diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md
index c6c5cf099e..83ca5233e3 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-portal.md
@@ -45,8 +45,8 @@ You must download the deployment folder (**EMIEWebPortal/**), which includes all
6. Go back up a directory, open the solution file **EMIEWebPortal.sln** in Visual Studio, open **Web.config** from **EMIEWebPortal/** folder, and replace MSIT-LOB-COMPAT with your server name hosting your database, replace LOBMerged with your database name, and build the entire solution.
- >[!Note]
- >Step 3 of this topic provides the steps to create your database.
+ >[!Note]
+ >Step 3 of this topic provides the steps to create your database.
7. Copy the contents of the **EMIEWebPortal/** folder to a dedicated folder on your file system. For example, _D:\EMIEWebApp_. In a later step, you'll designate this folder as your website in the IIS Manager.
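Review bot: the re-indented note under step 6 still refers to the database-creation procedure as "Step 3 of this topic", which goes stale as soon as the list is renumbered; since the line is being touched anyway, link the step or say "the database you created in step 3 above". Also, the Web.config edit in step 6 tells the reader to substitute a server and database name but not what authentication the connection string should use; one sentence saying whether integrated (Windows) authentication is expected would prevent people from pasting SQL credentials into the file.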
diff --git a/devices/hololens/TOC.md b/devices/hololens/TOC.md
index 6b1c835350..5d0635344e 100644
--- a/devices/hololens/TOC.md
+++ b/devices/hololens/TOC.md
@@ -1,17 +1,24 @@
# [Microsoft HoloLens](index.md)
-## [What's new in Microsoft HoloLens](hololens-whats-new.md)
-## [HoloLens in the enterprise: requirements and FAQ](hololens-requirements.md)
-## [Insider preview for Microsoft HoloLens](hololens-insider.md)
-## [Set up HoloLens](hololens-setup.md)
+# [What's new in HoloLens](hololens-whats-new.md)
+# [HoloLens in the enterprise: requirements and FAQ](hololens-requirements.md)
+# [Set up HoloLens](hololens-setup.md)
+
+# Device Management
+## [Unlock Windows Holographic for Business features](hololens-upgrade-enterprise.md)
## [Install localized version of HoloLens](hololens-install-localized.md)
-## [Unlock Windows Holographic for Business features](hololens-upgrade-enterprise.md)
+## [Configure HoloLens using a provisioning package](hololens-provisioning.md)
## [Enroll HoloLens in MDM](hololens-enroll-mdm.md)
## [Manage updates to HoloLens](hololens-updates.md)
-## [Set up HoloLens in kiosk mode](hololens-kiosk.md)
-## [Share HoloLens with multiple people](hololens-multiple-users.md)
-## [Configure HoloLens using a provisioning package](hololens-provisioning.md)
-## [Install apps on HoloLens](hololens-install-apps.md)
-## [Enable Bitlocker device encryption for HoloLens](hololens-encryption.md)
## [Restore HoloLens 2 using Advanced Recovery Companion](hololens-recovery.md)
+
+# Application Management
+## [Install apps on HoloLens](hololens-install-apps.md)
+## [Share HoloLens with multiple people](hololens-multiple-users.md)
+
+# User/Access Management
+## [Set up single application access](hololens-kiosk.md)
+## [Enable Bitlocker device encryption for HoloLens](hololens-encryption.md)
## [How HoloLens stores data for spaces](hololens-spaces.md)
-## [Change history for Microsoft HoloLens documentation](change-history-hololens.md)
\ No newline at end of file
+
+# [Insider preview for Microsoft HoloLens](hololens-insider.md)
+# [Change history for Microsoft HoloLens documentation](change-history-hololens.md)
\ No newline at end of file
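Review bot: "Enable Bitlocker device encryption for HoloLens" is filed under the new "User/Access Management" heading, but device encryption is a device-level protection, not a user or access control; it belongs under "Device Management" with provisioning, MDM enrollment and updates, and "How HoloLens stores data for spaces" is likewise storage behaviour rather than access management. The retitled entry "Set up single application access" still points at hololens-kiosk.md; check that the page title and any in-text references in that file are updated too, otherwise readers searching for "kiosk mode" lose the match. The file still ends without a trailing newline ("\ No newline at end of file" on both sides of the diff); add one while here.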
diff --git a/devices/surface-hub/create-a-device-account-using-office-365.md b/devices/surface-hub/create-a-device-account-using-office-365.md
index 2d52e698c0..85be497437 100644
--- a/devices/surface-hub/create-a-device-account-using-office-365.md
+++ b/devices/surface-hub/create-a-device-account-using-office-365.md
@@ -217,6 +217,8 @@ In order to enable Skype for Business, your environment will need to meet the fo
## Create a device account using the Exchange Admin Center
+>[!NOTE]
+>This method will only work if you are syncing from an on-premises Active Directory.
You can use the Exchange Admin Center to create a device account:
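Review bot: the new note tells the reader that the Exchange Admin Center method "will only work if you are syncing from an on-premises Active Directory" but not what a cloud-only tenant should do instead; add a pointer to the applicable alternative section on this page. "This method works only if…" reads better than "will only work if", and "syncing from" should say what is being synchronized (directory identities to Azure AD).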
diff --git a/windows/client-management/advanced-troubleshooting-boot-problems.md b/windows/client-management/advanced-troubleshooting-boot-problems.md
index 101ca103bc..b80840d43d 100644
--- a/windows/client-management/advanced-troubleshooting-boot-problems.md
+++ b/windows/client-management/advanced-troubleshooting-boot-problems.md
@@ -385,6 +385,6 @@ If the dump file shows an error that is related to a driver (for example, window
1. Start WinRE, and open a Command Prompt window.
2. Start a text editor, such as Notepad.
- 3. Navigate to C\Windows\System32\Config\.
+ 3. Navigate to C:\Windows\System32\Config\.
4. Rename the all five hives by appending ".old" to the name.
5. Copy all the hives from the Regback folder, paste them in the Config folder, and then try to start the computer in Normal mode.
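Review bot: the path fix on step 3 is correct, but step 4 renames all five live hives before step 5 checks that the RegBack folder actually contains replacement copies; if RegBack is empty the machine is left with no registry hives at all. Add a step (or a sentence in step 5) to confirm that the hive files exist in Config\RegBack before renaming anything in Config. Step 4 also has a typo in the unchanged context line ("Rename the all five hives" should be "Rename all five hives").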
diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
index 481636bb71..fee32a8f15 100644
--- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
+++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
@@ -35,7 +35,7 @@ The auto-enrollment relies of the presence of an MDM service and the Azure Activ
When the auto-enrollment Group Policy is enabled, a task is created in the background that initiates the MDM enrollment. The task will use the existing MDM service configuration from the Azure Active Directory information of the user. If multi-factor authentication is required, the user will get a prompt to complete the authentication. Once the enrollment is configured, the user can check the status in the Settings page.
-In Windows 10, version 1709, when the same policy is configured in GP and MDM, the GP policy wins (GP policy is take precedence over MDM). In the future release of Windows 10, we are considering a feature that allows the admin to control which policy takes precedence.
+In Windows 10, version 1709, when the same policy is configured in GP and MDM, the GP policy wins (GP policy takes precedence over MDM). Since Windows 10, version 1803, a new setting allows you to change the policy conflict winner to MDM. See [Windows 10 Group Policy vs. Intune MDM Policy who wins?](https://blogs.technet.microsoft.com/cbernier/2018/04/02/windows-10-group-policy-vs-intune-mdm-policy-who-wins/) to learn more.
For this policy to work, you must verify that the MDM service provider allows the GP triggered MDM enrollment for domain joined devices.
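Review bot: the added sentence says "a new setting allows you to change the policy conflict winner to MDM" but never names the setting, and sends the reader to a personal TechNet blog rather than the CSP reference in this repo. Name the policy (the ControlPolicyConflict/MDMWinsOverGP node of the Policy CSP, introduced in Windows 10, version 1803) and link its CSP page, keeping the blog link only as supplementary reading. The unchanged lead-in in the hunk context ("relies of the presence") should read "relies on the presence".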
diff --git a/windows/client-management/mdm/passportforwork-csp.md b/windows/client-management/mdm/passportforwork-csp.md
index 7bc515edc2..0591f04600 100644
--- a/windows/client-management/mdm/passportforwork-csp.md
+++ b/windows/client-management/mdm/passportforwork-csp.md
@@ -36,7 +36,7 @@ The following diagram shows the PassportForWork configuration service provider i
Root node for PassportForWork configuration service provider.
***TenantId***
-A globally unique identifier (GUID), without curly braces ( { , } ), that is used as part of Windows Hello for Business provisioning and management.
+A globally unique identifier (GUID), without curly braces ( { , } ), that is used as part of Windows Hello for Business provisioning and management. To get a GUID, use the PowerShell cmdlet [Get-AzureAccount](https://docs.microsoft.com/powershell/module/servicemanagement/azure/get-azureaccount). For more information see [Get Windows Azure Active Directory Tenant ID in Windows PowerShell](https://devblogs.microsoft.com/scripting/get-windows-azure-active-directory-tenant-id-in-windows-powershell).
***TenantId*/Policies**
Node for defining the Windows Hello for Business policy settings.
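Review bot: pointing readers at Get-AzureAccount to obtain the tenant GUID is a poor fit: the link path (servicemanagement/azure) shows it is the legacy Azure Service Management module, and the sentence does not say which property of its output holds the tenant ID. Recommend a cmdlet that returns the Azure AD tenant ID directly, for example (Get-AzureADTenantDetail).ObjectId from the AzureAD module or (Get-AzContext).Tenant.Id from Az, and show the expected shape of the value (a bare GUID such as xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx with no braces), since the requirement "without curly braces" is the part people get wrong.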
diff --git a/windows/client-management/new-policies-for-windows-10.md b/windows/client-management/new-policies-for-windows-10.md
index 7d77e94d7d..6efbed9a1f 100644
--- a/windows/client-management/new-policies-for-windows-10.md
+++ b/windows/client-management/new-policies-for-windows-10.md
@@ -254,6 +254,7 @@ No new [Exchange ActiveSync policies](https://go.microsoft.com/fwlink/p/?LinkId=
## Related topics
+[Group Policy Settings Reference Spreadsheet Windows 1803](https://www.microsoft.com/download/details.aspx?id=56946)
[Manage corporate devices](manage-corporate-devices.md)
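Review bot: the link text "Group Policy Settings Reference Spreadsheet Windows 1803" does not follow the version naming used elsewhere in this change ("Windows 10, version 1803"); use that form so the related-topics list is consistent with the body text.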
diff --git a/windows/configuration/customize-and-export-start-layout.md b/windows/configuration/customize-and-export-start-layout.md
index 1232a8f3f0..8b6e9832e9 100644
--- a/windows/configuration/customize-and-export-start-layout.md
+++ b/windows/configuration/customize-and-export-start-layout.md
@@ -83,7 +83,7 @@ To prepare a Start layout for export, you simply customize the Start layout on a
## Export the Start layout
-When you have the Start layout that you want your users to see, use the [Export-StartLayout](https://docs.microsoft.com/powershell/module/startlayout/export-startlayout?view=win10-ps) cmdlet in Windows PowerShell to export the Start layout to an .xml file.
+When you have the Start layout that you want your users to see, use the [Export-StartLayout](https://docs.microsoft.com/powershell/module/startlayout/export-startlayout?view=win10-ps) cmdlet in Windows PowerShell to export the Start layout to an .xml file. Start layout is located by default at C:\Users\username\AppData\Local\Microsoft\Windows\Shell\
>[!IMPORTANT]
>If you include secondary Microsoft Edge tiles (tiles that link to specific websites in Microsoft Edge), see [Add custom images to Microsoft Edge secondary tiles](start-secondary-tiles.md) for instructions.
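Review bot: the appended sentence "Start layout is located by default at C:\Users\username\AppData\Local\Microsoft\Windows\Shell\" is ambiguous: Export-StartLayout writes the .xml to the path the reader supplies, so say what is in that folder (the per-user layout files) and why the reader would look there, or drop the sentence. Use the %LOCALAPPDATA% variable instead of a literal "username" path segment, and end the sentence with a period.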
@@ -155,6 +155,8 @@ When you have the Start layout that you want your users to see, use the [Export-
>* If you place executable files or scripts in the \ProgramData\Microsoft\Windows\Start Menu\Programs folder, they will not pin to Start.
>
>* Start on Windows 10 does not support subfolders. We only support one folder. For example, \ProgramData\Microsoft\Windows\Start Menu\Programs\Folder. If you go any deeper than one folder, Start will compress the contents of all the subfolder to the top level.
+>
+>* Three additional shortcuts are pinned to the start menu after the export. These are shortcuts to %ALLUSERSPROFILE%\Microsoft\Windows\Start Menu\Programs, %APPDATA%\Microsoft\Windows\Start Menu\Programs, and %APPDATA%\Microsoft\Windows\Start Menu\Programs\System Tools\.
## Configure a partial Start layout
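Review bot: the new bullet says "Three additional shortcuts are pinned to the start menu after the export", but the export described above only writes an .xml file and pins nothing; state whether these three entries appear in the exported XML or on devices after the layout is applied, and under what condition. Also capitalize "Start" to match the rest of the note, and consider fencing the three paths rather than leaving them bare in the sentence.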
diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md
index 0dac7f3654..a8f9235264 100644
--- a/windows/deployment/update/waas-delivery-optimization.md
+++ b/windows/deployment/update/waas-delivery-optimization.md
@@ -74,7 +74,7 @@ You can use Group Policy or an MDM solution like Intune to configure Delivery Op
You will find the Delivery Optimization settings in Group Policy under **Configuration\Policies\Administrative Templates\Windows Components\Delivery Optimization**.
In MDM, the same settings are under **.Vendor/MSFT/Policy/Config/DeliveryOptimization/**.
-Starting with Windows Intune version 1902, you can set many Delivery Optimization policies as a profile which you can then apply to groups of devices. For more information, see [Delivery Optimization settings in Microsoft Intune](https://docs.microsoft.com/intune/delivery-optimization-windows))
+Starting with Microsoft Intune version 1902, you can set many Delivery Optimization policies as a profile which you can then apply to groups of devices. For more information, see [Delivery Optimization settings in Microsoft Intune](https://docs.microsoft.com/intune/delivery-optimization-windows))
**Starting with Windows 10, version 1903,** you can use the Azure Active Directory (AAD) Tenant ID as a means to define groups. To do this set the value for DOGroupIdSource to its new maximum value of 5.
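Review bot: the edited Intune sentence still ends with a stray closing parenthesis after the link ("…delivery-optimization-windows))"); since the line is being touched for the product-name fix, drop the extra ")" in the same change. In the following unchanged line, "To do this set the value" needs a comma after "this".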
diff --git a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md
index 37103745b0..2807a78f24 100644
--- a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md
+++ b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md
@@ -45,7 +45,7 @@ Semi-Annual Channel is the default servicing channel for all Windows 10 devices
>The LTSB edition of Windows 10 is only available through the [Microsoft Volume Licensing Center](https://www.microsoft.com/Licensing/servicecenter/default.aspx).
>[!NOTE]
->Semi-Annual Channel (Targeted) should be used only by the customers that are using [Windows Update for Business](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wufb). For those, who don't use Windows Update for Business, Semi-Annual Channel (Targeted) would be the same as Semi-Annual Channel.
+>Semi-Annual Channel (Targeted) should be used only by the customers that are using [Windows Update for Business](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wufb). For those who don't use Windows Update for Business, Semi-Annual Channel (Targeted) would be the same as Semi-Annual Channel.
## Assign devices to Semi-Annual Channel
diff --git a/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md b/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md
index 9942044960..e2e21a62bc 100644
--- a/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md
+++ b/windows/deployment/update/windows-analytics-FAQ-troubleshooting.md
@@ -84,11 +84,13 @@ If you have devices that appear in other solutions, but not Device Health (the D
1. Using the Azure portal, remove the Device Health (appears as DeviceHealthProd on some pages) solution from your Log Analytics workspace. After completing this, add the Device Health solution to you workspace again.
2. Confirm that the devices are running Windows 10.
3. Verify that the Commercial ID is present in the device's registry. For details see [https://gpsearch.azurewebsites.net/#13551](https://gpsearch.azurewebsites.net/#13551).
-4. Confirm that devices have opted in to provide diagnostic data by checking in the registry that **AllowTelemetry** is set to 2 (Enhanced) or 3 (Full) in **HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection** (or **HKLM\Software\Policies\Microsoft\Windows\DataCollection**, which takes precedence if set).
+4. Confirm that devices are opted in to send diagnostic data by checking in the registry that **AllowTelemetry** is set to either 2 (Enhanced) or 3 (Full).
+ - **AllowTelemetry** under **HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection** is the location set by Group Policy or MDM
+ - **AllowTelemetry** under **HKLM\Software\Policies\Microsoft\Windows\DataCollection** is the location set by local tools such as the Settings app.
+ - By convention the Group Policy location would take precedence if both are set. Starting with Windows 10, version 1803, the default precedence is modified to enable a device user to lower the diagnostic data level from that set by IT. For organizations which have no requirement to allow the user to override IT, the conventional (IT wins) behavior can be re-enabled using **DisableTelemetryOptInSettingsUx**. This policy can be set via Group Policy as **Computer Configuration\Administrative Templates\Windows Components\Data Collection and Preview Builds\Configure telemetry opt-in setting user interface**.
5. Verify that devices can reach the endpoints specified in [Enrolling devices in Windows Analytics](windows-analytics-get-started.md). Also check settings for SSL inspection and proxy authentication; see [Configuring endpoint access with SSL inspection](https://docs.microsoft.com/windows/deployment/update/windows-analytics-get-started#configuring-endpoint-access-with-ssl-inspection) for more information.
-6. Add the Device Health solution back to your Log Analytics workspace.
-7. Wait 48 hours for activity to appear in the reports.
-8. If you need additional troubleshooting, contact Microsoft Support.
+6. Wait 48 hours for activity to appear in the reports.
+7. If you need additional troubleshooting, contact Microsoft Support.
### Device crashes not appearing in Device Health Device Reliability
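Review bot: the two registry locations in the new sub-bullets appear to be swapped. The original line said HKLM\Software\Policies\Microsoft\Windows\DataCollection "takes precedence if set", and HKLM\Software\Policies is the hive that Group Policy writes to; the rewrite instead labels HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection as "the location set by Group Policy or MDM" and the Software\Policies path as "set by local tools such as the Settings app", which inverts them and would send an admin checking the wrong key. Swap the two descriptions (Software\Policies = Group Policy; CurrentVersion\Policies = Settings app), then the third bullet's "Group Policy location would take precedence" matches the original precedence statement. Removing old step 6 ("Add the Device Health solution back") is fine since step 1 already covers re-adding it.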
diff --git a/windows/deployment/upgrade/upgrade-readiness-data-sharing.md b/windows/deployment/upgrade/upgrade-readiness-data-sharing.md
index b7b51ae981..5c36726a38 100644
--- a/windows/deployment/upgrade/upgrade-readiness-data-sharing.md
+++ b/windows/deployment/upgrade/upgrade-readiness-data-sharing.md
@@ -45,4 +45,10 @@ In order to enable this scenario, you need:
- Set the reg key HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DataCollection\DisableEnterpriseAuthProxy to 0. If the value does not exist, create a new DWORD, name it DisableEnterpriseAuthProxy and set the value to 0. The deployment script will check this is configured correctly.
- Set ClientProxy=User in bat.
+>[!IMPORTANT]
+> Using **Logged-in user's internet connection** with **DisableEnterpriseAuthProxy = 0** scenario is incompatible with ATP where the required value of that attribute is 1.(Read more here)[https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection]
+
+
+
+
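Review bot: the link in the new IMPORTANT block is malformed Markdown: "(Read more here)[https://…]" has the parentheses and brackets the wrong way round, so it renders as literal text; it should be "[Read more here](https://…)", with a space before it after "1." Also expand "ATP" on first use to the product name the linked page uses (Windows Defender Advanced Threat Protection) so the conflict is clear, and drop the four trailing blank "+" lines added at end of file.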
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index c68d13cadf..a9e92983f8 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -666,7 +666,7 @@ To remove the News app:
-or-
>[!IMPORTANT]
-> If you have any issues with these commands, do a system reboot and try the scripts again.
+> If you have any issues with these commands, restart the system and try the scripts again.
>
- Remove the app for new user accounts. From an elevated command prompt, run the following Windows PowerShell command: **Get-AppxProvisionedPackage -Online | Where-Object {$\_.PackageName -Like "Microsoft.BingNews"} | ForEach-Object { Remove-AppxProvisionedPackage -Online -PackageName $\_.PackageName}**
diff --git a/windows/security/identity-protection/access-control/special-identities.md b/windows/security/identity-protection/access-control/special-identities.md
index 16e282f16f..2dfcc827e9 100644
--- a/windows/security/identity-protection/access-control/special-identities.md
+++ b/windows/security/identity-protection/access-control/special-identities.md
@@ -34,364 +34,153 @@ Although the special identity groups can be assigned rights and permissions to r
For information about security groups and group scope, see [Active Directory Security Groups](active-directory-security-groups.md).
-The special identity groups are described in the following tables.
+The special identity groups are described in the following tables:
-- [Anonymous Logon](#bkmk-anonymouslogon)
+- [Anonymous Logon](#anonymous-logon)
-- [Authenticated User](#bkmk-authenticateduser)
+- [Authenticated User](#authenticated-users)
-- [Batch](#bkmk-batch)
+- [Batch](#batch)
-- [Creator Group](#bkmk-creatorgroup)
+- [Creator Group](#creator-group)
-- [Creator Owner](#bkmk-creatorowner)
+- [Creator Owner](#creator-owner)
-- [Dialup](#bkmk-dialup)
+- [Dialup](#dialup)
-- [Digest Authentication](#bkmk-digestauth)
+- [Digest Authentication](#digest-authentication)
-- [Enterprise Domain Controllers](#bkmk-entdcs)
+- [Enterprise Domain Controllers](#enterprise-domain-controllers)
-- [Everyone](#bkmk-everyone)
+- [Everyone](#everyone)
-- [Interactive](#bkmk-interactive)
+- [Interactive](#interactive)
-- [Local Service](#bkmk-localservice)
+- [Local Service](#local-service)
-- [LocalSystem](#bkmk-localsystem)
+- [LocalSystem](#localsystem)
-- [Network](#bkmk-network)
+- [Network](#network)
-- [Network Service](#bkmk-networkservice)
+- [Network Service](#network-service)
-- [NTLM Authentication](#bkmk-ntlmauth)
+- [NTLM Authentication](#ntlm-authentication)
-- [Other Organization](#bkmk-otherorganization)
+- [Other Organization](#other-organization)
-- [Principal Self](#bkmk-principalself)
+- [Principal Self](#principal-self)
-- [Remote Interactive Logon](#bkmk-remoteinteractivelogon)
+- [Remote Interactive Logon](#remote-interactive-logon)
-- [Restricted](#bkmk-restrictedcode)
+- [Restricted](#restricted)
-- [SChannel Authentication](#bkmk-schannelauth)
+- [SChannel Authentication](#schannel-authentication)
-- [Service](#bkmk-service)
+- [Service](#service)
-- [Terminal Server User](#bkmk-terminalserveruser)
+- [Terminal Server User](#terminal-server-user)
-- [This Organization](#bkmk-thisorg)
+- [This Organization](#this-organization)
-- [Window Manager\\Window Manager Group](#bkmk-windowmanager)
+- [Window Manager\\Window Manager Group](#window-manager\\window-manager-group)
-## Anonymous Logon
+## Anonymous Logon
Any user who accesses the system through an anonymous logon has the Anonymous Logon identity. This identity allows anonymous access to resources, such as a web page that is published on corporate servers. The Anonymous Logon group is not a member of the Everyone group by default.
-
-
-
-
-
-
-
-
-
-
-Well-Known SID/RID |
-S-1-5-7 |
-
-
-Object Class |
-Foreign Security Principal |
-
-
-Default Location in Active Directory |
-cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
-
-
-Default User Rights |
-None |
-
-
-
+| **Attribute** | **Value** |
+| :--: | :--: |
+| Well-Known SID/RID | S-1-5-7 |
+|Object Class| Foreign Security Principal|
+|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\|
+|Default User Rights|None|
-
-
-## Authenticated Users
+## Authenticated Users
Any user who accesses the system through a sign-in process has the Authenticated Users identity. This identity allows access to shared resources within the domain, such as files in a shared folder that should be accessible to all the workers in the organization. Membership is controlled by the operating system.
-
-
-
-
-
-
-
-
-
-
-Well-Known SID/RID |
-S-1-5-11 |
-
-
-Object Class |
-Foreign Security Principal |
-
-
-Default Location in Active Directory |
-cn=System,cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
-
-
-Default User Rights |
-[Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight
-[Add workstations to domain](/windows/device-security/security-policy-settings/add-workstations-to-domain): SeMachineAccountPrivilege
-[Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege |
-
-
-
+| **Attribute** | **Value** |
+| :--: | :--: |
+| Well-Known SID/RID | S-1-5-11 |
+|Object Class| Foreign Security Principal|
+|Default Location in Active Directory |cn=System,cn=WellKnown Security Principals, cn=Configuration, dc=\|
+|Default User Rights| [Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight
[Add workstations to domain](/windows/device-security/security-policy-settings/add-workstations-to-domain): SeMachineAccountPrivilege
[Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege|
-
-
-## Batch
+## Batch
Any user or process that accesses the system as a batch job (or through the batch queue) has the Batch identity. This identity allows batch jobs to run scheduled tasks, such as a nightly cleanup job that deletes temporary files. Membership is controlled by the operating system.
-
-
-
-
-
-
-
-
-
-
-Well-Known SID/RID |
-S-1-5-3 |
-
-
-Object Class |
-Foreign Security Principal |
-
-
-Default Location in Active Directory |
-cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
-
-
-Default User Rights |
-None |
-
-
-
+| **Attribute** | **Value** |
+| :--: | :--: |
+| Well-Known SID/RID | S-1-5-3 |
+|Object Class| Foreign Security Principal|
+|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\|
+|Default User Rights| none|
-
-
-## Creator Group
+## Creator Group
The person who created the file or the directory is a member of this special identity group. Windows Server operating systems use this identity to automatically grant access permissions to the creator of a file or directory.
A placeholder security identifier (SID) is created in an inheritable access control entry (ACE). When the ACE is inherited, the system replaces this SID with the SID for the primary group of the object’s current owner. The primary group is used only by the Portable Operating System Interface for UNIX (POSIX) subsystem.
-
-
-
-
-
-
-
-
-
-
-Well-Known SID/RID |
-S-1-3-1 |
-
-
-Object Class |
-Foreign Security Principal |
-
-
-Default Location in Active Directory |
-cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
-
-
-Default User Rights |
-None |
-
-
-
+| **Attribute** | **Value** |
+| :--: | :--: |
+| Well-Known SID/RID | S-1-3-1 |
+|Object Class| Foreign Security Principal|
+|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\|
+|Default User Rights| none|
-
-
-## Creator Owner
+## Creator Owner
The person who created the file or the directory is a member of this special identity group. Windows Server operating systems use this identity to automatically grant access permissions to the creator of a file or directory. A placeholder SID is created in an inheritable ACE. When the ACE is inherited, the system replaces this SID with the SID for the object’s current owner.
-
-
-
-
-
-
-
-
-
-
-Well-Known SID/RID |
-S-1-3-0 |
-
-
-Object Class |
-Foreign Security Principal |
-
-
-Default Location in Active Directory |
-cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
-
-
-Default User Rights |
-None |
-
-
-
+| **Attribute** | **Value** |
+| :--: | :--: |
+| Well-Known SID/RID | S-1-3-0 |
+|Object Class| Foreign Security Principal|
+|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\|
+|Default User Rights| none|
-
-
-## Dialup
+## Dialup
Any user who accesses the system through a dial-up connection has the Dial-Up identity. This identity distinguishes dial-up users from other types of authenticated users.
-
-
-
-
-
-
-
-
-
-
-Well-Known SID/RID |
-S-1-5-1 |
-
-
-Object Class |
-Foreign Security Principal |
-
-
-Default Location in Active Directory |
-cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
-
-
-Default User Rights |
-None |
-
-
-
+| **Attribute** | **Value** |
+| :--: | :--: |
+| Well-Known SID/RID | S-1-5-1 |
+|Object Class| Foreign Security Principal|
+|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\|
+|Default User Rights| none|
-
-
-## Digest Authentication
+## Digest Authentication
-
-
-
-
-
-
-
-
-
-
-Well-Known SID/RID |
-S-1-5-64-21 |
-
-
-Object Class |
-Foreign Security Principal |
-
-
-Default Location in Active Directory |
-cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
-
-
-Default User Rights |
-None |
-
-
-
+| **Attribute** | **Value** |
+| :--: | :--: |
+| Well-Known SID/RID | S-1-5-64-21 |
+|Object Class| Foreign Security Principal|
+|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\|
+|Default User Rights| none|
-
-
-## Enterprise Domain Controllers
+## Enterprise Domain Controllers
This group includes all domain controllers in an Active Directory forest. Domain controllers with enterprise-wide roles and responsibilities have the Enterprise Domain Controllers identity. This identity allows them to perform certain tasks in the enterprise by using transitive trusts. Membership is controlled by the operating system.
-
-
-
-
-
-
-
-
-
-
-Well-Known SID/RID |
-S-1-5-9 |
-
-
-Object Class |
-Foreign Security Principal |
-
-
-Default Location in Active Directory |
-cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
-
-
-Default User Rights Assignment |
-[Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight
-[Allow log on locally](/windows/device-security/security-policy-settings/allow-log-on-locally): SeInteractiveLogonRight |
-
-
-
+| **Attribute** | **Value** |
+| :--: | :--: |
+| Well-Known SID/RID | S-1-5-9 |
+|Object Class| Foreign Security Principal|
+|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\|
+|Default User Rights| [Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight
[Allow log on locally](/windows/device-security/security-policy-settings/allow-log-on-locally): SeInteractiveLogonRight|
-
-
-## Everyone
+## Everyone
All interactive, network, dial-up, and authenticated users are members of the Everyone group. This special identity group gives wide access to system resources. Whenever a user logs on to the network, the user is automatically added to the Everyone group.
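Review bot: several of the converted tables lose or break content. The "Default Location in Active Directory" cell now reads "cn=WellKnown Security Principals, cn=Configuration, dc=\|" in every table, i.e. the "<forestRootDomain>" placeholder from the original HTML is gone; it needs to be escaped so Markdown does not treat it as a tag (for example "dc=\<forestRootDomain\>"). The "Default User Rights" cells for Authenticated Users and Enterprise Domain Controllers are split across three lines (the SeMachineAccountPrivilege and SeChangeNotifyPrivilege / SeInteractiveLogonRight lines), which a Markdown table cannot represent; join each into one cell with "<br>" between rights. Capitalization of "None" versus "none" is inconsistent between tables, and the ":--:" alignment centres a key/value table that reads better left-aligned. In the contents list, "[Authenticated User](#authenticated-users)" should say "Authenticated Users" to match its heading, and the "#window-manager\\window-manager-group" anchor contains backslashes that will not match the generated heading id. Finally, while the Everyone table is being rebuilt, verify the "Act as part of the operating system: SeTcbPrivilege" entry against the security-policy-settings page it links to; that page lists no default holders for SeTcbPrivilege, and a table stating that Everyone holds it by default is a security-relevant claim that should not survive a reformat unchecked.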
@@ -400,615 +189,184 @@ On computers running Windows 2000 and earlier, the Everyone group included the
Membership is controlled by the operating system.
-
-
-
-
-
-
-
-
-
-
-Well-Known SID/RID |
-S-1-1-0 |
-
-
-Object Class |
-Foreign Security Principal |
-
-
-Default Location in Active Directory |
-cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
-
-
-Default User Rights |
-[Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight
-[Act as part of the operating system](/windows/device-security/security-policy-settings/act-as-part-of-the-operating-system): SeTcbPrivilege
-[Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege |
-
-
-
+| **Attribute** | **Value** |
+| :--: | :--: |
+| Well-Known SID/RID | S-1-1-0 |
+|Object Class| Foreign Security Principal|
+|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\|
+|Default User Rights| [Access this computer from the network](/windows/device-security/security-policy-settings/access-this-computer-from-the-network): SeNetworkLogonRight [Act as part of the operating system](/windows/device-security/security-policy-settings/act-as-part-of-the-operating-system): SeTcbPrivilege [Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege|
-
-
-## Interactive
+## Interactive
Any user who is logged on to the local system has the Interactive identity. This identity allows only local users to access a resource. Whenever a user accesses a given resource on the computer to which they are currently logged on, the user is automatically added to the Interactive group. Membership is controlled by the operating system.
-
-
-
-
-
-
-
-
-
-
-Well-Known SID/RID |
-S-1-5-4 |
-
-
-Object Class |
-Foreign Security Principal |
-
-
-Default Location in Active Directory |
-cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
-
-
-Default User Rights |
-None |
-
-
-
+| **Attribute** | **Value** |
+| :--: | :--: |
+| Well-Known SID/RID | S-1-5-4 |
+|Object Class| Foreign Security Principal|
+|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\|
+|Default User Rights| None|
-
-
-## Local Service
+## Local Service
The Local Service account is similar to an Authenticated User account. The Local Service account has the same level of access to resources and objects as members of the Users group. This limited access helps safeguard your system if individual services or processes are compromised. Services that run as the Local Service account access network resources as a null session with anonymous credentials. The name of the account is NT AUTHORITY\\LocalService. This account does not have a password.
-
-
-
-
-
-
-
-
-
-
-Well-Known SID/RID |
-S-1-5-19 |
-
-
-Object Class |
-Foreign Security Principal |
-
-
-Default Location in Active Directory |
-cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
-
-
-Default user rights |
-[Adjust memory quotas for a process](/windows/device-security/security-policy-settings/adjust-memory-quotas-for-a-process): SeIncreaseQuotaPrivilege
-[Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege
-[Change the system time](/windows/device-security/security-policy-settings/change-the-system-time): SeSystemtimePrivilege
-[Change the time zone](/windows/device-security/security-policy-settings/change-the-time-zone): SeTimeZonePrivilege
-[Create global objects](/windows/device-security/security-policy-settings/create-global-objects): SeCreateGlobalPrivilege
-[Generate security audits](/windows/device-security/security-policy-settings/generate-security-audits): SeAuditPrivilege
-[Impersonate a client after authentication](/windows/device-security/security-policy-settings/impersonate-a-client-after-authentication): SeImpersonatePrivilege
-[Replace a process level token](/windows/device-security/security-policy-settings/replace-a-process-level-token): SeAssignPrimaryTokenPrivilege |
-
-
-
+| **Attribute** | **Value** |
+| :--: | :--: |
+| Well-Known SID/RID | S-1-5-19 |
+|Object Class| Foreign Security Principal|
+|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\|
+|Default User Rights| [Adjust memory quotas for a process](/windows/device-security/security-policy-settings/adjust-memory-quotas-for-a-process): SeIncreaseQuotaPrivilege
[Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege
[Change the system time](/windows/device-security/security-policy-settings/change-the-system-time): SeSystemtimePrivilege
[Change the time zone](/windows/device-security/security-policy-settings/change-the-time-zone): SeTimeZonePrivilege
[Create global objects](/windows/device-security/security-policy-settings/create-global-objects): SeCreateGlobalPrivilege
[Generate security audits](/windows/device-security/security-policy-settings/generate-security-audits): SeAuditPrivilege
[Impersonate a client after authentication](/windows/device-security/security-policy-settings/impersonate-a-client-after-authentication): SeImpersonatePrivilege
[Replace a process level token](/windows/device-security/security-policy-settings/replace-a-process-level-token): SeAssignPrimaryTokenPrivilege
|
-
-
-## LocalSystem
+## LocalSystem
This is a service account that is used by the operating system. The LocalSystem account is a powerful account that has full access to the system and acts as the computer on the network. If a service logs on to the LocalSystem account on a domain controller, that service has access to the entire domain. Some services are configured by default to log on to the LocalSystem account. Do not change the default service setting. The name of the account is LocalSystem. This account does not have a password.
-
-
-
-
-
-
-
-
-
-
-Well-Known SID/RID |
-S-1-5-18 |
-
-
-Object Class |
-Foreign Security Principal |
-
-
-Default Location in Active Directory |
-cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
-
-
-Default User Rights |
-None |
-
-
-
-
-
-## Network
+| **Attribute** | **Value** |
+| :--: | :--: |
+| Well-Known SID/RID | S-1-5-18 |
+|Object Class| Foreign Security Principal|
+|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\|
+|Default User Rights|None|
+## Network
This group implicitly includes all users who are logged on through a network connection. Any user who accesses the system through a network has the Network identity. This identity allows only remote users to access a resource. Whenever a user accesses a given resource over the network, the user is automatically added to the Network group. Membership is controlled by the operating system.
-
-
-
-
-
-
-
-
-
-
-Well-Known SID/RID |
-S-1-5-2 |
-
-
-Object Class |
-Foreign Security Principal |
-
-
-Default Location in Active Directory |
-cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
-
-
-Default User Rights |
-None |
-
-
-
+| **Attribute** | **Value** |
+| :--: | :--: |
+| Well-Known SID/RID | S-1-5-2 |
+|Object Class| Foreign Security Principal|
+|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\|
+|Default User Rights|None|
-
-
-## Network Service
+## Network Service
The Network Service account is similar to an Authenticated User account. The Network Service account has the same level of access to resources and objects as members of the Users group. This limited access helps safeguard your system if individual services or processes are compromised. Services that run as the Network Service account access network resources by using the credentials of the computer account. The name of the account is NT AUTHORITY\\NetworkService. This account does not have a password.
-
-
-
-
-
-
-
-
-
-
-Well-Known SID/RID |
-S-1-5-20 |
-
-
-Object Class |
-Foreign Security Principal |
-
-
-Default Location in Active Directory |
-cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
-
-
-Default User Rights |
-[Adjust memory quotas for a process](/windows/device-security/security-policy-settings/adjust-memory-quotas-for-a-process): SeIncreaseQuotaPrivilege
-[Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege
-[Create global objects](/windows/device-security/security-policy-settings/create-global-objects): SeCreateGlobalPrivilege
-[Generate security audits](/windows/device-security/security-policy-settings/generate-security-audits): SeAuditPrivilege
-[Impersonate a client after authentication](/windows/device-security/security-policy-settings/impersonate-a-client-after-authentication): SeImpersonatePrivilege
-[Restore files and directories](/windows/device-security/security-policy-settings/restore-files-and-directories): SeRestorePrivilege
-[Replace a process level token](/windows/device-security/security-policy-settings/replace-a-process-level-token): SeAssignPrimaryTokenPrivilege |
-
-
-
+| **Attribute** | **Value** |
+| :--: | :--: |
+| Well-Known SID/RID | S-1-5-20 |
+|Object Class| Foreign Security Principal|
+|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\|
+|Default User Rights| [Adjust memory quotas for a process](/windows/device-security/security-policy-settings/adjust-memory-quotas-for-a-process): SeIncreaseQuotaPrivilege
[Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege
[Create global objects](/windows/device-security/security-policy-settings/create-global-objects): SeCreateGlobalPrivilege
[Generate security audits](/windows/device-security/security-policy-settings/generate-security-audits): SeAuditPrivilege
[Impersonate a client after authentication](/windows/device-security/security-policy-settings/impersonate-a-client-after-authentication): SeImpersonatePrivilege
[Restore files and directories](/windows/device-security/security-policy-settings/restore-files-and-directories): SeRestorePrivilege
[Replace a process level token](/windows/device-security/security-policy-settings/replace-a-process-level-token): SeAssignPrimaryTokenPrivilege
|
-
-
-## NTLM Authentication
+## NTLM Authentication
-
-
-
-
-
-
-
-
-
-
-Well-Known SID/RID |
-S-1-5-64-10 |
-
-
-Object Class |
-Foreign Security Principal |
-
-
-Default Location in Active Directory |
-cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
-
-
-Default User Rights |
-None |
-
-
-
+| **Attribute** | **Value** |
+| :--: | :--: |
+| Well-Known SID/RID | S-1-5-64-10 |
+|Object Class| Foreign Security Principal|
+|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\|
+|Default User Rights| None|
-
-
-## Other Organization
+## Other Organization
This group implicitly includes all users who are logged on to the system through a dial-up connection. Membership is controlled by the operating system.
-
-
-
-
-
-
-
-
-
-
-Well-Known SID/RID |
-S-1-5-1000 |
-
-
-Object Class |
-Foreign Security Principal |
-
-
-Default Location in Active Directory |
-cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
-
-
-Default User Rights |
-None |
-
-
-
+| **Attribute** | **Value** |
+| :--: | :--: |
+| Well-Known SID/RID | S-1-5-1000 |
+|Object Class| Foreign Security Principal|
+|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\|
+|Default User Rights| None |
-
-
-## Principal Self
+## Principal Self
This identify is a placeholder in an ACE on a user, group, or computer object in Active Directory. When you grant permissions to Principal Self, you grant them to the security principal that is represented by the object. During an access check, the operating system replaces the SID for Principal Self with the SID for the security principal that is represented by the object.
-
-
-
-
-
-
-
-
-
-
-Well-Known SID/RID |
-S-1-5-10 |
-
-
-Object Class |
-Foreign Security Principal |
-
-
-Default Location in Active Directory |
-cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
-
-
-Default User Rights |
-None |
-
-
-
+| **Attribute** | **Value** |
+| :--: | :--: |
+| Well-Known SID/RID | S-1-5-10 |
+|Object Class| Foreign Security Principal|
+|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\|
+|Default User Rights| None |
-
-
-## Remote Interactive Logon
+## Remote Interactive Logon
This identity represents all users who are currently logged on to a computer by using a Remote Desktop connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID.
-
-
-
-
-
-
-
-
-
-
-Well-Known SID/RID |
-S-1-5-14 |
-
-
-Object Class |
-Foreign Security Principal |
-
-
-Default Location in Active Directory |
-cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
-
-
-Default User Rights |
-None |
-
-
-
+| **Attribute** | **Value** |
+| :--: | :--: |
+| Well-Known SID/RID | S-1-5-14|
+|Object Class| Foreign Security Principal|
+|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\|
+|Default User Rights| None |
-
-
-## Restricted
+## Restricted
Users and computers with restricted capabilities have the Restricted identity. This identity group is used by a process that is running in a restricted security context, such as running an application with the RunAs service. When code runs at the Restricted security level, the Restricted SID is added to the user’s access token.
-
-
-
-
-
-
-
-
-
-
-Well-Known SID/RID |
-S-1-5-12 |
-
-
-Object Class |
-Foreign Security Principal |
-
-
-Default Location in Active Directory |
-cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
-
-
-Default User Rights |
-None |
-
-
-
+| **Attribute** | **Value** |
+| :--: | :--: |
+| Well-Known SID/RID | S-1-5-12 |
+|Object Class| Foreign Security Principal|
+|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\|
+|Default User Rights| None |
-
-
-## SChannel Authentication
+## SChannel Authentication
-
-
-
-
-
-
-
-
-
-
-Well-Known SID/RID |
-S-1-5-64-14 |
-
-
-Object Class |
-Foreign Security Principal |
-
-
-Default Location in Active Directory |
-cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
-
-
-Default User Rights |
-None |
-
-
-
+| **Attribute** | **Value** |
+| :--: | :--: |
+| Well-Known SID/RID | S-1-5-64-14 |
+|Object Class| Foreign Security Principal|
+|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\|
+|Default User Rights| None |
-
-
-## Service
+## Service
Any service that accesses the system has the Service identity. This identity group includes all security principals that are signed in as a service. This identity grants access to processes that are being run by Windows Server services. Membership is controlled by the operating system.
-
-
-
-
-
-
-
-
-
-
-Well-Known SID/RID |
-S-1-5-6 |
-
-
-Object Class |
-Foreign Security Principal |
-
-
-Default Location in Active Directory |
-cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
-
-
-Default User Rights |
-[Create global objects](/windows/device-security/security-policy-settings/create-global-objects): SeCreateGlobalPrivilege
-[Impersonate a client after authentication](/windows/device-security/security-policy-settings/impersonate-a-client-after-authentication): SeImpersonatePrivilege |
-
-
-
-
+| **Attribute** | **Value** |
+| :--: | :--: |
+| Well-Known SID/RID | S-1-5-6 |
+|Object Class| Foreign Security Principal|
+|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\|
+|Default User Rights| [Create global objects](/windows/device-security/security-policy-settings/create-global-objects): SeCreateGlobalPrivilege
[Impersonate a client after authentication](/windows/device-security/security-policy-settings/impersonate-a-client-after-authentication): SeImpersonatePrivilege
|
-## Terminal Server User
+## Terminal Server User
Any user accessing the system through Terminal Services has the Terminal Server User identity. This identity allows users to access Terminal Server applications and to perform other necessary tasks with Terminal Server services. Membership is controlled by the operating system.
-
-
-
-
-
-
-
-
-
-
-Well-Known SID/RID |
-S-1-5-13 |
-
-
-Object Class |
-Foreign Security Principal |
-
-
-Default Location in Active Directory |
-cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
-
-
-Default User Rights |
-None |
-
-
-
+| **Attribute** | **Value** |
+| :--: | :--: |
+| Well-Known SID/RID | S-1-5-13 |
+|Object Class| Foreign Security Principal|
+|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\|
+|Default User Rights| None |
-
-
-## This Organization
+## This Organization
-
-
-
-
-
-
-
-
-
-
-Well-Known SID/RID |
-S-1-5-15 |
-
-
-Object Class |
-Foreign Security Principal |
-
-
-Default Location in Active Directory |
-cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
-
-
-Default User Rights |
-None |
-
-
-
+| **Attribute** | **Value** |
+| :--: | :--: |
+| Well-Known SID/RID | S-1-5-15 |
+|Object Class| Foreign Security Principal|
+|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\|
+|Default User Rights| None |
-
+## Window Manager\\Window Manager Group
-## Window Manager\\Window Manager Group
-
-
-
-
-
-
-
-
-
-
-
-
-Well-Known SID/RID |
- |
-
-
-Object Class |
- |
-
-
-Default Location in Active Directory |
-cn=WellKnown Security Principals, cn=Configuration, dc=<forestRootDomain> |
-
-
-Default User Rights |
-[Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege
-[Increase a process working set](/windows/device-security/security-policy-settings/increase-a-process-working-set): SeIncreaseWorkingSetPrivilege |
-
-
-
+| **Attribute** | **Value** |
+| :--: | :--: |
+| Well-Known SID/RID | |
+|Object Class| |
+|Default Location in Active Directory |cn=WellKnown Security Principals, cn=Configuration, dc=\|
+|Default User Rights| [Bypass traverse checking](/windows/device-security/security-policy-settings/bypass-traverse-checking): SeChangeNotifyPrivilege
[Increase a process working set](/windows/device-security/security-policy-settings/increase-a-process-working-set): SeIncreaseWorkingSetPrivilege
|
## See also
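Review bot: the rebuilt tables drop the `<forestRootDomain>` placeholder: every "Default Location in Active Directory" row now ends in `dc=\|` (Interactive, Local Service, LocalSystem, Network and the rest), whereas the removed rows read `dc=<forestRootDomain>`; the angle-bracketed token was swallowed as HTML, so write it as `dc=\<forestRootDomain\>` or wrap the value in backticks. The "Default User Rights" cells for Local Service, Network Service, Service and Window Manager\Window Manager Group are split over several lines with the closing `|` on a line of its own; a pipe-table row must be a single line, so join the privileges with `<br>`. The Window Manager\Window Manager Group table also keeps the empty "Well-Known SID/RID" and "Object Class" cells from the old layout; fill them or drop those two rows rather than shipping blank cells. Finally, `## Network` follows the LocalSystem table with no blank line, and the pre-existing "This identify is a placeholder" typo under Principal Self could be corrected while this file is being reworked.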
@@ -1016,4 +374,4 @@ Any user accessing the system through Terminal Services has the Terminal Server
- [Security Principals](security-principals.md)
-- [Access Control Overview](access-control.md)
\ No newline at end of file
+- [Access Control Overview](access-control.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md
index 58043d111b..ea8762d16e 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-pki.md
@@ -64,7 +64,7 @@ By default, the Active Directory Certificate Authority provides and publishes th
Sign-in to a certificate authority or management workstations with _Domain Admin_ equivalent credentials.
1. Open the **Certificate Authority** management console.
2. Right-click **Certificate Templates** and click **Manage**.
-3. In the **Certificate Template Console**, right-click the **Kerberos Authentication** template in the details pane and click **Duplicate Template**.
+3. In the **Certificate Templates Console**, right-click the **Kerberos Authentication** template in the details pane and click **Duplicate Template**.
4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2008 R2** from the **Certification Authority** list. Select **Windows 7.Server 2008 R2** from the **Certification Recipient** list.
5. On the **General** tab, type **Domain Controller Authentication (Kerberos)** in Template display name. Adjust the validity and renewal period to meet your enterprise’s needs.
**Note**If you use different template names, you’ll need to remember and substitute these names in different portions of the lab.
@@ -81,7 +81,7 @@ The Kerberos Authentication certificate template is the most current certificate
Sign-in to a certificate authority or management workstations with _Enterprise Admin_ equivalent credentials.
1. Open the **Certificate Authority** management console.
2. Right-click **Certificate Templates** and click **Manage**.
-3. In the **Certificate Template Console**, right-click the **Domain Controller Authentication (Kerberos)** (or the name of the certificate template you created in the previous section) template in the details pane and click **Properties**.
+3. In the **Certificate Templates Console**, right-click the **Domain Controller Authentication (Kerberos)** (or the name of the certificate template you created in the previous section) template in the details pane and click **Properties**.
4. Click the **Superseded Templates** tab. Click **Add**.
5. From the **Add Superseded Template** dialog, select the **Domain Controller** certificate template and click **OK**. Click **Add**.
6. From the **Add Superseded Template** dialog, select the **Domain Controller Authentication** certificate template and click **OK**.
@@ -98,7 +98,7 @@ Windows 10 clients use the https protocol when communicating with Active Directo
Sign-in to a certificate authority or management workstations with _Domain Admin_ equivalent credentials.
1. Open the **Certificate Authority** management console.
2. Right-click **Certificate Templates** and click **Manage**.
-3. In the **Certificate Template Console**, right-click the **Web Server** template in the details pane and click **Duplicate Template**.
+3. In the **Certificate Templates Console**, right-click the **Web Server** template in the details pane and click **Duplicate Template**.
4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list.
5. On the **General** tab, type **Internal Web Server** in **Template display name**. Adjust the validity and renewal period to meet your enterprise’s needs.
**Note:** If you use different template names, you’ll need to remember and substitute these names in different portions of the lab.
@@ -168,11 +168,11 @@ You want to confirm your domain controllers enroll the correct certificates and
#### Use the Event Logs
-Windows Server 2012 and later include Certificate Lifecycle events to determine the lifecycles of certificates for both users and computers. Using the Event Viewer, navigate to the **CertificateServices-Lifecycles-System** event log under **Application and Services/Microsoft/Windows**.
+Windows Server 2012 and later include Certificate Lifecycle events to determine the lifecycles of certificates for both users and computers. Using the Event Viewer, navigate to the **CertificateServicesClient-Lifecycle-System** event log under **Application and Services/Microsoft/Windows**.
Look for an event indicating a new certificate enrollment (autoenrollment). The details of the event include the certificate template on which the certificate was issued. The name of the certificate template used to issue the certificate should match the certificate template name included in the event. The certificate thumbprint and EKUs for the certificate are also included in the event. The EKU needed for proper Windows Hello for Business authentication is Kerberos Authentication, in addition to other EKUs provide by the certificate template.
-Certificates superseded by your new domain controller certificate generate an archive event in the CertificateServices-Lifecycles-System event. The archive event contains the certificate template name and thumbprint of the certificate that was superseded by the new certificate.
+Certificates superseded by your new domain controller certificate generate an archive event in the CertificateServicesClient-Lifecycle-System event. The archive event contains the certificate template name and thumbprint of the certificate that was superseded by the new certificate.
#### Certificate Manager
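Review bot: the channel rename to CertificateServicesClient-Lifecycle-System is correct, but the path around it is still off: in Event Viewer the folder is "Applications and Services Logs\Microsoft\Windows\CertificateServicesClient-Lifecycle-System" and the enrollment and archive events are written to its Operational log, so give the full path so readers can locate it. In the superseded-certificates paragraph, "an archive event in the CertificateServicesClient-Lifecycle-System event" should say "event log". While here, "other EKUs provide by the certificate template" should read "provided by".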
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
index 99026497a4..c8fbed37c7 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
@@ -284,9 +284,9 @@ A TPM implements controls that meet the specification described by the Trusted C
- The first TPM specification, version 1.2, was published in February 2005 by the TCG and standardized under ISO / IEC 11889 standard.
- The latest TPM specification, referred to as TPM 2.0, was released in April 2014 and has been approved by the ISO/IEC Joint Technical Committee (JTC) as ISO/IEC 11889:2015.
-Windows�10 uses the TPM for cryptographic calculations as part of health attestation and to protect the keys for BitLocker, Windows Hello, virtual smart cards, and other public key certificates. For more information, see [TPM requirements in Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=733948).
+Windows 10 uses the TPM for cryptographic calculations as part of health attestation and to protect the keys for BitLocker, Windows Hello, virtual smart cards, and other public key certificates. For more information, see [TPM requirements in Windows 10](https://go.microsoft.com/fwlink/p/?LinkId=733948).
-Windows�10 recognizes versions 1.2 and 2.0 TPM specifications produced by the TCG. For the most recent and modern security features, Windows�10 supports only TPM 2.0.
+Windows 10 recognizes versions 1.2 and 2.0 TPM specifications produced by the TCG. For the most recent and modern security features, Windows 10 supports only TPM 2.0.
TPM 2.0 provides a major revision to the capabilities over TPM 1.2:
@@ -316,16 +316,3 @@ In a simplified manner, the TPM is a passive component with limited resources. I
[Return to Top](hello-how-it-works-technology.md)
-
-
-
-
-
-
-
-
-
-
-
-
-
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
index dd447eb2b1..2534ee8e04 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
@@ -58,7 +58,18 @@ The Windows Hello for Business deployment depends on an enterprise public key in
Key trust deployments do not need client issued certificates for on-premises authentication. Active Directory user accounts are automatically configured for public key mapping by Azure AD Connect synchronizing the public key of the registered Windows Hello for Business credential to an attribute on the user's Active Directory object.
-The minimum required enterprise certificate authority that can be used with Windows Hello for Business is Windows Server 2012.
+The minimum required enterprise certificate authority that can be used with Windows Hello for Business is Windows Server 2012, but you can also use a third-party enterprise certification authority. The detailed requirements for the Domain Controller certificate are shown below.
+
+* The certificate must have a Certificate Revocation List (CRL) distribution point extension that points to a valid CRL.
+* Optionally, the certificate Subject section should contain the directory path of the server object (the distinguished name).
+* The certificate Key Usage section must contain Digital Signature and Key Encipherment.
+* Optionally, the certificate Basic Constraints section should contain: [Subject Type=End Entity, Path Length Constraint=None].
+* The certificate Enhanced Key Usage section must contain Client Authentication (1.3.6.1.5.5.7.3.2) and Server Authentication (1.3.6.1.5.5.7.3.1).
+* The certificate Subject Alternative Name section must contain the Domain Name System (DNS) name.
+* The certificate template must have an extension that has the BMP data value "DomainController".
+* The domain controller certificate must be installed in the local computer's certificate store.
+
+
> [!IMPORTANT]
> For Azure AD joined device to authenticate to and use on-premises resources, ensure you:
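Review bot: two of the new bullets contradict themselves: "Optionally, the certificate Subject section should contain" and "Optionally, the certificate Basic Constraints section should contain" read as both optional and required; use "may" for optional items or drop "Optionally". The bullet "must have an extension that has the BMP data value "DomainController"" should name the extension: it is the Certificate Template Name extension (OID 1.3.6.1.4.1.311.20.2), and stating the OID lets administrators of a third-party CA reproduce it, which is exactly the audience this hunk adds. Also, the list is followed by two blank lines before the `> [!IMPORTANT]` block; one is enough.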
@@ -85,7 +96,7 @@ Organizations using older directory synchronization technology, such as DirSync
## Federation with Azure ##
-You can deploy Windows Hello for Business key trust in non-federated and federated environments. For non-federated environments, key trust deployments work in environments that have deployed [Password Synchronization with Azure AD Connect](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnectsync-implement-password-synchronization) and [Azure Active Directory Pass-through-Authentication](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication). For federated environments, you can deploy Windows Hello for Business key trust using Active Directory Federation Services (AD FS) beginning with Windows Server 2012 R2.
+You can deploy Windows Hello for Business key trust in non-federated and federated environments. For non-federated environments, key trust deployments work in environments that have deployed [Password Synchronization with Azure AD Connect](https://docs.microsoft.com/en-us/azure/active-directory/hybrid/whatis-phs) and [Azure Active Directory Pass-through-Authentication](https://docs.microsoft.com/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication). For federated environments, you can deploy Windows Hello for Business key trust using Active Directory Federation Services (AD FS) beginning with Windows Server 2012 R2.
### Section Review ###
> [!div class="checklist"]
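Review bot: the replacement Password Synchronization link adds a locale segment (`/en-us/`) while the Pass-through-Authentication link in the same sentence stays locale-neutral; drop `en-us` so docs.microsoft.com serves the reader's own language, and keep the two links consistent.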
diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md
index 58614660a4..bca87f02c5 100644
--- a/windows/security/identity-protection/hello-for-business/hello-overview.md
+++ b/windows/security/identity-protection/hello-for-business/hello-overview.md
@@ -97,7 +97,7 @@ Windows Hello for Business can use either keys (hardware or software) or certifi
## Learn more
-[Implementing Windows Hello for Business at Microsoft](https://www.microsoft.com/itshowcase/Article/Content/830/Implementing-Windows-Hello-for-Business-at-Microsoft)
+[Implementing Windows Hello for Business at Microsoft](https://www.microsoft.com/en-us/itshowcase/implementing-windows-hello-for-business-at-microsoft)
[Introduction to Windows Hello](https://go.microsoft.com/fwlink/p/?LinkId=786649), video presentation on Microsoft Virtual Academy
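Review bot: the updated IT Showcase URL hard-codes `/en-us/`; the rest of this page links locale-neutrally, so drop the locale segment and let the site redirect by language.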
diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
index cb2349d9bd..d2f6bc7823 100644
--- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
+++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
@@ -117,7 +117,7 @@ You will want to balance testing in a lab with providing results to management q
## The Process
-The journey to password-less is to take each work persona through each password-less step. In the begging, we encourage working with one persona at a time to ensure team members and stakeholders are familiar with the process. Once comfortable with the process, you can cover as many work personas in parallel as resources allow. The process looks something like
+The journey to password-less is to take each work persona through each password-less step. In the beginning, we encourage working with one persona at a time to ensure team members and stakeholders are familiar with the process. Once comfortable with the process, you can cover as many work personas in parallel as resources allow. The process looks something like
1. Password-less replacement offering (Step 1)
1. Identify test users that represent the targeted work persona.
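Review bot: the "begging" to "beginning" fix is good, but the same paragraph still ends with "The process looks something like" and no punctuation before the numbered list; end it with a colon.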
diff --git a/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md
index 137f60c277..6648747efc 100644
--- a/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md
+++ b/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs.md
@@ -163,16 +163,41 @@ Use Windows Event Forwarding to collect and aggregate your WIP audit events. You
2. In the console tree under **Application and Services Logs\Microsoft\Windows**, click **EDP-Audit-Regular** and **EDP-Audit-TCB**.
+## Collect WIP audit logs using Azure Monitor
+You can collect audit logs using Azure Monitor. See [Windows event log data sources in Azure Monitor.](https://docs.microsoft.com/en-us/windows/security/information-protection/windows-information-protection/collect-wip-audit-event-logs)
+**To view the WIP events in Azure Monitor**
+1. Use an existing or create a new Log Analytics workspace.
+2. In **Log Analytics** > **Advanced Settings**, select **Data**. In Windows Event Logs, add logs to receive:
+ ```
+ Microsoft-Windows-EDP-Application-Learning/Admin
+ Microsoft-Windows-EDP-Audit-TCB/Admin
+ ```
+ >[!NOTE]
+ >If using Windows Events Logs, the event log names can be found under Properties of the event in the Events folder (Application and Services Logs\Microsoft\Windows, click EDP-Audit-Regular and EDP-Audit-TCB).
+3. Download Microsoft [Monitoring Agent](https://docs.microsoft.com/en-us/azure/azure-monitor/platform/agent-windows#install-the-agent-using-dsc-in-azure-automation).
+4. To get MSI for Intune installation as stated in the Azure Monitor article, extract: MMASetup-.exe /c /t:
+Install Microsoft Monitoring Agent to WIP devices using Workspace ID and Primary key. More information on Workspace ID and Primary key can be found in **Log Analytics** > **Advanced Settings**.
+5. To deploy MSI via Intune, in installation parameters add: /q /norestart NOAPM=1 ADD_OPINSIGHTS_WORKSPACE=1 OPINSIGHTS_WORKSPACE_AZURE_CLOUD_TYPE=0 OPINSIGHTS_WORKSPACE_ID= OPINSIGHTS_WORKSPACE_KEY= AcceptEndUserLicenseAgreement=1
+>[!NOTE]
+>Replace & received from step 5. In installation parameters, don't place & in quotes ("" or '').
+6. After the agent is deployed, data will be received within approximately 10 minutes.
+7. To search for logs, go to **Log Analytics workspace** > **Logs**, and type **Event** in search.
+***Example***
+```
+Event | where EventLog == "Microsoft-Windows-EDP-Audit-TCB/Admin"
+```
-
-
+## Additional resources
+- [How to deploy app via Intune](https://docs.microsoft.com/intune/apps-add)
+- [How to create Log workspace](https://docs.microsoft.com/azure/azure-monitor/learn/quick-create-workspace)
+- [How to use Microsoft Monitoring Agents for Windows](https://docs.microsoft.com/azure/azure-monitor/platform/agents-overview)
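Review bot: The link on the "You can collect audit logs using Azure Monitor" line points back to this same collect-wip-audit-event-logs.md page rather than to the Azure Monitor "Windows event log data sources" article its text names; fix the URL. In steps 4 and 5 the placeholders have been lost: the extract command reads `MMASetup-.exe /c /t:` with no architecture suffix or target path, and the Intune parameters read `OPINSIGHTS_WORKSPACE_ID= OPINSIGHTS_WORKSPACE_KEY=` while the note beneath says "Replace & received from step 5", so the angle-bracket placeholders were swallowed as HTML; escape them (for example `&lt;WorkspaceID&gt;` and `&lt;PrimaryKey&gt;`) and point the note at step 4, which is where the Workspace ID and Primary key are introduced. Step 2 adds the `Microsoft-Windows-EDP-Application-Learning/Admin` and `Microsoft-Windows-EDP-Audit-TCB/Admin` channels but the note under it refers to EDP-Audit-Regular and EDP-Audit-TCB, so state which channels are actually intended. Worth one more sentence: the Primary key placed in the install parameters is a workspace credential that anyone able to read the Intune app configuration can see, so the doc should tell admins to treat it as a secret and rotate it if it is exposed.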
diff --git a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md
index c40587d323..e397719da4 100644
--- a/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md
+++ b/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.md
@@ -62,7 +62,7 @@ Detailed Tracking security policy settings and audit events can be used to monit
- [Audit Process Creation](audit-process-creation.md)
- [Audit Process Termination](audit-process-termination.md)
- [Audit RPC Events](audit-rpc-events.md)
-
+- [Audit Credential Validation](https://docs.microsoft.com/windows/security/threat-protection/auditing/audit-credential-validation)
> **Note:** For more information, see [Security Monitoring](https://blogs.technet.microsoft.com/nathangau/2018/01/25/security-monitoring-a-possible-new-way-to-detect-privilege-escalation/)
## DS Access
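Review bot: "Audit Credential Validation" is in the wrong list: the section this hunk sits in is Detailed Tracking (process creation, termination, RPC events), while Credential Validation is an Account Logon subcategory, so the new bullet belongs under that section instead. It also uses an absolute docs.microsoft.com URL where the sibling bullets use relative links such as `audit-rpc-events.md`, and removing the blank line leaves the `> **Note:**` callout directly under the list, which some renderers fold into the last bullet; keep the blank line.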
diff --git a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.md b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.md
index 6935b85eb1..e2a45c1988 100644
--- a/windows/security/threat-protection/auditing/advanced-security-auditing-faq.md
+++ b/windows/security/threat-protection/auditing/advanced-security-auditing-faq.md
@@ -83,7 +83,7 @@ The rules that govern how Group Policy settings are applied propagate to the sub
| - | - | - | -|
| Detailed File Share Auditing | Success | Failure | Success |
| Process Creation Auditing | Disabled | Success | Disabled |
-| Logon Auditing | Success | Failure | Failure |
+| Logon Auditing | Failure | Success | Failure |
## What is the difference between an object DACL and an object SACL?
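Review bot: The swapped Logon Auditing values cannot be verified from this hunk, since only the separator row `| - | - | - | -|` is in context and the header row naming the columns is not; the precedence rule is stated above the table, so the commit should say which column was wrong and why, or the row should be checked against that rule before merging.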
diff --git a/windows/security/threat-protection/microsoft-defender-atp/live-response.md b/windows/security/threat-protection/microsoft-defender-atp/live-response.md
index 8989f06877..358e414a2d 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/live-response.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/live-response.md
@@ -107,7 +107,7 @@ help | Provides help information for live response commands.
persistence | Shows all known persistence methods on the machine.
processes | Shows all processes running on the machine.
registry | Shows registry values.
-sheduledtasks| Shows all scheduled tasks on the machine.
+scheduledtasks| Shows all scheduled tasks on the machine.
services | Shows all services on the machine.
trace | Sets the terminal's logging mode to debug.
diff --git a/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md b/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md
index 8734d8b92a..a6fcc5d848 100644
--- a/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md
@@ -17,7 +17,7 @@ ms.collection: M365-security-compliance
ms.topic: conceptual
---
-# Microsoft Defender Advanced Threat Protection portal overview
+# Microsoft Defender Security Center portal overview
**Applies to:**
- [Microsoft Defender Advanced Threat Protection (Microsoft Defender ATP)](https://go.microsoft.com/fwlink/p/?linkid=2069559)
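Review bot: Only the H1 is renamed here; the front matter `title:` (just above the hunk, not shown) and the TOC entry for portal-overview.md are not in this change and should be updated to "Microsoft Defender Security Center portal overview" so the browser title, heading and navigation agree.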
diff --git a/windows/security/threat-protection/security-compliance-toolkit-10.md b/windows/security/threat-protection/security-compliance-toolkit-10.md
index fe229e350d..faa63ea948 100644
--- a/windows/security/threat-protection/security-compliance-toolkit-10.md
+++ b/windows/security/threat-protection/security-compliance-toolkit-10.md
@@ -26,6 +26,7 @@ The SCT enables administrators to effectively manage their enterprise’s Group
The Security Compliance Toolkit consists of:
- Windows 10 security baselines
+ - Windows 10 Version 1903 (May 2019 Update)
- Windows 10 Version 1809 (October 2018 Update)
- Windows 10 Version 1803 (April 2018 Update)
- Windows 10 Version 1709 (Fall Creators Update)
@@ -69,4 +70,4 @@ LGPO.exe can import and apply settings from Registry Policy (Registry.pol) files
It can export local policy to a GPO backup.
It can export the contents of a Registry Policy file to the “LGPO text” format that can then be edited, and can build a Registry Policy file from an LGPO text file.
-Documentation for the LGPO tool can be found on the [Microsoft Security Guidance blog](https://blogs.technet.microsoft.com/secguide/2016/01/21/lgpo-exe-local-group-policy-object-utility-v1-0/) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319).
\ No newline at end of file
+Documentation for the LGPO tool can be found on the [Microsoft Security Guidance blog](https://blogs.technet.microsoft.com/secguide/2016/01/21/lgpo-exe-local-group-policy-object-utility-v1-0/) or by [downloading the tool](https://www.microsoft.com/download/details.aspx?id=55319).
diff --git a/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md b/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md
index e62f0051cb..b0715daedf 100644
--- a/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md
+++ b/windows/security/threat-protection/security-policy-settings/store-passwords-using-reversible-encryption.md
@@ -69,6 +69,9 @@ Enabling this policy setting allows the operating system to store passwords in a
Disable the **Store password using reversible encryption** policy setting.
+>[!Note]
+> When policy settings are disabled, only new passwords will be stored using one-way encryption by default. Existing passwords will be stored using reversible encryption until they are changed.
+
### Potential impact
If your organization uses CHAP through remote access or IAS, or Digest Authentication in IIS, you must configure this policy setting to Enabled. This presents a security risk when you apply the setting through Group Policy on a user-by-user basis because it requires the appropriate user account object to be opened in Active Directory Users and Computers.
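Review bot: The added note should read "this policy setting is disabled" rather than "policy settings are disabled", and "one-way encryption" is imprecise: passwords are stored as one-way hashes. More important for the reader, the note should spell out the consequence it implies: reversibly encrypted passwords stay recoverable from the directory until each affected user changes their password, so after disabling the setting an administrator should force a password change for those accounts (for example by setting "User must change password at next logon"); otherwise the exposure this setting creates persists indefinitely.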
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md
index 901c6c4995..471d647e37 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configuration-management-reference-windows-defender-antivirus.md
@@ -26,7 +26,7 @@ You can manage and configure Windows Defender Antivirus with the following tools
- System Center Configuration Manager
- Group Policy
- PowerShell cmdlets
-- Windows Management Instruction (WMI)
+- Windows Management Instrumentation (WMI)
- The mpcmdrun.exe utility
The topics in this section provide further information, links, and resources for using these tools to manage and configure Windows Defender Antivirus.
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md
index b895c48fac..e39c054561 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-network-connections-windows-defender-antivirus.md
@@ -95,7 +95,16 @@ Security intelligence and product updates
Upload location for files submitted to Microsoft via the Submission form or automatic sample submission
-*.blob.core.windows.net
+ussus1eastprod.blob.core.windows.net
+ussus1westprod.blob.core.windows.net
+usseu1northprod.blob.core.windows.net
+usseu1westprod.blob.core.windows.net
+ussuk1southprod.blob.core.windows.net
+ussuk1westprod.blob.core.windows.net
+ussas1eastprod.blob.core.windows.net
+ussas1southeastprod.blob.core.windows.net
+ussau1eastprod.blob.core.windows.net
+ussau1southeastprod.blob.core.windows.net
|
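Review bot: Replacing the `*.blob.core.windows.net` wildcard with the ten explicit sample-submission hostnames is the right direction, since the wildcard matches every Azure Storage account, but the names are listed one per line inside a single table cell (the row's closing `|` is on the last line) and line breaks inside a Markdown table cell do not render; join them with `<br>` or move them to a list under the table. Add a sentence on how this list is kept current, because a firewall allowlist built from exactly these ten names will silently break sample submission if a region is added later.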
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md
index 4da87e4759..e08175533a 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-notifications-windows-defender-antivirus.md
@@ -73,7 +73,7 @@ Hiding notifications can be useful in situations where you can't hide the entire
> [!NOTE]
> Hiding notifications will only occur on endpoints to which the policy has been deployed. Notifications related to actions that must be taken (such as a reboot) will still appear on the [System Center Configuration Manager Endpoint Protection monitoring dashboard and reports](https://docs.microsoft.com/sccm/protect/deploy-use/monitor-endpoint-protection).
-See [Customize the Windows Security app for your organization](/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md) for instructions to add custom contact information to the notifications that users see on their machines.
+See [Customize the Windows Security app for your organization](../windows-defender-security-center/windows-defender-security-center.md) for instructions to add custom contact information to the notifications that users see on their machines.
**Use Group Policy to hide notifications:**
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_26_Uninstall.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_26_Uninstall.png
index aa0d5c7caf..6463593a6c 100644
Binary files a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_26_Uninstall.png and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_26_Uninstall.png differ
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_2_DownloadPackages.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_2_DownloadPackages.png
new file mode 100644
index 0000000000..cc63efe4a4
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_2_DownloadPackages.png differ
diff --git a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_2_IntuneAppUtil.png b/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_2_IntuneAppUtil.png
deleted file mode 100644
index 1bc70e06c0..0000000000
Binary files a/windows/security/threat-protection/windows-defender-antivirus/images/MDATP_2_IntuneAppUtil.png and /dev/null differ
diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md
index 695a6be30d..ea48873f29 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-intune.md
@@ -40,7 +40,7 @@ Download the installation and onboarding packages from Microsoft Defender Securi
4. In Section 2 of the page, select **Download onboarding package**. Save it as _WindowsDefenderATPOnboardingPackage.zip_ to the same directory.
5. Download **IntuneAppUtil** from [https://docs.microsoft.com/en-us/intune/lob-apps-macos](https://docs.microsoft.com/en-us/intune/lob-apps-macos).
- 
+ 
6. From a command prompt, verify that you have the three files.
Extract the contents of the .zip files:
diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md
index fd9c3d6b85..b3b990dbde 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-install-with-jamf.md
@@ -41,7 +41,7 @@ Download the installation and onboarding packages from Windows Defender Security
3. In Section 2 of the page, select **Download installation package**. Save it as _wdav.pkg_ to a local directory.
4. In Section 2 of the page, select **Download onboarding package**. Save it as _WindowsDefenderATPOnboardingPackage.zip_ to the same directory.
- 
+ 
5. From the command prompt, verify that you have the two files. Extract the contents of the .zip files like so:
@@ -70,7 +70,7 @@ The configuration profile contains a custom settings payload that includes:
- Microsoft Defender ATP for Mac onboarding information
- Approved Kernel Extensions payload, to enable running the Microsoft kernel driver
-To set the onboarding information, upload a property list file with the name, _jamf/WindowsDefenderATPOnboarding.plist_.
+To set the onboarding information, add a property list file with the name, _jamf/WindowsDefenderATPOnboarding.plist_, as a custom setting. You can do this by navigating to **Computers**>**Configuration Profiles**, selecting **New**, then choosing **Custom Settings**>**Configure**. From there, you can upload the property list.
>[!IMPORTANT]
> You must set the the Preference Domain as "com.microsoft.wdav.atp"
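Review bot: The added navigation path is useful; while in this spot, the unchanged context line "You must set the the Preference Domain" has a doubled "the", and the domain value would be clearer in code formatting (`com.microsoft.wdav.atp`) than in quotes, matching the italic file-name formatting used for _jamf/WindowsDefenderATPOnboarding.plist_ on the line above.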
@@ -104,8 +104,8 @@ Use the **Logs** tab to monitor deployment status for each enrolled device.

-2. Upload wdav.pkg to the Distribution Point.
-3. In the **filename** field, enter the name of the package. For example, wdav.pkg.
+2. Upload the package to the Distribution Point.
+3. In the **filename** field, enter the name of the package. For example, _wdav.pkg_.
### Policy
@@ -133,7 +133,7 @@ After a moment, the device's User Approved MDM status will change to **Yes**.

-You may now enroll additional devices. You can also enroll them later, after you have finished provisioning system configuration and application packages.
+You may now enroll additional devices. You may also enroll them later, after you have finished provisioning system configuration and application packages.
## Deployment
@@ -150,11 +150,11 @@ You can monitor deployment status in the **Logs** tab:
### Status on client device
-After the Configuration Profile is deployed, you'll see the profile on the device in **System Preferences > Profiles >**, under the name of the configuration profile.
+After the Configuration Profile is deployed, you'll see the profile for the device in **System Preferences** > **Profiles >**.

-After the policy is applied, you'll see the Microsoft Defender ATP icon in the macOS status bar in the top-right corner.
+Once the policy is applied, you'll see the Microsoft Defender ATP icon in the macOS status bar in the top-right corner.

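Review bot: "you'll see the profile for the device" changes the meaning of the original "on the device", which told the reader where to look (in System Preferences on the Mac itself), and dropping "under the name of the configuration profile" removes the hint about what entry to look for; restore both in the rewritten sentence.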
@@ -204,4 +204,33 @@ See [Logging installation issues](microsoft-defender-atp-mac-resources.md#loggin
## Uninstallation
-See [Uninstalling](microsoft-defender-atp-mac-resources.md#uninstalling) for details on how to remove Microsoft Defender ATP for Mac from client devices.
\ No newline at end of file
+This method is based on the script described in [Uninstalling](microsoft-defender-atp-mac-resources.md#uninstalling).
+
+### Script
+
+Create a script in **Settings > Computer Management > Scripts**.
+
+This script removes Microsoft Defender ATP from the /Applications directory:
+
+```bash
+ echo "Is WDAV installed?"
+ ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null
+
+ echo "Uninstalling WDAV..."
+ rm -rf '/Applications/Microsoft Defender ATP.app'
+
+ echo "Is WDAV still installed?"
+ ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null
+
+ echo "Done!"
+```
+
+
+
+### Policy
+
+Your policy should contain a single script:
+
+
+
+Configure the appropriate scope in the **Scope** tab to specify the machines that will receive this policy.
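Review bot: The first new line says the method "is based on the script described in [Uninstalling]", but the "With a script" section is deleted from microsoft-defender-atp-mac-resources.md in this same change, so the link now points to a section that no longer contains any script; reword to refer to the script below and keep the link only for the manual uninstall methods. The script itself runs as root under the policy, has no shebang, ignores the exit status of `rm -rf`, and hides `ls` errors with `2>/dev/null`, so JAMF will log success even when the bundle is still present; add `#!/bin/bash` and end with an explicit check such as `[ ! -e '/Applications/Microsoft Defender ATP.app' ]` so the policy log reflects the real outcome. Since it only removes the app bundle, say so and point readers to the resources page for a complete removal.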
diff --git a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md
index 694e2e86ce..55cd7868bf 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac-resources.md
@@ -32,12 +32,12 @@ If you can reproduce a problem, please increase the logging level, run the syste
1. Increase logging level:
-```bash
+ ```bash
mavel-mojave:~ testuser$ mdatp --log-level verbose
Creating connection to daemon
Connection established
Operation succeeded
-```
+ ```
2. Reproduce the problem
@@ -77,35 +77,6 @@ There are several ways to uninstall Microsoft Defender ATP for Mac. Please note
- ```sudo rm -rf '/Applications/Microsoft Defender ATP'```
-### With a script
-
-Create a script in **Settings > Computer Management > Scripts**.
-
-
-
-For example, this script removes Microsoft Defender ATP from the /Applications directory:
-
-```bash
- echo "Is WDAV installed?"
- ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null
-
- echo "Uninstalling WDAV..."
- rm -rf '/Applications/Microsoft Defender ATP.app'
-
- echo "Is WDAV still installed?"
- ls -ld '/Applications/Microsoft Defender ATP.app' 2>/dev/null
-
- echo "Done!"
-```
-
-### With a JAMF policy
-
-If you are running JAMF, your policy should contain a single script:
-
-
-
-Configure the appropriate scope in the **Scope** tab to specify the machines that will receive this policy.
-
## Configuring from the command line
Important tasks, such as controlling product settings and triggering on-demand scans, can be done from the command line:
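Review bot: Deleting the "With a script" and "With a JAMF policy" sections leaves a dangling reference, because the JAMF install page earlier in this change still says its uninstall method is "based on the script described in Uninstalling"; either keep a one-line pointer to the JAMF page under this heading or fix that link. The remaining manual bullet at the top of the hunk removes `'/Applications/Microsoft Defender ATP'` without the `.app` suffix, while the deleted script and the JAMF page use `'/Applications/Microsoft Defender ATP.app'`; one of the two paths is wrong, and the bullet should match the installed bundle name.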
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md
index b6733d5ed0..b66723f6ca 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md
@@ -57,12 +57,15 @@ This section covers requirements for each feature in Windows Defender EG.
|  | Supported |
|  | Recommended. Includes full, automated reporting into the Microsoft Defender ATP console. Provides additional cloud-powered capabilities, including the Network protection ability to block apps from accessing low-reputation websites and an attack surface reduction rule that blocks executable files that meet age or prevalence criteria.|
-| Feature | Windows 10 Home | Windows 10 Professional | Windows 10 E3 | Windows 10 E5 |
-| ----------------- | :------------------------------------: | :---------------------------: | :-------------------------: | :--------------------------------------: |
-| Exploit protection |  |  |  |  |
-| Attack surface reduction rules |  |  |  |  |
-| Network protection |  |  |  |  |
-| Controlled folder access |  |  |  |  |
+| Feature | Windows 10 Home | Windows 10 Professional | Windows 10 Enterprise | Windows 10 with Enterprise E3 subscription | Windows 10 with Enterprise E5 subscription |
+| ----------------- | :------------------------------------: | :---------------------------: | :-------------------------: | :--------------------------------------: | :--------------------------------------: |
+| Exploit protection |  |  |  |  |  |
+| Attack surface reduction rules |  |  |  |  |  |
+| Network protection |  |  |  |  |  |
+| Controlled folder access |  |  |  |  |  |
+
+>[!NOTE]
+> The [Identity & Threat Protection package](https://www.microsoft.com/microsoft-365/blog/2019/01/02/introducing-new-advanced-security-and-compliance-offerings-for-microsoft-365/), available for Microsoft 365 E3 customers, provides the same Windows Defender ATP capabilities as the Enterprise E5 subscription.
The following table lists which features in Windows Defender EG require enabling [real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) from Windows Defender Antivirus.
diff --git a/windows/whats-new/whats-new-windows-10-version-1803.md b/windows/whats-new/whats-new-windows-10-version-1803.md
index 58fe6b55e8..2ecf0408ac 100644
--- a/windows/whats-new/whats-new-windows-10-version-1803.md
+++ b/windows/whats-new/whats-new-windows-10-version-1803.md
@@ -22,11 +22,8 @@ This article lists new and updated features and content that are of interest to
The following 3-minute video summarizes some of the new features that are available for IT Pros in this release.
-
-
> [!video https://www.microsoft.com/en-us/videoplayer/embed/RE21ada?autoplay=false]
-
## Deployment
### Windows Autopilot
@@ -135,7 +132,7 @@ Portions of the work done during the offline phases of a Windows update have bee
### Co-management
-Intune and System Center Configuration Manager policies have been added to enable hybrid Azure AD-joined authentication. Mobile Device Management (MDM) has added over 150 new policies and settings in this release, including the [MDMWinsOverGP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy, to enable easier transition to cloud-based management.
+**Intune** and **System Center Configuration Manager** policies have been added to enable hybrid Azure AD-joined authentication. Mobile Device Management (MDM) has added over 150 new policies and settings in this release, including the [MDMWinsOverGP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-controlpolicyconflict) policy, to enable easier transition to cloud-based management.
For more information, see [What's New in MDM enrollment and management](https://docs.microsoft.com/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1803)
@@ -231,8 +228,8 @@ Support in [Windows Defender Application Guard](#windows-defender-application-gu
## See Also
-[Windows 10 Features](https://www.microsoft.com/windows/features): Review general information about Windows 10 features.
-[What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10.
-[What's new in Windows 10, version 1709](https://docs.microsoft.com/windows-hardware/get-started/what-s-new-in-windows): See what’s new in Windows 10 hardware.
-[Windows 10 Fall Creators Update Next Generation Security](https://www.youtube.com/watch?v=JDGMNFwyUg8): YouTube video about Windows Defender ATP in Windows 10, version 1709.
+- [Windows 10 Features](https://www.microsoft.com/windows/features): Review general information about Windows 10 features.
+- [What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10.
+- [What's new in Windows 10, version 1709](https://docs.microsoft.com/windows-hardware/get-started/what-s-new-in-windows): See what’s new in Windows 10 hardware.
+- [Windows 10 Fall Creators Update Next Generation Security](https://www.youtube.com/watch?v=JDGMNFwyUg8): YouTube video about Windows Defender ATP in Windows 10, version 1709.
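Review bot: Converting the See Also entries to bullets is fine; the third bullet's link text "What's new in Windows 10, version 1709" does not match its URL (windows-hardware/get-started/what-s-new-in-windows) or its description "See what's new in Windows 10 hardware", so retitle the link to something like "What's new in Windows 10 hardware" while touching these lines.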
diff --git a/windows/whats-new/whats-new-windows-10-version-1903.md b/windows/whats-new/whats-new-windows-10-version-1903.md
index c77493d952..41a0e83637 100644
--- a/windows/whats-new/whats-new-windows-10-version-1903.md
+++ b/windows/whats-new/whats-new-windows-10-version-1903.md
@@ -120,7 +120,7 @@ The draft release of the [security configuration baseline settings](https://blog
- [Windows Hello FIDO2 certification](https://fidoalliance.org/microsoft-achieves-fido2-certification-for-windows-hello/): Windows Hello is now a FIDO2 Certified authenticator and enables password-less login for websites supporting FIDO2 authentication, such as Microsoft account and Azure AD.
- [Streamlined Windows Hello PIN reset experience](https://docs.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-videos#windows-hello-for-business-forgotten-pin-user-experience): Microsoft account users have a revamped Windows Hello PIN reset experience with the same look and feel as signing in on the web.
-- Sign-in with [Password-less](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/passwordless-strategy) Microsoft accounts: Sign in to Windows 10 with a phone number account. Then use Windows Hello for an even easier sign-in experience! i
+- Sign-in with [Password-less](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/passwordless-strategy) Microsoft accounts: Sign in to Windows 10 with a phone number account. Then use Windows Hello for an even easier sign-in experience!
- [Remote Desktop with Biometrics](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-features#remote-desktop-with-biometrics): Azure Active Directory and Active Directory users using Windows Hello for Business can use biometrics to authenticate to a remote desktop session.
### Security management