diff --git a/mdop/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25.md b/mdop/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25.md index 1924b4d39c..b9d94fab8e 100644 --- a/mdop/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25.md +++ b/mdop/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25.md 
@@ -50,275 +50,73 @@ This topic explains how to enable BitLocker on an end user's computer by using M - Robust error handling - You can download the `Invoke-MbamClientDeployment.ps1` script from [Microsoft.com Download Center](https://www.microsoft.com/download/details.aspx?id=48698). This is the main script that your deployment system will call to configure BitLocker drive encryption and record recovery keys with the MBAM Server. + You can download the `Invoke-MbamClientDeployment.ps1` script from [Microsoft.com Download Center](https://www.microsoft.com/download/details.aspx?id=48698). This is the main script that your deployment system will call to configure BitLocker drive encryption and record recovery keys with the MBAM Server. - **WMI deployment methods for MBAM:** The following WMI methods have been added in MBAM 2.5 SP1 to support enabling BitLocker by using the `Invoke-MbamClientDeployment.ps1` PowerShell script. + **WMI deployment methods for MBAM:** The following WMI methods have been added in MBAM 2.5 SP1 to support enabling BitLocker by using the `Invoke-MbamClientDeployment.ps1` PowerShell script. - **MBAM\_Machine WMI Class** - **PrepareTpmAndEscrowOwnerAuth:** Reads the TPM OwnerAuth and sends it to the MBAM recovery database by using the MBAM recovery service. If the TPM is not owned and auto-provisioning is not on, it generates a TPM OwnerAuth and takes ownership. If it fails, an error code is returned for troubleshooting. + **MBAM\_Machine WMI Class** + **PrepareTpmAndEscrowOwnerAuth:** Reads the TPM OwnerAuth and sends it to the MBAM recovery database by using the MBAM recovery service. If the TPM is not owned and auto-provisioning is not on, it generates a TPM OwnerAuth and takes ownership. If it fails, an error code is returned for troubleshooting. - - - - - - - - - - - - - - - - - -
ParameterDescription

RecoveryServiceEndPoint

A string specifying the MBAM recovery service endpoint.

+| Parameter | Description | +| -------- | ----------- | +| RecoveryServiceEndPoint | A string specifying the MBAM recovery service endpoint. | -   +Here are a list of common error messages: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Common return valuesError message

S_OK

-

0 (0x0)

The method was successful

MBAM_E_TPM_NOT_PRESENT

-

2147746304 (0x80040200)

TPM is not present in the computer or is disabled in the BIOS configuration.

MBAM_E_TPM_INCORRECT_STATE

-

2147746305 (0x80040201)

TPM is not in the correct state (enabled, activated and owner installation allowed).

MBAM_E_TPM_AUTO_PROVISIONING_PENDING

-

2147746306 (0x80040202)

MBAM cannot take ownership of TPM because auto-provisioning is pending. Try again after auto-provisioning is completed.

MBAM_E_TPM_OWNERAUTH_READFAIL

-

2147746307 (0x80040203)

MBAM cannot read the TPM owner authorization value. The value might have been removed after a successful escrow. On Windows 7, MBAM cannot read the value if the TPM is owned by others.

MBAM_E_REBOOT_REQUIRED

-

2147746308 (0x80040204)

The computer must be restarted to set TPM to the correct state. You might need to manually reboot the computer.

MBAM_E_SHUTDOWN_REQUIRED

-

2147746309 (0x80040205)

The computer must be shut down and turned back on to set TPM to the correct state. You might need to manually reboot the computer.

WS_E_ENDPOINT_ACCESS_DENIED

-

2151481349 (0x803D0005)

Access was denied by the remote endpoint.

WS_E_ENDPOINT_NOT_FOUND

-

2151481357 (0x803D000D)

The remote endpoint does not exist or could not be located.

WS_E_ENDPOINT_FAILURE

-

2151481357 (0x803D000F)

The remote endpoint could not process the request.

WS_E_ENDPOINT_UNREACHABLE

-

2151481360 (0x803D0010)

The remote endpoint was not reachable.

WS_E_ENDPOINT_FAULT_RECEIVED

-

2151481363 (0x803D0013)

A message containing a fault was received from the remote endpoint. Make sure you are connecting to the correct service endpoint.

WS_E_INVALID_ENDPOINT_URL

-

2151481376 (0x803D0020)

The endpoint address URL is not valid. The URL must start with “http” or “https”.

+| Common return values | Error message | +| -------------------- | ------------- | +| **S_OK**
0 (0x0) | The method was successful. | +| **MBAM_E_TPM_NOT_PRESENT**
2147746304 (0x80040200) | TPM is not present in the computer or is disabled in the BIOS configuration. | +| **MBAM_E_TPM_INCORRECT_STATE**
2147746305 (0x80040201) | TPM is not in the correct state (enabled, activated and owner installation allowed). | +| **MBAM_E_TPM_AUTO_PROVISIONING_PENDING**
2147746306 (0x80040202) | MBAM cannot take ownership of TPM because auto-provisioning is pending. Try again after auto-provisioning is completed. | +| **MBAM_E_TPM_OWNERAUTH_READFAIL**
2147746307 (0x80040203) | MBAM cannot read the TPM owner authorization value. The value might have been removed after a successful escrow. On Windows 7, MBAM cannot read the value if the TPM is owned by others. | +| **MBAM_E_REBOOT_REQUIRED**
2147746308 (0x80040204) | The computer must be restarted to set TPM to the correct state. You might need to manually reboot the computer. | +| **MBAM_E_SHUTDOWN_REQUIRED**
2147746309 (0x80040205) | The computer must be shut down and turned back on to set TPM to the correct state. You might need to manually reboot the computer. | +| **WS_E_ENDPOINT_ACCESS_DENIED**
2151481349 (0x803D0005) | Access was denied by the remote endpoint. | +| **WS_E_ENDPOINT_NOT_FOUND**
2151481357 (0x803D000D) | The remote endpoint does not exist or could not be located. | +| **WS_E_ENDPOINT_FAILURE
2151481357 (0x803D000F) | The remote endpoint could not process the request. | +| **WS_E_ENDPOINT_UNREACHABLE**
2151481360 (0x803D0010) | The remote endpoint was not reachable. | +| **WS_E_ENDPOINT_FAULT_RECEIVED**
2151481363 (0x803D0013) | A message containing a fault was received from the remote endpoint. Make sure you are connecting to the correct service endpoint. | +| **WS_E_INVALID_ENDPOINT_URL** 2151481376 (0x803D0020) | The endpoint address URL is not valid. The URL must start with “http” or “https”. | -   - - **ReportStatus:** Reads the compliance status of the volume and sends it to the MBAM compliance status database by using the MBAM status reporting service. The status includes cipher strength, protector type, protector state and encryption state. If it fails, an error code is returned for troubleshooting. - - - - - - - - - - - - - - - - - - -
ParameterDescription

ReportingServiceEndPoint

A string specifying the MBAM status reporting service endpoint.

- -   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Common return valuesError message

S_OK

-

0 (0x0)

The method was successful

WS_E_ENDPOINT_ACCESS_DENIED

-

2151481349 (0x803D0005)

Access was denied by the remote endpoint.

WS_E_ENDPOINT_NOT_FOUND

-

2151481357 (0x803D000D)

The remote endpoint does not exist or could not be located.

WS_E_ENDPOINT_FAILURE

-

2151481357 (0x803D000F)

The remote endpoint could not process the request.

WS_E_ENDPOINT_UNREACHABLE

-

2151481360 (0x803D0010)

The remote endpoint was not reachable.

WS_E_ENDPOINT_FAULT_RECEIVED

-

2151481363 (0x803D0013)

A message containing a fault was received from the remote endpoint. Make sure you are connecting to the correct service endpoint.

WS_E_INVALID_ENDPOINT_URL

-

2151481376 (0x803D0020)

The endpoint address URL is not valid. The URL must start with “http” or “https”.

- -   - - **MBAM\_Volume WMI Class** - **EscrowRecoveryKey:** Reads the recovery numerical password and key package of the volume and sends them to the MBAM recovery database by using the MBAM recovery service. If it fails, an error code is returned for troubleshooting. - - - - - - - - - - - - - - - - - - -
ParameterDescription

RecoveryServiceEndPoint

A string specifying the MBAM recovery service endpoint.

- -   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Common return valuesError message

S_OK

-

0 (0x0)

The method was successful

FVE_E_LOCKED_VOLUME

-

2150694912 (0x80310000)

The volume is locked.

FVE_E_PROTECTOR_NOT_FOUND

-

2150694963 (0x80310033)

A Numerical Password protector was not found for the volume.

WS_E_ENDPOINT_ACCESS_DENIED

-

2151481349 (0x803D0005)

Access was denied by the remote endpoint.

WS_E_ENDPOINT_NOT_FOUND

-

2151481357 (0x803D000D)

The remote endpoint does not exist or could not be located.

WS_E_ENDPOINT_FAILURE

-

2151481357 (0x803D000F)

The remote endpoint could not process the request.

WS_E_ENDPOINT_UNREACHABLE

-

2151481360 (0x803D0010)

The remote endpoint was not reachable.

WS_E_ENDPOINT_FAULT_RECEIVED

-

2151481363 (0x803D0013)

A message containing a fault was received from the remote endpoint. Make sure you are connecting to the correct service endpoint.

WS_E_INVALID_ENDPOINT_URL

-

2151481376 (0x803D0020)

The endpoint address URL is not valid. The URL must start with “http” or “https”.

+ **ReportStatus:** Reads the compliance status of the volume and sends it to the MBAM compliance status database by using the MBAM status reporting service. The status includes cipher strength, protector type, protector state and encryption state. If it fails, an error code is returned for troubleshooting. + + | Parameter | Description | + | --------- | ----------- | + | ReportingServiceEndPoint | A string specifying the MBAM status reporting service endpoint. | + + Here are a list of common error messages: + + | Common return values | Error message | + | -------------------- | ------------- | + | **S_OK**
0 (0x0) | The method was successful | + | **WS_E_ENDPOINT_ACCESS_DENIED**
2151481349 (0x803D0005) | Access was denied by the remote endpoint.| + | **WS_E_ENDPOINT_NOT_FOUND**
2151481357 (0x803D000D) | The remote endpoint does not exist or could not be located. | + | **WS_E_ENDPOINT_FAILURE**
2151481357 (0x803D000F) | The remote endpoint could not process the request. | + | **WS_E_ENDPOINT_UNREACHABLE**
2151481360 (0x803D0010) | The remote endpoint was not reachable. | + | **WS_E_ENDPOINT_FAULT_RECEIVED**
2151481363 (0x803D0013) | A message containing a fault was received from the remote endpoint. Make sure you are connecting to the correct service endpoint. | + | **WS_E_INVALID_ENDPOINT_URL**
2151481376 (0x803D0020) | The endpoint address URL is not valid. The URL must start with “http” or “https”. | + **MBAM\_Volume WMI Class** + **EscrowRecoveryKey:** Reads the recovery numerical password and key package of the volume and sends them to the MBAM recovery database by using the MBAM recovery service. If it fails, an error code is returned for troubleshooting. + + | Parameter | Description | + | --------- | ----------- | + | RecoveryServiceEndPoint | A string specifying the MBAM recovery service endpoint. | + + Here are a list of common error messages: + + | Common return values | Error message | + | -------------------- | ------------- | + | **S_OK**
0 (0x0) | The method was successful | + | **FVE_E_LOCKED_VOLUME**
2150694912 (0x80310000) | The volume is locked. | + | **FVE_E_PROTECTOR_NOT_FOUND**
2150694963 (0x80310033) | A Numerical Password protector was not found for the volume. | + | **WS_E_ENDPOINT_ACCESS_DENIED**
2151481349 (0x803D0005) | Access was denied by the remote endpoint. | + | **WS_E_ENDPOINT_NOT_FOUND**
2151481357 (0x803D000D) | The remote endpoint does not exist or could not be located. | + | **WS_E_ENDPOINT_FAILURE**
2151481357 (0x803D000F) | The remote endpoint could not process the request. | + | **WS_E_ENDPOINT_UNREACHABLE**
2151481360 (0x803D0010) | The remote endpoint was not reachable. | + | **WS_E_ENDPOINT_FAULT_RECEIVED**
2151481363 (0x803D0013) | A message containing a fault was received from the remote endpoint. Make sure you are connecting to the correct service endpoint. | + | **WS_E_INVALID_ENDPOINT_URL**
2151481376 (0x803D0020) | The endpoint address URL is not valid. The URL must start with “http” or “https”. |   2. **Deploy MBAM by using Microsoft Deployment Toolkit (MDT) and PowerShell** @@ -328,13 +126,9 @@ This topic explains how to enable BitLocker on an end user's computer by using M **Note**   The `Invoke-MbamClientDeployment.ps1` PowerShell script can be used with any imaging process or tool. This section shows how to integrate it by using MDT, but the steps are similar to integrating it with any other process or tool. -   - **Caution**   If you are using BitLocker pre-provisioning (WinPE) and want to maintain the TPM owner authorization value, you must add the `SaveWinPETpmOwnerAuth.wsf` script in WinPE immediately before the installation reboots into the full operating system. **If you do not use this script, you will lose the TPM owner authorization value on reboot.** - -   - + 2. Copy `Invoke-MbamClientDeployment.ps1` to **<DeploymentShare>\\Scripts**. If you are using pre-provisioning, copy the `SaveWinPETpmOwnerAuth.wsf` file into **<DeploymentShare>\\Scripts**. 3. Add the MBAM 2.5 SP1 client application to the Applications node in the deployment share. 
@@ -467,46 +261,40 @@ This topic explains how to enable BitLocker on an end user's computer by using M **Caution**   This step describes how to modify the Windows registry. Using Registry Editor incorrectly can cause serious issues that can require you to reinstall Windows. We cannot guarantee that issues resulting from the incorrect use of Registry Editor can be resolved. Use Registry Editor at your own risk. -   - 1. Set the TPM for **Operating system only encryption**, run Regedit.exe, and then import the registry key template from C:\\Program Files\\Microsoft\\MDOP MBAM\\MBAMDeploymentKeyTemplate.reg. 2. In Regedit.exe, go to HKLM\\SOFTWARE\\Microsoft\\MBAM, and configure the settings that are listed in the following table. **Note**   You can set Group Policy settings or registry values related to MBAM here. These settings will override previously set values. + + Registry entry + Configuration settings -   + DeploymentTime - Registry entry + 0 = Off - Configuration settings + 1 = Use deployment time policy settings (default) – use this setting to enable encryption at the time Windows is deployed to the client computer. - DeploymentTime + UseKeyRecoveryService - 0 = Off + 0 = Do not use key escrow (the next two registry entries are not required in this case) - 1 = Use deployment time policy settings (default) – use this setting to enable encryption at the time Windows is deployed to the client computer. + 1 = Use key escrow in Key Recovery system (default) - UseKeyRecoveryService + This is the recommended setting, which enables MBAM to store the recovery keys. The computer must be able to communicate with the MBAM Key Recovery service. Verify that the computer can communicate with the service before you proceed. 
- 0 = Do not use key escrow (the next two registry entries are not required in this case) + KeyRecoveryOptions - 1 = Use key escrow in Key Recovery system (default) + 0 = Uploads Recovery Key only - This is the recommended setting, which enables MBAM to store the recovery keys. The computer must be able to communicate with the MBAM Key Recovery service. Verify that the computer can communicate with the service before you proceed. + 1 = Uploads Recovery Key and Key Recovery Package (default) - KeyRecoveryOptions + KeyRecoveryServiceEndPoint - 0 = Uploads Recovery Key only + Set this value to the URL for the server running the Key Recovery service, for example, http://<computer name>/MBAMRecoveryAndHardwareService/CoreService.svc. - 1 = Uploads Recovery Key and Key Recovery Package (default) - - KeyRecoveryServiceEndPoint - - Set this value to the URL for the server running the Key Recovery service, for example, http://<computer name>/MBAMRecoveryAndHardwareService/CoreService.svc. - -   6. The MBAM Client will restart the system during the MBAM Client deployment. When you are ready for this restart, run the following command at a command prompt as an administrator: @@ -522,20 +310,8 @@ This topic explains how to enable BitLocker on an end user's computer by using M 9. To delete the bypass registry values, run Regedit.exe, and go to the HKLM\\SOFTWARE\\Microsoft registry entry. Right-click the **MBAM** node, and then click **Delete**. - **Got a suggestion for MBAM**? Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). **Got a MBAM issue**? Use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopmbam). - ## Related topics - [Deploying the MBAM 2.5 Client](deploying-the-mbam-25-client.md) [Planning for MBAM 2.5 Client Deployment](planning-for-mbam-25-client-deployment.md) - -  - -  - - - - - 
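Review bot: the `WS_E_ENDPOINT_FAILURE` row in all three converted return-value tables gives the decimal value 2151481357 for 0x803D000F, but 0x803D000F is 2151481359; 2151481357 is 0x803D000D, the `WS_E_ENDPOINT_NOT_FOUND` value one row above, so the number was copied from the wrong row in the old HTML tables and this conversion is the place to fix it. Smaller Markdown issues in the same hunk: `| **WS_E_ENDPOINT_FAILURE` in the PrepareTpmAndEscrowOwnerAuth table is missing its closing `**`; the `WS_E_INVALID_ENDPOINT_URL` row of that table puts the number on the same line as the name while every other row breaks after the name; `Access was denied by the remote endpoint.|` in the ReportStatus table lacks the space before the pipe; "The method was successful" ends with a period in the first table but not in the other two; and `**MBAM\_Volume WMI Class**` follows the last ReportStatus table row with no blank line between them, so Markdown may absorb it into the table. "Here are a list of common error messages" (three occurrences) should read "Here is a list of common error messages".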
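Review bot: the registry-settings block (from `Registry entry` / `Configuration settings` through `KeyRecoveryServiceEndPoint`) is re-emitted as loose one-line paragraphs separated by blank lines, so the entry names and their values no longer line up as rows; since the WMI reference tables earlier in this patch were converted to Markdown tables, do the same here with a `| Registry entry | Configuration settings |` header. Also, the `KeyRecoveryServiceEndPoint` example is plain `http://<computer name>/MBAMRecoveryAndHardwareService/CoreService.svc`; the WMI section above states that this endpoint receives the TPM OwnerAuth and the recovery key package and that the URL may start with either "http" or "https", so an `https://` example, or a sentence recommending it, would be the safer default to show.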
diff --git a/windows/keep-secure/tpm-recommendations.md b/windows/keep-secure/tpm-recommendations.md index 82168aa9c3..651ed1468f 100644 --- a/windows/keep-secure/tpm-recommendations.md +++ b/windows/keep-secure/tpm-recommendations.md 
@@ -31,7 +31,15 @@ Trusted Platform Module (TPM) technology is designed to provide hardware-based, The most common TPM functions are used for system integrity measurements and for key creation and use. During the boot process of a system, the boot code that is loaded (including firmware and the operating system components) can be measured and recorded in the TPM. The integrity measurements can be used as evidence for how a system started and to make sure that a TPM-based key was used only when the correct software was used to boot the system. -Different versions of the TPM are defined in specifications by the Trusted Computing Group (TCG). +Traditionally, TPMs have been discrete chips soldered to a computer’s motherboard. Such implementations allow the computer’s original equipment manufacturer (OEM) to evaluate and certify the TPM separate from the rest of the system. Although discrete TPM implementations are still common, they can be problematic for integrated devices that are small or have low power consumption. Some newer TPM implementations integrate TPM functionality into the same chipset as other platform components while still providing logical separation similar to discrete TPM chips. + +TPMs are passive: they receive commands and return responses. To realize the full benefit of a TPM, the OEM must carefully integrate system hardware and firmware with the TPM to send it commands and react to its responses. TPMs were originally designed to provide security and privacy benefits to a platform’s owner and users, but newer versions can provide security and privacy benefits to the system hardware itself. Before it can be used for advanced scenarios, however, a TPM must be provisioned. Windows 10 automatically provisions a TPM, but if the user reinstalls the operating system, he or she may need to tell the operating system to explicitly provision the TPM again before it can use all the TPM’s features. 
+ +The Trusted Computing Group (TCG) is the nonprofit organization that publishes and maintains the TPM specification. The TCG exists to develop, define, and promote vendor-neutral, global industry standards that support a hardware-based root of trust for interoperable trusted computing platforms. The TCG also publishes the TPM specification as the international standard ISO/IEC 11889, using the Publicly Available Specification Submission Process that the Joint Technical Committee 1 defines between the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC). + +OEMs implement the TPM as a component in a trusted computing platform, such as a PC, tablet, or phone. Trusted computing platforms use the TPM to support privacy and security scenarios that software alone cannot achieve. For example, software alone cannot reliably report whether malware is present during the system startup process. The close integration between TPM and platform increases the transparency of the startup process and supports evaluating device health by enabling reliable measuring and reporting of the software that starts the device. Implementation of a TPM as part of a trusted computing platform provides a hardware root of trust—that is, it behaves in a trusted way. For example, if a key stored in a TPM has properties that disallow exporting the key, that key truly cannot leave the TPM. + +The TCG designed the TPM as a low-cost, mass-market security solution that addresses the requirements of different customer segments. There are variations in the security properties of different TPM implementations just as there are variations in customer and regulatory requirements for different sectors. In public-sector procurement, for example, some governments have clearly defined security requirements for TPMs whereas others do not. 
**Note**   Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here. @@ -41,11 +49,10 @@ Some information relates to pre-released product which may be substantially modi ## TPM 1.2 vs. 2.0 comparison -From an industry standard, Microsoft has been an industry leader in moving and standardizing on TPM 2.0. As indicated in the table below, TPM 2.0 has many key realized benefits across algorithms, crypto, hierarchy, root keys, authorization and NV RAM. +From an industry standard, Microsoft has been an industry leader in moving and standardizing on TPM 2.0, which has many key realized benefits across algorithms, crypto, hierarchy, root keys, authorization and NV RAM. ## Why TPM 2.0? - TPM 2.0 products and systems have important security advantages over TPM 1.2, including: - The TPM 1.2 spec only allows for the use of RSA and the SHA-1 hashing algorithm. @@ -65,7 +72,6 @@ TPM 2.0 products and systems have important security advantages over TPM 1.2, in ## Discrete or firmware TPM? - Windows uses discrete and firmware TPM in the same way. Windows gains no functional advantage or disadvantage from either option. From a security standpoint, discrete and firmware share the same characteristics; 
@@ -77,20 +83,22 @@ From a security standpoint, discrete and firmware share the same characteristics For more info, see [fTPM: A Firmware-based TPM 2.0 Implementation](http://research.microsoft.com/apps/pubs/?id=258236). -## TPM 2.0 Compliance for Windows 10 in the future +## Is there any importance for TPM for consumer? +For end consumers, TPM is behind the scenes but still very relevant for Hello, Passport and in the future, many other key features in Windows 10. It offers the best Passport experience, helps encrypt passwords, secures streaming high quality 4K content and builds on our overall Windows 10 experience story for security as a critical pillar. Using Windows on a system with a TPM enables a deeper and broader level of security coverage. - -All shipping devices for Windows 10 across all SKU types must be using TPM 2.0 discrete or firmware from **July 28, 2016**. This requirement will be enforced through our Windows Hardware Certification program. +## TPM 2.0 Compliance for Windows 10 ### Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) -- With Windows 10 as with Windows 8, all connected standby systems are required to include TPM 2.0 support. -- For Windows 10 and later, if a SoC is chosen that includes an integrated fTPM2.0, the device must ship with the fTPM FW support or a discrete TPM 1.2 or 2.0. -- Starting **July 28th, 2016** all devices shipping with Windows 10 desktop must implement TPM 2.0 and ship with the TPM enabled. 
+- As of July 28, 2016, all new device models, lines or series (or if you are updating the hardware configuration of a existing model, line or series with a major update, such as CPU, graphic cards) must implement and enable by default TPM 2.0 (details in section 3.7, https://msdn.microsoft.com/library/windows/hardware/dn915086(v=vs.85).aspx) + +## Two implementation options: +• Discrete TPM chip as a separate discrete component +• Firmware TPM solution using Intel PTT (platform trust technology) or AMD ### Windows 10 Mobile -- All devices shipping with Windows 10 Mobile must implement TPM 2.0 and ship with the TPM enabled. +- All devices shipping with Windows 10 Mobile must implement TPM 2.0 and ship with the TPM 2.0 enabled. ### IoT Core @@ -102,7 +110,6 @@ All shipping devices for Windows 10 across all SKU types must be using TPM 2.0 d ## TPM and Windows Features - The following table defines which Windows features require TPM support. Some features are not applicable to Windows 7/8/8.1 and are noted accordingly. @@ -124,7 +131,7 @@ The following table defines which Windows features require TPM support. Some fea - + @@ -147,7 +154,7 @@ The following table defines which Windows features require TPM support. Some fea - + @@ -175,7 +182,7 @@ The following table defines which Windows features require TPM support. Some fea - + @@ -240,6 +247,7 @@ There are a variety of TPM manufacturers for both discrete and firmware. @@ -274,11 +282,12 @@ There are a variety of TPM manufacturers for both discrete and firmware. 
@@ -301,7 +310,7 @@ There are a variety of TPM manufacturers for both discrete and firmware. ### Certified TPM parts -Government customers and enterprise customers in regulated industries may have acquisition standards that require use of common certified TPM parts. As a result, OEMs, who provide the devices, may be required to use only certified TPM components on their commercial class systems. Discrete TPM 2.0 vendors have targeted completion of certification by the end of 2015. +Government customers and enterprise customers in regulated industries may have acquisition standards that require use of common certified TPM parts. As a result, OEMs, who provide the devices, may be required to use only certified TPM components on their commercial class systems. Discrete TPM 2.0 vendors have completion certification. ### Windows 7 32-bit support diff --git a/windows/manage/change-history-for-manage-and-update-windows-10.md b/windows/manage/change-history-for-manage-and-update-windows-10.md index 18be77205f..8767cf30ff 100644 --- a/windows/manage/change-history-for-manage-and-update-windows-10.md +++ b/windows/manage/change-history-for-manage-and-update-windows-10.md @@ -13,6 +13,11 @@ author: jdeckerMS This topic lists new and updated topics in the [Manage and update Windows 10](index.md) documentation for [Windows 10 and Windows 10 Mobile](../index.md). +## May 2016 + +New or changed topic | Description | +---|---| +[Set up a kiosk on Windows 10 Pro, Enterprise, or Education](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) | Corrected script for setting a custom shell using Shell Launcher | ## April 2016 diff --git a/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md b/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md index b88902b04f..55945ea84b 100644 --- a/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md +++ b/windows/manage/set-up-a-kiosk-for-windows-10-for-desktop-editions.md 
@@ -350,7 +350,9 @@ Modify the following PowerShell script as appropriate. The comments in the sampl $ShellLauncherClass.SetEnabled($TRUE) - “`nEnabled is set to “ + $DefaultShellObject.IsEnabled() + $IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled() + + “`nEnabled is set to “ + $IsShellLauncherEnabled.Enabled # Remove the new custom shells.
Measure BootMeasured Boot Required Required Required
Passport: MSA or Local Account n/aNot RequiredRequired Required TPM 2.0 is required with HMAC and EK certificate for key attestation support.
Device Health Attestation n/aNot RequiredRequired Required
  • Infineon
  • Nuvoton
  • +
  • Atmel
  • NationZ
  • ST Micro
Intel
    -
  • Clovertrail
  • -
  • Haswell
  • -
  • Broadwell
  • -
  • Skylake
  • +
  • Atom (CloverTrail)
  • Baytrail
  • +
  • 4th generation(Haswell)
  • +
  • 5th generation(Broadwell)
  • +
  • Braswell
  • +
  • Skylake
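Review bot: in the @@ -31,7 +31,15 @@ hunk, the replaced sentence "Different versions of the TPM are defined in specifications by the Trusted Computing Group (TCG)" was the only statement that more than one TPM version exists, and the new TCG paragraph refers to "the TPM specification" in the singular; since the next section is "TPM 1.2 vs. 2.0 comparison", keep a sentence saying that the TCG publishes the 1.2 and 2.0 versions of the specification. The provisioning sentence ("he or she may need to tell the operating system to explicitly provision the TPM again") does not say how; a pointer to the provisioning steps would help. Minor: "provides a hardware root of trust—that is, it behaves in a trusted way" is circular; tie the "that is" to the non-exportable key example that follows it, and note that the "Traditionally, TPMs have been discrete chips" paragraph overlaps the later "Discrete or firmware TPM?" section.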
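Review bot: in the @@ -41,11 +49,10 @@ hunk, the rewritten sentence under "TPM 1.2 vs. 2.0 comparison" still opens with "From an industry standard, Microsoft has been an industry leader", which is not a grammatical clause, and dropping "As indicated in the table below" leaves a section titled "comparison" that contains no comparison; either restore a comparison table or fold the sentence into the "Why TPM 2.0?" section that lists the concrete differences. Suggested wording: "Microsoft has led the industry in moving to and standardizing on TPM 2.0, which improves on TPM 1.2 in algorithms, cryptography, hierarchy, root keys, authorization and NV RAM."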
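Review bot: in the @@ -77,20 +83,22 @@ hunk, `## Two implementation options:` is an H2 inserted between the `### Windows 10 for desktop editions` and `### Windows 10 Mobile` subsections of "TPM 2.0 Compliance for Windows 10", which breaks the heading hierarchy and ends with a colon; make it a sentence or an H3, use `-` bullets like the rest of the file instead of `•`, and complete the second bullet, since "Firmware TPM solution using Intel PTT (platform trust technology) or AMD" names no AMD technology. In the new requirement bullet, "a existing model" should be "an existing model" and "graphic cards" should be "graphics cards". The removed sentence said the TPM 2.0 requirement is enforced through the Windows Hardware Certification program; the replacement bullet drops that, and it is worth keeping. The new "Is there any importance for TPM for consumer?" section reads as marketing ("builds on our overall Windows 10 experience story"); state the concrete dependencies (Hello, Passport) and cut the rest.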
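Review bot: in the TPM manufacturers table hunks (@@ -240,6 +247,7 @@ and @@ -274,11 +282,12 @@), the updated Intel entries "4th generation(Haswell)" and "5th generation(Broadwell)" are missing the space before the parenthesis, and "CloverTrail" and "Baytrail" are run together; Intel's code names are "Clover Trail" and "Bay Trail", so spell them that way.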
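Review bot: in the @@ -301,7 +310,7 @@ hunk, "Discrete TPM 2.0 vendors have completion certification." is not grammatical; the removed line said they had "targeted completion of certification by the end of 2015", so the intended update is presumably "Discrete TPM 2.0 vendors have completed certification."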
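Review bot: in the change-history @@ -13,6 +13,11 @@ hunk, the last row of the new "May 2016" table is followed directly by the `## April 2016` heading with no blank line; add one so the heading is not parsed as part of the table. The header row `New or changed topic | Description |` and the separator `---|---|` have a trailing pipe but no leading one; pick one pipe style and use it for both.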
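Review bot: in the kiosk @@ -350,7 +350,9 @@ hunk, the change splits the call into `$IsShellLauncherEnabled = $ShellLauncherClass.IsEnabled()` and then prints `$IsShellLauncherEnabled.Enabled`, which implies `IsEnabled()` returns an object whose `Enabled` property holds the value rather than a plain boolean; since the change-history entry calls this a corrected script, add a one-line comment saying so, otherwise a reader is likely to collapse it back to the old `IsEnabled()` concatenation. The kept string literal still uses curly quotes (`“`nEnabled is set to “`); PowerShell tolerates them, but straight `"` quotes survive copy-and-paste into editors and terminals reliably.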