click **Manage** to open the **Certificate Templates** console.
 1. Right-click the **Smartcard Logon** template and click **Duplicate Template**
    ![Duplicating Smartcard Template](images/rdpcert/duplicatetemplate.png)
 1. On the **Compatibility** tab:
    1. Clear the **Show resulting changes** check box
    1. Select **Windows Server 2012 or Windows Server 2012 R2** from the Certification Authority list
    1. Select **Windows Server 2012 or Windows Server 2012 R2** from the Certification Recipient list
 1. On the **General** tab:
    1. Specify a Template display name, such as **WHfB Certificate Authentication**
    1. Set the validity period to the desired value
    1. Take note of the Template name for later, which should be the same as the Template display name minus spaces (**WHfBCertificateAuthentication** in this example).
 1. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon**.
 1. On the **Subject Name** tab:
    1. Select the **Build from this Active Directory** information button if it is not already selected
    1. Select **Fully distinguished name** from the **Subject name format** list if Fully distinguished name is not already selected
    1. Select the **User Principal Name (UPN)** check box under **Include this information in alternative subject name**
 1. On the **Request Handling** tab:
    1. Select the **Renew with same key** check box
    1. Set the Purpose to **Signature and smartcard logon**
        1. Click **Yes** when prompted to change the certificate purpose
    1. Click **Prompt the user during enrollment**
 1. On the **Cryptography** tab:
    1. Set the Provider Category to **Key Storage Provider**
    1. Set the Algorithm name to **RSA**
    1. Set the minimum key size to **2048**
    1. Select **Requests must use one of the following providers**
    1. Tick **Microsoft Software Key Storage Provider**
    1. Set the Request hash to **SHA256**
 1. On the **Security** tab, add the security group that you want to give **Enroll** access to. For example, if you want to give access to all users, select the **Authenticated** users group, and then select Enroll permissions for them  .
 1. Click **OK** to finalize your changes and create the new template. Your new template should now appear in the list of Certificate Templates.
 1. Close the Certificate Templates console.
 1. Open an elevated command prompt and change to a temporary working directory.
 1. Execute the following command:
    certutil -dstemplate \<TemplateName\> \> \<TemplateName\>.txt
    Replace \<TemplateName\> with the Template name you took note of earlier in step 7.
 1. Open the text file created by the command above.
    1. Delete the last line of the output from the file that reads **CertUtil: -dsTemplate command completed successfully.**
    1. Modify the line that reads **pKIDefaultCSPs = "1,Microsoft Software Key Storage Provider"** to **pKIDefaultCSPs = "1,Microsoft Passport Key Storage Provider"**
 1. Save the text file.
 1. Update the certificate template by executing the following command:
    certutil - dsaddtemplate \<TemplateName\>.txt
 1. In the Certificate Authority console, right-click **Certificate Templates**, select **New**, and select **Certificate Template to Issue**
    ![Selecting Certificate Template to Issue](images/rdpcert/certificatetemplatetoissue.png)
 1. From the list of templates, select the template you previously created (**WHFB Certificate Authentication**) and click **OK**. It can take some time for the template to replicate to all servers and become available in this list.
 1. After the template replicates, in the MMC, right-click in the Certification Authority list, click **All Tasks** and then click **Stop Service**. Right-click the name of the CA again, click **All Tasks**, and then click **Start Service**.
 ### Requesting a Certificate
 1. Ensure the hybrid Azure AD joined device has network line of sight to Active Directory domain controllers and the issuing certificate authority. 
 1. Start the **Certificates – Current User** console (%windir%\system32\certmgr.msc).
 1. In the left pane of the MMC, right-click **Personal**, click **All Tasks**, and then click **Request New Certificate…**
    ![Request a new certificate](images/rdpcert/requestnewcertificate.png)
 1. On the Certificate Enrollment screen, click **Next**.
 1. Under Select Certificate Enrollment Policy, ensure **Active Directory Enrollment Policy** is selected and then click **Next**.
 1. Under Request Certificates, click the check-box next to the certificate template you created in the previous section (WHfB Certificate Authentication) and then click **Enroll**.
 1. After a successful certificate request, click Finish on the Certificate Installation Results screen
 ## Deploying a certificate to Hybrid or Azure AD Joined Devices using Simple Certificate Enrollment Protocol (SCEP) via Intune
 Deploying a certificate to Azure AD Joined Devices may be achieved with the Simple Certificate Enrollment Protocol (SCEP) via Intune. For guidance deploying the required infrastructure, refer to [Configure infrastructure to support SCEP certificate profiles with Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/certificates-scep-configure).
 Next you should deploy the root CA certificate (and any other intermediate certificate authority certificates) to Azure AD Joined Devices using a Trusted root certificate profile with Intune. For guidance, refer to [Create trusted certificate profiles in Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/certificates-trusted-root).
 Once these requirements have been met, a new device configuration profile may be configured from Intune that provisions a certificate for the user of the device. Proceed as follows:
 1. Sign in to the Microsoft [Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
 1. Navigate to Devices \> Configuration Profiles \> Create profile.
 1. Enter the following properties:
    1. For Platform, select **Windows 10 and later**.
    1. For Profile, select **SCEP Certificate**.
    1. Click **Create**.
 1. In **Basics**, enter the following parameters:
    1. **Name**: Enter a descriptive name for the profile. Name your profiles so you can easily identify them later. For example, a good profile name is SCEP profile for entire company.
    1. **Description**: Enter a description for the profile. This setting is optional, but recommended.
    1. Select **Next**.
 1. In the **Configuration settings**, complete the following:
    1. For Certificate Type, choose **User**.
    1. For Subject name format, set it to **CN={{UserPrincipalName}}**.
    1. Under Subject alternative name, select **User principal name (UPN)** from the drop-down menu and set the value to **CN={{UserPrincipalName}}**.
    1. For Certificate validity period, set a value of your choosing.
    1. For Key storage provider (KSP), choose **Enroll to Windows Hello for Business, otherwise fail (Windows 10 and later)**.
    1. For Key usage, choose **Digital Signature**.
    1. For Key size (bits), choose **2048**.
    1. For Hash algorithm, choose **SHA-2**.
    1. Under Root Certificate, click **+Root Certificate** and select the trusted certificate profile you created earlier for the Root CA Certificate.
    1. Under Extended key usage, add the following:
        | Name | Object Identifier | Predefined Values |
        |------|-------------------|-------------------|
        | Smart Card Logon | 1.3.6.1.4.1.311.20.2.2 | Smart Card Logon |
        | Client Authentication | 1.3.6.1.5.5.7.3.2 | Client Authentication |
    1. For Renewal threshold (%), set a value of your choosing.
    1. For SCEP Server URLs, provide the public endpoint that you configured during the deployment of your SCEP infrastructure.
    1. Click **Next**
 1. In Assignments, target the devices or users who should receive a certificate and click **Next**
 1. In Applicability Rules, provide additional issuance restrictions if required and click **Next**
 1. In Review + create, click **Create**
 Once the configuration profile has been created, targeted clients will receive the profile from Intune on their next refresh cycle. You should find a new certificate in the user store. To validate the certificate is present, do the following steps:
 1. Open the Certificates - Current User console (%windir%\system32\certmgr.msc)
 1. In the left pane of the MMC, expand **Personal** and select **Certificates**
 1. In the right-hand pane of the MMC, check for the new certificate
 > [!NOTE]
 > This infrastructure may also deploy the same certificates to co-managed or modern-managed Hybrid AAD-Joined devices using Intune Policies.
 ## Using non-Microsoft Enterprise Certificate Authorities
 If you are using a Public Key Infrastructure that uses non-Microsoft services, the certificate templates published to the on-premises Active Directory may not be available. For guidance with integration of Intune/SCEP with non-Microsoft PKI deployments, refer to [Use third-party certification authorities (CA) with SCEP in Microsoft Intune](https://docs.microsoft.com/mem/intune/protect/certificate-authority-add-scep-overview).
 As an alternative to using SCEP or if none of the previously covered solutions will work in your environment, you can manually generate Certificate Signing Requests (CSR) for submission to your PKI. To assist with this approach, you can use the [Generate-CertificateRequest](https://www.powershellgallery.com/packages/Generate-CertificateRequest) PowerShell commandlet.
 The Generate-CertificateRequest commandlet will generate an .inf file for a pre-existing Windows Hello for Business key. The .inf can be used to generate a certificate request manually using certreq.exe. The commandlet will also generate a .req file, which can be submitted to your PKI for a certificate.
 ## RDP Sign-in with Windows Hello for Business Certificate Authentication
 After adding the certificate using an approach from any of the previous sections, you should be able to RDP to any Windows device or server in the same Forest as the user’s on-premises Active Directory account, provided the PKI certificate chain for the issuing certificate authority is deployed to that target server.
 1. Open the Remote Desktop Client (%windir%\system32\mstsc.exe) on the Hybrid AAD-Joined client where the authentication certificate has been deployed.
 1. Attempt an RDP session to a target server.
 1. Use the certificate credential protected by your Windows Hello for Business gesture.
--- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
+++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
@ -29,7 +29,7 @@ When you set up Windows Hello in Windows 10, you may get an error during the **
 The following image shows an example of an error during **Create a PIN**.
-![](images/pinerror.png)
+![PIN error](images/pinerror.png)
 ## Error mitigations
--- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
@ -44,42 +44,58 @@ Before you can remotely reset PINs, you must on-board the Microsoft PIN reset se
 ### Connect Azure Active Directory with the PIN reset service
 1. Go to the [Microsoft PIN Reset Service Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=b8456c59-1230-44c7-a4a2-99b085333e84&resource=https%3A%2F%2Fgraph.windows.net&redirect_uri=https%3A%2F%2Fcred.microsoft.com&state=e9191523-6c2f-4f1d-a4f9-c36f26f89df0&prompt=admin_consent), and sign in using the Global administrator account you use to manage your Azure Active Directory tenant.
 2. After you have logged in, choose **Accept** to give consent for the PIN reset service to access your account.
   ![PIN reset service application in Azure](images/pinreset/pin-reset-service-prompt.png)
 3. Go to the [Microsoft PIN Reset Client Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=9115dd05-fad5-4f9c-acc7-305d08b1b04e&resource=https%3A%2F%2Fcred.microsoft.com%2F&redirect_uri=ms-appx-web%3A%2F%2FMicrosoft.AAD.BrokerPlugin%2F9115dd05-fad5-4f9c-acc7-305d08b1b04e&state=6765f8c5-f4a7-4029-b667-46a6776ad611&prompt=admin_consent), and sign in using the Global administrator account you use to manage your Azure Active Directory tenant.
 4. After you have logged in, choose **Accept** to give consent for the PIN reset client to access your account.
 ![PIN reset client application in Azure](images/pinreset/pin-reset-client-prompt.png)
 > [!NOTE]
 > After you have accepted the PIN reset service and client requests, you will land on a page that states "You do not have permission to view this directory or page." This behavior is expected. Be sure to confirm that the two PIN reset applications are listed for your tenant.
 5. In the [Azure portal](https://portal.azure.com), verify that the Microsoft PIN Reset Service and Microsoft PIN Reset Client are integrated from the **Enterprise applications** blade. Filter to application status "Enabled" and both Microsoft Pin Reset Service Production and Microsoft Pin Reset Client Production will show up in your tenant.
- ![PIN reset service permissions page](images/pinreset/pin-reset-applications.png)
+
   > [!div class="mx-imgBorder"]
   > ![PIN reset service permissions page](images/pinreset/pin-reset-applications.png)
 ### Configure Windows devices to use PIN reset using Group Policy
 You configure Windows 10 to use the Microsoft PIN Reset service using the computer configuration portion of a Group Policy object.
 1. Using the Group Policy Management Console (GPMC), scope a domain-based Group Policy to computer accounts in Active Directory.
 2. Edit the Group Policy object from Step 1.
 3. Enable the **Use PIN Recovery** policy setting located under **Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business**.
 4. Close the Group Policy Management Editor to save the Group Policy object.  Close the GPMC.
 #### Create a PIN Reset Device configuration profile using Microsoft Intune
 1. Sign-in to [Endpoint Manager admin center](https://endpoint.microsoft.com/) using a Global administrator account.
 2. Click **Endpoint Security** > **Account Protection** > **Properties**.
 3. Set **Enable PIN recovery** to **Yes**.
 > [!NOTE]
 > You can also setup PIN recovery using configuration profiles.
 > 1. Sign in to Endpoint Manager.
 >
 > 2. Click **Devices** > **Configuration Profiles** > Create a new profile or edit an existing profile using the Identity Protection profile type.
 > 
 > 3. Set **Enable PIN recovery** to **Yes**.
 #### Assign the PIN Reset Device configuration profile using Microsoft Intune
-1. Sign in to the [Azure Portal](https://portal.azure.com) using a Global administrator account. 
+1. Sign in to the [Azure portal](https://portal.azure.com) using a Global administrator account. 
 2. Navigate to the Microsoft Intune blade. Choose **Device configuration** > **Profiles**. From the list of device configuration profiles, choose the profile that contains the PIN reset configuration.
 3. In the device configuration profile, select **Assignments**.
 4. Use the **Include** and/or **Exclude** tabs to target the device configuration profile to select groups.
 ## On-premises Deployments
@ -104,15 +120,15 @@ On-premises deployments provide users with the ability to reset forgotten PINs e
 #### Reset PIN above the Lock Screen
- 1. On Windows 10, version 1709, click **I forgot my PIN** from the Windows Sign-in
+1. On Windows 10, version 1709, click **I forgot my PIN** from the Windows Sign-in
- 2. Enter your password and press enter.
+2. Enter your password and press enter.
- 3. Follow the instructions provided by the provisioning process
+3. Follow the instructions provided by the provisioning process
- 4. When finished, unlock your desktop using your newly created PIN.
+4. When finished, unlock your desktop using your newly created PIN.
 You may find that PIN reset from settings only works post login, and that the "lock screen" PIN reset function will not work if you have any matching limitation of SSPR password reset from the lock screen. For more information, see [Enable Azure Active Directory self-service password reset at the Windows sign-in screen - **General limitations**](https://docs.microsoft.com/azure/active-directory/authentication/howto-sspr-windows#general-limitations).
 > [!NOTE]
-> Visit the [Windows Hello for Business Videos](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-videos.md) page and watch the [Windows Hello for Business forgotten PIN user experience](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-videos#windows-hello-for-business-forgotten-pin-user-experience) video.
+> Visit the [Windows Hello for Business Videos](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-videos.md) page and watch [Windows Hello for Business forgotten PIN user experience](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-videos#windows-hello-for-business-forgotten-pin-user-experience).
 ## Related topics
--- a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md
@ -1,6 +1,6 @@
 ---
 title: Remote Desktop
-description: Learn how Windows Hello for Business supports using a certificate deployed to a WHFB container to a remote desktop to a server or another device.
+description: Learn how Windows Hello for Business supports using biometrics with remote desktop
 keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, remote desktop, RDP
 ms.prod: w10
 ms.mktglfcycl: deploy
@ -13,7 +13,7 @@ manager: dansimp
 ms.collection: M365-identity-device-management
 ms.topic: article
 localizationpriority: medium
-ms.date: 09/16/2020
+ms.date: 02/24/2021
 ms.reviewer: 
 ---
--- a/windows/security/identity-protection/hello-for-business/images/rdpcert/certificatetemplatetoissue.png
+++ b/windows/security/identity-protection/hello-for-business/images/rdpcert/certificatetemplatetoissue.png
--- a/windows/security/identity-protection/hello-for-business/images/rdpcert/duplicatetemplate.png
+++ b/windows/security/identity-protection/hello-for-business/images/rdpcert/duplicatetemplate.png
--- a/windows/security/identity-protection/hello-for-business/images/rdpcert/requestnewcertificate.png
+++ b/windows/security/identity-protection/hello-for-business/images/rdpcert/requestnewcertificate.png
--- a/windows/security/identity-protection/hello-for-business/toc.yml
+++ b/windows/security/identity-protection/hello-for-business/toc.yml
@ -103,6 +103,8 @@
        href: hello-cert-trust-policy-settings.md
    - name: Managing Windows Hello for Business in your organization
      href: hello-manage-in-organization.md
    - name: Deploying Certificates to Key Trust Users to Enable RDP
      href: hello-deployment-rdp-certs.md
  - name: Windows Hello for Business Features
    items:
    - name: Conditional Access 
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@ -429,7 +429,8 @@
 ##### [DeviceNetworkEvents](microsoft-defender-atp/advanced-hunting-devicenetworkevents-table.md)
 ##### [DeviceProcessEvents](microsoft-defender-atp/advanced-hunting-deviceprocessevents-table.md)
 ##### [DeviceRegistryEvents](microsoft-defender-atp/advanced-hunting-deviceregistryevents-table.md)
-##### [DeviceTvmSoftwareInventoryVulnerabilities](microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventoryvulnerabilities-table.md)
+##### [DeviceTvmSoftwareInventory](microsoft-defender-atp/advanced-hunting-devicetvmsoftwareinventory-table.md)
 ##### [DeviceTvmSoftwareVulnerabilities](microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilities-table.md)
 ##### [DeviceTvmSoftwareVulnerabilitiesKB](microsoft-defender-atp/advanced-hunting-devicetvmsoftwarevulnerabilitieskb-table.md)
 ##### [DeviceTvmSecureConfigurationAssessment](microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessment-table.md)
 ##### [DeviceTvmSecureConfigurationAssessmentKB](microsoft-defender-atp/advanced-hunting-devicetvmsecureconfigurationassessmentkb-table.md)
--- a/windows/security/threat-protection/change-history-for-threat-protection.md
+++ b/windows/security/threat-protection/change-history-for-threat-protection.md
@ -1,5 +1,5 @@
 ---
-title: "Change history for [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)"
+title: "Change history for [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)"
 ms.reviewer: 
 ms.author: dansimp
 description: This topic lists new and updated topics in the Defender for Endpoint content set.
--- a/windows/security/threat-protection/index.md
+++ b/windows/security/threat-protection/index.md
@ -20,13 +20,13 @@ ms.technology: mde
 # Threat Protection
 **Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
 [Microsoft Defender for Endpoint](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/microsoft-defender-advanced-threat-protection) is a unified platform for preventative protection, post-breach detection, automated investigation, and response. Defender for Endpoint protects endpoints from cyber threats, detects advanced attacks and data breaches, automates security incidents, and improves security posture.
 **Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 > [!TIP]
 > Enable your users to access cloud services and on-premises applications with ease and enable modern management capabilities for all devices. For more information, see [Secure your remote workforce](https://docs.microsoft.com/enterprise-mobility-security/remote-work/). 
--- a/windows/security/threat-protection/mbsa-removal-and-guidance.md
+++ b/windows/security/threat-protection/mbsa-removal-and-guidance.md
@ -25,14 +25,14 @@ MBSA was largely used in situations where neither Microsoft Update nor a local W
 A script can help you with an alternative to MBSA’s patch-compliance checking:
 - [Using WUA to Scan for Updates Offline](https://docs.microsoft.com/windows/desktop/wua_sdk/using-wua-to-scan-for-updates-offline), which includes a sample .vbs script. 
-For a PowerShell alternative, see [Using WUA to Scan for Updates Offline with PowerShell](https://gallery.technet.microsoft.com/Using-WUA-to-Scan-for-f7e5e0be).
+For a PowerShell alternative, see [Using WUA to Scan for Updates Offline with PowerShell](https://www.powershellgallery.com/packages/Scan-UpdatesOffline/1.0).
 For example:
 [![VBS script](images/vbs-example.png)](https://docs.microsoft.com/windows/desktop/wua_sdk/using-wua-to-scan-for-updates-offline) 
 [![PowerShell script](images/powershell-example.png)](https://gallery.technet.microsoft.com/Using-WUA-to-Scan-for-f7e5e0be) 
-The preceding scripts leverage the [WSUS offline scan file](https://support.microsoft.com/help/927745/detailed-information-for-developers-who-use-the-windows-update-offline) (wsusscn2.cab) to perform a scan and get the same information on missing updates as MBSA supplied. MBSA also relied on the wsusscn2.cab to determine which updates were missing from a given system without connecting to any online service or server. The wsusscn2.cab file is still available and there are currently no plans to remove or replace it.
+The preceding scripts use the [WSUS offline scan file](https://support.microsoft.com/help/927745/detailed-information-for-developers-who-use-the-windows-update-offline) (wsusscn2.cab) to perform a scan and get the same information on missing updates as MBSA supplied. MBSA also relied on the wsusscn2.cab to determine which updates were missing from a given system without connecting to any online service or server. The wsusscn2.cab file is still available and there are currently no plans to remove or replace it.
 The wsusscn2.cab file contains the metadata of only security updates, update rollups and service packs available from Microsoft Update; it does not contain any information on non-security updates, tools or drivers.
 ## More Information  
--- a/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data-update-compliance.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data-update-compliance.md
@ -24,7 +24,7 @@ ms.technology: mde
 **Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 This article describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you may encounter when using the Microsoft Defender AV Assessment section in the Update Compliance add-in.
--- a/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/collect-diagnostic-data.md
@ -24,7 +24,7 @@ ms.technology: mde
 **Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 This article describes how to collect diagnostic data that can be used by Microsoft support and engineering teams to help troubleshoot issues you might encounter when using the Microsoft Defender AV.
--- a/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/command-line-arguments-microsoft-defender-antivirus.md
@ -23,7 +23,7 @@ ms.technology: mde
 **Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 You can perform various Microsoft Defender Antivirus functions with the dedicated command-line tool *mpcmdrun.exe*. This utility is useful when you want to automate Microsoft Defender Antivirus use. You can find the utility in `%ProgramFiles%\Windows Defender\MpCmdRun.exe`. You must run it from a command prompt.
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configuration-management-reference-microsoft-defender-antivirus.md
@ -24,7 +24,7 @@ ms.technology: mde
 **Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 You can manage and configure Microsoft Defender Antivirus with the following tools:
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-advanced-scan-types-microsoft-defender-antivirus.md
@ -23,7 +23,7 @@ ms.technology: mde
 **Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 ## Use Microsoft Intune to configure scanning options
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus.md
@ -23,7 +23,7 @@ ms.technology: mde
 **Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 Block at first sight provides a way to detect and block new malware within seconds. This protection is enabled by default when certain prerequisite settings are enabled. These settings include cloud-delivered protection, a specified sample submission timeout (such as 50 seconds), and a file-blocking level of high. In most enterprise organizations, these settings are enabled by default with Microsoft Defender Antivirus deployments. 
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-cloud-block-timeout-period-microsoft-defender-antivirus.md
@ -24,7 +24,7 @@ ms.technology: mde
 **Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 When Microsoft Defender Antivirus finds a suspicious file, it can prevent the file from running while it queries the [Microsoft Defender Antivirus cloud service](utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md).
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-end-user-interaction-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-end-user-interaction-microsoft-defender-antivirus.md
@ -23,7 +23,7 @@ ms.technology: mde
 **Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 You can configure how users of the endpoints on your network can interact with Microsoft Defender Antivirus.
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-exclusions-microsoft-defender-antivirus.md
@ -22,7 +22,7 @@ ms.technology: mde
 **Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 You can exclude certain files, folders, processes, and process-opened files from Microsoft Defender Antivirus scans. Such exclusions apply to [scheduled scans](scheduled-catch-up-scans-microsoft-defender-antivirus.md), [on-demand scans](run-scan-microsoft-defender-antivirus.md), and [always-on real-time protection and monitoring](configure-real-time-protection-microsoft-defender-antivirus.md). Exclusions for process-opened files only apply to real-time protection.
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-extension-file-exclusions-microsoft-defender-antivirus.md
@ -22,7 +22,7 @@ ms.technology: mde
 **Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 > [!IMPORTANT]
 > Microsoft Defender Antivirus exclusions don't apply to other Microsoft Defender for Endpoint capabilities, including [endpoint detection and response (EDR)](../microsoft-defender-atp/overview-endpoint-detection-response.md), [attack surface reduction (ASR) rules](../microsoft-defender-atp/attack-surface-reduction.md), and [controlled folder access](../microsoft-defender-atp/controlled-folders.md). Files that you exclude using the methods described in this article can still trigger EDR alerts and other detections. To exclude files broadly, add them to the Microsoft Defender for Endpoint [custom indicators](../microsoft-defender-atp/manage-indicators.md).
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-local-policy-overrides-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-local-policy-overrides-microsoft-defender-antivirus.md
@ -24,7 +24,7 @@ ms.technology: mde
 **Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 By default, Microsoft Defender Antivirus settings that are deployed via a Group Policy Object to the endpoints in your network will prevent users from locally changing the settings. You can change this in some instances.
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-microsoft-defender-antivirus-features.md
@ -24,7 +24,7 @@ ms.technology: mde
 **Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 You can configure Microsoft Defender Antivirus with a number of tools, including:
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-network-connections-microsoft-defender-antivirus.md
@ -24,7 +24,7 @@ ms.technology: mde
 **Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 To ensure Microsoft Defender Antivirus cloud-delivered protection works properly, you need to configure your network to allow connections between your endpoints and certain Microsoft servers.
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-notifications-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-notifications-microsoft-defender-antivirus.md
@ -24,7 +24,7 @@ ms.technology: mde
 **Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 In Windows 10, application notifications about malware detection and remediation are more robust, consistent, and concise.
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-process-opened-file-exclusions-microsoft-defender-antivirus.md
@ -23,7 +23,7 @@ ms.technology: mde
 **Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 You can exclude files that have been opened by specific processes from Microsoft Defender Antivirus scans. See [Recommendations for defining exclusions](configure-exclusions-microsoft-defender-antivirus.md#recommendations-for-defining-exclusions) before defining your exclusion lists.
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-protection-features-microsoft-defender-antivirus.md
@ -24,7 +24,7 @@ ms.technology: mde
 **Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 Microsoft Defender Antivirus uses several methods to provide threat protection:
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-real-time-protection-microsoft-defender-antivirus.md
@ -24,7 +24,7 @@ ms.technology: mde
 **Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 Always-on protection consists of real-time protection, behavior monitoring, and heuristics to identify malware based on known suspicious and malicious activities.
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-remediation-microsoft-defender-antivirus.md
@ -24,7 +24,7 @@ ms.technology: mde
 **Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 When Microsoft Defender Antivirus runs a scan, it will attempt to remediate or remove threats that it finds. You can configure how Microsoft Defender Antivirus should react to certain threats, whether it should create a restore point before remediating, and when it should remove remediated threats.
--- a/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/configure-server-exclusions-microsoft-defender-antivirus.md
@ -23,7 +23,7 @@ ms.date: 02/10/2021
 **Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 Microsoft Defender Antivirus on Windows Server 2016 and Windows Server 2019 automatically enrolls you in certain exclusions, as defined by your specified server role. See the [list of automatic exclusions](#list-of-automatic-exclusions) (in this article). These exclusions do not appear in the standard exclusion lists that are shown in the [Windows Security app](microsoft-defender-security-center-antivirus.md#exclusions).
--- a/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-microsoft-defender-antivirus.md
@ -24,7 +24,7 @@ ms.technology: mde
 **Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 You can use Group Policy, PowerShell, and Windows Management Instrumentation (WMI) to configure Microsoft Defender Antivirus scans. 
--- a/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/customize-run-review-remediate-scans-windows-defender-antivirus.md
@ -24,7 +24,7 @@ ms.technology: mde
 **Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 You can use Group Policy, PowerShell, and Windows Management Instrumentation (WMI) to configure Microsoft Defender Antivirus scans. 
--- a/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/deploy-manage-report-microsoft-defender-antivirus.md
@ -24,7 +24,7 @@ ms.technology: mde
 **Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 You can deploy, manage, and report on Microsoft Defender Antivirus in a number of ways.
--- a/windows/security/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/deploy-microsoft-defender-antivirus.md
@ -24,7 +24,7 @@ ms.technology: mde
 **Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 Depending on the management tool you are using, you may need to specifically enable or configure Microsoft Defender Antivirus protection. 
--- a/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/deployment-vdi-microsoft-defender-antivirus.md
@ -23,7 +23,7 @@ ms.technology: mde
 **Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 In addition to standard on-premises or hardware configurations, you can also use Microsoft Defender Antivirus in a remote desktop (RDS) or virtual desktop infrastructure (VDI) environment.
--- a/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus.md
@ -24,7 +24,7 @@ ms.technology: mde
 **Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 - [Microsoft Edge](https://docs.microsoft.com/microsoft-edge/deploy/microsoft-edge)
 > [!NOTE]
--- a/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/enable-cloud-protection-microsoft-defender-antivirus.md
@ -22,7 +22,7 @@ ms.technology: mde
 **Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 > [!NOTE]
 > The Microsoft Defender Antivirus cloud service is a mechanism for delivering updated protection to your network and endpoints. Although it is called a cloud service, it is not simply protection for files stored in the cloud; rather, it uses distributed resources and machine learning to deliver protection to your endpoints at a rate that is far faster than traditional Security intelligence updates.
--- a/windows/security/threat-protection/microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/evaluate-microsoft-defender-antivirus.md
@ -23,7 +23,7 @@ ms.technology: mde
 **Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 Use this guide to determine how well Microsoft Defender Antivirus protects you from viruses, malware, and potentially unwanted applications.
--- a/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/limited-periodic-scanning-microsoft-defender-antivirus.md
@ -25,7 +25,7 @@ ms.technology: mde
 **Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 Limited periodic scanning is a special type of threat detection and remediation that can be enabled when you have installed another antivirus product on a Windows 10 device.
--- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-event-based-updates-microsoft-defender-antivirus.md
@ -24,7 +24,7 @@ ms.technology: mde
 **Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 Microsoft Defender Antivirus allows you to determine if updates should (or should not) occur after certain events, such as at startup or after receiving specific reports from the cloud-delivered protection service.
--- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-outdated-endpoints-microsoft-defender-antivirus.md
@ -24,7 +24,7 @@ ms.technology: mde
 **Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 Microsoft Defender Antivirus lets you define how long an endpoint can avoid an update or how many scans it can miss before it is required to update and scan itself. This is especially useful in environments where devices are not often connected to a corporate or external network, or devices that are not used on a daily basis.
--- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-update-schedule-microsoft-defender-antivirus.md
@ -24,7 +24,7 @@ ms.technology: mde
 **Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 Microsoft Defender Antivirus lets you determine when it should look for and download updates.
--- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-protection-updates-microsoft-defender-antivirus.md
@ -23,7 +23,7 @@ ms.technology: mde
 **Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=22146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=22154037)
 <a id="protection-updates"></a>
 <!-- this has been used as anchor in VDI content -->
--- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-baselines-microsoft-defender-antivirus.md
@ -13,7 +13,7 @@ ms.author: deniseb
 ms.custom: nextgen
 ms.reviewer: pahuijbr
 manager: dansimp
-ms.date: 02/12/2021
+ms.date: 03/05/2021
 ms.technology: mde
 ---
@ -24,7 +24,7 @@ ms.technology: mde
 **Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 There are two types of updates related to keeping Microsoft Defender Antivirus up to date:
@ -408,6 +408,20 @@ We recommend updating your Windows 10 (Enterprise, Pro, and Home editions), Wind
 For more information, see [Microsoft Defender update for Windows operating system installation images](https://support.microsoft.com/help/4568292/defender-update-for-windows-operating-system-installation-images).
 <details>
 <summary>1.1.2103.01</summary>
 &ensp;Package version: **1.1.2103.01**    
 &ensp;Platform version: **4.18.2101.9**   
 &ensp;Engine version: **1.17800.5**  
 &ensp;Signature version: **1.331.2302.0**    
 ### Fixes
 - None
 ### Additional information
 - None  
 <br/>
 </details><details>
 <summary>1.1.2102.03</summary>
 &ensp;Package version: **1.1.2102.03**    
--- a/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/manage-updates-mobile-devices-vms-microsoft-defender-antivirus.md
@ -23,7 +23,7 @@ ms.technology: mde
 **Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 Mobile devices and VMs may require more configuration to ensure performance is not impacted by updates.
--- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-compatibility.md
@ -23,7 +23,7 @@ ms.technology: mde
 **Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 ## Overview
--- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-in-windows-10.md
@ -23,7 +23,7 @@ ms.technology: mde
 **Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 ## Microsoft Defender Antivirus: Your next-generation protection
--- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-antivirus-on-windows-server-2016.md
@ -22,7 +22,7 @@ ms.technology: mde
 **Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 Microsoft Defender Antivirus is available on the following editions/versions of Windows Server:
 - Windows Server 2019
--- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-offline.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-offline.md
@ -23,7 +23,7 @@ ms.technology: mde
 **Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 Microsoft Defender Offline is an antimalware scanning tool that lets you boot and run a scan from a trusted environment. The scan runs from outside the normal Windows kernel so it can target malware that attempts to bypass the Windows shell, such as viruses and rootkits that infect or overwrite the master boot record (MBR).
--- a/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/microsoft-defender-security-center-antivirus.md
@ -23,7 +23,7 @@ ms.technology: mde
 **Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 In Windows 10, version 1703 and later, the Windows Defender app is part of the Windows Security.
--- a/windows/security/threat-protection/microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/office-365-microsoft-defender-antivirus.md
@ -25,7 +25,7 @@ ms.technology: mde
 **Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 - Microsoft Defender Antivirus
 - Microsoft 365
--- a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-changes-to-security-settings-with-tamper-protection.md
@ -14,7 +14,7 @@ audience: ITPro
 author: denisebmsft
 ms.author: deniseb
 ms.custom: nextgen
-ms.date: 02/17/2021
+ms.date: 03/08/2021
 ms.technology: mde
 ---
@ -25,7 +25,7 @@ ms.technology: mde
 **Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 Tamper protection is available for devices that are running one of the following versions of Windows:
@ -64,7 +64,7 @@ Tamper protection doesn't prevent you from viewing your security settings. And,
 | Turn tamper protection on (or off) for an individual device | [Manage tamper protection on an individual device](#manage-tamper-protection-on-an-individual-device) |
 | Turn tamper protection on (or off) for all or part of your organization using Intune <p>Fine-tune tamper protection settings in your organization | [Manage tamper protection for your organization using Intune](#manage-tamper-protection-for-your-organization-using-intune) |
 | Turn tamper protection on (or off) for your organization with Configuration Manager | [Manage tamper protection for your organization using tenant attach with Configuration Manager, version 2006](#manage-tamper-protection-for-your-organization-with-configuration-manager-version-2006) |
-| Turn tamper protection on (or off) in the Microsoft Defender Security Center <p>Manage tamper protection across your tenant <p>(Currently in preview) | [Manage tamper protection for your organization using the Microsoft Defender Security Center](#manage-tamper-protection-for-your-organization-using-the-microsoft-defender-security-center) |
+| Turn tamper protection on (or off) in the Microsoft Defender Security Center <p>Manage tamper protection across your tenant | [Manage tamper protection for your organization using the Microsoft Defender Security Center](#manage-tamper-protection-for-your-organization-using-the-microsoft-defender-security-center) |
 | View details about tampering attempts on devices | [View information about tampering attempts](#view-information-about-tampering-attempts) |
 | Review your security recommendations | [Review security recommendations](#review-your-security-recommendations) |
 | Review the list of frequently asked questions (FAQs) | [Browse the FAQs](#view-information-about-tampering-attempts) |
@ -85,7 +85,9 @@ Here's what you see in the Windows Security app:
 ![Tamper protection turned on in Windows 10 Home](images/tamperprotectionturnedon.png)
 1. Select **Start**, and start typing *Security*. In the search results, select **Windows Security**.
 2. Select **Virus & threat protection** > **Virus & threat protection settings**.
 3. Set **Tamper Protection** to **On** or **Off**.
 ## Manage tamper protection for your organization using Intune
@ -95,9 +97,13 @@ If you are part of your organization's security team, and your subscription incl
 ### Requirements for managing tamper protection in Intune
 - You must have appropriate [permissions](../microsoft-defender-atp/assign-portal-access.md), such as global admin, security admin, or security operations.
 - Your organization uses [Intune to manage devices](https://docs.microsoft.com/intune/fundamentals/what-is-device-management). ([Intune licenses](https://docs.microsoft.com/intune/fundamentals/licenses) are required; Intune is included in Microsoft 365 E5.)
 - Your Windows devices must be running Windows 10 OS [1709](https://docs.microsoft.com/windows/release-health/status-windows-10-1709), [1803](https://docs.microsoft.com/windows/release-health/status-windows-10-1803), [1809](https://docs.microsoft.com/windows/release-health/status-windows-10-1809-and-windows-server-2019) or later. (For more information about releases, see [Windows 10 release information](https://docs.microsoft.com/windows/release-health/release-information).)
 - You must be using Windows security with [security intelligence](https://www.microsoft.com/wdsi/definitions) updated to version 1.287.60.0 (or above).
 - Your devices must be using anti-malware platform version 4.18.1906.3 (or above) and anti-malware engine version 1.1.15500.X (or above). ([Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md).)
 ### Turn tamper protection on (or off) in Intune
@ -105,12 +111,15 @@ If you are part of your organization's security team, and your subscription incl
 ![Turn tamper protection on with Intune](images/turnontamperprotect-MEM.png)
 1. Go to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com) and sign in with your work or school account.
 2. Select **Devices** > **Configuration Profiles**.
 3. Create a profile that includes the following settings:
    - **Platform: Windows 10 and later**
    - **Profile type: Endpoint protection**
    - **Category: Microsoft Defender Security Center**
    - **Tamper Protection: Enabled**
 4. Assign the profile to one or more groups.
 ### Are you using Windows OS 1709, 1803, or 1809?
@ -120,7 +129,9 @@ If you are using Windows 10 OS [1709](https://docs.microsoft.com/windows/release
 #### Use PowerShell to determine whether tamper protection is turned on
 1. Open the Windows PowerShell app.
 2. Use the [Get-MpComputerStatus](https://docs.microsoft.com/powershell/module/defender/get-mpcomputerstatus?view=win10-ps&preserve-view=true) PowerShell cmdlet.
 3. In the list of results, look for `IsTamperProtected`. (A value of *true* means tamper protection is enabled.)
 ## Manage tamper protection for your organization with Configuration Manager, version 2006
@ -133,9 +144,11 @@ If you're using [version 2006 of Configuration Manager](https://docs.microsoft.c
 ![Windows security experience in Endpoint Manager](images/win-security- exp-policy-endpt-security.png)
 1. Set up tenant attach. See [Microsoft Endpoint Manager tenant attach: Device sync and device actions](https://docs.microsoft.com/mem/configmgr/tenant-attach/device-sync-actions).
 2. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), go to **Endpoint security** > **Antivirus**, and choose **+ Create Policy**.<br/> 
   - In the **Platform** list, select **Windows 10 and Windows Server (ConfigMgr)**.  
   - In the **Profile** list, select **Windows Security experience (preview)**. <br/>
 3. Deploy the policy to your device collection.
 ### Need help with this? 
@ -147,24 +160,29 @@ See the following resources:
 ## Manage tamper protection for your organization using the Microsoft Defender Security Center
-Currently in preview, tamper protection can be turned on or off in the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)). Here are a few points to keep in mind:
+Tamper protection can be turned on or off for your tenant using the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)). Here are a few points to keep in mind:
 - When you use the Microsoft Defender Security Center to manage tamper protection, you do not have to use Intune or the tenant attach method.
 - When you manage tamper protection in the Microsoft Defender Security Center, the setting is applied tenant wide, affecting all of your devices that are running Windows 10, Windows Server 2016, or Windows Server 2019. To fine-tune tamper protection (such as having tamper protection on for some devices but off for others), use either [Intune](#manage-tamper-protection-for-your-organization-using-intune) or [Configuration Manager with tenant attach](#manage-tamper-protection-for-your-organization-with-configuration-manager-version-2006).
 - If you have a hybrid environment, tamper protection settings configured in Intune take precedence over settings configured in the Microsoft Defender Security Center. 
 - Tamper protection is generally available; however, the ability to manage tamper protection in the Microsoft Defender Security Center is currently in preview.
 ### Requirements for managing tamper protection in the Microsoft Defender Security Center
 - You must have appropriate [permissions](../microsoft-defender-atp/assign-portal-access.md), such as global admin, security admin, or security operations.
 - Your Windows devices must be running one of the following versions of Windows:
   - Windows 10
   - [Windows Server 2019](/windows-server/get-started-19/whats-new-19)
   - Windows Server, version [1803](https://docs.microsoft.com/windows/release-health/status-windows-10-1803) or later
   - [Windows Server 2016](/windows-server/get-started/whats-new-in-windows-server-2016)
   - For more information about releases, see [Windows 10 release information](https://docs.microsoft.com/windows/release-health/release-information).
 - Your devices must be [onboarded to Microsoft Defender for Endpoint](../microsoft-defender-atp/onboarding.md).
 - Your devices must be using anti-malware platform version 4.18.2010.7 (or above) and anti-malware engine version 1.1.17600.5 (or above). ([Manage Microsoft Defender Antivirus updates and apply baselines](manage-updates-baselines-microsoft-defender-antivirus.md).)
 - [Cloud-delivered protection must be turned on](enable-cloud-protection-microsoft-defender-antivirus.md).
 ### Turn tamper protection on (or off) in the Microsoft Defender Security Center 
@ -172,7 +190,9 @@ Currently in preview, tamper protection can be turned on or off in the Microsoft
 ![Turn tamper protection on in the Microsoft Defender Security Center](images/mde-turn-tamperprotect-on.png)
 1. Go to the Microsoft Defender Security Center ([https://securitycenter.windows.com](https://securitycenter.windows.com)) and sign in.
 2. Choose **Settings**.
 3. Go to **General** > **Advanced features**, and then turn tamper protection on.
 ## View information about tampering attempts
--- a/windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/prevent-end-user-interaction-microsoft-defender-antivirus.md
@ -24,7 +24,7 @@ ms.technology: mde
 **Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 You can use Group Policy to prevent users on endpoints from seeing the Microsoft Defender Antivirus interface. You can also prevent them from pausing scans.
--- a/windows/security/threat-protection/microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/report-monitor-microsoft-defender-antivirus.md
@ -24,7 +24,7 @@ ms.technology: mde
 **Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 Microsoft Defender Antivirus is built into Windows 10, Windows Server 2019, and Windows Server 2016. Microsoft Defender Antivirus is of your next-generation protection in Microsoft Defender for Endpoint. Next-generation protection helps protect your devices from software threats like viruses, malware, and spyware across email, apps, the cloud, and the web.
--- a/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/restore-quarantined-files-microsoft-defender-antivirus.md
@ -24,7 +24,7 @@ ms.technology: mde
 **Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 If Microsoft Defender Antivirus is configured to detect and remediate threats on your device, Microsoft Defender Antivirus quarantines suspicious files. If you are certain a quarantined file is not a threat, you can restore it.
--- a/windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/review-scan-results-microsoft-defender-antivirus.md
@ -24,7 +24,7 @@ ms.technology: mde
 **Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 After a Microsoft Defender Antivirus scan completes, whether it is an [on-demand](run-scan-microsoft-defender-antivirus.md) or [scheduled scan](scheduled-catch-up-scans-microsoft-defender-antivirus.md), the results are recorded and you can view the results. 
--- a/windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/run-scan-microsoft-defender-antivirus.md
@ -23,7 +23,7 @@ ms.technology: mde
 **Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 You can run an on-demand scan on individual endpoints. These scans will start immediately, and you can define parameters for the scan, such as the location or type.
--- a/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/scheduled-catch-up-scans-microsoft-defender-antivirus.md
@ -24,7 +24,7 @@ ms.technology: mde
 **Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 > [!NOTE]
--- a/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/specify-cloud-protection-level-microsoft-defender-antivirus.md
@ -24,7 +24,7 @@ ms.technology: mde
 **Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 You can specify your level of cloud-delivered protection offered by Microsoft Defender Antivirus by using Microsoft Endpoint Manager (recommended) or Group Policy.
--- a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus-when-migrating.md
@ -22,7 +22,7 @@ ms.technology: mde
 **Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 You can find help here if you encounter issues while migrating from a third-party security solution to Microsoft Defender Antivirus.
--- a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-microsoft-defender-antivirus.md
@ -23,7 +23,7 @@ ms.technology: mde
 **Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 If you encounter a problem with Microsoft Defender Antivirus, you can search the tables in this topic to find a matching issue and potential solution.
--- a/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-reporting.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/troubleshoot-reporting.md
@ -23,7 +23,7 @@ ms.technology: mde
 **Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 > [!IMPORTANT]
 > On March 31, 2020, the Microsoft Defender Antivirus reporting feature of Update Compliance will be removed. You can continue to define and review security compliance policies using [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager), which allows finer control over security features and updates.
--- a/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/use-group-policy-microsoft-defender-antivirus.md
@ -23,7 +23,7 @@ ms.technology: mde
 **Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 You can use [Group Policy](https://msdn.microsoft.com/library/ee663280(v=vs.85).aspx) to configure and manage Microsoft Defender Antivirus on your endpoints.
--- a/windows/security/threat-protection/microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/use-intune-config-manager-microsoft-defender-antivirus.md
@ -24,7 +24,7 @@ ms.technology: mde
 **Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 If you were using Microsoft Endpoint Manager or Microsoft Intune to manage the endpoints on your network, you can now use Microsoft Endpoint Manager to manage Microsoft Defender Antivirus scans.
--- a/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/use-powershell-cmdlets-microsoft-defender-antivirus.md
@ -24,7 +24,7 @@ ms.technology: mde
 **Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 You can use PowerShell to perform various functions in Windows Defender. Similar to the command prompt or command line, PowerShell is a task-based command-line shell and scripting language designed especially for system administration. You can read more about it at the [PowerShell hub on MSDN](https://docs.microsoft.com/previous-versions/msdn10/mt173057(v=msdn.10)).
--- a/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/use-wmi-microsoft-defender-antivirus.md
@ -24,7 +24,7 @@ ms.technology: mde
 **Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 Windows Management Instrumentation (WMI) is a scripting interface that allows you to retrieve, modify, and update settings.
--- a/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md
+++ b/windows/security/threat-protection/microsoft-defender-antivirus/utilize-microsoft-cloud-protection-microsoft-defender-antivirus.md
@ -22,7 +22,7 @@ ms.technology: mde
 **Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 Microsoft next-generation technologies in Microsoft Defender Antivirus provide near-instant, automated protection against new and emerging threats. To dynamically identify new threats, these technologies work with large sets of interconnected data in the Microsoft Intelligent Security Graph and powerful artificial intelligence (AI) systems driven by advanced machine learning models.  
--- a/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/configure-md-app-guard.md
@ -18,7 +18,7 @@ ms.technology: mde
 # Configure Microsoft Defender Application Guard policy settings
 **Applies to:** 
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 Microsoft Defender Application Guard (Application Guard) works with Group Policy to help you manage your organization's computer settings. By using Group Policy, you can configure a setting once, and then copy it onto many computers. For example, you can set up multiple security settings in a GPO, which is linked to a domain, and then apply all those settings to every computer in the domain.
--- a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md
@ -18,7 +18,7 @@ ms.technology: mde
 # Prepare to install Microsoft Defender Application Guard
 **Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 ## Review system requirements
--- a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
@ -19,7 +19,7 @@ ms.technology: mde
 **Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 We've come up with a list of scenarios that you can use to test hardware-based isolation in your organization.
--- a/windows/security/threat-protection/microsoft-defender-atp/access-mssp-portal.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/access-mssp-portal.md
@ -21,7 +21,7 @@ ms.technology: mde
 # Access the Microsoft Defender Security Center MSSP customer portal
 **Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
@ -29,7 +29,7 @@ ms.technology: mde
 **Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 >Want to experience Microsoft Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-mssp-support-abovefoldlink)
--- a/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/add-or-remove-machine-tags.md
@ -1,6 +1,6 @@
 ---
 title: Add or Remove Machine Tags API
-description: Learn how to use the Add or Remove machine tags API to adds or remove a tag for a machine in Microsoft Defender Advanced Threat Protection.
+description: Learn how to use the Add or Remove machine tags API to adds or remove a tag for a machine in Microsoft Defender for Endpoint.
 keywords: apis, graph api, supported apis, tags, machine tags
 search.product: eADQiWindows 10XVcnh
 ms.prod: m365-security
@ -20,8 +20,8 @@ ms.technology: mde
 # Add or Remove Machine Tags API
 **Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+2154037
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
@ -90,7 +90,7 @@ If successful, this method returns 200 - Ok response code and the updated Machin
 Here is an example of a request that adds machine tag.
-```
+```http
 POST https://api.securitycenter.microsoft.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/tags
 ```
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md
@ -21,7 +21,7 @@ ms.technology: mde
 # Configure advanced features in Defender for Endpoint
 **Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-assignedipaddress-function.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-assignedipaddress-function.md
@ -1,7 +1,7 @@
 ---
-title: AssignedIPAddresses() function in advanced hunting for Microsoft Defender Advanced Threat Protection
+title: AssignedIPAddresses() function in advanced hunting for Microsoft Defender for Endpoint
 description: Learn how to use the AssignedIPAddresses() function to get the latest IP addresses assigned to a device
-keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, Microsoft Defender ATP, Microsoft Defender Advanced Threat Protection, Windows Defender, Windows Defender ATP, Windows Defender Advanced Threat Protection, search, query, telemetry, schema reference, kusto, FileProfile, file profile, function, enrichment
+keywords: advanced hunting, threat hunting, cyber threat hunting, mdatp, Microsoft Defender ATP, Microsoft Defender for Endpoint, Windows Defender, Windows Defender ATP, Windows Defender Advanced Threat Protection, search, query, telemetry, schema reference, kusto, FileProfile, file profile, function, enrichment
 search.product: eADQiWindows 10XVcnh
 search.appverid: met150
 ms.prod: m365-security
@ -26,8 +26,9 @@ ms.technology: mde
 >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedfeats-abovefoldlink)
 **Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
 Use the `AssignedIPAddresses()` function in your advanced hunting queries to quickly obtain the latest IP addresses that have been assigned to a device. If you specify a timestamp argument, this function obtains the most recent IP addresses at the specified time.
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-best-practices.md
@ -23,8 +23,8 @@ ms.technology: mde
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2146631)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
 >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-bestpractices-abovefoldlink)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicealertevents-table.md
@ -24,8 +24,8 @@ ms.technology: mde
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
 >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceevents-table.md
@ -23,8 +23,8 @@ ms.technology: mde
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
 >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfo-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefilecertificateinfo-table.md
@ -24,8 +24,8 @@ ms.technology: mde
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
 >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-devicefileevents-table.md
@ -23,8 +23,8 @@ ms.technology: mde
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
- [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
+
 >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceimageloadevents-table.md
@ -23,8 +23,7 @@ ms.technology: mde
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
 >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-hunting-deviceinfo-table.md
@ -23,8 +23,7 @@ ms.technology: mde
 [!INCLUDE [Microsoft 365 Defender rebranding](../../includes/microsoft-defender.md)]
 **Applies to:**
- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/?linkid=2154037)
+- [Microsoft Defender for Endpoint](https://go.microsoft.com/fwlink/p/?linkid=2154037)
 - [Microsoft 365 Defender](https://go.microsoft.com/fwlink/?linkid=2118804)
 >Want to experience Defender for Endpoint? [Sign up for a free trial.](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp?ocid=docs-wdatp-advancedhuntingref-abovefoldlink)
--- a/Show More
+++ b/Show More