diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index f5db421a51..687298d717 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -1,6 +1,476 @@
 {
 "redirections": [
 {
+"source_path": "windows/security/threat-protection/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/administer-applocker-using-mdm.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker-using-mdm",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/administer-applocker.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/applocker-architecture-and-components.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-architecture-and-components",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/applocker-functions.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/applocker-overview.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/applocker-policies-deployment-guide.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/applocker-policies-design-guide.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/applocker-policy-use-scenarios.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policy-use-scenarios",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/applocker-processes-and-interactions.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-processes-and-interactions",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/applocker-settings.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-settings",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/applocker-technical-reference.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-technical-reference",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/configure-an-applocker-policy-for-audit-only.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/configure-an-applocker-policy-for-enforce-rules.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/configure-exceptions-for-an-applocker-rule.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/configure-the-application-identity-service.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/configure-the-appLocker-reference-device.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-appLocker-reference-device",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/create-a-rule-for-packaged-apps.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/create-a-rule-that-uses-a-file-hash-condition.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/create-a-rule-that-uses-a-path-condition.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/create-a-rule-that-uses-a-publisher-condition.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/create-applocker-default-rules.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/create-applocker-default-rules",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/create-list-of-applications-deployed-to-each-business-group.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/create-your-applocker-policies.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-policies",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/create-your-applocker-rules.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/delete-an-applocker-rule.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/deploy-the-applocker-policy-into-production.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/determine-group-policy-structure-and-rule-enforcement.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/determine-your-application-control-objectives.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/dll-rules-in-applocker.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/document-your-application-list.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/document-your-applocker-rules.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/edit-an-applocker-policy.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/edit-applocker-rules.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/edit-applocker-rules",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/enable-the-dll-rule-collection.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/enable-the-dll-rule-collection",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/enforce-applocker-rules.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/enforce-applocker-rules",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/executable-rules-in-applocker.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/executable-rules-in-applocker",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/export-an-applocker-policy-from-a-gpo.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-from-a-gpo",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/export-an-applocker-policy-to-an-xml-file.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-to-an-xml-file",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/how-applocker-works-techref.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/how-applocker-works-techref",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/import-an-applocker-policy-from-another-computer.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/import-an-applocker-policy-into-a-gpo.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/maintain-applocker-policies.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/manage-packaged-apps-with-applocker.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/merge-applocker-policies-manually.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/monitor-application-usage-with-applocker.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/optimize-applocker-performance.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/optimize-applocker-performance",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/plan-for-applocker-policy-management.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/refresh-an-applocker-policy.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/requirements-for-deploying-applocker-policies.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/requirements-to-use-applocker.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/run-the-automatically-generate-rules-wizard.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/script-rules-in-applocker.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/security-considerations-for-applocker.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/select-types-of-rules-to-create.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/test-an-applocker-policy-by-using-test-applockerpolicy",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/test-and-update-an-applocker-policy.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/test-and-update-an-applocker-policy",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/tools-to-use-with-applocker.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/understand-applocker-enforcement-settings.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/understand-applocker-policy-design-decisions.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/understand-the-applocker-policy-deployment-process.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/understanding-applocker-default-rules.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-default-rules",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/understanding-applocker-rule-behavior.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-behavior",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/understanding-applocker-rule-collections.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-collections",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/understanding-applocker-rule-condition-types.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/understanding-applocker-rule-exceptions.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/understanding-the-file-hash-rule-condition-in-applocker.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/understanding-the-path-rule-condition-in-applocker.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/understanding-the-publisher-rule-condition-in-applocker.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/use-the-applocker-windows-powershell-cmdlets.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/using-event-viewer-with-applocker.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/using-software-restriction-policies-and-applocker-policies.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/what-is-applocker.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/windows-installer-rules-in-applocker.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/windows-installer-rules-in-applocker",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/working-with-applocker-policies.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/applocker/working-with-applocker-rules.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/device-guard/deploy-windows-defender-application-control.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/device-guard/optional-create-a-code-signing-certificate-for-windows-defender-application-control.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/device-guard/deploy-windows-defender-application-control-policy-rules-and-file-rules.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/device-guard/steps-to-deploy-windows-defender-application-control.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/device-guard/deploy-catalog-files-to-support-windows-defender-application-control.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/device-guard/deploy-managed-installer-for-device-guard.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer",
+"redirect_document_id": true
+},
+{
+"source_path": "windows/security/threat-protection/device-guard/device-guard-deployment-enable-virtualization-based-security.md",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/enable-virtualization-based-security",
+"redirect_document_id": true
+},
+{
 "source_path": "windows/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md",
 "redirect_url": "/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-available-settings",
 "redirect_document_id": true
@@ -1967,12 +2437,12 @@
 },
 {
 "source_path": "windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md",
-"redirect_url": "/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard",
+"redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity",
 "redirect_document_id": true
 },
 {
 "source_path": "windows/device-security/device-guard/steps-to-deploy-windows-defender-application-control.md",
-"redirect_url": "/windows/security/threat-protection/device-guard/steps-to-deploy-windows-defender-application-control",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy",
 "redirect_document_id": true
 },
 {
@@ -4647,7 +5117,7 @@
 },
 {
 "source_path": "windows/device-security/device-guard/deploy-code-integrity-policies-steps.md",
-"redirect_url": "/windows/device-security/device-guard/steps-to-deploy-windows-defender-application-control",
+"redirect_url": "/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy",
 "redirect_document_id": true
 },
 {
@@ -4686,7 +5156,7 @@
 "redirect_document_id": true
 },
 {
-"source_path": "windows/configuration/basic-level-windows-diagnostic-events-and-fields-1709.md",
+"source_path": "windows/configuration/basic-level-windows-diagnostic-events-and-fields-1803.md",
 "redirect_url": "/windows/configuration/basic-level-windows-diagnostic-events-and-fields",
 "redirect_document_id": true
 },
@@ -11002,7 +11472,7 @@
 },
 {
 "source_path": "windows/keep-secure/requirements-and-deployment-planning-guidelines-for-device-guard.md",
-"redirect_url": "/windows/device-security/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard",
+"redirect_url": "/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity",
 "redirect_document_id": true
 },
 {
diff --git a/browsers/edge/available-policies.md b/browsers/edge/available-policies.md
index 3766535880..fcdd64629c 100644
--- a/browsers/edge/available-policies.md
+++ b/browsers/edge/available-policies.md
@@ -3,12 +3,13 @@ description: Microsoft Edge works with Group Policy and Microsoft Intune to help
 ms.assetid: 2e849894-255d-4f68-ae88-c2e4e31fa165
 author: shortpatti
 ms.author: pashort
+manager: elizapo
 ms.prod: edge
 ms.mktglfcycl: explore
 ms.sitesec: library
 title: Group Policy and Mobile Device Management settings for Microsoft Edge (Microsoft Edge for IT Pros)
 ms.localizationpriority: high
-ms.date: 4/5/2018 #Previsou release date 09/13/2017
+ms.date: 4/20/2018 #Previous release date 09/13/2017
 ---
 
 # Group Policy and Mobile Device Management (MDM) settings for Microsoft Edge
@@ -73,20 +74,6 @@ Your browsing data is the information that Microsoft Edge remembers and stores a
 |Data type | Integer |
 |Allowed values |<ul><li>**0 (default)** - Browsing data is not cleared on exit. The type of browsing data to clear can be configured by the employee in the Clear browsing data options under Settings.</li><li>**1** - Browsing data is cleared on exit.</li></ul> |
 
-## Allow configuration updates for the Books Library
->*Supporteded versions: Windows 10*
-
-Microsoft Edge automatically retrieves the configuration data for the Books Library, when this policy is enabled or not configured. If disabled, Microsoft Edge does not retrieve the Books configuration data.
-
-**Microsoft Intune to manage your MDM settings** 
-|   |   |
-|---|---|
-|MDM name |[AllowConfigurationUpdateForBooksLibrary ](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-allowconfigurationupdateforbookslibrary) |
-|Supported devices |Desktop  |
-|URI full path | ./Vendor/MSFT/Policy/Config/Browser/AllowConfigurationUpdateForBooksLibrary  |
-|Data type | Integer |
-|Allowed values |<ul><li>**0** - Disable. Microsoft Edge cannot retrieve a configuration.</li><li>**1 (default)** - Enable (default). Microsoft Edge can retrieve a configuration for Books Library.</li></ul> |
-
 
 ## Allow Cortana
 >*Supported versions: Windows 10, version 1607 or later*
@@ -117,19 +104,6 @@ F12 developer tools is a suite of tools to help you build and debug your webpage
 |Data type | Integer |
 |Allowed values |<ul><li>**0** - The F12 Developer Tools are disabled.</li><li>**1 (default)** - The F12 Developer Tools are enabled.</li></ul> |
 
-## Allow extended telemetry for the Books tab
->*Supporteded versions: Windows 10*
-
-If you enable this policy, both basic and additional diagnostic data is sent to Microsoft about the books you are reading from Books in Microsoft Edge. By default, this policy is disabled or not configured and only basic diagnostic data, depending on your device configuration, is sent to Microsoft. 
-
-**Microsoft Intune to manage your MDM settings** 
-|   |   |
-|---|---|
-|MDM name |[EnableExtendedBooksTelemetry](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-enableextendedbookstelemetry) |
-|Supported devices |Desktop<br>Mobile  |
-|URI full path | ./Vendor/MSFT/Policy/Config/Browser/EnableExtendedBooksTelemetry |
-|Data type | Integer |
-|Allowed values |<ul><li>**0  (default)** - Disable. Only basic diagnostic data is sent.</li><li>**1** - Enable. Both Basic and additional diagnostic data is sent.</li></ul> |
 
 ## Allow Extensions
 >*Supporteded versions: Windows 10, version 1607 or later*
@@ -197,7 +171,7 @@ This policy setting lets you configure what appears when a New Tab page is opene
 
 
 ## Always Enable book library
->*Supporteded versions: Windows 10*
+>*Supporteded versions: Windows 10, version 1709 or later*
 
 This policy settings specifies whether to always show the Books Library in Microsoft Edge. By default, this setting is disabled, which means the library is only visible in countries or regions where available. if enabled, the Books Library is always shown regardless of countries or region of activation.
 
@@ -598,19 +572,7 @@ This policy setting specifies whether you see an additional page in Microsoft Ed
 |Data type | Integer |
 |Allowed values |<ul><li>**0 (default)** - Doesn’t show an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.</li><li>**1** - Shows an additional page in Microsoft Edge, stating that a site has been opened using Internet Explorer 11.</li></ul> |
 
-## User shared folder for books
->*Supported versions: Windows 10*
 
-This policy setting specifies whether organizations should use a folder shared across users to store books from the Books Library. 
-
-**Microsoft Intune to manage your MDM settings** 
-|   |   |
-|---|---|
-|MDM name |[UseSharedFolderForBooks](https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-browser#browser-usesharedfolderforbooks) |
-|Supported devices |Desktop  |
-|URI full path |./Vendor/MSFT/Policy/Config/Browser/UseSharedFolderForBooks   |
-|Data type | Integer |
-|Allowed values |<ul><li>**0** - No shared folder.</li><li>**1** - Use as shared folder.</li></ul> |
 
 
 ## Related topics
diff --git a/devices/hololens/change-history-hololens.md b/devices/hololens/change-history-hololens.md
index ad91f33903..6b277cfa47 100644
--- a/devices/hololens/change-history-hololens.md
+++ b/devices/hololens/change-history-hololens.md
@@ -8,7 +8,7 @@ ms.sitesec: library
 ms.pagetype: surfacehub
 author: jdeckerms
 ms.localizationpriority: medium
-ms.date: 04/23/2018
+ms.date: 04/30/2018
 ---
 
 # Change history for Microsoft HoloLens documentation
diff --git a/devices/hololens/hololens-kiosk.md b/devices/hololens/hololens-kiosk.md
index a70c2265b8..d17932da87 100644
--- a/devices/hololens/hololens-kiosk.md
+++ b/devices/hololens/hololens-kiosk.md
@@ -7,11 +7,14 @@ ms.pagetype: hololens, devices
 ms.sitesec: library
 author: jdeckerms
 ms.localizationpriority: medium
-ms.date: 04/23/2018
+ms.date: 04/30/2018
 ---
 
 # Set up HoloLens in kiosk mode
 
+>[!WARNING]
+>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
 In Windows 10, version 1803, you can configure your HoloLens devices to run as multi-app or single-app kiosks.
 
 When HoloLens is configured as a multi-app kiosk, only the allowed apps are available to the user. The benefit of a multi-app kiosk, or fixed-purpose device, is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they don’t need to access. 
@@ -26,7 +29,7 @@ The [AssignedAccess Configuration Service Provider (CSP)](https://docs.microsoft
 >Be aware that voice commands are enabled for kiosk mode configured in Microsoft Intune or provisioning packages, even if the Cortana app is not selected as a kiosk app. 
 
 For HoloLens devices running Windows 10, version 1803, there are three methods that you can use to configure the device as a kiosk:
-- You can [use Microsoft Intune](#intune-kiosk), for HoloLens devices managed by Intune, to configure single-app and multi-app kiosks.
+- You can use [Microsoft Intune or other mobile device management (MDM) service](#intune-kiosk) to configure single-app and multi-app kiosks.
 - You can [use a provisioning package](#ppkg-kiosk) to configure single-app and multi-app kiosks.
 - You can [use the Windows Device Portal](#portal-kiosk) to configure single-app kiosks. This method is recommended only for demonstrations, as it requires that developer mode be enabled on the device.
 
@@ -35,14 +38,17 @@ For HoloLens devices running Windows 10, version 1607, you can [use the Windows
 <span id="start-kiosk"/>
 ## Start layout for HoloLens 
 
-If you use [Microsoft Intune](#intune-kiosk) or a [provisioning package](#ppkg-kiosk) to configure a multi-app kiosk, the procedure requires a Start layout. Start layout customization isn't supported in Holographic for Business, so you'll need to use a placeholder Start layout. 
+If you use [MDM, Microsoft Intune](#intune-kiosk), or a [provisioning package](#ppkg-kiosk) to configure a multi-app kiosk, the procedure requires a Start layout. Start layout customization isn't supported in Holographic for Business, so you'll need to use a placeholder Start layout. 
 
 >[!NOTE]
 >Because a single-app kiosk launches the kiosk app when a user signs in, there is no Start screen displayed.
 
 ### Start layout file for Intune
 
-Save the following sample as an XML file. You will select this file when you configure the kiosk in Microsoft Intune.
+Save the following sample as an XML file. You will select this file when you configure the kiosk in Microsoft Intune (or in another MDM service that provides a kiosk profile).
+
+>[!NOTE]
+>If you need to use a custom setting and full XML configuration to set up a kiosk in your MDM service, use the [Start layout instructions for a provisioning package](#start-layout-for-a-provisioning-package). 
 
 ```xml
 <LayoutModificationTemplate
@@ -85,45 +91,13 @@ You will [create an XML file](#ppkg-kiosk) to define the kiosk configuration to
 ``` 
 
 <span id="intune-kiosk"/>
-## Set up kiosk mode using Microsoft Intune (Windows 10, version 1803)
+## Set up kiosk mode using Microsoft Intune or MDM (Windows 10, version 1803)
 
- 
+For HoloLens devices that are managed by Microsoft Intune, you [create a device restriction profile](https://docs.microsoft.com/intune/device-profile-create) and configure the [Kiosk (Preview) settings](https://docs.microsoft.com/intune/device-restrictions-windows-holographic#kiosk-preview).
 
-**Multi-app kiosk**
+For other MDM services, check your provider's documentation for instructions. If you need to use a custom setting and full XML configuration to set up a kiosk in your MDM service, [create an XML file that defines the kiosk configuration](#create-xml-file), and make sure to include the [Start layout](#start-layout-for-a-provisioning-package) in the XML file.  
 
-2. In the Microsoft Azure portal, search for **Intune** or go to **More services** > **Intune**.
-3. Select **Device configuration**.
-4. Select **Profiles**.
-5. Select **Create profile**.
-6. Enter a friendly name for the profile.
-7. Select **Windows 10 and later** for the platform.
-8. Select **Device restrictions** for the profile type.
-9. Select **Kiosk**.
-10. In **Kiosk Mode**, select **Multi app kiosk**.
-11. Select **Add** to define a configuration, which specifies the apps that will run and the layout for the Start menu.
-12. Enter a friendly name for the configuration.
-13. Select **UWP App** for a Universal Windows Platform app, and enter the Application User Model ID for an installed app.
-14. Select whether to enable the taskbar.
-15. Browse to and select [the Start layout XML file](#start-kiosk).
-16. Add one or more accounts. When the account signs in, only the apps defined in the configuration will be available.
-17. Select **OK**. You can add additional configurations or finish.
-18. Assign the profile to a device group to configure the devices in that group as kiosks.
 
-**Single-app kiosk**
-
-2. In the Microsoft Azure portal, search for **Intune** or go to **More services** > **Intune**.
-3. Select **Device configuration**.
-4. Select **Profiles**.
-5. Select **Create profile**.
-6. Enter a friendly name for the profile.
-7. Select **Windows 10 and later** for the platform.
-8. Select **Device restrictions** for the profile type.
-9. Select **Kiosk**.
-10. In **Kiosk Mode**, select **Single app kiosk**.
-11. Enter the user account that will be used for the kiosk.
-13. Enter the Application User Model ID for an installed app.
-14. Select **OK**, and then select **Create**.
-18. Assign the profile to a device group to configure the devices in that group as kiosks.
 
 <span id="ppkg-kiosk"/>
 ## Setup kiosk mode using a provisioning package (Windows 10, version 1803)
@@ -140,7 +114,7 @@ Follow [the instructions for creating a kiosk configuration XML file for desktop
 
 - Do not include Classic Windows applications (Win32) since they aren't supported on HoloLens.
 - Use the [placeholder Start XML](#start-kiosk) for HoloLens.
-- Use [group accounts](https://docs.microsoft.com/windows/configuration/lock-down-windows-10-to-specific-apps#config-for-group-account) rather than individual accounts.
+
 
 <span id="add-xml"/>
 ### Add the kiosk configuration XML file to a provisioning package
diff --git a/devices/hololens/hololens-multiple-users.md b/devices/hololens/hololens-multiple-users.md
index 0282d545fe..b4ed3c8b1c 100644
--- a/devices/hololens/hololens-multiple-users.md
+++ b/devices/hololens/hololens-multiple-users.md
@@ -7,11 +7,14 @@ ms.pagetype: hololens, devices
 ms.sitesec: library
 author: jdeckerms
 ms.localizationpriority: medium
-ms.date: 04/23/2018
+ms.date: 04/30/2018
 ---
 
 # Share HoloLens with multiple people
 
+>[!WARNING]
+>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
 A HoloLens device can be shared by multiple Azure Active Directory (Azure AD) accounts, each with their own user settings and user data on the device.
 
 **Prerequisite**: The HoloLens device must be running Windows 10, version 1803, and be [upgraded to Windows Holographic for Business](hololens-upgrade-enterprise.md).
diff --git a/devices/hololens/hololens-provisioning.md b/devices/hololens/hololens-provisioning.md
index 87a541f840..8054d4f82d 100644
--- a/devices/hololens/hololens-provisioning.md
+++ b/devices/hololens/hololens-provisioning.md
@@ -7,11 +7,14 @@ ms.pagetype: hololens, devices
 ms.sitesec: library
 author: jdeckerms
 ms.localizationpriority: medium
-ms.date: 04/23/2018
+ms.date: 04/30/2018
 ---
 
 # Configure HoloLens using a provisioning package
 
+>[!WARNING]
+>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
 [Windows provisioning](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-packages) makes it easy for IT administrators to configure end-user devices without imaging. Windows Configuration Designer is a tool for configuring images and runtime settings which are then built into provisioning packages. 
 
 Some of the HoloLens configurations that you can apply in a provisioning package: 
diff --git a/devices/hololens/hololens-updates.md b/devices/hololens/hololens-updates.md
index 6eaeb70644..e7e0c89ac7 100644
--- a/devices/hololens/hololens-updates.md
+++ b/devices/hololens/hololens-updates.md
@@ -7,11 +7,14 @@ ms.pagetype: hololens, devices
 ms.sitesec: library
 author: jdeckerms
 ms.localizationpriority: medium
-ms.date: 04/23/2018
+ms.date: 04/30/2018
 ---
 
 # Manage updates to HoloLens
 
+>[!WARNING]
+>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
 Windows 10, version 1803, is the first feature update to Windows Holographic for Business since its release in Windows 10, version 1607. As with desktop devices, administrators can manage updates to the HoloLens operating system using [Windows Update for Business](https://docs.microsoft.com/windows/deployment/update/waas-manage-updates-wufb).
 
 >[!NOTE]
diff --git a/devices/hololens/hololens-upgrade-enterprise.md b/devices/hololens/hololens-upgrade-enterprise.md
index ce45a29b1e..3beed8592e 100644
--- a/devices/hololens/hololens-upgrade-enterprise.md
+++ b/devices/hololens/hololens-upgrade-enterprise.md
@@ -7,11 +7,14 @@ ms.pagetype: hololens, devices
 ms.sitesec: library
 author: jdeckerms
 ms.localizationpriority: medium
-ms.date: 04/23/2018
+ms.date: 04/30/2018
 ---
 
 # Unlock Windows Holographic for Business features
 
+>[!WARNING]
+>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
 Microsoft HoloLens is available in the *Development Edition*, which runs Windows Holographic (an edition of Windows 10 designed for HoloLens), and in the [Commercial Suite](https://docs.microsoft.com/windows/mixed-reality/commercial-features), which provides extra features designed for business. 
 
 When you purchase the Commercial Suite, you receive a license that upgrades Windows Holographic to Windows Holographic for Business. This license can be applied to the device either through the organization's [mobile device management (MDM) provider](#edition-upgrade-using-mdm) or a [provisioning package](#edition-upgrade-using-a-provisioning-package).
diff --git a/devices/hololens/hololens-whats-new.md b/devices/hololens/hololens-whats-new.md
index 20cd006e6a..00e18e5b12 100644
--- a/devices/hololens/hololens-whats-new.md
+++ b/devices/hololens/hololens-whats-new.md
@@ -7,11 +7,14 @@ ms.pagetype: hololens, devices
 ms.sitesec: library
 author: jdeckerms
 ms.localizationpriority: medium
-ms.date: 04/23/2018
+ms.date: 04/30/2018
 ---
 
 # What's new in Microsoft HoloLens
 
+>[!WARNING]
+>Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
 Windows 10, version 1803, is the first feature update to Windows Holographic for Business since its release in Windows 10, version 1607. This update introduces the following changes:
 
 - Previously, you could only verify that upgrade license for Commercial Suite had been applied to your HoloLens device by checking to see if VPN was an available option on the device. Now, **Settings** > **System** will display **Windows Holographic for Business** after the upgrade license is applied. [Learn how to unlock Windows Holographic for Business features](hololens-upgrade-enterprise.md). 
diff --git a/devices/hololens/index.md b/devices/hololens/index.md
index d545d9b2f2..98ceb942a3 100644
--- a/devices/hololens/index.md
+++ b/devices/hololens/index.md
@@ -7,7 +7,7 @@ ms.pagetype: hololens, devices
 ms.sitesec: library
 author: jdeckerms
 ms.localizationpriority: medium
-ms.date: 04/23/2018
+ms.date: 04/30/2018
 ---
 
 # Microsoft HoloLens
diff --git a/devices/surface-hub/device-reset-surface-hub.md b/devices/surface-hub/device-reset-surface-hub.md
index d5d8bbf104..a595ea198c 100644
--- a/devices/surface-hub/device-reset-surface-hub.md
+++ b/devices/surface-hub/device-reset-surface-hub.md
@@ -60,6 +60,9 @@ If you see a blank screen for long periods of time during the **Reset device** p
  
 In the Windows Recovery Environment (Windows RE), you can recover your device by downloading a factory build from the cloud and installing it on the Surface Hub. This allows devices in an unusable state to recover without requiring assistance from Microsoft Support.
 
+>[!NOTE]
+>The **Recover from the cloud** process requires an open internet connection (no proxy, or other authentications). An ethernet connection is recommended.
+
 ### Recover a Surface Hub in a bad state
 
 If the device account gets into an unstable state or the Admin account is running into issues, you can use cloud recovery in **Settings**. You should only use cloud recovery when [reset](#reset-a-surface-hub-from-settings) doesn't fix the problem.  
@@ -77,8 +80,6 @@ On rare occasions, a Surface Hub may encounter an error while cleaning up user a
 1.  From the welcome screen, toggle the Surface Hub's power switch 3 times. Wait a few seconds between each toggle. See the [Surface Hub Site Readiness Guide](https://www.microsoft.com/surface/support/surface-hub/surface-hub-site-readiness-guide) for help with locating the power switch. 
 2. The device should automatically boot into Windows RE. 
 3. After the Surface Hub enters Windows RE, select **Recover from the cloud**. (Optionally, you can choose **Reset**, however **Recover from the cloud** is the recommended approach.)
-    >[!NOTE]
-    >When using **Recover from the cloud**, an ethernet connection is recommended.
     
     ![Recover from the cloud](images/recover-from-cloud.png)
     
diff --git a/devices/surface-hub/surface-hub-authenticator-app.md b/devices/surface-hub/surface-hub-authenticator-app.md
index b303d0354c..4e76e525e0 100644
--- a/devices/surface-hub/surface-hub-authenticator-app.md
+++ b/devices/surface-hub/surface-hub-authenticator-app.md
@@ -24,7 +24,7 @@ To let people in your organization sign in to Surface Hub with their phones and
 
 - Make sure you have at minimum an Office 365 E3 subscription. 
 
-- [Configure Multi-Factor Authentication](https://docs.microsoft.com/azure/multi-factor-authentication/multi-factor-authentication). Make sure **Notification through mobile app** is selected. 
+- [Configure Multi-Factor Authentication](https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings). Make sure **Notification through mobile app** is selected. 
 
     ![multi-factor authentication options](images/mfa-options.png)
 
diff --git a/education/trial-in-a-box/educator-tib-get-started.md b/education/trial-in-a-box/educator-tib-get-started.md
index de19d69ecb..f65f3f3998 100644
--- a/education/trial-in-a-box/educator-tib-get-started.md
+++ b/education/trial-in-a-box/educator-tib-get-started.md
@@ -81,6 +81,7 @@ Learning Tools and the Immersive Reader can be used in the Microsoft Edge browse
 </br>
 </br>
 
+
 ![Spark communication, critical thinking, and creativity with Microsoft Teams](images/edu-TIB-setp-3-jump.png) 
 ## <a name="edu-task3"></a>3. Spark communication, critical thinking, and creativity in the classroom
 
diff --git a/education/trial-in-a-box/images/Bug.png b/education/trial-in-a-box/images/Bug.png
new file mode 100644
index 0000000000..3199821631
Binary files /dev/null and b/education/trial-in-a-box/images/Bug.png differ
diff --git a/education/trial-in-a-box/images/screenshot-bug.png b/education/trial-in-a-box/images/screenshot-bug.png
new file mode 100644
index 0000000000..3199821631
Binary files /dev/null and b/education/trial-in-a-box/images/screenshot-bug.png differ
diff --git a/education/trial-in-a-box/itadmin-tib-get-started.md b/education/trial-in-a-box/itadmin-tib-get-started.md
index 97a8d7964f..08c14e499d 100644
--- a/education/trial-in-a-box/itadmin-tib-get-started.md
+++ b/education/trial-in-a-box/itadmin-tib-get-started.md
@@ -150,7 +150,7 @@ A provisioning package is a method for applying settings to Windows 10 without n
 
     ![The first screen to set up a new PC in Windows 10 Fall Creators Update](images/win10_oobe_firstscreen.png)
 
-    If the PC is past the account setup screen, reset the PC to start over. To reset the PC, go to **Settings > Update & security > Recovery > Reset this PC**.
+    If you go past the region selection screen, select **Ctrl + Shift + F3** which will prompt the "System Preparation Tool." Select **Okay** in the tool to return to the region selection screen. If this doesn't work, reset the PC by going to **Settings > Update & Security > Recovery > Reset this PC.**
 
 2. Insert the USB drive into **Device B**. Windows will recognize the drive and automatically install the provisioning package. 
 3. When prompted, remove the USB drive. You can then use the USB drive to start provisioning another student PC.
@@ -231,10 +231,10 @@ The Microsoft Store for Education is where you can shop for more apps for your s
 Update settings for all devices in your tenant by adding the **Documents** and **Downloads** folders to all devices managed in Intune for Education.
 
 1. Go to the <a href="https://intuneeducation.portal.azure.com/" target="_blank">Intune for Education console</a>.
-2. Select **Group > All Devices > Settings** and expand **Windows interface customizations**.
+2. Select **Group > All Devices > Settings** and expand **Windows interface settings**.
 3. In **Choose folders that appear in the Start menu**, select **Documents** and **Downloads**.
 
-    ![Choose folders that appear in the Start menu](images/i4e_groups_alldevices_newfolders.png)
+    ![Choose folders that appear in the Start menu](images/Bug.png)
 
 4. **Save** your changes.
 
diff --git a/mdop/appv-v5/how-to-sequence-a-new-application-with-app-v-51-beta-gb18030.md b/mdop/appv-v5/how-to-sequence-a-new-application-with-app-v-51-beta-gb18030.md
index c9ef573ead..fef2c2c8fd 100644
--- a/mdop/appv-v5/how-to-sequence-a-new-application-with-app-v-51-beta-gb18030.md
+++ b/mdop/appv-v5/how-to-sequence-a-new-application-with-app-v-51-beta-gb18030.md
@@ -57,8 +57,8 @@ ms.date: 06/16/2016
 
     -   If short paths have been disabled for the virtualized package’s target volume, you must also sequence the package to a volume that was created and still has short-paths disabled. It cannot be the system volume.
 
-**Note**  
-The App-V 5.x Sequencer cannot sequence applications with filenames matching "CO_&lt;x&gt;" where x is any numeral. Error 0x8007139F will be generated.
+> [!NOTE]  
+> The App-V 5.x Sequencer cannot sequence applications with filenames matching "CO_&lt;x&gt;" where x is any numeral. Error 0x8007139F will be generated.
 
 **To sequence a new standard application**
 
@@ -68,13 +68,13 @@ The App-V 5.x Sequencer cannot sequence applications with filenames matching "CO
 
 3.  On the **Prepare Computer** page, review the issues that could cause the package creation to fail or could cause the package to contain unnecessary data. You should resolve all potential issues before you continue. After making any corrections, click **Refresh** to display the updated information. After you have resolved all potential issues, click **Next**.
 
-    **Important**  
-    If you are required to disable virus scanning software, you should first scan the computer that runs the sequencer in order to ensure that no unwanted or malicious files could be added to the package.
+    > [!IMPORTANT]  
+    > If you are required to disable virus scanning software, you should first scan the computer that runs the sequencer in order to ensure that no unwanted or malicious files could be added to the package.
 
      
 
-    **Note**  
-    There is currently no way to disable Windows Defender in Windows 10. If you receive a warning, you can safely ignore it. It is unlikely that Windows Defender will affect sequencing at all.
+    > [!NOTE]  
+    > There is currently no way to disable Windows Defender in Windows 10. If you receive a warning, you can safely ignore it. It is unlikely that Windows Defender will affect sequencing at all.
 
      
 
@@ -82,8 +82,8 @@ The App-V 5.x Sequencer cannot sequence applications with filenames matching "CO
 
 5.  On the **Select Installer** page, click **Browse** and specify the installation file for the application.
 
-    **Note**  
-    If the specified application installer modifies security access to a file or directory, existing or new, the associated changes will not be captured into the package.
+    > [!NOTE]  
+    > If the specified application installer modifies security access to a file or directory, existing or new, the associated changes will not be captured into the package.
 
      
 
@@ -95,8 +95,8 @@ The App-V 5.x Sequencer cannot sequence applications with filenames matching "CO
 
 7.  On the **Installation** page, when the sequencer and application installer are ready you can proceed to install the application so that the sequencer can monitor the installation process.
 
-    **Important**  
-    You should always install applications to a secure location and make sure no other users are logged on to the computer running the sequencer during monitoring.
+    > [!IMPORTANT]  
+    > You should always install applications to a secure location and make sure no other users are logged on to the computer running the sequencer during monitoring.
 
      
 
@@ -106,8 +106,8 @@ The App-V 5.x Sequencer cannot sequence applications with filenames matching "CO
 
 9.  On the **Configure Software** page, optionally run the programs contained in the package. This step allows you to complete any necessary license or configuration tasks before you deploy and run the package on target computers. To run all the programs at one time, select at least one program, and then click **Run All**. To run specific programs, select the program or programs, and then click **Run Selected**. Complete the required configuration tasks and then close the applications. You may need to wait several minutes for all programs to run.
 
-    **Note**  
-    To run first-use tasks for any application that is not available in the list, open the application. The associated information will be captured during this step.
+    > [!NOTE]  
+    > To run first-use tasks for any application that is not available in the list, open the application. The associated information will be captured during this step.
 
      
 
@@ -125,15 +125,15 @@ The App-V 5.x Sequencer cannot sequence applications with filenames matching "CO
 
 12. On the **Streaming** page, run each program so that it can be optimized and run more efficiently on target computers. It can take several minutes for all the applications to run. After all applications have run, close each of the applications, and then click **Next**.
 
-    **Note**  
-    If you do not open any applications during this step, the default streaming method is on-demand streaming delivery. This means applications will be downloaded bit by bit until it can be opened, and then depending on how the background loading is configured, will load the rest of the application.
+    > [!NOTE]  
+    > If you do not open any applications during this step, the default streaming method is on-demand streaming delivery. This means applications will be downloaded bit by bit until it can be opened, and then depending on how the background loading is configured, will load the rest of the application.
 
      
 
 13. On the **Target OS** page, specify the operating systems that can run this package. To allow all supported operating systems in your environment to run this package, select **Allow this package to run on any operating system**. To configure this package to run only on specific operating systems, select **Allow this package to run only on the following operating systems** and select the operating systems that can run this package. Click **Next**.
 
-    **Important**  
-    Make sure that the operating systems you specify here are supported by the application you are sequencing.
+    > [!IMPORTANT]  
+    > Make sure that the operating systems you specify here are supported by the application you are sequencing.
 
      
 
@@ -141,8 +141,8 @@ The App-V 5.x Sequencer cannot sequence applications with filenames matching "CO
 
     To save the package immediately, select **Save the package now** (default). Add optional **Comments** to be associated with the package. Comments are useful for identifying the program version and other information about the package.
 
-    **Important**  
-    The system does not support non-printable characters in **Comments** and **Descriptions**.
+    > [!IMPORTANT]  
+    > The system does not support non-printable characters in **Comments** and **Descriptions**.
 
      
 
@@ -152,19 +152,17 @@ The App-V 5.x Sequencer cannot sequence applications with filenames matching "CO
 
     The package is now available in the sequencer.
 
-    **Important**  
-    After you have successfully created a virtual application package, you cannot run the virtual application package on the computer that is running the sequencer.
+    > [!IMPORTANT]  
+    > After you have successfully created a virtual application package, you cannot run the virtual application package on the computer that is running the sequencer.
 
      
 
 **To sequence an add-on or plug-in application**
 
-1.  
-
-    **Note**  
-    Before performing the following procedure, install the parent application locally on the computer that is running the sequencer. Or if you have the parent application virtualized, you can follow the steps in the add-on or plug-in workflow to unpack the parent application on the computer.
-
-    For example, if you are sequencing a plug-in for Microsoft Excel, install Microsoft Excel locally on the computer that is running the sequencer. Also install the parent application in the same directory where the application is installed on target computers. If the plug-in or add-on is going to be used with an existing virtual application package, install the application on the same virtual application drive that was used when you created the parent virtual application package.
+1.  > [!NOTE]  
+    > Before performing the following procedure, install the parent application locally on the computer that is running the sequencer. Or if you have the parent application virtualized, you can follow the steps in the add-on or plug-in workflow to unpack the parent application on the computer.
+    >
+    > For example, if you are sequencing a plug-in for Microsoft Excel, install Microsoft Excel locally on the computer that is running the sequencer. Also install the parent application in the same directory where the application is installed on target computers. If the plug-in or add-on is going to be used with an existing virtual application package, install the application on the same virtual application drive that was used when you created the parent virtual application package.
 
      
 
@@ -174,8 +172,8 @@ The App-V 5.x Sequencer cannot sequence applications with filenames matching "CO
 
 3.  On the **Prepare Computer** page, review the issues that might cause the package creation to fail or could cause the package to contain unnecessary data. You should resolve all potential issues before you continue. After making any corrections, click **Refresh** to display the updated information. After you have resolved all potential issues, click **Next**.
 
-    **Important**  
-    If you are required to disable virus scanning software, you should first scan the computer that runs the sequencer in order to ensure that no unwanted or malicious files could be added to the package.
+    > [!IMPORTANT]  
+    > If you are required to disable virus scanning software, you should first scan the computer that runs the sequencer in order to ensure that no unwanted or malicious files could be added to the package.
 
      
 
@@ -205,8 +203,8 @@ The App-V 5.x Sequencer cannot sequence applications with filenames matching "CO
 
 11. On the **Streaming** page, run each program so that it can be optimized and run more efficiently on target computers. Streaming improves the experience when the virtual application package is run on target computers on high-latency networks. It can take several minutes for all the applications to run. After all applications have run, close each of the applications. You can also configure the package to be required to be fully downloaded before opening by selecting the **Force applications to be downloaded** check-box. Click **Next**.
 
-    **Note**  
-    If necessary, you can stop an application from loading during this step. In the **Application Launch** dialog box, click **Stop** and select one of the check boxes: **Stop all applications** or **Stop this application only**.
+    > [!NOTE]  
+    > If necessary, you can stop an application from loading during this step. In the **Application Launch** dialog box, click **Stop** and select one of the check boxes: **Stop all applications** or **Stop this application only**.
 
      
 
@@ -216,8 +214,8 @@ The App-V 5.x Sequencer cannot sequence applications with filenames matching "CO
 
     To save the package immediately, select **Save the package now**. Optionally, add a **Description** that will be associated with the package. Descriptions are useful for identifying the version and other information about the package.
 
-    **Important**  
-    The system does not support non-printable characters in Comments and Descriptions.
+    > [!IMPORTANT]  
+    > The system does not support non-printable characters in Comments and Descriptions.
 
      
 
@@ -231,8 +229,8 @@ The App-V 5.x Sequencer cannot sequence applications with filenames matching "CO
 
 3.  On the **Prepare Computer** page, review the issues that could cause the package creation to fail or could cause the package to contain unnecessary data. You should resolve all potential issues before you continue. After making any corrections, click **Refresh** to display the updated information. After you have resolved all potential issues, click **Next**.
 
-    **Important**  
-    If you are required to disable virus scanning software, you should first scan the computer that runs the App-V 5.0 Sequencer in order to ensure that no unwanted or malicious files can be added to the package.
+    > [!IMPORTANT]  
+    > If you are required to disable virus scanning software, you should first scan the computer that runs the App-V 5.0 Sequencer in order to ensure that no unwanted or malicious files can be added to the package.
 
      
 
@@ -256,8 +254,8 @@ The App-V 5.x Sequencer cannot sequence applications with filenames matching "CO
 
     To save the package immediately, select **Save the package now**. Optionally, add a **Description** to be associated with the package. Descriptions are useful for identifying the program version and other information about the package.
 
-    **Important**  
-    The system does not support non-printable characters in Comments and Descriptions.
+    > [!IMPORTANT]  
+    > The system does not support non-printable characters in Comments and Descriptions.
 
      
 
@@ -267,8 +265,8 @@ The App-V 5.x Sequencer cannot sequence applications with filenames matching "CO
 
     The package is now available in the sequencer. To edit the package properties, click **Edit \[Package Name\]**.
 
-    **Important**  
-    After you have successfully created a virtual application package, you cannot run the virtual application package on the computer that is running the sequencer.
+    > [!IMPORTANT]  
+    > After you have successfully created a virtual application package, you cannot run the virtual application package on the computer that is running the sequencer.
 
      
 
diff --git a/mdop/mbam-v25/about-mbam-25-sp1.md b/mdop/mbam-v25/about-mbam-25-sp1.md
index 8cd8dc5a1b..dacedac502 100644
--- a/mdop/mbam-v25/about-mbam-25-sp1.md
+++ b/mdop/mbam-v25/about-mbam-25-sp1.md
@@ -230,9 +230,8 @@ MBAM is a part of the Microsoft Desktop Optimization Pack (MDOP). MDOP is part o
 For more information and late-breaking news that is not included in this documentation, see [Release Notes for MBAM 2.5 SP1](release-notes-for-mbam-25-sp1.md).
 
 ## Got a suggestion for MBAM?
-
-
-Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopmbam).
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
 
 ## Related topics
 
diff --git a/mdop/mbam-v25/about-mbam-25.md b/mdop/mbam-v25/about-mbam-25.md
index fa12092dab..cbde231c72 100644
--- a/mdop/mbam-v25/about-mbam-25.md
+++ b/mdop/mbam-v25/about-mbam-25.md
@@ -355,9 +355,8 @@ MBAM is a part of the Microsoft Desktop Optimization Pack (MDOP). MDOP is part o
 For more information and late-breaking news that is not included in this documentation, see [Release Notes for MBAM 2.5](release-notes-for-mbam-25.md).
 
 ## Got a suggestion for MBAM?
-
-
-Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
 
 ## Related topics
 
diff --git a/mdop/mbam-v25/accessibility-for-mbam-25.md b/mdop/mbam-v25/accessibility-for-mbam-25.md
index c4b1726472..006f3acba5 100644
--- a/mdop/mbam-v25/accessibility-for-mbam-25.md
+++ b/mdop/mbam-v25/accessibility-for-mbam-25.md
@@ -89,9 +89,8 @@ Microsoft Support Services are subject to the prices, terms, and conditions in p
 For more information about how accessible technology for computers helps to improve the lives of people with disabilities, see the [Microsoft Accessibility website](https://go.microsoft.com/fwlink/?linkid=8431).
 
 ## Got a suggestion for MBAM?
-
-
-Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
 
 ## Related topics
 
diff --git a/mdop/mbam-v25/administering-mbam-25-features.md b/mdop/mbam-v25/administering-mbam-25-features.md
index dbefcf71c0..4b0fad8bfc 100644
--- a/mdop/mbam-v25/administering-mbam-25-features.md
+++ b/mdop/mbam-v25/administering-mbam-25-features.md
@@ -41,9 +41,8 @@ This customized control panel does not replace the default Windows BitLocker con
 [Operations for MBAM 2.5](operations-for-mbam-25.md)
 
 ## Got a suggestion for MBAM?
-
-
-Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
 
  
 
diff --git a/mdop/mbam-v25/client-event-logs.md b/mdop/mbam-v25/client-event-logs.md
index aa4aae881c..f8d2dc07c4 100644
--- a/mdop/mbam-v25/client-event-logs.md
+++ b/mdop/mbam-v25/client-event-logs.md
@@ -253,21 +253,18 @@ The following table contains event IDs that can occur on the MBAM Client.
 
  
 
-## Got a suggestion for MBAM?
-
-
-Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
 
 ## Related topics
-
-
 [Technical Reference for MBAM 2.5](technical-reference-for-mbam-25.md)
 
 [Server Event Logs](server-event-logs.md)
 
  
 
- 
+
+## Got a suggestion for MBAM?
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). 
 
 
 
diff --git a/mdop/mbam-v25/configuring-mbam-25-server-features-by-using-windows-powershell.md b/mdop/mbam-v25/configuring-mbam-25-server-features-by-using-windows-powershell.md
index 13c370473a..330377d65b 100644
--- a/mdop/mbam-v25/configuring-mbam-25-server-features-by-using-windows-powershell.md
+++ b/mdop/mbam-v25/configuring-mbam-25-server-features-by-using-windows-powershell.md
@@ -349,10 +349,8 @@ To view the local security setting, open the **Local Security Policy editor**, e
 
  
 
-## Got a suggestion for MBAM?
 
 
-Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
 
 ## Related topics
 
@@ -364,7 +362,9 @@ Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-micros
 [Using Windows PowerShell to Administer MBAM 2.5](using-windows-powershell-to-administer-mbam-25.md)
 
  
-
+## Got a suggestion for MBAM?
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
  
 
 
diff --git a/mdop/mbam-v25/configuring-the-mbam-25-server-features.md b/mdop/mbam-v25/configuring-the-mbam-25-server-features.md
index 2d2948f50c..49b94f770e 100644
--- a/mdop/mbam-v25/configuring-the-mbam-25-server-features.md
+++ b/mdop/mbam-v25/configuring-the-mbam-25-server-features.md
@@ -105,11 +105,8 @@ Each row in the following table describes the features that you will configure o
 
 For a list of events about MBAM Server feature configuration, see [Server Event Logs](server-event-logs.md).
 
-## Got a suggestion for MBAM?
 
 
-Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
-
 ## Related topics
 
 
@@ -117,7 +114,9 @@ Configuring the MBAM 2.5 Server Features
  
 
  
-
+## Got a suggestion for MBAM?
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
 
 
 
diff --git a/mdop/mbam-v25/copying-the-mbam-25-group-policy-templates.md b/mdop/mbam-v25/copying-the-mbam-25-group-policy-templates.md
index 743572b6fb..79e1582f84 100644
--- a/mdop/mbam-v25/copying-the-mbam-25-group-policy-templates.md
+++ b/mdop/mbam-v25/copying-the-mbam-25-group-policy-templates.md
@@ -98,7 +98,6 @@ MDOP Group Policy templates are available for download in a self-extracting, com
 
     For descriptions of the Group Policy settings, see [Planning for MBAM 2.5 Group Policy Requirements](planning-for-mbam-25-group-policy-requirements.md).
 
-**Got a suggestion for MBAM**? Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). **Got a MBAM issue**? Use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
 
 ## Related topics
 
@@ -106,7 +105,9 @@ MDOP Group Policy templates are available for download in a self-extracting, com
 [Deploying MBAM 2.5 Group Policy Objects](deploying-mbam-25-group-policy-objects.md)
 
  
-
+## Got a suggestion for MBAM?
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
  
 
 
diff --git a/mdop/mbam-v25/create-or-edit-the-sms-defmof-file-mbam-25.md b/mdop/mbam-v25/create-or-edit-the-sms-defmof-file-mbam-25.md
index d71455a3ba..75f0c5dd3c 100644
--- a/mdop/mbam-v25/create-or-edit-the-sms-defmof-file-mbam-25.md
+++ b/mdop/mbam-v25/create-or-edit-the-sms-defmof-file-mbam-25.md
@@ -383,7 +383,9 @@ In the following sections, complete the instructions that correspond to the vers
  
 
  
-
+## Got a suggestion for MBAM?
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
 
 
 
diff --git a/mdop/mbam-v25/customizing-the-self-service-portal-for-your-organization.md b/mdop/mbam-v25/customizing-the-self-service-portal-for-your-organization.md
index 638453ed01..87f74c21ad 100644
--- a/mdop/mbam-v25/customizing-the-self-service-portal-for-your-organization.md
+++ b/mdop/mbam-v25/customizing-the-self-service-portal-for-your-organization.md
@@ -58,11 +58,8 @@ You can customize the Self-Service Portal in the following ways:
 
  
 
-## Got a suggestion for MBAM?
 
 
-Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
-
 ## Related topics
 
 
@@ -70,7 +67,9 @@ Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-micros
 
  
 
- 
+## Got a suggestion for MBAM?
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). 
 
 
 
diff --git a/mdop/mbam-v25/deploying-mbam-25-group-policy-objects.md b/mdop/mbam-v25/deploying-mbam-25-group-policy-objects.md
index 606ca70207..160b9ab0b2 100644
--- a/mdop/mbam-v25/deploying-mbam-25-group-policy-objects.md
+++ b/mdop/mbam-v25/deploying-mbam-25-group-policy-objects.md
@@ -48,9 +48,8 @@ Since MBAM offers a customized MBAM control panel that can replace the default W
 [Deploying MBAM 2.5](deploying-mbam-25.md)
 
 ## Got a suggestion for MBAM?
-
-
-Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
 
  
 
diff --git a/mdop/mbam-v25/deploying-mbam-25.md b/mdop/mbam-v25/deploying-mbam-25.md
index bea9f05d66..f1c1cff37e 100644
--- a/mdop/mbam-v25/deploying-mbam-25.md
+++ b/mdop/mbam-v25/deploying-mbam-25.md
@@ -82,9 +82,8 @@ Use this information to identify the procedures you can follow to deploy and con
 [Deploying MBAM 2.5 in a stand-alone configuration](https://support.microsoft.com/kb/3046555)
 
 ## Got a suggestion for MBAM?
-
-
-Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
 
  
 
diff --git a/mdop/mbam-v25/deploying-the-mbam-25-client.md b/mdop/mbam-v25/deploying-the-mbam-25-client.md
index 8eef257b98..5c05697ce7 100644
--- a/mdop/mbam-v25/deploying-the-mbam-25-client.md
+++ b/mdop/mbam-v25/deploying-the-mbam-25-client.md
@@ -49,11 +49,8 @@ This section explains how to install the MBAM Client by using a command line.
 
 [Deploying MBAM 2.5](deploying-mbam-25.md)
 
-## Got a suggestion for MBAM?
 
 
-Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
-
 ## Related topics
 
 
@@ -62,7 +59,9 @@ Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-micros
 [Planning for MBAM 2.5](planning-for-mbam-25.md)
 
  
-
+## Got a suggestion for MBAM?
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
  
 
 
diff --git a/mdop/mbam-v25/deploying-the-mbam-25-server-infrastructure.md b/mdop/mbam-v25/deploying-the-mbam-25-server-infrastructure.md
index 781cc1966b..47c09e74df 100644
--- a/mdop/mbam-v25/deploying-the-mbam-25-server-infrastructure.md
+++ b/mdop/mbam-v25/deploying-the-mbam-25-server-infrastructure.md
@@ -46,18 +46,15 @@ To deploy the Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 Serve
 
  
 
-## Got a suggestion for MBAM?
-
-
-Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
-
 ## Related topics
 
 
 [Deploying MBAM 2.5](deploying-mbam-25.md)
 
  
-
+## Got a suggestion for MBAM?
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
  
 
 
diff --git a/mdop/mbam-v25/determining-why-a-device-receives-a-noncompliance-message.md b/mdop/mbam-v25/determining-why-a-device-receives-a-noncompliance-message.md
index 6167e37171..e1dbf01ed9 100644
--- a/mdop/mbam-v25/determining-why-a-device-receives-a-noncompliance-message.md
+++ b/mdop/mbam-v25/determining-why-a-device-receives-a-noncompliance-message.md
@@ -103,11 +103,6 @@ You can use your preferred method to view WMI. If you use PowerShell, run `gwmi
 
  
 
-## Got a suggestion for MBAM?
-
-
-Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
-
 ## Related topics
 
 
@@ -116,7 +111,9 @@ Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-micros
 [Configuring MBAM 2.5 Server Features by Using Windows PowerShell](configuring-mbam-25-server-features-by-using-windows-powershell.md)
 
  
-
+## Got a suggestion for MBAM?
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
  
 
 
diff --git a/mdop/mbam-v25/edit-the-configurationmof-file-mbam-25.md b/mdop/mbam-v25/edit-the-configurationmof-file-mbam-25.md
index 33cea5faa3..f4616b4724 100644
--- a/mdop/mbam-v25/edit-the-configurationmof-file-mbam-25.md
+++ b/mdop/mbam-v25/edit-the-configurationmof-file-mbam-25.md
@@ -364,7 +364,6 @@ To enable the client computers to report BitLocker compliance details through th
     //=======================================================
     ```
 
-    **Got a suggestion for MBAM**? Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). **Got a MBAM issue**? Use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
 
 ## Related topics
 
@@ -378,7 +377,9 @@ To enable the client computers to report BitLocker compliance details through th
  
 
  
-
+## Got a suggestion for MBAM?
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
 
 
 
diff --git a/mdop/mbam-v25/editing-the-mbam-25-group-policy-settings.md b/mdop/mbam-v25/editing-the-mbam-25-group-policy-settings.md
index 6be3a9fd6e..543f7e2ff6 100644
--- a/mdop/mbam-v25/editing-the-mbam-25-group-policy-settings.md
+++ b/mdop/mbam-v25/editing-the-mbam-25-group-policy-settings.md
@@ -91,8 +91,6 @@ Do not change the Group Policy settings in the **BitLocker Drive Encryption** no
 
      
 
-    **Got a suggestion for MBAM**? Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). **Got a MBAM issue**? Use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
-
 ## Related topics
 
 
@@ -101,7 +99,9 @@ Do not change the Group Policy settings in the **BitLocker Drive Encryption** no
 [Copying the MBAM 2.5 Group Policy Templates](copying-the-mbam-25-group-policy-templates.md)
 
  
-
+## Got a suggestion for MBAM?
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
  
 
 
diff --git a/mdop/mbam-v25/evaluating-mbam-25-in-a-test-environment.md b/mdop/mbam-v25/evaluating-mbam-25-in-a-test-environment.md
index 43d0bb217f..cd19e01e59 100644
--- a/mdop/mbam-v25/evaluating-mbam-25-in-a-test-environment.md
+++ b/mdop/mbam-v25/evaluating-mbam-25-in-a-test-environment.md
@@ -393,7 +393,6 @@ To evaluate MBAM by using the Configuration Manager Integration topology, follow
 
     2.  Within the **MBAM** node, select the folder that represents the language in which you want to view reports, and then select the report from the results pane.
 
-**Got a suggestion for MBAM**? Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). **Got a MBAM issue**? Use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
 
 ## Related topics
 
@@ -401,8 +400,9 @@ To evaluate MBAM by using the Configuration Manager Integration topology, follow
 [Getting Started with MBAM 2.5](getting-started-with-mbam-25.md)
 
  
-
- 
+## Got a suggestion for MBAM?
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
 
 
 
diff --git a/mdop/mbam-v25/generating-mbam-25-stand-alone-reports.md b/mdop/mbam-v25/generating-mbam-25-stand-alone-reports.md
index fa5b3d6352..311409761a 100644
--- a/mdop/mbam-v25/generating-mbam-25-stand-alone-reports.md
+++ b/mdop/mbam-v25/generating-mbam-25-stand-alone-reports.md
@@ -93,7 +93,7 @@ To run the reports, you must be a member of the **MBAM Report Users** group, whi
 
 2.  Click **View Report** to view the report.
 
-    **Got a suggestion for MBAM**? Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). **Got a MBAM issue**? Use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
+
 
 ## Related topics
 
@@ -104,7 +104,9 @@ To run the reports, you must be a member of the **MBAM Report Users** group, whi
 
  
 
- 
+## Got a suggestion for MBAM?
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). 
 
 
 
diff --git a/mdop/mbam-v25/getting-started-with-mbam-25.md b/mdop/mbam-v25/getting-started-with-mbam-25.md
index 095e8a955b..3513df82f6 100644
--- a/mdop/mbam-v25/getting-started-with-mbam-25.md
+++ b/mdop/mbam-v25/getting-started-with-mbam-25.md
@@ -91,9 +91,8 @@ MBAM 2.5 is a part of the Microsoft Desktop Optimization Pack (MDOP). MDOP is pa
 [Technical Reference for MBAM 2.5](technical-reference-for-mbam-25.md)
 
 ## Got a suggestion for MBAM?
-
-
-Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
 
  
 
diff --git a/mdop/mbam-v25/hiding-the-default-bitlocker-drive-encryption-item-in-control-panel-mbam-25.md b/mdop/mbam-v25/hiding-the-default-bitlocker-drive-encryption-item-in-control-panel-mbam-25.md
index 0c6a56e80a..e91ed7e0c7 100644
--- a/mdop/mbam-v25/hiding-the-default-bitlocker-drive-encryption-item-in-control-panel-mbam-25.md
+++ b/mdop/mbam-v25/hiding-the-default-bitlocker-drive-encryption-item-in-control-panel-mbam-25.md
@@ -40,7 +40,7 @@ Do not change the Group Policy settings in the **BitLocker Drive Encryption** no
 
 3.  Click **Show**, click **Add**, and then type **Microsoft.BitLockerDriveEncryption**.
 
-    **Got a suggestion for MBAM**? Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). **Got a MBAM issue**? Use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
+
 
 ## Related topics
 
@@ -51,7 +51,9 @@ Do not change the Group Policy settings in the **BitLocker Drive Encryption** no
 
  
 
- 
+## Got a suggestion for MBAM?
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). 
 
 
 
diff --git a/mdop/mbam-v25/high-level-architecture-for-mbam-25.md b/mdop/mbam-v25/high-level-architecture-for-mbam-25.md
index bf090ec2c0..4b67d0891b 100644
--- a/mdop/mbam-v25/high-level-architecture-for-mbam-25.md
+++ b/mdop/mbam-v25/high-level-architecture-for-mbam-25.md
@@ -33,9 +33,8 @@ Microsoft BitLocker Administration and Monitoring can be deployed in a Stand-alo
 [Getting Started with MBAM 2.5](getting-started-with-mbam-25.md)
 
 ## Got a suggestion for MBAM?
-
-
-Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
 
  
 
diff --git a/mdop/mbam-v25/high-level-architecture-of-mbam-25-with-configuration-manager-integration-topology.md b/mdop/mbam-v25/high-level-architecture-of-mbam-25-with-configuration-manager-integration-topology.md
index 383814410b..41afc5d8a5 100644
--- a/mdop/mbam-v25/high-level-architecture-of-mbam-25-with-configuration-manager-integration-topology.md
+++ b/mdop/mbam-v25/high-level-architecture-of-mbam-25-with-configuration-manager-integration-topology.md
@@ -275,10 +275,6 @@ The integration of MBAM with Configuration Manager is based on a configuration p
 
  
 
-## Got a suggestion for MBAM?
-
-
-Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
 
 ## Related topics
 
@@ -292,7 +288,9 @@ Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-micros
  
 
  
-
+## Got a suggestion for MBAM?
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
 
 
 
diff --git a/mdop/mbam-v25/high-level-architecture-of-mbam-25-with-stand-alone-topology.md b/mdop/mbam-v25/high-level-architecture-of-mbam-25-with-stand-alone-topology.md
index a9f2aeb37c..c494392cfe 100644
--- a/mdop/mbam-v25/high-level-architecture-of-mbam-25-with-stand-alone-topology.md
+++ b/mdop/mbam-v25/high-level-architecture-of-mbam-25-with-stand-alone-topology.md
@@ -135,12 +135,7 @@ The MBAM Client:
 
 -   Collects recovery information and computer information about the client computers.
 
- 
 
-## Got a suggestion for MBAM?
-
-
-Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
 
 ## Related topics
 
@@ -153,7 +148,9 @@ Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-micros
 
  
 
- 
+## Got a suggestion for MBAM?
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). 
 
 
 
diff --git a/mdop/mbam-v25/how-to-configure-the-mbam-25-databases.md b/mdop/mbam-v25/how-to-configure-the-mbam-25-databases.md
index 14ef61134c..af16424434 100644
--- a/mdop/mbam-v25/how-to-configure-the-mbam-25-databases.md
+++ b/mdop/mbam-v25/how-to-configure-the-mbam-25-databases.md
@@ -212,7 +212,7 @@ The instructions are based on the recommended architecture in [High-Level Archit
 
 5.  Click **Add** to add the MBAM databases on the server, and then click **Close**.
 
-    **Got a suggestion for MBAM**? Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). **Got a MBAM issue**? Use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
+
 
 ## Related topics
 
@@ -229,7 +229,9 @@ The instructions are based on the recommended architecture in [High-Level Archit
 
  
 
- 
+## Got a suggestion for MBAM?
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). 
 
 
 
diff --git a/mdop/mbam-v25/how-to-configure-the-mbam-25-reports.md b/mdop/mbam-v25/how-to-configure-the-mbam-25-reports.md
index c6ef960a9b..10ac435c9b 100644
--- a/mdop/mbam-v25/how-to-configure-the-mbam-25-reports.md
+++ b/mdop/mbam-v25/how-to-configure-the-mbam-25-reports.md
@@ -153,7 +153,7 @@ The instructions are based on the recommended architecture in [High-Level Archit
 
 8.  Click **Add** to add the Reports on the server, and then click **Close**.
 
-    **Got a suggestion for MBAM**? Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). **Got a MBAM issue**? Use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
+
 
 ## Related topics
 
@@ -167,7 +167,9 @@ The instructions are based on the recommended architecture in [High-Level Archit
 [Validating the MBAM 2.5 Server Feature Configuration](validating-the-mbam-25-server-feature-configuration.md)
 
  
-
+## Got a suggestion for MBAM?
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
  
 
 
diff --git a/mdop/mbam-v25/how-to-configure-the-mbam-25-system-center-configuration-manager-integration.md b/mdop/mbam-v25/how-to-configure-the-mbam-25-system-center-configuration-manager-integration.md
index c9710d5a86..596b57c08d 100644
--- a/mdop/mbam-v25/how-to-configure-the-mbam-25-system-center-configuration-manager-integration.md
+++ b/mdop/mbam-v25/how-to-configure-the-mbam-25-system-center-configuration-manager-integration.md
@@ -127,7 +127,7 @@ The instructions are based on the recommended architecture in [High-Level Archit
 
 6.  Click **Add** to add the Configuration Manager Integration feature to the server, and then click **Close**.
 
-    **Got a suggestion for MBAM**? Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). **Got a MBAM issue**? Use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
+
 
 ## Related topics
 
@@ -137,7 +137,9 @@ The instructions are based on the recommended architecture in [High-Level Archit
 [Validating the MBAM 2.5 Server Feature Configuration](validating-the-mbam-25-server-feature-configuration.md)
 
  
-
+## Got a suggestion for MBAM?
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
  
 
 
diff --git a/mdop/mbam-v25/how-to-configure-the-mbam-25-web-applications.md b/mdop/mbam-v25/how-to-configure-the-mbam-25-web-applications.md
index ff0808091b..144484a16f 100644
--- a/mdop/mbam-v25/how-to-configure-the-mbam-25-web-applications.md
+++ b/mdop/mbam-v25/how-to-configure-the-mbam-25-web-applications.md
@@ -405,7 +405,6 @@ The web applications comprise the following websites and their corresponding web
 
     -   If your client computers do not have access to the CDN, complete the steps in [How to Configure the Self-Service Portal When Client Computers Cannot Access the Microsoft Content Delivery Network](how-to-configure-the-self-service-portal-when-client-computers-cannot-access-the-microsoft-content-delivery-network.md).
 
-    **Got a suggestion for MBAM**? Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). **Got a MBAM issue**? Use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
 
 ## Related topics
 
@@ -422,7 +421,9 @@ The web applications comprise the following websites and their corresponding web
 
  
 
- 
+## Got a suggestion for MBAM?
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). 
 
 
 
diff --git a/mdop/mbam-v25/how-to-configure-the-self-service-portal-when-client-computers-cannot-access-the-microsoft-content-delivery-network.md b/mdop/mbam-v25/how-to-configure-the-self-service-portal-when-client-computers-cannot-access-the-microsoft-content-delivery-network.md
index bd79f78e48..95f7fcdc46 100644
--- a/mdop/mbam-v25/how-to-configure-the-self-service-portal-when-client-computers-cannot-access-the-microsoft-content-delivery-network.md
+++ b/mdop/mbam-v25/how-to-configure-the-self-service-portal-when-client-computers-cannot-access-the-microsoft-content-delivery-network.md
@@ -56,9 +56,7 @@ In MBAM 2.5 SP1, the JavaScript files are included in the product, and you do no
 
     -   jQueryValidateUnobtrusivePath: /&lt;*virtual directory*&gt;/Scripts/jQuery.validate.unobtrusive.min.js
 
-    **Got a suggestion for MBAM**? Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring).
 
-    **Got a MBAM issue**? Use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
 
 ## Related topics
 
@@ -67,7 +65,9 @@ In MBAM 2.5 SP1, the JavaScript files are included in the product, and you do no
 
  
 
- 
+## Got a suggestion for MBAM?
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). 
 
 
 
diff --git a/mdop/mbam-v25/how-to-deploy-the-mbam-client-by-using-a-command-line.md b/mdop/mbam-v25/how-to-deploy-the-mbam-client-by-using-a-command-line.md
index 8bf86c7ee8..7cea28e8c8 100644
--- a/mdop/mbam-v25/how-to-deploy-the-mbam-client-by-using-a-command-line.md
+++ b/mdop/mbam-v25/how-to-deploy-the-mbam-client-by-using-a-command-line.md
@@ -73,7 +73,6 @@ You can use this command-line option with either of the following installation m
 
  
 
-**Got a suggestion for MBAM**? Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). **Got a MBAM issue**? Use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
 
 ## Related topics
 
@@ -83,7 +82,9 @@ You can use this command-line option with either of the following installation m
  
 
  
-
+## Got a suggestion for MBAM?
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
 
 
 
diff --git a/mdop/mbam-v25/how-to-deploy-the-mbam-client-to-desktop-or-laptop-computers-mbam-25.md b/mdop/mbam-v25/how-to-deploy-the-mbam-client-to-desktop-or-laptop-computers-mbam-25.md
index 988dabca29..9e9d2160e5 100644
--- a/mdop/mbam-v25/how-to-deploy-the-mbam-client-to-desktop-or-laptop-computers-mbam-25.md
+++ b/mdop/mbam-v25/how-to-deploy-the-mbam-client-to-desktop-or-laptop-computers-mbam-25.md
@@ -35,18 +35,17 @@ Before you start the MBAM Client deployment, review the [MBAM 2.5 Supported Conf
 
      
 
-    **Got a suggestion for MBAM**? Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). **Got a MBAM issue**? Use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
 
 ## Related topics
-
-
 [Deploying the MBAM 2.5 Client](deploying-the-mbam-25-client.md)
 
 [Planning for MBAM 2.5 Client Deployment](planning-for-mbam-25-client-deployment.md)
 
  
 
- 
+## Got a suggestion for MBAM?
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). 
 
 
 
diff --git a/mdop/mbam-v25/how-to-determine-bitlocker-encryption-state-of-lost-computers-mbam-25.md b/mdop/mbam-v25/how-to-determine-bitlocker-encryption-state-of-lost-computers-mbam-25.md
index f618e1c78e..b7434dc064 100644
--- a/mdop/mbam-v25/how-to-determine-bitlocker-encryption-state-of-lost-computers-mbam-25.md
+++ b/mdop/mbam-v25/how-to-determine-bitlocker-encryption-state-of-lost-computers-mbam-25.md
@@ -39,7 +39,7 @@ Device compliance is determined by the BitLocker policies that your enterprise h
 
 5.  Take the appropriate action, as determined by your policy for lost devices.
 
-    **Got a suggestion for MBAM**? Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). **Got a MBAM issue**? Use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
+
 
 ## Related topics
 
@@ -47,7 +47,9 @@ Device compliance is determined by the BitLocker policies that your enterprise h
 [Performing BitLocker Management with MBAM 2.5](performing-bitlocker-management-with-mbam-25.md)
 
  
-
+## Got a suggestion for MBAM?
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
  
 
 
diff --git a/mdop/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25.md b/mdop/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25.md
index 6161649e6f..79cc189aaa 100644
--- a/mdop/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25.md
+++ b/mdop/mbam-v25/how-to-enable-bitlocker-by-using-mbam-as-part-of-a-windows-deploymentmbam-25.md
@@ -328,3 +328,6 @@ Here are a list of common error messages:
 
 [Planning for MBAM 2.5 Client Deployment](planning-for-mbam-25-client-deployment.md)
 
+## Got a suggestion for MBAM?
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
\ No newline at end of file
diff --git a/mdop/mbam-v25/how-to-localize-the-helpdesktext-statement-that-points-users-to-more-self-service-portal-information.md b/mdop/mbam-v25/how-to-localize-the-helpdesktext-statement-that-points-users-to-more-self-service-portal-information.md
index 6f899ad463..74cb3987aa 100644
--- a/mdop/mbam-v25/how-to-localize-the-helpdesktext-statement-that-points-users-to-more-self-service-portal-information.md
+++ b/mdop/mbam-v25/how-to-localize-the-helpdesktext-statement-that-points-users-to-more-self-service-portal-information.md
@@ -37,7 +37,7 @@ In the following instructions, *SelfService* is the default virtual directory na
 
 4.  In the **Value** field, type the localized text that you want to display to end users.
 
-    **Got a suggestion for MBAM**? Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). **Got a MBAM issue**? Use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
+
 
 ## Related topics
 
@@ -48,7 +48,9 @@ In the following instructions, *SelfService* is the default virtual directory na
 
  
 
-
+## Got a suggestion for MBAM?
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
 
 
 
diff --git a/mdop/mbam-v25/how-to-localize-the-self-service-portal-helpdeskurl.md b/mdop/mbam-v25/how-to-localize-the-self-service-portal-helpdeskurl.md
index b7d2e10ad7..03920986d6 100644
--- a/mdop/mbam-v25/how-to-localize-the-self-service-portal-helpdeskurl.md
+++ b/mdop/mbam-v25/how-to-localize-the-self-service-portal-helpdeskurl.md
@@ -39,7 +39,7 @@ In the following instructions, *SelfService* is the default virtual directory na
 
 4.  In the **Value** field, type the localized version of the `HelpdeskURL` value that you want to display to end users.
 
-    **Got a suggestion for MBAM**? Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). **Got a MBAM issue**? Use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
+
 
 ## Related topics
 
@@ -49,7 +49,9 @@ In the following instructions, *SelfService* is the default virtual directory na
  
 
  
-
+## Got a suggestion for MBAM?
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
 
 
 
diff --git a/mdop/mbam-v25/how-to-localize-the-self-service-portal-notice-text.md b/mdop/mbam-v25/how-to-localize-the-self-service-portal-notice-text.md
index 1a82463029..a4cfaa869c 100644
--- a/mdop/mbam-v25/how-to-localize-the-self-service-portal-notice-text.md
+++ b/mdop/mbam-v25/how-to-localize-the-self-service-portal-notice-text.md
@@ -61,7 +61,7 @@ If an end user’s browser is set to a language that does not have a correspondi
 
     The name of the Language folder can also be the language neutral name **es** instead of **es-es**. If the end user’s browser is set to **es-es** and that folder does not exist, the parent locale (as defined in .NET) is recursively retrieved and checked, resolving to &lt;MBAM Self-Service Install Directory&gt;\\SelfServiceWebsite\\es\\Notice.txt before finally becoming the default Notice.txt file. This recursive fallback mimics the .NET resource loading rules.
 
-    **Got a suggestion for MBAM**? Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). **Got a MBAM issue**? Use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
+
 
 ## Related topics
 
@@ -70,7 +70,9 @@ If an end user’s browser is set to a language that does not have a correspondi
 
  
 
- 
+## Got a suggestion for MBAM?
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). 
 
 
 
diff --git a/mdop/mbam-v25/how-to-manage-user-bitlocker-encryption-exemptions-mbam-25.md b/mdop/mbam-v25/how-to-manage-user-bitlocker-encryption-exemptions-mbam-25.md
index 13f9dbdcdd..3337c2bd83 100644
--- a/mdop/mbam-v25/how-to-manage-user-bitlocker-encryption-exemptions-mbam-25.md
+++ b/mdop/mbam-v25/how-to-manage-user-bitlocker-encryption-exemptions-mbam-25.md
@@ -145,7 +145,6 @@ The following steps describe what occurs when end users request an exemption fro
 
      
 
-    **Got a suggestion for MBAM**? Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). **Got a MBAM issue**? Use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
 
 ## Related topics
 
@@ -157,7 +156,9 @@ The following steps describe what occurs when end users request an exemption fro
  
 
  
-
+## Got a suggestion for MBAM?
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
 
 
 
diff --git a/mdop/mbam-v25/how-to-move-the-mbam-25-databases.md b/mdop/mbam-v25/how-to-move-the-mbam-25-databases.md
index f9250586ad..ddeb99133d 100644
--- a/mdop/mbam-v25/how-to-move-the-mbam-25-databases.md
+++ b/mdop/mbam-v25/how-to-move-the-mbam-25-databases.md
@@ -495,7 +495,7 @@ The high-level steps for moving the Compliance and Audit Database are:
 
          
 
-**Got a suggestion for MBAM**? Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). **Got a MBAM issue**? Use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
+
 
 ## Related topics
 
@@ -509,7 +509,9 @@ The high-level steps for moving the Compliance and Audit Database are:
  
 
  
-
+## Got a suggestion for MBAM?
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
 
 
 
diff --git a/mdop/mbam-v25/how-to-move-the-mbam-25-reports.md b/mdop/mbam-v25/how-to-move-the-mbam-25-reports.md
index 3a188b39c7..bc5fa5a455 100644
--- a/mdop/mbam-v25/how-to-move-the-mbam-25-reports.md
+++ b/mdop/mbam-v25/how-to-move-the-mbam-25-reports.md
@@ -117,7 +117,7 @@ To run the example Windows PowerShell scripts in this topic, you must update the
 
      
 
-    **Got a suggestion for MBAM**? Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). **Got a MBAM issue**? Use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
+
 
 ## Related topics
 
@@ -129,7 +129,9 @@ To run the example Windows PowerShell scripts in this topic, you must update the
 [Moving MBAM 2.5 Features to Another Server](moving-mbam-25-features-to-another-server.md)
 
  
-
+## Got a suggestion for MBAM?
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
  
 
 
diff --git a/mdop/mbam-v25/how-to-move-the-mbam-25-websites.md b/mdop/mbam-v25/how-to-move-the-mbam-25-websites.md
index 8013c027ac..a95d698126 100644
--- a/mdop/mbam-v25/how-to-move-the-mbam-25-websites.md
+++ b/mdop/mbam-v25/how-to-move-the-mbam-25-websites.md
@@ -49,7 +49,7 @@ During the configuration of both websites, you must provide the same connection
 
 4.  Customize the Self-Service Portal for your organization. Use the instructions in [Customizing the Self-Service Portal for Your Organization](customizing-the-self-service-portal-for-your-organization.md) to review your current customizations and to configure custom settings on the Self-Server Portal on Server B.
 
-    **Got a suggestion for MBAM**? Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). **Got a MBAM issue**? Use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
+
 
 ## Related topics
 
@@ -62,7 +62,9 @@ During the configuration of both websites, you must provide the same connection
 
  
 
- 
+## Got a suggestion for MBAM?
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). 
 
 
 
diff --git a/mdop/mbam-v25/how-to-recover-a-corrupted-drive-mbam-25.md b/mdop/mbam-v25/how-to-recover-a-corrupted-drive-mbam-25.md
index d5cd38afb0..dc18c38f3d 100644
--- a/mdop/mbam-v25/how-to-recover-a-corrupted-drive-mbam-25.md
+++ b/mdop/mbam-v25/how-to-recover-a-corrupted-drive-mbam-25.md
@@ -75,7 +75,6 @@ You can use this procedure with the Administration and Monitoring Website (also
 
      
 
-    **Got a suggestion for MBAM**? Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). **Got a MBAM issue**? Use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
 
 ## Related topics
 
@@ -83,7 +82,9 @@ You can use this procedure with the Administration and Monitoring Website (also
 [Performing BitLocker Management with MBAM 2.5](performing-bitlocker-management-with-mbam-25.md)
 
  
-
+## Got a suggestion for MBAM?
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
  
 
 
diff --git a/mdop/mbam-v25/how-to-recover-a-drive-in-recovery-mode-mbam-25.md b/mdop/mbam-v25/how-to-recover-a-drive-in-recovery-mode-mbam-25.md
index f623853f20..c6565a7304 100644
--- a/mdop/mbam-v25/how-to-recover-a-drive-in-recovery-mode-mbam-25.md
+++ b/mdop/mbam-v25/how-to-recover-a-drive-in-recovery-mode-mbam-25.md
@@ -64,7 +64,7 @@ Recovery passwords expire after a single use. On operating system drives and fix
 
     When the user types the recovery password into the system or uses the recovery package, the drive is unlocked.
 
-    **Got a suggestion for MBAM**? Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). **Got a MBAM issue**? Use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
+
 
 ## Related topics
 
@@ -73,7 +73,9 @@ Recovery passwords expire after a single use. On operating system drives and fix
 
  
 
- 
+## Got a suggestion for MBAM?
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). 
 
 
 
diff --git a/mdop/mbam-v25/how-to-recover-a-moved-drive-mbam-25.md b/mdop/mbam-v25/how-to-recover-a-moved-drive-mbam-25.md
index 455fc25647..fe98ceee20 100644
--- a/mdop/mbam-v25/how-to-recover-a-moved-drive-mbam-25.md
+++ b/mdop/mbam-v25/how-to-recover-a-moved-drive-mbam-25.md
@@ -34,7 +34,7 @@ To recover a moved drive, you must use the **Drive Recovery** area of the Admini
 
 5.  When the removal is completed, start the computer normally. The MBAM agent will now enforce the policy to encrypt the drive with the new computer’s TPM plus the PIN.
 
-    **Got a suggestion for MBAM**? Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). **Got a MBAM issue**? Use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
+
 
 ## Related topics
 
@@ -43,7 +43,9 @@ To recover a moved drive, you must use the **Drive Recovery** area of the Admini
 
  
 
- 
+## Got a suggestion for MBAM?
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). 
 
 
 
diff --git a/mdop/mbam-v25/how-to-reset-a-tpm-lockout-mbam-25.md b/mdop/mbam-v25/how-to-reset-a-tpm-lockout-mbam-25.md
index 4640df20d9..9303a8e597 100644
--- a/mdop/mbam-v25/how-to-reset-a-tpm-lockout-mbam-25.md
+++ b/mdop/mbam-v25/how-to-reset-a-tpm-lockout-mbam-25.md
@@ -58,7 +58,7 @@ For information about MBAM and TPM ownership, see [MBAM 2.5 Security Considerati
 
      
 
-    **Got a suggestion for MBAM**? Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). **Got a MBAM issue**? Use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
+
 
 ## Related topics
 
@@ -67,7 +67,9 @@ For information about MBAM and TPM ownership, see [MBAM 2.5 Security Considerati
 
  
 
- 
+## Got a suggestion for MBAM?
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). 
 
 
 
diff --git a/mdop/mbam-v25/how-to-set-the-self-service-portal-branding-and-session-time-out.md b/mdop/mbam-v25/how-to-set-the-self-service-portal-branding-and-session-time-out.md
index 90423cdd28..4a5e23195c 100644
--- a/mdop/mbam-v25/how-to-set-the-self-service-portal-branding-and-session-time-out.md
+++ b/mdop/mbam-v25/how-to-set-the-self-service-portal-branding-and-session-time-out.md
@@ -135,7 +135,7 @@ In the following instructions, *SelfService* is the default virtual directory na
 
      
 
-    **Got a suggestion for MBAM**? Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). **Got a MBAM issue**? Use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
+
 
 ## Related topics
 
@@ -144,7 +144,9 @@ In the following instructions, *SelfService* is the default virtual directory na
 
  
 
- 
+## Got a suggestion for MBAM?
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). 
 
 
 
diff --git a/mdop/mbam-v25/how-to-turn-the-self-service-portal-notice-text-on-or-off.md b/mdop/mbam-v25/how-to-turn-the-self-service-portal-notice-text-on-or-off.md
index d80d1faa45..c2e1679a7c 100644
--- a/mdop/mbam-v25/how-to-turn-the-self-service-portal-notice-text-on-or-off.md
+++ b/mdop/mbam-v25/how-to-turn-the-self-service-portal-notice-text-on-or-off.md
@@ -27,7 +27,7 @@ In the following instructions, *SelfService* is the default virtual directory na
 
 2.  In the **Name** column, select **DisplayNotice**, and set the value to **false**.
 
-    **Got a suggestion for MBAM**? Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). **Got a MBAM issue**? Use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
+
 
 ## Related topics
 
@@ -38,7 +38,9 @@ In the following instructions, *SelfService* is the default virtual directory na
 
  
 
-
+## Got a suggestion for MBAM?
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
 
 
 
diff --git a/mdop/mbam-v25/how-to-use-the-administration-and-monitoring-website.md b/mdop/mbam-v25/how-to-use-the-administration-and-monitoring-website.md
index 149f9a7984..e5107a9650 100644
--- a/mdop/mbam-v25/how-to-use-the-administration-and-monitoring-website.md
+++ b/mdop/mbam-v25/how-to-use-the-administration-and-monitoring-website.md
@@ -116,10 +116,6 @@ The following table summarizes the tasks you can perform on the Administration a
 
  
 
-## Got a suggestion for MBAM?
-
-
-Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
 
 ## Related topics
 
@@ -128,7 +124,9 @@ Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-micros
 
  
 
- 
+## Got a suggestion for MBAM?
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). 
 
 
 
diff --git a/mdop/mbam-v25/how-to-use-the-self-service-portal-to-regain-access-to-a-computer-mbam-25.md b/mdop/mbam-v25/how-to-use-the-self-service-portal-to-regain-access-to-a-computer-mbam-25.md
index c0c48e4539..188b547452 100644
--- a/mdop/mbam-v25/how-to-use-the-self-service-portal-to-regain-access-to-a-computer-mbam-25.md
+++ b/mdop/mbam-v25/how-to-use-the-self-service-portal-to-regain-access-to-a-computer-mbam-25.md
@@ -44,7 +44,7 @@ If the IT administrator configured an IIS Session State time-out, a message is d
 
 4.  Enter the 48-digit code into the BitLocker recovery screen on your computer to regain access to the computer.
 
-    **Got a suggestion for MBAM**? Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). **Got a MBAM issue**? Use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
+
 
 ## Related topics
 
@@ -52,7 +52,9 @@ If the IT administrator configured an IIS Session State time-out, a message is d
 [Performing BitLocker Management with MBAM 2.5](performing-bitlocker-management-with-mbam-25.md)
 
  
-
+## Got a suggestion for MBAM?
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
  
 
 
diff --git a/mdop/mbam-v25/illustrated-features-of-an-mbam-25-deployment.md b/mdop/mbam-v25/illustrated-features-of-an-mbam-25-deployment.md
index cbc2ea71a9..cc36387362 100644
--- a/mdop/mbam-v25/illustrated-features-of-an-mbam-25-deployment.md
+++ b/mdop/mbam-v25/illustrated-features-of-an-mbam-25-deployment.md
@@ -195,10 +195,6 @@ SSRS is installed on a server running Windows Server. A reporting services point
 
  
 
-## Got a suggestion for MBAM?
-
-
-Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
 
 ## Related topics
 
@@ -210,7 +206,9 @@ Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-micros
  
 
  
-
+## Got a suggestion for MBAM?
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
 
 
 
diff --git a/mdop/mbam-v25/index.md b/mdop/mbam-v25/index.md
index 9dd12bcbd5..2a9e37642f 100644
--- a/mdop/mbam-v25/index.md
+++ b/mdop/mbam-v25/index.md
@@ -59,9 +59,8 @@ To get the MBAM software, see [How Do I Get MDOP](https://go.microsoft.com/fwlin
     Get help in choosing a deployment method for MBAM, including step-by-step instructions for each method.
 
 ## Got a suggestion for MBAM?
-
-
-Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
 
  
 
diff --git a/mdop/mbam-v25/installing-the-mbam-25-server-software.md b/mdop/mbam-v25/installing-the-mbam-25-server-software.md
index 2ad71a7cc6..341600418b 100644
--- a/mdop/mbam-v25/installing-the-mbam-25-server-software.md
+++ b/mdop/mbam-v25/installing-the-mbam-25-server-software.md
@@ -126,11 +126,8 @@ The following table describes the command-line parameters for installing the MBA
 
  
 
-## Got a suggestion for MBAM?
 
 
-Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
-
 ## Related topics
 
 
@@ -140,7 +137,9 @@ Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-micros
 
  
 
- 
+## Got a suggestion for MBAM?
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). 
 
 
 
diff --git a/mdop/mbam-v25/maintaining-mbam-25.md b/mdop/mbam-v25/maintaining-mbam-25.md
index dfe1999d5a..6b07d362cf 100644
--- a/mdop/mbam-v25/maintaining-mbam-25.md
+++ b/mdop/mbam-v25/maintaining-mbam-25.md
@@ -36,9 +36,8 @@ Use the steps in this topic to monitor the performance counters that record the
 [Operations for MBAM 2.5](operations-for-mbam-25.md)
 
 ## Got a suggestion for MBAM?
-
-
-Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
 
  
 
diff --git a/mdop/mbam-v25/mbam-25-deployment-checklist.md b/mdop/mbam-v25/mbam-25-deployment-checklist.md
index 23c0ca3666..8169a4c870 100644
--- a/mdop/mbam-v25/mbam-25-deployment-checklist.md
+++ b/mdop/mbam-v25/mbam-25-deployment-checklist.md
@@ -97,10 +97,6 @@ This checklist outlines the recommended steps and a high-level list of items to
 
  
 
-## Got a suggestion for MBAM?
-
-
-Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
 
 ## Related topics
 
@@ -110,7 +106,9 @@ Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-micros
  
 
  
-
+## Got a suggestion for MBAM?
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
 
 
 
diff --git a/mdop/mbam-v25/mbam-25-deployment-prerequisites.md b/mdop/mbam-v25/mbam-25-deployment-prerequisites.md
index 81ae918046..fd80f252ae 100644
--- a/mdop/mbam-v25/mbam-25-deployment-prerequisites.md
+++ b/mdop/mbam-v25/mbam-25-deployment-prerequisites.md
@@ -53,9 +53,8 @@ This section contains the software that you must install before starting the Mic
 -   [MBAM 2.5 Supported Configurations](mbam-25-supported-configurations.md)
 
 ## Got a suggestion for MBAM?
-
-
-Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
 
  
 
diff --git a/mdop/mbam-v25/mbam-25-planning-checklist.md b/mdop/mbam-v25/mbam-25-planning-checklist.md
index c4ab206f5a..a62ddee30b 100644
--- a/mdop/mbam-v25/mbam-25-planning-checklist.md
+++ b/mdop/mbam-v25/mbam-25-planning-checklist.md
@@ -124,10 +124,6 @@ You can use the following checklists to help you prepare your computing environm
 
  
 
-## Got a suggestion for MBAM?
-
-
-Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
 
 ## Related topics
 
@@ -137,7 +133,9 @@ Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-micros
  
 
  
-
+## Got a suggestion for MBAM?
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
 
 
 
diff --git a/mdop/mbam-v25/mbam-25-security-considerations.md b/mdop/mbam-v25/mbam-25-security-considerations.md
index 1ab4144ac1..3f10ae0da3 100644
--- a/mdop/mbam-v25/mbam-25-security-considerations.md
+++ b/mdop/mbam-v25/mbam-25-security-considerations.md
@@ -295,18 +295,17 @@ For an example of how to enable TDE for MBAM database instances, see [Understand
 
 **Use strong passwords or pass phrases**. Always use strong passwords with 15 or more characters for all MBAM administrator accounts. Never use blank passwords. For more information about password concepts, see [Password Policy](http://technet.microsoft.com/library/hh994572.aspx).
 
-## Got a suggestion for MBAM?
 
 
-Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
-
 ## Related topics
 
 
 [Planning to Deploy MBAM 2.5](planning-to-deploy-mbam-25.md)
 
  
-
+## Got a suggestion for MBAM?
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
  
 
 
diff --git a/mdop/mbam-v25/mbam-25-server-prerequisites-for-stand-alone-and-configuration-manager-integration-topologies.md b/mdop/mbam-v25/mbam-25-server-prerequisites-for-stand-alone-and-configuration-manager-integration-topologies.md
index b5cd982105..5d73f5edf1 100644
--- a/mdop/mbam-v25/mbam-25-server-prerequisites-for-stand-alone-and-configuration-manager-integration-topologies.md
+++ b/mdop/mbam-v25/mbam-25-server-prerequisites-for-stand-alone-and-configuration-manager-integration-topologies.md
@@ -407,11 +407,8 @@ Setspn -s http/mbamvirtual.contoso.com contoso\mbamapppooluser</code></pre>
 
  
 
-## Got a suggestion for MBAM?
 
 
-Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
-
 ## Related topics
 
 
@@ -424,7 +421,9 @@ Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-micros
  
 
  
-
+## Got a suggestion for MBAM?
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
 
 
 
diff --git a/mdop/mbam-v25/mbam-25-server-prerequisites-that-apply-only-to-the-configuration-manager-integration-topology.md b/mdop/mbam-v25/mbam-25-server-prerequisites-that-apply-only-to-the-configuration-manager-integration-topology.md
index b29f39406b..93707f9f9d 100644
--- a/mdop/mbam-v25/mbam-25-server-prerequisites-that-apply-only-to-the-configuration-manager-integration-topology.md
+++ b/mdop/mbam-v25/mbam-25-server-prerequisites-that-apply-only-to-the-configuration-manager-integration-topology.md
@@ -37,10 +37,6 @@ To enable the client computers to report BitLocker compliance details in the MBA
 
 [Create or Edit the Sms\_def.mof File](create-or-edit-the-sms-defmof-file-mbam-25.md)
 
-## Got a suggestion for MBAM?
-
-
-Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
 
 ## Related topics
 
@@ -54,7 +50,9 @@ Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-micros
  
 
  
-
+## Got a suggestion for MBAM?
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
 
 
 
diff --git a/mdop/mbam-v25/mbam-25-supported-configurations.md b/mdop/mbam-v25/mbam-25-supported-configurations.md
index 195d6fcf64..1c9cdc239c 100644
--- a/mdop/mbam-v25/mbam-25-supported-configurations.md
+++ b/mdop/mbam-v25/mbam-25-supported-configurations.md
@@ -561,11 +561,8 @@ The MBAM server can be deployed in Azure Infrastructure as a Service (IaaS) on a
 
 The MBAM client is not supported on virtual machines and is also not supported on Azure IaaS.
 
-## Got a suggestion for MBAM?
 
 
-Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
-
 ## Related topics
 
 
@@ -576,7 +573,9 @@ Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-micros
  
 
  
-
+## Got a suggestion for MBAM?
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
 
 
 
diff --git a/mdop/mbam-v25/monitoring-and-reporting-bitlocker-compliance-with-mbam-25.md b/mdop/mbam-v25/monitoring-and-reporting-bitlocker-compliance-with-mbam-25.md
index 86650a1bfd..e7f1395a8b 100644
--- a/mdop/mbam-v25/monitoring-and-reporting-bitlocker-compliance-with-mbam-25.md
+++ b/mdop/mbam-v25/monitoring-and-reporting-bitlocker-compliance-with-mbam-25.md
@@ -44,9 +44,8 @@ The topic in this section describes the reports for the Configuration Manager In
 [Operations for MBAM 2.5](operations-for-mbam-25.md)
 
 ## Got a suggestion for MBAM?
-
-
-Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
 
  
 
diff --git a/mdop/mbam-v25/monitoring-web-service-request-performance-counters.md b/mdop/mbam-v25/monitoring-web-service-request-performance-counters.md
index 113fa272b8..6376939620 100644
--- a/mdop/mbam-v25/monitoring-web-service-request-performance-counters.md
+++ b/mdop/mbam-v25/monitoring-web-service-request-performance-counters.md
@@ -81,11 +81,8 @@ The recommended tool for viewing MBAM performance counters is Windows Performanc
 
 For detailed instructions on how to view performance counters, see [How to View MBAM Performance Counters](https://go.microsoft.com/fwlink/?LinkId=393457).
 
-## Got a suggestion for MBAM?
 
 
-Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
-
 ## Related topics
 
 
@@ -96,6 +93,8 @@ Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-micros
  
 
 
-
+## Got a suggestion for MBAM?
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
 
 
diff --git a/mdop/mbam-v25/moving-mbam-25-features-to-another-server.md b/mdop/mbam-v25/moving-mbam-25-features-to-another-server.md
index 557110bbd6..00fdddca93 100644
--- a/mdop/mbam-v25/moving-mbam-25-features-to-another-server.md
+++ b/mdop/mbam-v25/moving-mbam-25-features-to-another-server.md
@@ -41,9 +41,8 @@ Microsoft BitLocker Administration and Monitoring (MBAM) 2.5 enables you to move
 -   [Configuring the MBAM 2.5 Server Features](configuring-the-mbam-25-server-features.md)
 
 ## Got a suggestion for MBAM?
-
-
-Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
 
  
 
diff --git a/mdop/mbam-v25/operations-for-mbam-25.md b/mdop/mbam-v25/operations-for-mbam-25.md
index 0be326e434..5a895028c3 100644
--- a/mdop/mbam-v25/operations-for-mbam-25.md
+++ b/mdop/mbam-v25/operations-for-mbam-25.md
@@ -55,9 +55,8 @@ This topic describes the types of administrative tasks that you can perform with
 [Technical Reference for MBAM 2.5](technical-reference-for-mbam-25.md)
 
 ## Got a suggestion for MBAM?
-
-
-Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
 
  
 
diff --git a/mdop/mbam-v25/performing-bitlocker-management-with-mbam-25.md b/mdop/mbam-v25/performing-bitlocker-management-with-mbam-25.md
index a6765849f0..37802d9fc1 100644
--- a/mdop/mbam-v25/performing-bitlocker-management-with-mbam-25.md
+++ b/mdop/mbam-v25/performing-bitlocker-management-with-mbam-25.md
@@ -52,11 +52,8 @@ If end users get locked out of Windows by BitLocker, they can use the instructio
 
 [How to Use the Self-Service Portal to Regain Access to a Computer](how-to-use-the-self-service-portal-to-regain-access-to-a-computer-mbam-25.md)
 
-## Got a suggestion for MBAM?
 
 
-Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
-
 ## Related topics
 
 
@@ -64,7 +61,9 @@ Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-micros
 
  
 
- 
+## Got a suggestion for MBAM?
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). 
 
 
 
diff --git a/mdop/mbam-v25/planning-for-mbam-25-client-deployment.md b/mdop/mbam-v25/planning-for-mbam-25-client-deployment.md
index 105ec5910e..54bddfa55e 100644
--- a/mdop/mbam-v25/planning-for-mbam-25-client-deployment.md
+++ b/mdop/mbam-v25/planning-for-mbam-25-client-deployment.md
@@ -59,10 +59,6 @@ The TPM protector option requires the administrator to accept the BIOS prompt to
 
 MBAM supports BitLocker on Encrypted Hard Drives that meet TCG specification requirements for Opal as well as IEEE 1667 standards. When BitLocker is enabled on these devices, it will generate keys and perform management functions on the encrypted drive. See [Encrypted Hard Drive](https://technet.microsoft.com/library/hh831627.aspx) for more information.
 
-## Got a suggestion for MBAM?
-
-
-Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
 
 ## Related topics
 
@@ -74,7 +70,9 @@ Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-micros
  
 
  
-
+## Got a suggestion for MBAM?
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
 
 
 
diff --git a/mdop/mbam-v25/planning-for-mbam-25-group-policy-requirements.md b/mdop/mbam-v25/planning-for-mbam-25-group-policy-requirements.md
index 96c6732f3b..c016d3779d 100644
--- a/mdop/mbam-v25/planning-for-mbam-25-group-policy-requirements.md
+++ b/mdop/mbam-v25/planning-for-mbam-25-group-policy-requirements.md
@@ -512,10 +512,6 @@ This section describes Removable Drive Group Policy definitions for Microsoft Bi
 
  
 
-## Got a suggestion for MBAM?
-
-
-Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopmbam).
 
 ## Related topics
 
@@ -525,7 +521,9 @@ Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-micros
 [MBAM 2.5 Deployment Prerequisites](mbam-25-deployment-prerequisites.md)
 
  
-
+## Got a suggestion for MBAM?
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
  
 
 
diff --git a/mdop/mbam-v25/planning-for-mbam-25-groups-and-accounts.md b/mdop/mbam-v25/planning-for-mbam-25-groups-and-accounts.md
index 3271b950b3..541ece0a38 100644
--- a/mdop/mbam-v25/planning-for-mbam-25-groups-and-accounts.md
+++ b/mdop/mbam-v25/planning-for-mbam-25-groups-and-accounts.md
@@ -172,10 +172,6 @@ Create the following accounts for the Administration and Monitoring Website.
 
  
 
-## Got a suggestion for MBAM?
-
-
-Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
 
 ## Related topics
 
@@ -186,7 +182,9 @@ Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-micros
 
  
 
- 
+## Got a suggestion for MBAM?
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). 
 
 
 
diff --git a/mdop/mbam-v25/planning-for-mbam-25-high-availability.md b/mdop/mbam-v25/planning-for-mbam-25-high-availability.md
index 29829ab49e..fcf168b878 100644
--- a/mdop/mbam-v25/planning-for-mbam-25-high-availability.md
+++ b/mdop/mbam-v25/planning-for-mbam-25-high-availability.md
@@ -123,11 +123,8 @@ MBAM provides a Volume Shadow Copy Service (VSS) writer, called the Microsoft Bi
 
 The VSS writer is registered on every server where you enable an MBAM web application. The MBAM VSS writer depends on the SQL Server VSS Writer, which is registered as part of the Microsoft SQL Server installation. Any backup technology that uses VSS writers to perform backup can discover the MBAM VSS writer.
 
-## Got a suggestion for MBAM?
 
 
-Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
-
 ## Related topics
 
 
@@ -136,7 +133,9 @@ Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-micros
  
 
  
-
+## Got a suggestion for MBAM?
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
 
 
 
diff --git a/mdop/mbam-v25/planning-for-mbam-25-server-deployment.md b/mdop/mbam-v25/planning-for-mbam-25-server-deployment.md
index cb91068cf3..6fc0c1b5d5 100644
--- a/mdop/mbam-v25/planning-for-mbam-25-server-deployment.md
+++ b/mdop/mbam-v25/planning-for-mbam-25-server-deployment.md
@@ -96,11 +96,8 @@ The Server infrastructure for the MBAM Configuration Manager topology contains t
 
 For a description of these features, see [High-Level Architecture of MBAM 2.5 with Configuration Manager Integration Topology](high-level-architecture-of-mbam-25-with-configuration-manager-integration-topology.md).
 
-## Got a suggestion for MBAM?
 
 
-Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
-
 ## Related topics
 
 
@@ -110,7 +107,9 @@ Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-micros
 
  
 
- 
+## Got a suggestion for MBAM?
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). 
 
 
 
diff --git a/mdop/mbam-v25/planning-for-mbam-25.md b/mdop/mbam-v25/planning-for-mbam-25.md
index d6dbd8c240..bbf4e631bb 100644
--- a/mdop/mbam-v25/planning-for-mbam-25.md
+++ b/mdop/mbam-v25/planning-for-mbam-25.md
@@ -46,15 +46,14 @@ This topic lists the tasks, prerequisites, and requirements that you need to com
 
 [Technical Reference for MBAM 2.5](technical-reference-for-mbam-25.md)
 
+
+
+ 
+
+ 
 ## Got a suggestion for MBAM?
-
-
-Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
-
- 
-
- 
-
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
 
 
 
diff --git a/mdop/mbam-v25/planning-how-to-secure-the-mbam-websites.md b/mdop/mbam-v25/planning-how-to-secure-the-mbam-websites.md
index f6b5891298..b59cdf6226 100644
--- a/mdop/mbam-v25/planning-how-to-secure-the-mbam-websites.md
+++ b/mdop/mbam-v25/planning-how-to-secure-the-mbam-websites.md
@@ -313,10 +313,6 @@ If you already registered SPNs on the machine account rather than in an applicat
 
  
 
-## Got a suggestion for MBAM?
-
-
-Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopmbam).
 
 ## Related topics
 
@@ -329,7 +325,9 @@ Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-micros
 
  
 
-
+## Got a suggestion for MBAM?
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
 
 
 
diff --git a/mdop/mbam-v25/planning-to-deploy-mbam-25.md b/mdop/mbam-v25/planning-to-deploy-mbam-25.md
index d40d55d6cb..4d0379428b 100644
--- a/mdop/mbam-v25/planning-to-deploy-mbam-25.md
+++ b/mdop/mbam-v25/planning-to-deploy-mbam-25.md
@@ -47,9 +47,8 @@ With MBAM, you can encrypt a computer in your organization either before the end
 [Planning for MBAM 2.5](planning-for-mbam-25.md)
 
 ## Got a suggestion for MBAM?
-
-
-Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
 
  
 
diff --git a/mdop/mbam-v25/preparing-your-environment-for-mbam-25.md b/mdop/mbam-v25/preparing-your-environment-for-mbam-25.md
index 3bff735f43..cccc386d97 100644
--- a/mdop/mbam-v25/preparing-your-environment-for-mbam-25.md
+++ b/mdop/mbam-v25/preparing-your-environment-for-mbam-25.md
@@ -47,9 +47,8 @@ As part of the prerequisites, you must define certain roles and accounts, which
 [MBAM 2.5 Supported Configurations](mbam-25-supported-configurations.md)
 
 ## Got a suggestion for MBAM?
-
-
-Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
 
  
 
diff --git a/mdop/mbam-v25/prerequisites-for-mbam-25-clients.md b/mdop/mbam-v25/prerequisites-for-mbam-25-clients.md
index f4920073c1..f151a12f21 100644
--- a/mdop/mbam-v25/prerequisites-for-mbam-25-clients.md
+++ b/mdop/mbam-v25/prerequisites-for-mbam-25-clients.md
@@ -83,11 +83,8 @@ Before you install the MBAM Client software on end users' computers, ensure that
 If BitLocker was used without MBAM, MBAM can be installed and utilize the existing TPM information.
  
 
-## Got a suggestion for MBAM?
 
 
-Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
-
 ## Related topics
 
 
@@ -96,7 +93,9 @@ Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-micros
 [Planning to Deploy MBAM 2.5](planning-to-deploy-mbam-25.md)
 
  
-
+## Got a suggestion for MBAM?
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
  
 
 
diff --git a/mdop/mbam-v25/prerequisites-for-the-configuration-manager-integration-feature.md b/mdop/mbam-v25/prerequisites-for-the-configuration-manager-integration-feature.md
index 248bb620bf..f00c62f502 100644
--- a/mdop/mbam-v25/prerequisites-for-the-configuration-manager-integration-feature.md
+++ b/mdop/mbam-v25/prerequisites-for-the-configuration-manager-integration-feature.md
@@ -176,11 +176,8 @@ To install MBAM with Configuration Manager, you must have an administrative user
 
 To enable the client computers to report BitLocker compliance details through the MBAM Configuration Manager reports, you have to edit the Configuration.mof file and Sms\_def.mof file for System Center 2012 Configuration Manager and Microsoft System Center Configuration Manager 2007. For instructions, see [MBAM 2.5 Server Prerequisites that Apply Only to the Configuration Manager Integration Topology](mbam-25-server-prerequisites-that-apply-only-to-the-configuration-manager-integration-topology.md).
 
-## Got a suggestion for MBAM?
 
 
-Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
-
 ## Related topics
 
 
@@ -190,7 +187,9 @@ Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-micros
 
  
 
- 
+## Got a suggestion for MBAM?
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). 
 
 
 
diff --git a/mdop/mbam-v25/release-notes-for-mbam-25-sp1.md b/mdop/mbam-v25/release-notes-for-mbam-25-sp1.md
index ed0dcd0fb5..6fb8a41a78 100644
--- a/mdop/mbam-v25/release-notes-for-mbam-25-sp1.md
+++ b/mdop/mbam-v25/release-notes-for-mbam-25-sp1.md
@@ -143,11 +143,8 @@ Original setting is:
 
 This is the reason why the issue was not seen with other browsers like Chrome, Firefox etc.
 
-## Got a suggestion for MBAM?
 
 
-Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/en-US/home?forum=mdopmbam).
-
 ## Related topics
 
 
@@ -155,7 +152,9 @@ Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-micros
 
  
 
- 
+## Got a suggestion for MBAM?
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). 
 
 
 
diff --git a/mdop/mbam-v25/release-notes-for-mbam-25.md b/mdop/mbam-v25/release-notes-for-mbam-25.md
index bf6d611a02..91c710e6ee 100644
--- a/mdop/mbam-v25/release-notes-for-mbam-25.md
+++ b/mdop/mbam-v25/release-notes-for-mbam-25.md
@@ -165,10 +165,6 @@ This table lists the hotfixes and KB articles for MBAM 2.5.
 
  
 
-## Got a suggestion for MBAM?
-
-
-Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
 
 ## Related topics
 
@@ -177,7 +173,9 @@ Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-micros
 
  
 
- 
+## Got a suggestion for MBAM?
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). 
 
 
 
diff --git a/mdop/mbam-v25/removing-mbam-server-features-or-software.md b/mdop/mbam-v25/removing-mbam-server-features-or-software.md
index 142c6e121f..bf66d191ab 100644
--- a/mdop/mbam-v25/removing-mbam-server-features-or-software.md
+++ b/mdop/mbam-v25/removing-mbam-server-features-or-software.md
@@ -71,11 +71,8 @@ Use the following steps to remove the MBAM Server software and any MBAM Server f
 
 2.  Select **Uninstall**, and follow the remaining prompts to complete the process of uninstalling the MBAM Server software.
 
-## Got a suggestion for MBAM?
 
 
-Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
-
 ## Related topics
 
 
@@ -85,7 +82,9 @@ Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-micros
 
  
 
-
+## Got a suggestion for MBAM?
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
 
 
 
diff --git a/mdop/mbam-v25/server-event-logs.md b/mdop/mbam-v25/server-event-logs.md
index 4b8067be48..637ae371f3 100644
--- a/mdop/mbam-v25/server-event-logs.md
+++ b/mdop/mbam-v25/server-event-logs.md
@@ -660,10 +660,6 @@ The following table contains messages and troubleshooting information for event
 
  
 
-## Got a suggestion for MBAM?
-
-
-Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
 
 ## Related topics
 
@@ -673,7 +669,9 @@ Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-micros
 [Client Event Logs](client-event-logs.md)
 
  
-
+## Got a suggestion for MBAM?
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
  
 
 
diff --git a/mdop/mbam-v25/technical-reference-for-mbam-25.md b/mdop/mbam-v25/technical-reference-for-mbam-25.md
index f0411f3292..d09d2963c8 100644
--- a/mdop/mbam-v25/technical-reference-for-mbam-25.md
+++ b/mdop/mbam-v25/technical-reference-for-mbam-25.md
@@ -43,9 +43,8 @@ This section includes technical information about features in Microsoft BitLocke
 [Troubleshooting MBAM 2.5](troubleshooting-mbam-25.md)
 
 ## Got a suggestion for MBAM?
-
-
-Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
 
  
 
diff --git a/mdop/mbam-v25/troubleshooting-mbam-25.md b/mdop/mbam-v25/troubleshooting-mbam-25.md
index bc2671930f..cb05acd2bf 100644
--- a/mdop/mbam-v25/troubleshooting-mbam-25.md
+++ b/mdop/mbam-v25/troubleshooting-mbam-25.md
@@ -84,9 +84,8 @@ If you have a troubleshooting tip or a best practice to share that is not alread
 [Troubleshooting MBAM 2.5 installation problems](https://support.microsoft.com/kb/3049652)
 
 ## Got a suggestion for MBAM?
-
-
-Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
 
  
 
diff --git a/mdop/mbam-v25/understanding-mbam-25-stand-alone-reports.md b/mdop/mbam-v25/understanding-mbam-25-stand-alone-reports.md
index 6d37f02d47..508b82dd72 100644
--- a/mdop/mbam-v25/understanding-mbam-25-stand-alone-reports.md
+++ b/mdop/mbam-v25/understanding-mbam-25-stand-alone-reports.md
@@ -366,10 +366,6 @@ Report results can be saved to a file by clicking the **Export** button on the *
 
  
 
-## Got a suggestion for MBAM?
-
-
-Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
 
 ## Related topics
 
@@ -380,7 +376,9 @@ Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-micros
 
  
 
- 
+## Got a suggestion for MBAM?
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). 
 
 
 
diff --git a/mdop/mbam-v25/understanding-the-bitlocker-encryption-options-and-bitlocker-drive-encryption-items-in-control-panel.md b/mdop/mbam-v25/understanding-the-bitlocker-encryption-options-and-bitlocker-drive-encryption-items-in-control-panel.md
index 9acb5a40e8..6a9f2918f6 100644
--- a/mdop/mbam-v25/understanding-the-bitlocker-encryption-options-and-bitlocker-drive-encryption-items-in-control-panel.md
+++ b/mdop/mbam-v25/understanding-the-bitlocker-encryption-options-and-bitlocker-drive-encryption-items-in-control-panel.md
@@ -113,10 +113,6 @@ The following table describes how the **Manage BitLocker** shortcut menu differs
 
  
 
-## Got a suggestion for MBAM?
-
-
-Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
 
 ## Related topics
 
@@ -125,7 +121,9 @@ Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-micros
 
  
 
- 
+## Got a suggestion for MBAM?
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). 
 
 
 
diff --git a/mdop/mbam-v25/upgrading-to-mbam-25-or-mbam-25-sp1-from-previous-versions.md b/mdop/mbam-v25/upgrading-to-mbam-25-or-mbam-25-sp1-from-previous-versions.md
index 52ef3ff163..3d7c288953 100644
--- a/mdop/mbam-v25/upgrading-to-mbam-25-or-mbam-25-sp1-from-previous-versions.md
+++ b/mdop/mbam-v25/upgrading-to-mbam-25-or-mbam-25-sp1-from-previous-versions.md
@@ -147,11 +147,8 @@ MBAM supports upgrades to the MBAM 2.5 Client from any earlier version of the M
 
 -   Install the MBAM Client through an electronic software distribution system or through tools such as Active Directory Domain Services or System Center Configuration Manager.
 
-## Got a suggestion for MBAM?
 
 
-Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
-
 ## Related topics
 
 
@@ -163,7 +160,9 @@ Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-micros
 
  
 
- 
+## Got a suggestion for MBAM?
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). 
 
 
 
diff --git a/mdop/mbam-v25/using-windows-powershell-to-administer-mbam-25.md b/mdop/mbam-v25/using-windows-powershell-to-administer-mbam-25.md
index b7ac31ef9d..56da96c821 100644
--- a/mdop/mbam-v25/using-windows-powershell-to-administer-mbam-25.md
+++ b/mdop/mbam-v25/using-windows-powershell-to-administer-mbam-25.md
@@ -86,11 +86,8 @@ Windows PowerShell Help for MBAM cmdlets is available in the following formats:
 
  
 
-## Got a suggestion for MBAM?
 
 
-Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
-
 ## Related topics
 
 
@@ -100,7 +97,9 @@ Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-micros
 
  
 
- 
+## Got a suggestion for MBAM?
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). 
 
 
 
diff --git a/mdop/mbam-v25/validating-the-mbam-25-server-feature-configuration.md b/mdop/mbam-v25/validating-the-mbam-25-server-feature-configuration.md
index d0e3b1685a..c7b9098597 100644
--- a/mdop/mbam-v25/validating-the-mbam-25-server-feature-configuration.md
+++ b/mdop/mbam-v25/validating-the-mbam-25-server-feature-configuration.md
@@ -168,18 +168,17 @@ Use these steps to validate your MBAM Server deployment when you are using MBAM
 
     -   BitLocker Operating System Drive Protection
 
-## Got a suggestion for MBAM?
 
 
-Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
-
 ## Related topics
 
 
 [Configuring the MBAM 2.5 Server Features](configuring-the-mbam-25-server-features.md)
 
  
-
+## Got a suggestion for MBAM?
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
  
 
 
diff --git a/mdop/mbam-v25/viewing-mbam-25-reports-for-the-configuration-manager-integration-topology.md b/mdop/mbam-v25/viewing-mbam-25-reports-for-the-configuration-manager-integration-topology.md
index db55e575ba..b8c9ce465b 100644
--- a/mdop/mbam-v25/viewing-mbam-25-reports-for-the-configuration-manager-integration-topology.md
+++ b/mdop/mbam-v25/viewing-mbam-25-reports-for-the-configuration-manager-integration-topology.md
@@ -473,11 +473,6 @@ The Removable Data Volume encryption status is not shown in this report.
 
  
 
-## Got a suggestion for MBAM?
-
-
-Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
-
 ## Related topics
 
 
@@ -485,7 +480,9 @@ Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-micros
 
  
 
- 
+## Got a suggestion for MBAM?
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). 
 
 
 
diff --git a/mdop/mbam-v25/viewing-mbam-25-reports-for-the-stand-alone-topology.md b/mdop/mbam-v25/viewing-mbam-25-reports-for-the-stand-alone-topology.md
index e1a671b6e8..98fca5e3d3 100644
--- a/mdop/mbam-v25/viewing-mbam-25-reports-for-the-stand-alone-topology.md
+++ b/mdop/mbam-v25/viewing-mbam-25-reports-for-the-stand-alone-topology.md
@@ -48,10 +48,6 @@ If you are using the Configuration Manager Integration topology, most reports ar
 
  
 
-## Got a suggestion for MBAM?
-
-
-Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
 
 ## Related topics
 
@@ -62,7 +58,9 @@ Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-micros
 
  
 
-
+## Got a suggestion for MBAM?
+- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). 
+- For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam).
 
 
 
diff --git a/store-for-business/images/license-assign-icon.png b/store-for-business/images/license-assign-icon.png
new file mode 100644
index 0000000000..4a5daa933c
Binary files /dev/null and b/store-for-business/images/license-assign-icon.png differ
diff --git a/store-for-business/manage-private-store-settings.md b/store-for-business/manage-private-store-settings.md
index eabd198c73..e851331cdb 100644
--- a/store-for-business/manage-private-store-settings.md
+++ b/store-for-business/manage-private-store-settings.md
@@ -30,8 +30,8 @@ You can change the name of your private store in Microsoft Store.
 **To change the name of your private store**
 
 1.  Sign in to the [Microsoft Store for Business](http://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com).
-2.  Click **Manage**, click **Permissions**.
-3.  On the **Private store** tab, click **Change**.
+2.  Click **Settings**, click **Distribute**.
+3.  In the **Private store** section, click **Change**.
 4.  Type a new display name for your private store, and click **Save**.
 
     ![Image showing Private store dialog used to change private store display name.](images/wsfb-renameprivatestore.png)
@@ -102,4 +102,4 @@ We've recently made performance improvements for changes in the private store. T
 | Create a new collection | 15 minutes|
 | Edit or remove a collection | 15 minutes |
 | Create private store tab | 4-6 hours |
-| Rename private store tab | 4-6 hours | 
\ No newline at end of file
+| Rename private store tab | 4-6 hours | 
diff --git a/store-for-business/release-history-microsoft-store-business-education.md b/store-for-business/release-history-microsoft-store-business-education.md
index bbad8985d5..74fcb9bd83 100644
--- a/store-for-business/release-history-microsoft-store-business-education.md
+++ b/store-for-business/release-history-microsoft-store-business-education.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: store
 author: TrudyHa
-ms.date: 3/29/2018
+ms.date: 4/26/2018
 ---
 
 # Microsoft Store for Business and Education release history
@@ -15,9 +15,16 @@ Microsoft Store for Business and Education regularly releases new and improved f
 
 Looking for info on the latest release? Check out [What's new in Microsoft Store for Business and Education](whats-new-microsoft-store-business-education.md) 
 
+## March 2018
+- **Performance improvements in private store** - We've made it significantly faster for you to udpate the private store. Many changes to the private store are available immediately after you make them. [Get more info](https://docs.microsoft.com/microsoft-store/manage-private-store-settings#private-store-performance)
+- **Private store collection updates** - We’ve made it easier to find apps when creating private store collections – now you can search and filter results. 
+ [Get more info](https://docs.microsoft.com/microsoft-store/manage-private-store-settings#private-store-collections) 
+- **Manage Skype Communication credits** - Office 365 customers that own Skype Communication Credits can now see and manage them in Microsoft Store for Business. You can view your account, add funds to your account, and manage auto-recharge settings.
+- **Upgrade Office 365 trial subscription** - Customers with Office 365 can upgrade their subscription and automatically re-assign their user licenses over to a new target subscription. For example, you could upgrade your Office 365 Business to Office 365 Business Premium. 
+
 ## January and February 2018
 - **One place for apps, software, and subscriptions** - The new **Products &amp; services** page in Microsoft Store for Business and Education gives customers a single place to manage all products and services.
-- **Create collections of apps in your private store** - Use **collections** to customize your private store. Collections allow you to create groups of apps that are commonly used in your organization or school -- you might create a collection for a Finance department, or a 6th-grade class. [Get more info](https://docs.microsoft.com/en-us/microsoft-store/manage-private-store-settings#private-store-collections)
+- **Create collections of apps in your private store** - Use **collections** to customize your private store. Collections allow you to create groups of apps that are commonly used in your organization or school -- you might create a collection for a Finance department, or a 6th-grade class. [Get more info](https://docs.microsoft.com/microsoft-store/manage-private-store-settings#private-store-collections)
 - **Upgrade Office 365 trial subscription** - Customers with Office 365 trials can now transition their trial to a paid subscription in Microsoft Store for Business. This works for trials you acquired from Microsoft Store for Business, or Office Admin Portal.
 - **Supporting Microsoft Product and Services Agreement customers** - If you are purchasing under the Microsoft Products and Services Agreement (MPSA), you can use Microsoft Store for Business. Here you will find access to Products & Services purchased, Downloads & Keys, Software Assurance benefits, Order history, and Agreement details.
 - **Microsoft Product and Services Agreement customers can invite people to take roles** - MPSA admins can invite people to take Microsoft Store for Business roles even if the person is not in their tenant. You provide an email address when you assign the role, and we'll add the account to your tenant and assign the role. 
diff --git a/store-for-business/sfb-change-history.md b/store-for-business/sfb-change-history.md
index 75ec8368a3..ebc071d22a 100644
--- a/store-for-business/sfb-change-history.md
+++ b/store-for-business/sfb-change-history.md
@@ -7,7 +7,7 @@ ms.sitesec: library
 ms.pagetype: store
 author: TrudyHa
 ms.author: TrudyHa
-ms.date: 3/29/2018
+ms.date: 4/26/2018
 ms.localizationpriority: high
 ---
 
@@ -18,13 +18,19 @@ ms.localizationpriority: high
 -   Windows 10
 -   Windows 10 Mobile
 
+## April 2018
+| New or changed topic | Description |
+| --- | --- |
+| [Configure access to Microsoft Store](https://docs.microsoft.com/en-us/windows/configuration/stop-employees-from-using-microsoft-store#a-href-idblock-store-group-policyablock-microsoft-store-using-group-policy) | Update on app updates when Microsoft Store is blocked. |
+| [What's New in Microsoft Store for Business and Education](whats-new-microsoft-store-business-education.md) | Update |
+
 ## March 2018
 | New or changed topic | Description |
 | --- | --- |
 | [Manage software purchased with Microsoft Products and Services agreement in Microsoft Store for Business](manage-mpsa-software-microsoft-store-for-business.md) | New |
 | [Manage private store settings](manage-private-store-settings.md) | Update for adding private store performance improvements. |
 | [What's New in Microsoft Store for Business and Education](whats-new-microsoft-store-business-education.md) | Update |
- [Roles and permissions in Microsoft Store for Business](roles-and-permissions-microsoft-store-for-business.md) | Update |
+| [Roles and permissions in Microsoft Store for Business](roles-and-permissions-microsoft-store-for-business.md) | Update |
 
 ## February 2018
 
diff --git a/store-for-business/whats-new-microsoft-store-business-education.md b/store-for-business/whats-new-microsoft-store-business-education.md
index 0c4e59c682..cca4d43519 100644
--- a/store-for-business/whats-new-microsoft-store-business-education.md
+++ b/store-for-business/whats-new-microsoft-store-business-education.md
@@ -6,7 +6,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: store
 author: TrudyHa
-ms.date: 3/29/2018
+ms.date: 4/26/2018
 ---
 
 # What's new in Microsoft Store for Business and Education
@@ -15,14 +15,14 @@ Microsoft Store for Business and Education regularly releases new and improved f
 
 ## Latest updates for Store for Business and Education
 
-**March 2018**
+**April 2018**
 
 |  |  |
 |--------------------------------------|---------------------------------|
-| ![Private store performance icon](images/perf-improvement-icon.png) |**Performance improvements in private store**<br /><br /> We've made it significantly faster for you to update the private store. Many changes to the private store are available immediately after you make them. <br /><br />[Get more info](https://docs.microsoft.com/microsoft-store/manage-private-store-settings#private-store-performance)<br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
-| ![Private store library icon](images/private-store-icon.png) |**Private store collection updates**<br /><br /> We’ve made it easier to find apps when creating private store collections – now you can search and filter results. <br /><br />[Get more info](https://docs.microsoft.com/microsoft-store/manage-private-store-settings#private-store-collections)<br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
-|  ![Skype icon.](images/skype-icon-wn.png) |**Manage Skype communication credits in Microsoft Store for Business and Education**<br /><br> Office 365 customers that own Skype Communication Credits can now see and manage them in Microsoft Store for Business. You can view your account, add funds to your account, and manage auto-recharge settings. <br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
-|  ![Upgrade Office 365 trial subscription.](images/office-logo.png) |**Upgrade Office 365 trial subscription**<br /><br> Customers with Office 365 can upgrade their subscription and automatically re-assign their user licenses over to a new target subscription. For example, you could upgrade your Office 365 Business to Office 365 Business Premium. <br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
+| ![License assign icon](images/license-assign-icon.png) |**Assign apps to larger groups**<br /><br /> We're making it easier for admins to assign apps to groups of people. Admins can assign licenses to groups of any size, and include subgroups within those groups. We’ll figure out who’s in those groups, and assign licenses to people in the groups (skipping people who already have licenses). Along the way, we’ll let you know how many licenses are needed, and provide an estimate on the time required to assign licenses.<br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
+| ![Private store icon](images/private-store-icon.png) |**Change collection order in private store**<br /><br /> Private store collections make it easy for groups of people to find the apps that they need. Now, you can customize the order of your private store collections. <br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
+| ![Office logo icon](images/office-logo.png) |**Office 365 subscription management**<br /><br /> We know that sometimes customers need to cancel subscription. While we don't want to lose a customer, we want the process for managing subscriptions to be easy. Now, you can delete your Office 365 subscription without calling Support. From Microsoft Store for Business and Education, you can request to delete an Office 365 subscription. We'll wait three days before permanently deleting the subscription. In case of a mistake, customers are welcome to reactivate subscriptions during the three-day period. <br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
+
 
 <!---
 We’ve been working on bug fixes and performance improvements to provide you a better experience. Stay tuned for new features!
@@ -36,6 +36,12 @@ We’ve been working on bug fixes and performance improvements to provide you a
 
 ## Previous releases and updates
 
+[March 2018](release-history-microsoft-store-business-education.md#march-2018)
+- Performance improvements in private store
+- Private store collection updates
+- Manage Skype communication credits
+- Upgrade Office 365 trial subscription
+
 [January &amp; February, 2018](release-history-microsoft-store-business-education.md#january-and-february-2018)
 - One place for apps, software, and subscriptions
 - Create collections of apps in your private store
diff --git a/windows/application-management/manage-windows-mixed-reality.md b/windows/application-management/manage-windows-mixed-reality.md
index 1ff3bfb5ab..6779ed5a13 100644
--- a/windows/application-management/manage-windows-mixed-reality.md
+++ b/windows/application-management/manage-windows-mixed-reality.md
@@ -8,7 +8,7 @@ ms.sitesec: library
 ms.localizationpriority: medium
 author: jdeckerms
 ms.author: jdecker
-ms.date: 04/23/2018
+ms.date: 04/30/2018
 ---
 
 # Enable or block Windows Mixed Reality apps in the enterprise
diff --git a/windows/client-management/mdm/TOC.md b/windows/client-management/mdm/TOC.md
index b0b0610178..659b090224 100644
--- a/windows/client-management/mdm/TOC.md
+++ b/windows/client-management/mdm/TOC.md
@@ -70,6 +70,8 @@
 ## [Configuration service provider reference](configuration-service-provider-reference.md)
 ### [AccountManagement CSP](accountmanagement-csp.md)
 #### [AccountManagement DDF file](accountmanagement-ddf.md)
+### [Accounts CSP](accounts-csp.md)
+#### [Accounts DDF file](accounts-ddf-file.md)
 ### [ActiveSync CSP](activesync-csp.md)
 #### [ActiveSync DDF file](activesync-ddf-file.md)
 ### [AllJoynManagement CSP](alljoynmanagement-csp.md)
diff --git a/windows/client-management/mdm/accounts-csp.md b/windows/client-management/mdm/accounts-csp.md
new file mode 100644
index 0000000000..0cec8a8ad3
--- /dev/null
+++ b/windows/client-management/mdm/accounts-csp.md
@@ -0,0 +1,51 @@
+---
+title: Accounts CSP
+description: The Accounts configuration service provider (CSP) is used by the enterprise (1) to rename a device, (2) to create a new local Windows account and joint it to a local user group.
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 04/17/2018
+---
+
+# Accounts CSP 
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+The Accounts configuration service provider (CSP) is used by the enterprise (1) to rename a device, (2) to create a new local Windows account and joint it to a local user group. This CSP was added in Windows 10, version 1803.
+
+
+The following diagram shows the Accounts configuration service provider in tree format.
+
+![Accounts CSP diagram](images/provisioning-csp-accounts.png) 
+
+<a href="" id="accounts"></a>**./Device/Vendor/MSFT/Accounts**  
+Root node.
+
+<a href="" id="domain"></a>**Domain**  
+Interior node for the account domain information.
+
+<a href="" id="domain-computername"></a>**Domain/ComputerName**  
+This node specifies the name for a device.  This setting can be managed remotely. A couple of macros can be embedded within the value for dynamic substitution:  %RAND:<# of digits>% and %SERIAL%.  
+
+Examples: (a) "Test%RAND:6%" will generate a name "Test" followed by 6 random digits (e.g., "Test123456").  (b) "Foo%SERIAL%", will generate a name "Foo" followed by the serial number derived from device's ID. The server must explicitly reboot the device for this value to take effect.
+
+Supported operation is Add.
+
+<a href="" id="users"></a>**Users**  
+Interior node for the user account information.
+
+<a href="" id="users-username"></a>**Users/_UserName_**  
+This node specifies the username for a new local user account.  This setting can be managed remotely.
+
+<a href="" id="users-username-password"></a>**Users/_UserName_/Password**  
+This node specifies the password for a new local user account.  This setting can be managed remotely. 
+
+Supported operation is Add.
+
+<a href="" id="users-username-localusergroup"></a>**Users/_UserName_/LocalUserGroup**  
+This optional node specifies the local user group that a local user account should be joined to.  If the node is not set, the new local user account is joined just to the Standard Users group.  Set the value to 2 for Administrators group. This setting can be managed remotely.
+
+Supported operation is Add.
\ No newline at end of file
diff --git a/windows/client-management/mdm/accounts-ddf-file.md b/windows/client-management/mdm/accounts-ddf-file.md
new file mode 100644
index 0000000000..311ed73e93
--- /dev/null
+++ b/windows/client-management/mdm/accounts-ddf-file.md
@@ -0,0 +1,179 @@
+---
+title: Accounts DDF file
+description: XML file containing the device description framework
+ms.author: maricia
+ms.topic: article
+ms.prod: w10
+ms.technology: windows
+author: nickbrower
+ms.date: 04/17/2018
+---
+
+# Accounts CSP 
+
+> [!WARNING]
+> Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+
+This topic shows the OMA DM device description framework (DDF) for the **Accounts** configuration service provider.
+
+The XML below is for Windows 10, version 1803.
+
+``` syntax
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE MgmtTree PUBLIC " -//OMA//DTD-DM-DDF 1.2//EN"
+  "http://www.openmobilealliance.org/tech/DTD/DM_DDF-V1_2.dtd"
+  [<?oma-dm-ddf-ver supported-versions="1.2"?>]>
+<MgmtTree xmlns:MSFT="http://schemas.microsoft.com/MobileDevice/DM">
+  <VerDTD>1.2</VerDTD>
+      <Node>
+        <NodeName>Accounts</NodeName>
+        <Path>./Device/Vendor/MSFT</Path>
+        <DFProperties>
+          <AccessType>
+            <Get />
+          </AccessType>
+          <DFFormat>
+            <node />
+          </DFFormat>
+          <Occurrence>
+            <One />
+          </Occurrence>
+          <Scope>
+            <Permanent />
+          </Scope>
+          <DFType>
+            <DDFName></DDFName>
+            <MIME>com.microsoft/1.0/MDM/Accounts</MIME> 
+          </DFType>
+        </DFProperties>
+        <Node>
+          <NodeName>Domain</NodeName>
+          <DFProperties>
+            <AccessType>
+            </AccessType>
+            <DFFormat>
+              <node />
+            </DFFormat>
+            <Occurrence>
+              <One />
+            </Occurrence>
+            <Scope>
+              <Permanent />
+            </Scope>
+            <DFType>
+              <DDFName></DDFName>
+            </DFType>
+          </DFProperties>
+          <Node>
+            <NodeName>ComputerName</NodeName>
+            <DFProperties>
+              <AccessType>
+                <Add />
+              </AccessType>
+              <Description>This node specifies the name for a device.  This setting can be managed remotely. A couple of macros can be embedded within the value for dynamic substitution:  %RAND:&lt;# of digits&gt;% and %SERIAL%.  Examples: (a) "Test%RAND:6%" will generate a name "Test" followed by 6 random digits (e.g., "Test123456").  (b) "Foo%SERIAL%", will generate a name "Foo" followed by the serial number derived from device's ID. The server must explicitly reboot the device for this value to take effect.</Description>
+              <DFFormat>
+                <chr />
+              </DFFormat>
+              <Occurrence>
+                <One />
+              </Occurrence>
+              <Scope>
+                <Dynamic />
+              </Scope>
+              <CaseSense>
+                <CIS />
+              </CaseSense>
+              <DFTitle>ComputerName</DFTitle>
+              <DFType>
+                <MIME>text/plain</MIME>
+              </DFType>
+            </DFProperties>
+          </Node>
+        </Node>
+        <Node>
+          <NodeName>Users</NodeName>
+          <DFProperties>
+            <AccessType>
+            </AccessType>
+            <DFFormat>
+              <node />
+            </DFFormat>
+            <Occurrence>
+              <One />
+            </Occurrence>
+            <Scope>
+              <Permanent />
+            </Scope>
+            <DFType>
+              <DDFName></DDFName>
+            </DFType>
+          </DFProperties>
+          <Node>
+            <NodeName></NodeName>
+            <DFProperties>
+              <AccessType>
+              </AccessType>
+              <Description>This node specifies the username for a new local user account.  This setting can be managed remotely.</Description>
+              <DFFormat>
+                <node />
+              </DFFormat>
+              <Occurrence>
+                <One />
+              </Occurrence>
+              <Scope>
+                <Dynamic />
+              </Scope>
+              <DFTitle>UserName</DFTitle>
+              <DFType>
+                <DDFName></DDFName>
+              </DFType>
+            </DFProperties>
+            <Node>
+              <NodeName>Password</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Add />
+                </AccessType>
+                <Description>This node specifies the password for a new local user account.  This setting can be managed remotely. </Description>
+                <DFFormat>
+                  <chr />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <DFTitle>Password</DFTitle>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+            <Node>
+              <NodeName>LocalUserGroup</NodeName>
+              <DFProperties>
+                <AccessType>
+                  <Add />
+                </AccessType>
+                <DefaultValue>1</DefaultValue>
+                <Description>This optional node specifies the local user group that a local user account should be joined to.  If the node is not set, the new local user account is joined just to the Standard Users group.  Set the value to 2 for Administrators group. This setting can be managed remotely.</Description>
+                <DFFormat>
+                  <int />
+                </DFFormat>
+                <Occurrence>
+                  <One />
+                </Occurrence>
+                <Scope>
+                  <Dynamic />
+                </Scope>
+                <DFType>
+                  <MIME>text/plain</MIME>
+                </DFType>
+              </DFProperties>
+            </Node>
+          </Node>
+        </Node>
+      </Node>
+</MgmtTree>
+```
\ No newline at end of file
diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md
index 3121c0e91c..e424e88106 100644
--- a/windows/client-management/mdm/applocker-csp.md
+++ b/windows/client-management/mdm/applocker-csp.md
@@ -7,7 +7,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 11/09/2017
+ms.date: 04/24/2018
 ---
 
 # AppLocker CSP
@@ -430,6 +430,11 @@ The following list shows the apps that may be included in the inbox.
 <td>59553c14-5701-49a2-9909-264d034deb3d</td>
 <td></td>
 </tr>
+<tr class="odd">
+<td>Broker plug-in (same as Work or school account)</td>
+<td></td>
+<td>Microsoft.AAD.BrokerPlugin</td>
+</tr>
 <tr class="even">
 <td>Calculator</td>
 <td>b58171c6-c70c-4266-a2e8-8f9c994f4456</td>
@@ -466,6 +471,21 @@ The following list shows the apps that may be included in the inbox.
 <td>Microsoft.Windows.Cortana</td>
 </tr>
 <tr class="odd">
+<td>Cortana Listen UI</td>
+<td></td>
+<td>CortanaListenUI</td>
+</tr>
+<tr class="odd">
+<td>Credentials Dialog Host</td>
+<td></td>
+<td>Microsoft.CredDialogHost</td>
+</tr>
+<tr class="odd">
+<td>Device Portal PIN UX</td>
+<td></td>
+<td>holopairingapp</td>
+</tr>
+<tr class="odd">
 <td>Email and accounts</td>
 <td>39cf127b-8c67-c149-539a-c02271d07060</td>
 <td>Microsoft.AccountsControl</td>
@@ -536,6 +556,11 @@ The following list shows the apps that may be included in the inbox.
 <td></td>
 </tr>
 <tr class="odd">
+<td>Holographic Shell</td>
+<td></td>
+<td>HoloShell</td>
+</tr>
+<tr class="odd">
 <td>Lumia motion data</td>
 <td>8fc25fd2-4e2e-4873-be44-20e57f6ec52b</td>
 <td></td>
@@ -567,6 +592,11 @@ The following list shows the apps that may be included in the inbox.
 <td></td>
 </tr>
 <tr class="odd">
+<td>Migration UI</td>
+<td></td>
+<td>MigrationUIApp</td>
+</tr>
+<tr class="odd">
 <td>MiracastView</td>
 <td>906beeda-b7e6-4ddc-ba8d-ad5031223ef9</td>
 <td>906beeda-b7e6-4ddc-ba8d-ad5031223ef9</td>
@@ -691,6 +721,11 @@ The following list shows the apps that may be included in the inbox.
 <td>2a4e62d8-8809-4787-89f8-69d0f01654fb</td>
 </tr>
 <tr class="odd">
+<td>Settings</td>
+<td></td>
+<td>SystemSettings</td>
+</tr>
+<tr class="odd">
 <td>Setup wizard</td>
 <td>07d87655-e4f0-474b-895a-773790ad4a32</td>
 <td></td>
@@ -701,6 +736,11 @@ The following list shows the apps that may be included in the inbox.
 <td></td>
 </tr>
 <tr class="odd">
+<td>Sign-in for Windows 10 Holographic</td>
+<td></td>
+<td>WebAuthBridgeInternetSso, WebAuthBridgeInternet, WebAuthBridgeIntranetSso, WebAuthBrokerInternetSso, WebAuthBrokerInternetSso, WebAuthBrokerInternetSso, WebAuthBrokerInternet, WebAuthBrokerIntranetSso, SignIn</td>
+</tr>
+<tr class="odd">
 <td>Skype</td>
 <td>c3f8e570-68b3-4d6a-bdbb-c0a3f4360a51</td>
 <td>Microsoft.SkypeApp</td>
@@ -1360,6 +1400,261 @@ In this example, **MobileGroup0** is the node name. We recommend using a GUID fo
 </SyncML>
 ```
 
+## Example for Windows 10 Holographic for Business
+The following example for Windows 10 Holographic for Business denies all apps and allows the minimum set of [inbox apps](#inboxappsandcomponents) to enable to enable a working device, as well as Settings.
+
+``` syntax
+<RuleCollection Type="Appx" EnforcementMode="Enabled">
+    <FilePublisherRule Id="96B82A15-F841-499a-B674-963DC647762F"
+                     Name="Whitelist BackgroundTaskHost"
+                     Description=""
+                     UserOrGroupSid="S-1-1-0"
+                     Action="Allow">
+    <Conditions>
+      <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
+          ProductName="*"
+          BinaryName="BackgroundTaskHost*">
+        <BinaryVersionRange LowSection="*" HighSection="*" />
+      </FilePublisherCondition>
+    </Conditions>
+  </FilePublisherRule>
+  <FilePublisherRule Id="8D345CB2-AC5B-4b6b-8F0B-DCE3F6FB9259"
+                     Name="Whitelist CertInstaller"
+                     Description=""
+                     UserOrGroupSid="S-1-1-0"
+                     Action="Allow">
+    <Conditions>
+      <FilePublisherCondition PublisherName="*"
+          ProductName="4c4ad968-7100-49de-8cd1-402e198d869e"
+          BinaryName="*">
+        <BinaryVersionRange LowSection="*" HighSection="*" />
+      </FilePublisherCondition>
+    </Conditions>
+  </FilePublisherRule>
+  <FilePublisherRule Id="9F07FB38-B952-4f3c-A17A-CE7EC8132987"
+                     Name="Whitelist MigrationUI"
+                     Description=""
+                     UserOrGroupSid="S-1-1-0"
+                     Action="Allow">
+    <Conditions>
+      <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
+          ProductName="MigrationUIApp"
+          BinaryName="*">
+        <BinaryVersionRange LowSection="*" HighSection="*" />
+      </FilePublisherCondition>
+    </Conditions>
+  </FilePublisherRule>
+  <FilePublisherRule Id="1C32E96F-2F44-4317-9D98-2F624147D7AE"
+                     Name="Whitelist CredDiagHost"
+                     Description=""
+                     UserOrGroupSid="S-1-1-0"
+                     Action="Allow">
+    <Conditions>
+      <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
+          ProductName="Microsoft.CredDialogHost"
+          BinaryName="*">
+        <BinaryVersionRange LowSection="*" HighSection="*" />
+      </FilePublisherCondition>
+    </Conditions>
+  </FilePublisherRule>
+  <FilePublisherRule Id="53DCC751-E92A-4d0a-84DF-E6EAC2A7C7CE"
+                     Name="Whitelist Settings"
+                     Description=""
+                     UserOrGroupSid="S-1-1-0"
+                     Action="Allow">
+    <Conditions>
+      <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
+          ProductName="SystemSettings"
+          BinaryName="*">
+        <BinaryVersionRange LowSection="*" HighSection="*" />
+      </FilePublisherCondition>
+    </Conditions>
+  </FilePublisherRule>
+  <FilePublisherRule Id="70D9E233-81F4-4707-B79D-58F9C3A6BFB1"
+                     Name="Whitelist HoloShell"
+                     Description=""
+                     UserOrGroupSid="S-1-1-0"
+                     Action="Allow">
+    <Conditions>
+      <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
+          ProductName="HoloShell"
+          BinaryName="*">
+        <BinaryVersionRange LowSection="*" HighSection="*" />
+      </FilePublisherCondition>
+    </Conditions>
+  </FilePublisherRule>
+  <FilePublisherRule Id="6557A9BC-BA1F-4b7d-90FD-8C620CA81906"
+                     Name="Whitelist MSA"
+                     Description=""
+                     UserOrGroupSid="S-1-1-0"
+                     Action="Allow">
+    <Conditions>
+      <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
+          ProductName="Microsoft.Windows.CloudExperienceHost"
+          BinaryName="*">
+        <BinaryVersionRange LowSection="*" HighSection="*" />
+      </FilePublisherCondition>
+    </Conditions>
+  </FilePublisherRule>
+  <FilePublisherRule Id="81CD98A6-82EC-443f-87F8-039B00DFBE78"
+                     Name="Whitelist BrokerPlugin"
+                     Description=""
+                     UserOrGroupSid="S-1-1-0"
+                     Action="Allow">
+    <Conditions>
+      <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
+          ProductName="Microsoft.AAD.BrokerPlugin"
+          BinaryName="*">
+        <BinaryVersionRange LowSection="*" HighSection="*" />
+      </FilePublisherCondition>
+    </Conditions>
+  </FilePublisherRule>
+  <FilePublisherRule Id="1330E03E-7D43-4e01-9853-40ED8CF62D10"
+                     Name="Whitelist SignIn1"
+                     Description=""
+                     UserOrGroupSid="S-1-1-0"
+                     Action="Allow">
+    <Conditions>
+      <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
+          ProductName="WebAuthBridgeInternetSso"
+          BinaryName="*">
+        <BinaryVersionRange LowSection="*" HighSection="*" />
+      </FilePublisherCondition>
+    </Conditions>
+  </FilePublisherRule>
+  <FilePublisherRule Id="107EC30A-2CEF-4ec1-B556-F7DAA7DF7998"
+                     Name="Whitelist SignIn2"
+                     Description=""
+                     UserOrGroupSid="S-1-1-0"
+                     Action="Allow">
+    <Conditions>
+      <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
+          ProductName="WebAuthBridgeInternet"
+          BinaryName="*">
+        <BinaryVersionRange LowSection="*" HighSection="*" />
+      </FilePublisherCondition>
+    </Conditions>
+  </FilePublisherRule>
+  <FilePublisherRule Id="F806AC17-3E31-4a83-92EB-6A34696478D1"
+                     Name="Whitelist SignIn3"
+                     Description=""
+                     UserOrGroupSid="S-1-1-0"
+                     Action="Allow">
+    <Conditions>
+      <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
+          ProductName="WebAuthBridgeIntranetSso"
+          BinaryName="*">
+        <BinaryVersionRange LowSection="*" HighSection="*" />
+      </FilePublisherCondition>
+    </Conditions>
+  </FilePublisherRule>
+  <FilePublisherRule Id="E8CAF694-2256-4516-BDCC-CDABF218573C"
+                     Name="Whitelist SignIn4"
+                     Description=""
+                     UserOrGroupSid="S-1-1-0"
+                     Action="Allow">
+    <Conditions>
+      <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
+          ProductName="WebAuthBrokerInternetSso"
+          BinaryName="*">
+        <BinaryVersionRange LowSection="*" HighSection="*" />
+      </FilePublisherCondition>
+    </Conditions>
+  </FilePublisherRule>
+  <FilePublisherRule Id="5918428D-B9A8-4810-8FB4-25AE5A25D5A7"
+                     Name="Whitelist SignIn5"
+                     Description=""
+                     UserOrGroupSid="S-1-1-0"
+                     Action="Allow">
+    <Conditions>
+      <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
+          ProductName="WebAuthBrokerInternet"
+          BinaryName="*">
+        <BinaryVersionRange LowSection="*" HighSection="*" />
+      </FilePublisherCondition>
+    </Conditions>
+  </FilePublisherRule>
+  <FilePublisherRule Id="C90D99E3-C3EE-47c5-B181-7E8C54FA66B3"
+                     Name="Whitelist SignIn6"
+                     Description=""
+                     UserOrGroupSid="S-1-1-0"
+                     Action="Allow">
+    <Conditions>
+      <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
+          ProductName="WebAuthBrokerIntranetSso"
+          BinaryName="*">
+        <BinaryVersionRange LowSection="*" HighSection="*" />
+      </FilePublisherCondition>
+    </Conditions>
+  </FilePublisherRule>
+  <FilePublisherRule Id="9CD87A91-FB48-480d-B788-3770A950CD03"
+                     Name="Whitelist SignIn7"
+                     Description=""
+                     UserOrGroupSid="S-1-1-0"
+                     Action="Allow">
+    <Conditions>
+      <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
+          ProductName="SignIn"
+          BinaryName="*">
+        <BinaryVersionRange LowSection="*" HighSection="*" />
+      </FilePublisherCondition>
+    </Conditions>
+  </FilePublisherRule>
+  <FilePublisherRule Id="DCF74448-C287-4195-9072-8F3649AB9305"
+                     Name="Whitelist Cortana"
+                     Description=""
+                     UserOrGroupSid="S-1-1-0"
+                     Action="Allow">
+    <Conditions>
+      <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
+          ProductName="Microsoft.Windows.Cortana"
+          BinaryName="*">
+        <BinaryVersionRange LowSection="*" HighSection="*" />
+      </FilePublisherCondition>
+    </Conditions>
+  </FilePublisherRule>
+  <FilePublisherRule Id="BE4FD0C4-527B-45a3-A5B8-F4EA00584779"
+                      Name="Whitelist Cortana ListenUI"
+                      Description=""
+                      UserOrGroupSid="S-1-1-0"
+                      Action="Allow">
+    <Conditions>
+      <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
+          ProductName="CortanaListenUI"
+          BinaryName="*">
+        <BinaryVersionRange LowSection="*" HighSection="*" />
+      </FilePublisherCondition>
+    </Conditions>
+  </FilePublisherRule>
+  <FilePublisherRule Id="336509A7-FFBA-48cb-81BD-8DF9060B3CF8"
+                     Name="Whitelist Email and accounts"
+                     Description=""
+                     UserOrGroupSid="S-1-1-0"
+                     Action="Allow">
+    <Conditions>
+      <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
+          ProductName="Microsoft.AccountsControl"
+          BinaryName="*">
+        <BinaryVersionRange LowSection="*" HighSection="*" />
+      </FilePublisherCondition>
+    </Conditions>
+  </FilePublisherRule>
+  <FilePublisherRule Id="55912F15-0B94-445b-80E1-83BC8F0E8999"
+                     Name="Whitelist Device Portal PIN UX"
+                     Description=""
+                     UserOrGroupSid="S-1-1-0"
+                     Action="Allow">
+    <Conditions>
+      <FilePublisherCondition PublisherName="CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US"
+          ProductName="holopairingapp"
+          BinaryName="*">
+        <BinaryVersionRange LowSection="*" HighSection="*" />
+      </FilePublisherCondition>
+    </Conditions>
+  </FilePublisherRule>
+</RuleCollection>
+```
+
 ## Recommended deny list for Windows Information Protection
 The following example for Windows 10, version 1607 denies known unenlightened Microsoft apps from accessing enterprise data as an allowed app. (An administrator might still use an exempt rule, instead.) This ensures an administrator does not accidentally make these apps Windows Information Protection allowed, and avoid known compatibility issues related to automatic file encryption with these applications.
 
diff --git a/windows/client-management/mdm/assignedaccess-csp.md b/windows/client-management/mdm/assignedaccess-csp.md
index f083dad4a1..fa60680334 100644
--- a/windows/client-management/mdm/assignedaccess-csp.md
+++ b/windows/client-management/mdm/assignedaccess-csp.md
@@ -7,7 +7,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 03/20/2018
+ms.date: 04/25/2018
 ---
 
 # AssignedAccess CSP
@@ -20,7 +20,7 @@ For a step-by-step guide for setting up devices to run in kiosk mode, see [Set u
  In Windows 10, version 1709, the AssignedAccess configuration service provider (CSP) has been expanded to make it easy for administrators to create kiosks that run more than one app. You can configure multi-app kiosks using a provisioning package. For a step-by-step guide, see [Create a Windows 10 kiosk that runs multiple apps](https://docs.microsoft.com/en-us/windows/configuration/lock-down-windows-10-to-specific-apps).
 
 > [!Note]
-> The AssignedAccess CSP is supported in Windows 10 Enterprise and Windows 10 Education. Starting from Windows 10, version 1709 it is also supported in Windows 10 Pro and Windows 10 S.
+> The AssignedAccess CSP is supported in Windows 10 Enterprise and Windows 10 Education. Starting from Windows 10, version 1709 it is also supported in Windows 10 Pro and Windows 10 S. Starting in Windows 10, version 1803, it is also supported in Windows Holographic for Business edition.
 
 The following diagram shows the AssignedAccess configuration service provider in tree format
 
@@ -1137,4 +1137,64 @@ ShellLauncherConfiguration Get
         </xs:complexType>
     </xs:element>
 </xs:schema>
+```
+
+## Windows Holographic for Business edition example 
+
+This example configures the following apps: Skype, Learning, Feedback Hub, and Calibration, for first line workers. Use this XML in a provisioning package using Windows Configuration Designer. For instructions, see [Configure HoloLens using a provisioning package](https://docs.microsoft.com/en-us/hololens/hololens-provisioning).
+
+``` syntax
+<?xml version="1.0" encoding="utf-8" ?>
+<!-- 
+  This is a sample Assigned Access XML file. The Profile specifies which apps are allowed
+  and their app IDs. An Assigned Access Config specifies the accounts or groups to which 
+  a Profile is applicable. 
+  
+  !!! NOTE: Change the Account below to a user in the tenant being tested !!!
+-->
+<AssignedAccessConfiguration xmlns="http://schemas.microsoft.com/AssignedAccess/2017/config">
+    <Profiles>
+        <Profile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}">
+            <AllAppsList>
+                <AllowedApps>
+                    <!-- Learning app -->
+                    <App AppUserModelId="GGVLearning_cw5n1h2txyewy!GGVLearning" />
+                    <!-- Calibration app -->
+                    <App AppUserModelId="ViewCalibrationApp_cw5n1h2txyewy!ViewCalibrationApp" />
+                    <!-- Feedback Hub -->
+                    <App AppUserModelId="Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe!App" />
+                    <!-- HoloSkype -->
+                    <App AppUserModelId="Microsoft.SkypeApp_kzf8qxf38zg5c!App" />
+                </AllowedApps>
+            </AllAppsList>
+            <!-- This section is required for parity with Desktop Assigned Access. It is not currently used on HoloLens -->
+            <StartLayout>
+                <![CDATA[<LayoutModificationTemplate xmlns:defaultlayout="http://schemas.microsoft.com/Start/2014/FullDefaultLayout" xmlns:start="http://schemas.microsoft.com/Start/2014/StartLayout" Version="1" xmlns="http://schemas.microsoft.com/Start/2014/LayoutModification">
+                      <LayoutOptions StartTileGroupCellWidth="6" />
+                      <DefaultLayoutOverride>
+                        <StartLayoutCollection>
+                          <defaultlayout:StartLayout GroupCellWidth="6">
+                            <start:Group Name="Life at a glance">
+                              <start:Tile Size="2x2" Column="0" Row="0" AppUserModelID="Microsoft.SkypeApp_kzf8qxf38zg5c!App" />
+                            </start:Group>
+                          </defaultlayout:StartLayout>
+                        </StartLayoutCollection>
+                      </DefaultLayoutOverride>
+                    </LayoutModificationTemplate>
+                ]]>
+            </StartLayout>
+            <!-- This section is required for parity with Desktop Assigned Access. It is not currently used on HoloLens -->
+            <Taskbar ShowTaskbar="true"/>
+        </Profile>
+    </Profiles>
+    <Configs>
+        <!-- IMPORTANT: Replace the account name here with an email address of the user you want to 
+        be enabled for assigned access. The value in the Account node must begin with 
+        AzureAD\ for AAD accounts. -->
+        <Config>
+            <Account>AzureAD\multiusertest@analogfre.onmicrosoft.com</Account>
+            <DefaultProfile Id="{9A2A490F-10F6-4764-974A-43B19E722C23}"/>
+        </Config>
+    </Configs>
+</AssignedAccessConfiguration>
 ```
\ No newline at end of file
diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md
index 85c2515f2c..aaf22f9dd8 100644
--- a/windows/client-management/mdm/configuration-service-provider-reference.md
+++ b/windows/client-management/mdm/configuration-service-provider-reference.md
@@ -7,7 +7,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 03/23/2018
+ms.date: 04/24/2018
 ---
 
 # Configuration service provider reference
@@ -64,6 +64,34 @@ Footnotes:
 <!--EndSKU-->
 <!--EndCSP-->
 
+<!--StartCSP-->
+[Accounts CSP](accounts-csp.md)  
+
+<!--StartSKU-->
+<table>
+<tr>
+	<th>Home</th>
+	<th>Pro</th>
+	<th>Business</th>
+	<th>Enterprise</th>
+	<th>Education</th>
+	<th>Mobile</th>
+	<th>Mobile Enterprise</th>
+</tr>
+<tr>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+	<td><img src="images/crossmark.png" alt="cross mark" /></td>
+</tr>
+</table>
+
+<!--EndSKU-->
+<!--EndCSP-->
+
 <!--StartCSP-->
 [ActiveSync CSP](activesync-csp.md)  
 
@@ -2557,9 +2585,9 @@ The following list shows the configuration service providers supported in Window
 
 | Configuration service provider        | Windows Holographic edition      | Windows Holographic for Business edition |
 |--------|--------|------------|
-| [AccountManagement CSP](accountmanagement-csp.md)   | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png)3       |
-| [Application CSP](application-csp.md)   | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png)       |
+| [AccountManagement CSP](accountmanagement-csp.md)   | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png)4       |
 | [AppLocker CSP](applocker-csp.md)      | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png)       |
+| [AssignedAccess CSP](assignedaccess-csp.md)      | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png)4       |
 | [CertificateStore CSP](certificatestore-csp.md)    | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png)|
 | [ClientCertificateInstall CSP](clientcertificateinstall-csp.md)  | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png)       |
 | [DevDetail CSP](devdetail-csp.md)   | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png)       |
@@ -2578,9 +2606,11 @@ The following list shows the configuration service providers supported in Window
 | [WiFi CSP](wifi-csp.md)     | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png)       |
 | [WindowsLicensing CSP](windowslicensing-csp.md)   | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png)       |
 
-Footnotes: 
-- 2 - Added in Windows 10, version 1703
-- 3 - Added in Windows 10, version 1803
+ Footnotes: 
+- 1 - Added in Windows 10, version 1607
+- 2 - Added in Windows 10, version 1703  
+- 3 - Added in Windows 10, version 1709
+- 4 - Added in Windows 10, version 1803
 
 ## <a href="" id="surfacehubcspsupport"></a>CSPs supported in Microsoft Surface Hub
 
diff --git a/windows/client-management/mdm/images/provisioning-csp-accounts.png b/windows/client-management/mdm/images/provisioning-csp-accounts.png
new file mode 100644
index 0000000000..ceb90aff58
Binary files /dev/null and b/windows/client-management/mdm/images/provisioning-csp-accounts.png differ
diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
index 6270e63cb6..a5338c8831 100644
--- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
+++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
@@ -10,7 +10,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 04/11/2018
+ms.date: 04/25/2018
 ---
 
 # What's new in MDM enrollment and management
@@ -1185,7 +1185,6 @@ For details about Microsoft mobile device management protocols for Windows 10 s
 <li>LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior</li> 
 <li>LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees</li> 
 <li>LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers</li> 
-<li>LocalPoliciesSecurityOptions/MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession</li> 
 <li>LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways</li> 
 <li>LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees</li> 
 <li>LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts</li> 
@@ -1310,7 +1309,7 @@ For details about Microsoft mobile device management protocols for Windows 10 s
 <li>ShellLauncher</li>
 <li>StatusConfiguration</li>
 </ul>
-<p>Updated the AssigneAccessConfiguration schema.</p>
+<p>Updated the AssigneAccessConfiguration schema. Starting in Windows 10, version 1803 AssignedAccess CSP is supported in Windows Holographic for Business edition. Added example for Windows Holographic for Business edition.</p>
 </td></tr>
 <tr class="odd">
 <td style="vertical-align:top">[MultiSIM CSP](multisim-csp.md)</td>
@@ -1340,7 +1339,6 @@ For details about Microsoft mobile device management protocols for Windows 10 s
 <tr>
 <td style="vertical-align:top">[AccountManagement CSP](accountmanagement-csp.md)</td>
 <td style="vertical-align:top"><p>Added a new CSP in Windows 10, version 1803.</p>
-</ul>
 </td></tr>
 <tr>
 <td style="vertical-align:top">[RootCATrustedCertificates CSP](rootcacertificates-csp.md)</td>
@@ -1356,6 +1354,10 @@ For details about Microsoft mobile device management protocols for Windows 10 s
 <li>ProxySettingsPerUser</li>
 </ul>
 </td></tr>
+<tr>
+<td style="vertical-align:top">[Accounts CSP](accounts-csp.md)</td>
+<td style="vertical-align:top"><p>Added a new CSP in Windows 10, version 1803.</p>
+</td></tr>
 </tbody>
 </table>
 
@@ -1654,6 +1656,10 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
 </ul>
 </td></tr>
 <tr>
+<td style="vertical-align:top">[Accounts CSP](accounts-csp.md)</td>
+<td style="vertical-align:top"><p>Added a new CSP in Windows 10, version 1803.</p>
+</td></tr>
+<tr>
 <td style="vertical-align:top">[Policy CSP](policy-configuration-service-provider.md)</td>
 <td style="vertical-align:top"><p>Added the following new policies for Windows 10, version 1803:</p>
 <ul>
@@ -1801,7 +1807,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
 <li>ShellLauncher</li>
 <li>StatusConfiguration</li>
 </ul>
-<p>Updated the AssigneAccessConfiguration schema.</p>
+<p>Updated the AssigneAccessConfiguration schema. Starting in Windows 10, version 1803 AssignedAccess CSP is supported in Windows Holographic for Business edition. Added example for Windows Holographic for Business edition.</p>
 </td></tr>
 <tr class="odd">
 <td style="vertical-align:top">[MultiSIM CSP](multisim-csp.md)</td>
@@ -1863,7 +1869,6 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware
 <li>LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior</li> 
 <li>LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees</li> 
 <li>LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers</li> 
-<li>LocalPoliciesSecurityOptions/MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession</li> 
 <li>LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways</li> 
 <li>LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees</li> 
 <li>LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts</li> 
diff --git a/windows/client-management/mdm/office-csp.md b/windows/client-management/mdm/office-csp.md
index f031f91a4b..5386096239 100644
--- a/windows/client-management/mdm/office-csp.md
+++ b/windows/client-management/mdm/office-csp.md
@@ -6,13 +6,13 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 01/26/2018
+ms.date: 04/25/2018
 ---
 
 # Office CSP
 
 
-The Office configuration service provider (CSP) enables a Microsoft Office client to be installed on a device via the Office Deployment Tool (ODT). For more information, see [Configuration options for the Office Deployment Tool](https://technet.microsoft.com/en-us/library/jj219426.aspx). 
+The Office configuration service provider (CSP) enables a Microsoft Office client to be installed on a device via the Office Deployment Tool (ODT). For more information, see [Configuration options for the Office Deployment Tool](https://technet.microsoft.com/en-us/library/jj219426.aspx) and [How to assign Office 365 apps to Windows 10 devices with Microsoft Intune](https://docs.microsoft.com/en-us/intune/apps-add-office365). 
 This CSP was added in Windows 10, version 1703.
 
 For additional information, see [Office DDF](office-ddf.md).
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index f3472fae60..71f83755e0 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -2054,9 +2054,6 @@ The following diagram shows the Policy configuration service provider in tree fo
   <dd>
     <a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkclient-sendunencryptedpasswordtothirdpartysmbservers" id="localpoliciessecurityoptions-microsoftnetworkclient-sendunencryptedpasswordtothirdpartysmbservers">LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers</a>
   </dd>
-  <dd>
-    <a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkserver-amountofidletimerequiredbeforesuspendingsession" id="localpoliciessecurityoptions-microsoftnetworkserver-amountofidletimerequiredbeforesuspendingsession">LocalPoliciesSecurityOptions/MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession</a>
-  </dd>
   <dd>
     <a href="./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkserver-digitallysigncommunicationsalways" id="localpoliciessecurityoptions-microsoftnetworkserver-digitallysigncommunicationsalways">LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways</a>
   </dd>
@@ -4388,7 +4385,6 @@ The following diagram shows the Policy configuration service provider in tree fo
 -   [LocalPoliciesSecurityOptions/InteractiveLogon_SmartCardRemovalBehavior](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-interactivelogon-smartcardremovalbehavior)
 -   [LocalPoliciesSecurityOptions/MicrosoftNetworkClient_DigitallySignCommunicationsIfServerAgrees](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkclient-digitallysigncommunicationsifserveragrees)
 -   [LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkclient-sendunencryptedpasswordtothirdpartysmbservers)
--   [LocalPoliciesSecurityOptions/MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkserver-amountofidletimerequiredbeforesuspendingsession)
 -   [LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkserver-digitallysigncommunicationsalways)
 -   [LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsIfClientAgrees](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-microsoftnetworkserver-digitallysigncommunicationsifclientagrees)
 -   [LocalPoliciesSecurityOptions/NetworkAccess_DoNotAllowAnonymousEnumerationOfSAMAccounts](./policy-csp-localpoliciessecurityoptions.md#localpoliciessecurityoptions-networkaccess-donotallowanonymousenumerationofsamaccounts)
diff --git a/windows/client-management/mdm/policy-csp-defender.md b/windows/client-management/mdm/policy-csp-defender.md
index 76c96ac41d..a0edded74d 100644
--- a/windows/client-management/mdm/policy-csp-defender.md
+++ b/windows/client-management/mdm/policy-csp-defender.md
@@ -936,7 +936,7 @@ The following list shows the supported values:
 </tr>
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+	<td><img src="images/crossmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
@@ -994,7 +994,7 @@ ADMX Info:
 </tr>
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
+	<td><img src="images/crossmark.png" alt="check mark" /></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>3</sup></td>
diff --git a/windows/client-management/mdm/policy-csp-deliveryoptimization.md b/windows/client-management/mdm/policy-csp-deliveryoptimization.md
index 9b31c6322f..aa3591630f 100644
--- a/windows/client-management/mdm/policy-csp-deliveryoptimization.md
+++ b/windows/client-management/mdm/policy-csp-deliveryoptimization.md
@@ -509,7 +509,7 @@ If you set this policy, the GroupID policy will be ignored.
 
 The options set in this policy only apply to Group (2) download mode. If Group (2) isn't set as Download mode, this policy will be ignored.  
 
-For option 4 - DHCP Option ID, the client will query DHCP Option ID 234 and use the returned GUID value as the Group ID.
+For option 3 - DHCP Option ID, the client will query DHCP Option ID 234 and use the returned GUID value as the Group ID.
 
 <!--/Description-->
 <!--ADMXMapped-->
diff --git a/windows/client-management/mdm/policy-csp-devicelock.md b/windows/client-management/mdm/policy-csp-devicelock.md
index 4ffde366c7..0a7c86e017 100644
--- a/windows/client-management/mdm/policy-csp-devicelock.md
+++ b/windows/client-management/mdm/policy-csp-devicelock.md
@@ -547,7 +547,7 @@ The following list shows the supported values:
 <tr>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-	<td></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
 	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
 	<td><img src="images/crossmark.png" alt="cross mark" /></td>
diff --git a/windows/client-management/mdm/policy-csp-kioskbrowser.md b/windows/client-management/mdm/policy-csp-kioskbrowser.md
index 863f6e7bce..f662a910d4 100644
--- a/windows/client-management/mdm/policy-csp-kioskbrowser.md
+++ b/windows/client-management/mdm/policy-csp-kioskbrowser.md
@@ -223,7 +223,7 @@ Added in Windows 10, version 1803. Configures the default URL kiosk browsers to
 
 <!--/Scope-->
 <!--Description-->
-Enables kiosk browser's end session button. When the policy is enabled, the kiosk browser enables a button to reset the browser by navigating back to the default URL and clearing the browsing data (cache, cookies, etc). When the user clicks on the button, the app will prompt the user for confirmation to end the session.
+Shows the Kiosk Browser's end session button. When the policy is enabled, the Kiosk Browser app shows a button to reset the browser. When the user clicks on the button, the app will prompt the user for confirmation to end the session. When the user confirms, the Kiosk broswser will clear all browsing data (cache, cookies, etc.) and navigate back to the default URL.
 
 <!--/Description-->
 <!--SupportedValues-->
diff --git a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
index 34c61a2c31..eba91fae44 100644
--- a/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
+++ b/windows/client-management/mdm/policy-csp-localpoliciessecurityoptions.md
@@ -90,9 +90,6 @@ ms.date: 04/06/2018
   <dd>
     <a href="#localpoliciessecurityoptions-microsoftnetworkclient-sendunencryptedpasswordtothirdpartysmbservers">LocalPoliciesSecurityOptions/MicrosoftNetworkClient_SendUnencryptedPasswordToThirdPartySMBServers</a>
   </dd>
-  <dd>
-    <a href="#localpoliciessecurityoptions-microsoftnetworkserver-amountofidletimerequiredbeforesuspendingsession">LocalPoliciesSecurityOptions/MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession</a>
-  </dd>
   <dd>
     <a href="#localpoliciessecurityoptions-microsoftnetworkserver-digitallysigncommunicationsalways">LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways</a>
   </dd>
@@ -1612,63 +1609,6 @@ GP Info:
 
 <hr/>
 
-<!--Policy-->
-<a href="" id="localpoliciessecurityoptions-microsoftnetworkserver-amountofidletimerequiredbeforesuspendingsession"></a>**LocalPoliciesSecurityOptions/MicrosoftNetworkServer_AmountOfIdleTimeRequiredBeforeSuspendingSession**  
-
-<!--SupportedSKUs-->
-<table>
-<tr>
-	<th>Home</th>
-	<th>Pro</th>
-	<th>Business</th>
-	<th>Enterprise</th>
-	<th>Education</th>
-	<th>Mobile</th>
-	<th>Mobile Enterprise</th>
-</tr>
-<tr>
-	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>4</sup></td>
-	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-	<td><img src="images/crossmark.png" alt="cross mark" /></td>
-</tr>
-</table>
-
-<!--/SupportedSKUs-->
-<!--Scope-->
-[Scope](./policy-configuration-service-provider.md#policy-scope):
-
-> [!div class = "checklist"]
-> * Device
-
-<hr/>
-
-<!--/Scope-->
-<!--Description-->
-Microsoft network server: Amount of idle time required before suspending a session
-
-This security setting determines the amount of continuous idle time that must pass in a Server Message Block (SMB) session before the session is suspended due to inactivity.
-
-Administrators can use this policy to control when a computer suspends an inactive SMB session. If client activity resumes, the session is automatically reestablished.
-
-For this policy setting, a value of 0 means to disconnect an idle session as quickly as is reasonably possible. The maximum value is 99999, which is 208 days; in effect, this value disables the policy.
-
-Default:This policy is not defined, which means that the system treats it as 15 minutes for servers and undefined for workstations.
-
-<!--/Description-->
-<!--RegistryMapped-->
-GP Info:  
--   GP English name: *Microsoft network server: Amount of idle time required before suspending session*
--   GP path: *Windows Settings/Security Settings/Local Policies/Security Options*
-
-<!--/RegistryMapped-->
-<!--/Policy-->
-
-<hr/>
-
 <!--Policy-->
 <a href="" id="localpoliciessecurityoptions-microsoftnetworkserver-digitallysigncommunicationsalways"></a>**LocalPoliciesSecurityOptions/MicrosoftNetworkServer_DigitallySignCommunicationsAlways**  
 
diff --git a/windows/client-management/mdm/policy-csp-privacy.md b/windows/client-management/mdm/policy-csp-privacy.md
index 932edbd301..18b6e20034 100644
--- a/windows/client-management/mdm/policy-csp-privacy.md
+++ b/windows/client-management/mdm/policy-csp-privacy.md
@@ -6,7 +6,7 @@ ms.topic: article
 ms.prod: w10
 ms.technology: windows
 author: nickbrower
-ms.date: 03/12/2018
+ms.date: 04/19/2018
 ---
 
 # Policy CSP - Privacy
@@ -3352,13 +3352,13 @@ ADMX Info:
 	<th>Mobile Enterprise</th>
 </tr>
 <tr>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
-	<td></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
 </tr>
 </table>
 
@@ -3404,13 +3404,13 @@ ADMX Info:
 	<th>Mobile Enterprise</th>
 </tr>
 <tr>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
-	<td></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
 </tr>
 </table>
 
@@ -3456,13 +3456,13 @@ ADMX Info:
 	<th>Mobile Enterprise</th>
 </tr>
 <tr>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
-	<td></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
 </tr>
 </table>
 
@@ -3508,13 +3508,13 @@ ADMX Info:
 	<th>Mobile Enterprise</th>
 </tr>
 <tr>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
-	<td></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
-	<td><img src="images/checkmark.png" alt="check mark" /><sup>1</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
+	<td><img src="images/checkmark.png" alt="check mark" /><sup>2</sup></td>
 </tr>
 </table>
 
diff --git a/windows/configuration/TOC.md b/windows/configuration/TOC.md
index 21616cfe36..2632bc321e 100644
--- a/windows/configuration/TOC.md
+++ b/windows/configuration/TOC.md
@@ -1,7 +1,8 @@
 # [Configure Windows 10](index.md)
 ## [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md)
 ## [Diagnostic Data Viewer Overview](diagnostic-data-viewer-overview.md)
-## [Windows 10, version 1709 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md)
+## [Windows 10, version 1803 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md)
+## [Windows 10, version 1709 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md)
 ## [Windows 10, version 1703 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md)
 ## [Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics](enhanced-diagnostic-data-windows-analytics-events-and-fields.md)
 ## [Windows 10, version 1709 diagnostic data for the Full level](windows-diagnostic-data.md)
diff --git a/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1709.md b/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1709.md
new file mode 100644
index 0000000000..06874ee41a
--- /dev/null
+++ b/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1709.md
@@ -0,0 +1,4741 @@
+---
+description: Learn more about the Windows diagnostic data that is gathered at the basic level.
+title: Windows 10, version 1709 basic diagnostic events and fields (Windows 10)
+keywords: privacy, diagnostic data
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: high
+author: eross-msft
+ms.author: lizross
+ms.date: 03/13/2018
+---
+
+
+# Windows 10, version 1709 basic level Windows diagnostic events and fields
+
+
+ **Applies to**
+
+- Windows 10, version 1709
+
+
+The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Microsoft Store. When the level is set to Basic, it also includes the Security level information.
+
+The Basic level helps to identify problems that can occur on a particular device hardware or software configuration. For example, it can help determine if crashes are more frequent on devices with a specific amount of memory or that are running a particular driver version. This helps Microsoft fix operating system or app problems.
+
+Use this article to learn about diagnostic events, grouped by event area, and the fields within each event. A brief description is provided for each field. Every event generated includes common data, which collects device data.
+
+You can learn more about Windows functional and diagnostic data through these articles:
+
+
+- [Windows 10, version 1703 basic diagnostic events and fields](https://docs.microsoft.com/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1703)
+- [Manage connections from Windows operating system components to Microsoft services](https://docs.microsoft.com/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services)
+- [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization)
+
+
+
+# Common data extensions
+
+### Common Data Extensions.App
+
+ 
+
+The following fields are available:
+
+- **expId**  Associates a flight, such as an OS flight, or an experiment, such as a web site UX experiment, with an event.
+- **userId**  The userID as known by the application.
+- **env**  The environment from which the event was logged.
+- **asId**  An integer value that represents the app session. This value starts at 0 on the first app launch and increments after each subsequent app launch per boot session.
+
+
+### Common Data Extensions.CS
+
+ 
+
+The following fields are available:
+
+- **sig**  A common schema signature that identifies new and modified event schemas.
+
+
+### Common Data Extensions.CUET
+
+ 
+
+The following fields are available:
+
+- **stId**  Represents the Scenario Entry Point ID. This is a unique GUID for each event in a diagnostic scenario. This used to be Scenario Trigger ID.
+- **aId**  Represents the ETW ActivityId. Logged via TraceLogging or directly via ETW.
+- **raId**  Represents the ETW Related ActivityId. Logged via TraceLogging or directly via ETW.
+- **op**  Represents the ETW Op Code.
+- **cat**  Represents a bitmask of the ETW Keywords associated with the event.
+- **flags**  Represents the bitmap that captures various Windows specific flags.
+- **cpId**  The composer ID, such as Reference, Desktop, Phone, Holographic, Hub, IoT Composer.
+- **tickets**  A list of strings that represent entries in the HTTP header of the web request that includes this event.
+- **bseq**  Upload buffer sequence number in the format \<buffer identifier\>:\<sequence number\>
+- **mon**  Combined monitor and event sequence numbers in the format \<monitor sequence\>:\<event sequence\>
+
+
+### Common Data Extensions.Device
+
+ 
+
+The following fields are available:
+
+- **ver**  Represents the major and minor version of the extension.
+- **localId**  Represents a locally defined unique ID for the device, not the human readable device name. Most likely equal to the value stored at HKLM\Software\Microsoft\SQMClient\MachineId
+- **deviceClass**  Represents the classification of the device, the device “family”.  For example, Desktop, Server, or Mobile.
+
+
+### Common Data Extensions.Envelope
+
+ 
+
+The following fields are available:
+
+- **ver**  Represents the major and minor version of the extension.
+- **name**  Represents the uniquely qualified name for the event.
+- **time**  Represents the event date time in Coordinated Universal Time (UTC) when the event was generated on the client. This should be in ISO 8601 format.
+- **popSample**  Represents the effective sample rate for this event at the time it was generated by a client.
+- **epoch**  Represents the epoch and seqNum fields, which help track how many events were fired and how many events were uploaded, and enables identification of data lost during upload and de-duplication of events on the ingress server.
+- **seqNum**  Represents the sequence field used to track absolute order of uploaded events. It is an incrementing identifier for each event added to the upload queue.  The Sequence helps track how many events were fired and how many events were uploaded and enables identification of data lost during upload and de-duplication of events on the ingress server.
+- **iKey**  Represents an ID for applications or other logical groupings of events.
+- **flags**  Represents a collection of bits that describe how the event should be processed by the Connected User Experiences and Telemetry component pipeline. The lowest-order byte is the event persistence. The next byte is the event latency.
+- **os**  Represents the operating system name.
+- **osVer**  Represents the OS version, and its format is OS dependent.
+- **appId**  Represents a unique identifier of the client application currently loaded in the process producing the event; and is used to group events together and understand usage pattern, errors by application.
+- **appVer**  Represents the version number of the application. Used to understand errors by Version, Usage by Version across an app.
+- **cV**  Represents the Correlation Vector: A single field for tracking partial order of related diagnostic data events across component boundaries.
+
+
+### Common Data Extensions.OS
+
+ 
+
+The following fields are available:
+
+- **ver**  Represents the major and minor version of the extension.
+- **expId**  Represents the experiment ID. The standard for associating a flight, such as an OS flight (pre-release build), or an experiment, such as a web site UX experiment, with an event is to record the flight / experiment IDs in Part A of the common schema.
+- **locale**  Represents the locale of the operating system.
+- **bootId**  An integer value that represents the boot session. This value starts at 0 on first boot after OS install and increments after every reboot.
+
+
+### Common Data Extensions.User
+
+ 
+
+The following fields are available:
+
+- **ver**  Represents the major and minor version of the extension.
+- **localId**  Represents a unique user identity that is created locally and added by the client. This is not the user's account ID.
+
+
+### Common Data Extensions.XBL
+
+ 
+
+The following fields are available:
+
+- **nbf**  Not before time
+- **expId**  Expiration time
+- **sbx**  XBOX sandbox identifier
+- **dty**  XBOX device type
+- **did**  XBOX device ID
+- **xid**  A list of base10-encoded XBOX User IDs.
+- **uts**  A bit field, with 2 bits being assigned to each user ID listed in xid. This field is omitted if all users are retail accounts.
+
+
+### Common Data Extensions.Consent UI Event
+
+This User Account Control (UAC) diagnostic data point collects information on elevations that originate from low integrity levels. This occurs when a process running at low integrity level (IL) requires higher (administrator) privileges, and therefore requests for elevation via UAC (consent.exe). By better understanding the processes requesting these elevations, Microsoft can in turn improve the detection and handling of potentially malicious behavior in this path.
+
+The following fields are available:
+
+- **eventType**  Represents the type of elevation: If it succeeded, was cancelled, or was auto-approved.
+- **splitToken**  Represents the flag used to distinguish between administrators and standard users.
+- **friendlyName**  Represents the name of the file requesting elevation from low IL.
+- **elevationReason**  Represents the distinction between various elevation requests sources (appcompat, installer, COM, MSI and so on).
+- **exeName**  Represents the name of the file requesting elevation from low IL.
+- **signatureState**  Represents the state of the signature, if it signed, unsigned, OS signed and so on.
+- **publisherName**  Represents the name of the publisher of the file requesting elevation from low IL.
+- **cmdLine**  Represents the full command line arguments being used to elevate.
+- **Hash.Length**  Represents the length of the hash of the file requesting elevation from low IL.
+- **Hash**  Represents the hash of the file requesting elevation from low IL.
+- **HashAlgId**  Represents the algorithm ID of the hash of the file requesting elevation from low IL.
+- **telemetryFlags**  Represents the details about the elevation prompt for CEIP data.
+- **timeStamp**  Represents the time stamp on the file requesting elevation.
+- **fileVersionMS**  Represents the major version of the file requesting elevation.
+- **fileVersionLS**  Represents the minor version of the file requesting elevation.
+
+
+## Common data fields
+
+### Common Data Fields.MS.Device.DeviceInventory.Change
+
+These fields are added whenever Ms.Device.DeviceInventoryChange is included in the event.
+
+The following fields are available:
+
+- **syncId**  A string used to group StartSync, EndSync, Add, and Remove operations that belong together. This field is unique by Sync period and is used to disambiguate in situations where multiple agents perform overlapping inventories for the same object.
+- **objectType**  Indicates the object type that the event applies to.
+- **Action**  The change that was invoked on a device inventory object.
+- **inventoryId**  Device ID used for Compatibility testing
+
+
+### Common Data Fields.TelClientSynthetic.PrivacySettingsAfterCreatorsUpdate.PreUpgradeSettings
+
+These fields are added whenever PreUpgradeSettings is included in the event.
+
+The following fields are available:
+
+- **HKLM_SensorPermissionState.SensorPermissionState**  The state of the Location service before the feature update completed.
+- **HKLM_SensorPermissionState.HRESULT**  The error code returned when trying to query the Location service for the device.
+- **HKCU_SensorPermissionState.SensorPermissionState**  The state of the Location service when a user signs on before the feature update completed.
+- **HKCU_SensorPermissionState.HRESULT**  The error code returned when trying to query the Location service for the current user.
+- **HKLM_LocationPlatform.Status**  The state of the location platform after the feature update has completed.
+- **HKLM_LocationPlatform.HRESULT**  The error code returned when trying to query the location platform for the device.
+- **HKLM_LocationSyncEnabled.AcceptedPrivacyPolicy**  The speech recognition state for the device before the feature update completed.
+- **HKLM_LocationSyncEnabled.HRESULT**  The error code returned when trying to query the Find My Device service for the device.
+- **HKCU_LocationSyncEnabled.AcceptedPrivacyPolicy**  The speech recognition state for the current user before the feature update completed.
+- **HKCU_LocationSyncEnabled.HRESULT**  The error code returned when trying to query the Find My Device service for the current user.
+- **HKLM_AllowTelemetry.AllowTelemetry**  The state of the Connected User Experiences and Telemetry component for the device before the feature update.
+- **HKLM_AllowTelemetry.HRESULT**  The error code returned when trying to query the Connected User Experiences and Telemetry conponent for the device.
+- **HKLM_TIPC.Enabled**  The state of TIPC for the device.
+- **HKLM_TIPC.HRESULT**  The error code returned when trying to query TIPC for the device.
+- **HKCU_TIPC.Enabled**  The state of TIPC for the current user.
+- **HKCU_TIPC.HRESULT**  The error code returned when trying to query TIPC for the current user.
+- **HKLM_FlipAhead.FPEnabled**  Is Flip Ahead enabled for the device before the feature update was completed?
+- **HKLM_FlipAhead.HRESULT**  The error code returned when trying to query Flip Ahead for the device.
+- **HKCU_FlipAhead.FPEnabled**  Is Flip Ahead enabled for the current user before the feature update was completed?
+- **HKCU_FlipAhead.HRESULT**  The error code returned when trying to query Flip Ahead for the current user.
+- **HKLM_TailoredExperiences.TailoredExperiencesWithDiagnosticDataEnabled**  Is Tailored Experiences with Diagnostics Data enabled for the current user after the feature update had completed?
+- **HKCU_TailoredExperiences.HRESULT**  The error code returned when trying to query Tailored Experiences with Diagnostics Data for the current user.
+- **HKLM_AdvertisingID.Enabled**  Is the adveristing ID enabled for the device?
+- **HKLM_AdvertisingID.HRESULT**  The error code returned when trying to query the state of the advertising ID for the device.
+- **HKCU_AdvertisingID.Enabled**  Is the adveristing ID enabled for the current user?
+- **HKCU_AdvertisingID.HRESULT**  The error code returned when trying to query the state of the advertising ID for the user.
+
+
+### Common Data Fields.TelClientSynthetic.PrivacySettingsAfterCreatorsUpdate.PostUpgradeSettings
+
+These fields are added whenever PostUpgradeSettings is included in the event.
+
+The following fields are available:
+
+- **HKLM_SensorPermissionState.SensorPermissionState**  The state of the Location service after the feature update has completed.
+- **HKLM_SensorPermissionState.HRESULT**  The error code returned when trying to query the Location service for the device.
+- **HKCU_SensorPermissionState.SensorPermissionState**  The state of the Location service when a user signs on after a feature update has completed.
+- **HKCU_SensorPermissionState.HRESULT**  The error code returned when trying to query the Location service for the current user.
+- **HKLM_LocationPlatform.Status**  The state of the location platform after the feature update has completed.
+- **HKLM_LocationPlatform.HRESULT**  The error code returned when trying to query the location platform for the device.
+- **HKLM_LocationSyncEnabled.AcceptedPrivacyPolicy**  The speech recognition state for the device after the feature update has completed.
+- **HKLM_LocationSyncEnabled.HRESULT**  The error code returned when trying to query the Find My Device service for the device.
+- **HKCU_LocationSyncEnabled.AcceptedPrivacyPolicy**  The speech recognition state for the current user after the feature update has completed.
+- **HKCU_LocationSyncEnabled.HRESULT**  The error code returned when trying to query the Find My Device service for the current user.
+- **HKLM_AllowTelemetry.AllowTelemetry**  The state of the Connected User Experiences and Telemetry component for the device after the feature update.
+- **HKLM_AllowTelemetry.HRESULT**  The error code returned when trying to query the Connected User Experiences and Telemetry conponent for the device.
+- **HKLM_TIPC.Enabled**  The state of TIPC for the device.
+- **HKLM_TIPC.HRESULT**  The error code returned when trying to query TIPC for the device.
+- **HKCU_TIPC.Enabled**  The state of TIPC for the current user.
+- **HKCU_TIPC.HRESULT**  The error code returned when trying to query TIPC for the current user.
+- **HKLM_FlipAhead.FPEnabled**  Is Flip Ahead enabled for the device after the feature update has completed?
+- **HKLM_FlipAhead.HRESULT**  The error code returned when trying to query Flip Ahead for the device.
+- **HKCU_FlipAhead.FPEnabled**  Is Flip Ahead enabled for the current user after the feature update has completed?
+- **HKCU_FlipAhead.HRESULT**  The error code returned when trying to query Flip Ahead for the current user.
+- **HKLM_TailoredExperiences.TailoredExperiencesWithDiagnosticDataEnabled**  Is Tailored Experiences with Diagnostics Data enabled for the current user after the feature update had completed?
+- **HKCU_TailoredExperiences.HRESULT**  The error code returned when trying to query Tailored Experiences with Diagnostics Data for the current user.
+- **HKLM_AdvertisingID.Enabled**  Is the adveristing ID enabled for the device?
+- **HKLM_AdvertisingID.HRESULT**  The error code returned when trying to query the state of the advertising ID for the device.
+- **HKCU_AdvertisingID.Enabled**  Is the adveristing ID enabled for the current user?
+- **HKCU_AdvertisingID.HRESULT**  The error code returned when trying to query the state of the advertising ID for the user.
+
+
+## Appraiser events
+
+### Microsoft.Windows.Appraiser.General.RunContext
+
+This event indicates what should be expected in the data payload.
+
+The following fields are available:
+
+- **AppraiserBranch**  The source branch in which the currently running version of Appraiser was built.
+- **AppraiserProcess**  The name of the process that launched Appraiser.
+- **AppraiserVersion**  The version of the Appraiser file generating the events.
+- **Context**  Indicates what mode Appraiser is running in. Example: Setup or Diagnostic Data.
+- **PCFP**  An ID for the system calculated by hashing hardware identifiers.
+- **Time**  The client time of the event.
+
+
+### Microsoft.Windows.Appraiser.General.TelemetryRunHealth
+
+A summary event indicating the parameters and result of a diagnostic data run. This allows the rest of the data sent over the course of the run to be properly contextualized and understood, which is then used to keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserBranch**  The source branch in which the version of Appraiser that is running was built.
+- **AppraiserDataVersion**  The version of the data files being used by the Appraiser diagnostic data run.
+- **AppraiserProcess**  The name of the process that launched Appraiser.
+- **AppraiserVersion**  The file version (major, minor and build) of the Appraiser DLL, concatenated without dots.
+- **AuxFinal**  Obsolete, always set to false
+- **AuxInitial**  Obsolete, indicates if Appraiser is writing data files to be read by the Get Windows 10 app.
+- **DeadlineDate**  A timestamp representing the deadline date, which is the time until which appraiser will wait to do a full scan.
+- **EnterpriseRun**  Indicates if the diagnostic data run is an enterprise run, which means appraiser was run from the command line with an extra enterprise parameter.
+- **FullSync**  Indicates if Appraiser is performing a full sync, which means that full set of events representing the state of the machine are sent. Otherwise, only the changes from the previous run are sent.
+- **InventoryFullSync**  Indicates if inventory is performing a full sync, which means that the full set of events representing the inventory of machine are sent.
+- **PCFP**  An ID for the system calculated by hashing hardware identifiers.
+- **PerfBackoff**  Indicates if the run was invoked with logic to stop running when a user is present. Helps to understand why a run may have a longer elapsed time than normal.
+- **PerfBackoffInsurance**  Indicates if appraiser is running without performance backoff because it has run with perf backoff and failed to complete several times in a row.
+- **RunAppraiser**  Indicates if Appraiser was set to run at all. If this if false, it is understood that data events will not be received from this device.
+- **RunDate**  The date that the diagnostic data run was stated, expressed as a filetime.
+- **RunGeneralTel**  Indicates if the generaltel.dll component was run. Generaltel collects additional diagnostic data on an infrequent schedule and only from machines at diagnostic data levels higher than Basic.
+- **RunOnline**  Indicates if appraiser was able to connect to Windows Update and theefore is making decisions using up-to-date driver coverage information.
+- **RunResult**  The hresult of the Appraiser diagnostic data run.
+- **SendingUtc**  Indicates if the Appraiser client is sending events during the current diagnostic data run.
+- **StoreHandleIsNotNull**  Obsolete, always set to false
+- **TelementrySent**  Indicates if diagnostic data was successfully sent.
+- **ThrottlingUtc**  Indicates if the Appraiser client is throttling its output of CUET events to avoid being disabled. This increases runtime but also diagnostic data reliability.
+- **Time**  The client time of the event.
+- **VerboseMode**  Indicates if appraiser ran in Verbose mode, which is a test-only mode with extra logging.
+- **WhyFullSyncWithoutTablePrefix**  Indicates the reason or reasons that a full sync was generated.
+
+
+### Microsoft.Windows.Appraiser.General.EnterpriseScenarioWithDiagTrackServiceRunning
+
+The event that indicates that Appraiser has been triggered to run an enterprise scenario while the DiagTrack service is installed. This event can only be sent if a special flag is used to trigger the enterprise scenario.
+
+The following fields are available:
+
+- **PCFP**  An ID for the system calculated by hashing hardware identifiers.
+- **Time**  The client time of the event.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryApplicationFileAdd
+
+This event represents the basic metadata about a file on the system.  The file must be part of an app and either have a block in the compatibility database or are part of an anti-virus program.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file generating the events.
+- **AvDisplayName** If the app is an anti-virus app, this is its display name.
+- **AvProductState** Represents state of antivirus program with respect to whether it's turned on and the signatures are up-to-date.
+- **BinaryType**  A binary type.  Example: UNINITIALIZED, ZERO_BYTE, DATA_ONLY, DOS_MODULE, NE16_MODULE, PE32_UNKNOWN, PE32_I386, PE32_ARM, PE64_UNKNOWN, PE64_AMD64, PE64_ARM64, PE64_IA64, PE32_CLR_32, PE32_CLR_IL, PE32_CLR_IL_PREFER32, PE64_CLR_64
+- **BinFileVersion**  An attempt to clean up FileVersion at the client that tries to place the version into 4 octets.
+- **BinProductVersion**  An attempt to clean up ProductVersion at the client that tries to place the version into 4 octets.
+- **BoeProgramId**  If there is no entry in Add/Remove Programs, this is the ProgramID that is generated from the file metadata.
+- **CompanyName**  The company name of the vendor who developed this file.
+- **FileId**  A hash that uniquely identifies a file.
+- **FileVersion**  The File version field from the file metadata under Properties -> Details.
+- **HasUpgradeExe** Does the anti-virus app have an upgrade.exe file?
+- **IsAv** Is the file an anti-virus reporting EXE?
+- **LinkDate**  The date and time that this file was linked on.
+- **LowerCaseLongPath**  The full file path to the file that was inventoried on the device.
+- **Name**  The name of the file that was inventoried.
+- **ProductName**  The Product name field from the file metadata under Properties -> Details.
+- **ProductVersion**  The Product version field from the file metadata under Properties -> Details.
+- **ProgramId**  A hash of the Name, Version, Publisher, and Language of an application used to identify it.
+- **Size**  The size of the file (in hexadecimal bytes).
+
+### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverAdd
+
+This event represents the drivers that an application installs.
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory component 
+- **Programids** The unique program identifier the driver is associated with.
+
+
+## Microsoft.Windows.Inventory.Core.InventoryApplicationDriverStartSync
+
+This event indicates that a new set of InventoryApplicationDriverStartAdd events will be sent. 
+
+The following fields are available:
+
+- **InventoryVersion** The version of the inventory component.
+
+### Microsoft.Windows.Appraiser.General.DecisionApplicationFileAdd
+
+This event sends compatibility decision data about a file to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the appraiser file generating the events.
+- **BlockAlreadyInbox**  The uplevel runtime block on the file already existed on the current OS.
+- **BlockingApplication**  Are there any application issues that interfere with upgrade due to the file in question?
+- **DisplayGenericMessage**  Will be a generic message be shown for this file?
+- **HardBlock**  This file is blocked in the SDB.
+- **HasUxBlockOverride**  Does the file have a block that is overridden by a tag in the SDB?
+- **MigApplication**  Does the file have a MigXML from the SDB associated with it that applies to the current upgrade mode?
+- **MigRemoval**  Does the file have a MigXML from the SDB that will cause the app to be removed on upgrade?
+- **NeedsDismissAction**  Will the file cause an action that can be dimissed?
+- **NeedsInstallPostUpgradeData**  After upgrade, the file will have a post-upgrade notification to install a replacement for the app.
+- **NeedsNotifyPostUpgradeData**  Does the file have a notification that should be shown after upgrade?
+- **NeedsReinstallPostUpgradeData**  After upgrade, this file will have a post-upgrade notification to reinstall the app.
+- **NeedsUninstallAction**  The file must be uninstalled to complete the upgrade.
+- **SdbBlockUpgrade**  The file is tagged as blocking upgrade in the SDB,
+- **SdbBlockUpgradeCanReinstall**  The file is tagged as blocking upgrade in the SDB. It can be reinstalled after upgrade.
+- **SdbBlockUpgradeUntilUpdate**  The file is tagged as blocking upgrade in the SDB. If the app is updated, the upgrade can proceed.
+- **SdbReinstallUpgrade**  The file is tagged as needing to be reinstalled after upgrade in the SDB. It does not block upgrade.
+- **SdbReinstallUpgradeWarn**  The file is tagged as needing to be reinstalled after upgrade with a warning in the SDB. It does not block upgrade.
+- **SoftBlock**  The file is softblocked in the SDB and has a warning.
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockAdd
+
+This event sends blocking data about any compatibility blocking entries hit on the system that are not directly related to specific applications or devices, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the appraiser file generating the events.
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockAdd
+
+This event sends compatibility decision data about blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the appraiser file generating the events.
+- **BlockingApplication**  Are there are any application issues that interfere with upgrade due to matching info blocks?
+- **DisplayGenericMessage**  Will a generic message be shown for this block?
+- **NeedsUninstallAction**  Does the user need to take an action in setup due to a matching info block?
+- **SdbBlockUpgrade**  Is a matching info block blocking upgrade?
+- **SdbBlockUpgradeCanReinstall**  Is a matching info block blocking upgrade, but has the can reinstall tag?
+- **SdbBlockUpgradeUntilUpdate**  Is a matching info block blocking upgrade but has the until update tag?
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveAdd
+
+This event sends compatibility database information about non-blocking compatibility entries on the system that are not keyed by either applications or devices, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the appraiser file generating the events.
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveAdd
+
+This event sends compatibility decision data about non-blocking entries on the system that are not keyed by either applications or devices, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+- **BlockingApplication**  Are there any application issues that interfere with upgrade due to matching info blocks?
+- **MigApplication**  Is there a matching info block with a mig for the current mode of upgrade?
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeAdd
+
+This event sends compatibility database information about entries requiring reinstallation after an upgrade on the system that are not keyed by either applications or devices, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the appraiser file generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeAdd
+
+This event sends compatibility decision data about entries that require reinstall after upgrade. It's used to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+- **NeedsInstallPostUpgradeData**  Will the file have a notification after upgrade to install a replacement for the app?
+- **NeedsNotifyPostUpgradeData**  Should a notification be shown for this file after upgrade?
+- **NeedsReinstallPostUpgradeData**  Will the file have a notification after upgrade to reinstall the app?
+- **SdbReinstallUpgrade**  The file is tagged as needing to be reinstalled after upgrade in the compatibility database (but is not blocking upgrade).
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpAdd
+
+This event sends compatibility data for a PNP device, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **ActiveNetworkConnection**  Is the device an active network device?
+- **AppraiserVersion**  The version of the appraiser file generating the events.
+- **IsBootCritical**  Is the device boot critical?
+- **WuDriverCoverage**  Is there a driver uplevel for this device according to Windows Update?
+- **WuDriverUpdateId**  The Windows Update ID of the applicable uplevel driver.
+- **WuPopulatedFromId**  The expected uplevel driver matching ID based on driver coverage from Windows Update.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionDevicePnpAdd
+
+This event sends compatibility decision data about a PNP device to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AssociatedDriverWillNotMigrate** Will the driver associated with this plug-and-play device migrate?
+- **AppraiserVersion**  The version of the appraiser file generating the events.
+- **AssociatedDriverIsBlocked**  Is the driver associated with this PNP device blocked?
+- **BlockAssociatedDriver**  Should the driver associated with this PNP device be blocked?
+- **BlockingDevice**  Is this PNP device blocking upgrade?
+- **BlockUpgradeIfDriverBlocked**  Is the PNP device both boot critical and does not have a driver included with the OS?
+- **BlockUpgradeIfDriverBlockedAndOnlyActiveNetwork**  Is this PNP device the only active network device?
+- **DisplayGenericMessage**  Will a generic message be shown during Setup for this PNP device?
+- **DriverAvailableInbox**  Is a driver included with the operating system for this PNP device?
+- **DriverAvailableOnline**  Is there a driver for this PNP device on Windows Update?
+- **DriverAvailableUplevel**  Is there a driver on Windows Update or included with the operating system for this PNP device?
+- **DriverBlockOverridden**  Is there is a driver block on the device that has been overridden?
+- **NeedsDismissAction**  Will the user would need to dismiss a warning during Setup for this device?
+- **NotRegressed**  Does the device have a problem code on the source OS that is no better than the one it would have on the target OS?
+- **SdbDeviceBlockUpgrade**  Is there an SDB block on the PNP device that blocks upgrade?
+- **SdbDriverBlockOverridden**  Is there an SDB block on the PNP device that blocks upgrade, but that block was overridden?
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageAdd
+
+This event sends compatibility database data about driver packages to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the appraiser file generating the events.
+
+### Microsoft.Windows.Appraiser.General.DecisionDriverPackageAdd
+
+This event sends decision data about driver package compatibility to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the appraiser file generating the events.
+- **DriverBlockOverridden**  Does the driver package have an SDB block that blocks it from migrating, but that block has been overridden?
+- **DriverIsDeviceBlocked**  Was the driver package was blocked because of a device block?
+- **DriverIsDriverBlocked**  Is the driver package blocked because of a driver block?
+- **DriverShouldNotMigrate**  Should the driver package be migrated during upgrade?
+- **SdbDriverBlockOverridden**  Does the driver package have an SDB block that blocks it from migrating, but that block has been overridden?
+
+
+### Microsoft.Windows.Appraiser.General.InventorySystemBiosAdd
+
+This event sends basic metadata about the BIOS to determine whether it has a compatibility block.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+- **BiosDate**  The release date of the BIOS in UTC format.
+- **BiosName**  The name field from Win32_BIOS.
+- **Manufacturer**  The manufacturer field from Win32_ComputerSystem.
+- **Model**  The model field from Win32_ComputerSystem.
+
+
+### Microsoft.Windows.Appraiser.General.SystemMemoryAdd
+
+This event sends data on the amount of memory on the system and whether it meets requirements, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file generating the events.
+- **Blocking**  Is the device from upgrade due to memory restrictions?
+- **MemoryRequirementViolated**  Was a memory requirement violated?
+- **pageFile**  The current committed memory limit for the system or the current process, whichever is smaller (in bytes).
+- **ram**  The amount of memory on the device.
+- **ramKB**  The amount of memory (in KB).
+- **virtual**  The size of the user-mode portion of the virtual address space of the calling process (in bytes).
+- **virtualKB**  The amount of virtual memory (in KB).
+
+
+### Microsoft.Windows.Appraiser.General.DecisionSystemBiosAdd
+
+This event sends compatibility decision data about the BIOS to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file generating the events.
+- **Blocking**  Is the device blocked from upgrade due to a BIOS block?
+- **HasBiosBlock**  Does the device have a BIOS block?
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosAdd
+
+This event sends compatibility database information about the BIOS to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file generating the events.
+- **SdbEntries**  An array of fields indicating the SDB entries that apply to this BIOS.
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeAdd
+
+This event sends data indicating whether the system supports the CompareExchange128 CPU requirement, to help keep Windows up to date.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file generating the events.
+- **Blocking**  Is the upgrade blocked due to the processor?
+- **CompareExchange128Support**  Does the CPU support CompareExchange128?
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfAdd
+
+This event sends data indicating whether the system supports the LahfSahf CPU requirement, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file generating the events.
+- **Blocking**  Is the upgrade blocked due to the processor?
+- **LahfSahfSupport**  Does the CPU support LAHF/SAHF?
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorNxAdd
+
+This event sends data indicating whether the system supports the NX CPU requirement, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+- **Blocking**  Is the upgrade blocked due to the processor?
+- **NXDriverResult**  The result of the driver used to do a non-deterministic check for NX support.
+- **NXProcessorSupport**  Does the processor support NX?
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWAdd
+
+This event sends data indicating whether the system supports the PrefetchW CPU requirement, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+- **Blocking**  Is the upgrade blocked due to the processor?
+- **PrefetchWSupport**  Does the processor support PrefetchW?
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorSse2Add
+
+This event sends data indicating whether the system supports the SSE2 CPU requirement, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+- **Blocking**  Is the upgrade blocked due to the processor?
+- **SSE2ProcessorSupport**  Does the processor support SSE2?
+
+
+### Microsoft.Windows.Appraiser.General.SystemWimAdd
+
+This event sends data indicating whether the operating system is running from a compressed WIM file, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+- **IsWimBoot**  Is the current operating system running from a compressed WIM file?
+- **RegistryWimBootValue**  The raw value from the registry that is used to indicate if the device is running from a WIM.
+
+
+### Microsoft.Windows.Appraiser.General.SystemTouchAdd
+
+This event sends data indicating whether the system supports touch, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+- **IntegratedTouchDigitizerPresent**  Is there an integrated touch digitizer?
+- **MaximumTouches**  The maximum number of touch points supported by the device hardware.
+
+
+### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusAdd
+
+This event sends data indicating whether the current operating system is activated, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+- **WindowsIsLicensedApiValue**  The result from the API that's used to indicate if operating system is activated.
+- **WindowsNotActivatedDecision**  Is the current operating system activated?
+
+
+### Microsoft.Windows.Appraiser.General.InventoryLanguagePackAdd
+
+This event sends data about the number of language packs installed on the system, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+- **HasLanguagePack**  Does this device have 2 or more language packs?
+- **LanguagePackCount**  How many language packs are installed?
+
+
+### Microsoft.Windows.Appraiser.General.SystemWlanAdd
+
+This event sends data indicating whether the system has WLAN, and if so, whether it uses an emulated driver that could block an upgrade, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+- **Blocking**  Is the upgrade blocked because of an emulated WLAN driver?
+- **HasWlanBlock**  Does the emulated WLAN driver have an upgrade block?
+- **WlanEmulatedDriver**  Does the device have an emulated WLAN driver?
+- **WlanExists**  Does the device support WLAN at all?
+- **WlanModulePresent**  Are any WLAN modules present?
+- **WlanNativeDriver**  Does the device have a non-emulated WLAN driver?
+
+
+### Microsoft.Windows.Appraiser.General.InventoryMediaCenterAdd
+
+This event sends true/false data about decision points used to understand whether Windows Media Center is used on the system, to help keep Windows up to date.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file generating the events.
+- **EverLaunched**  Has Windows Media Center ever been launched?
+- **HasConfiguredTv**  Has the user configured a TV tuner through Windows Media Center?
+- **HasExtendedUserAccounts**  Are any Windows Media Center Extender user accounts configured?
+- **HasWatchedFolders**  Are any folders configured for Windows  Media Center to watch?
+- **IsDefaultLauncher**  Is Windows Media Center the default app for opening music or video files?
+- **IsPaid**  Is the user running a Windows Media Center edition that implies they paid for Windows Media Center?
+- **IsSupported**  Does the running OS support Windows Media Center?
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMediaCenterAdd
+
+This event sends decision data about the presence of Windows Media Center, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file generating the events.
+- **BlockingApplication**  Is there any application issues that interfere with upgrade due to Windows Media Center?
+- **MediaCenterActivelyUsed**  If Windows Media Center is supported on the edition, has it been run at least once and are the MediaCenterIndicators are true?
+- **MediaCenterIndicators**  Do any indicators imply that Windows Media Center is in active use?
+- **MediaCenterInUse**  Is Windows Media Center actively being used?
+- **MediaCenterPaidOrActivelyUsed**  Is Windows Media Center actively being used or is it running on a supported edition?
+- **NeedsDismissAction**  Are there any actions that can be dismissed coming from Windows Media Center?
+
+
+### Microsoft.Windows.Appraiser.General.ChecksumTotalPictureCount
+
+This event lists the types of objects and how many of each exist on the client device. This allows for a quick way to ensure that the records present on the server match what is present on the client.
+
+The following fields are available:
+
+- **DatasourceApplicationFile_RS2**  The total DatasourceApplicationFile objects targeting Windows 10 version 1703 present on this device.
+- **DatasourceDevicePnp_RS2**  The total DatasourceDevicePnp objects targeting Windows 10 version 1703 present on this device.
+- **DatasourceDriverPackage_RS2**  The total DatasourceDriverPackage objects targeting Windows 10 version 1703 present on this device.
+- **DataSourceMatchingInfoBlock_RS2**  The total DataSourceMatchingInfoBlock objects targeting Windows 10 version 1703 present on this device.
+- **DataSourceMatchingInfoPassive_RS2**  The total DataSourceMatchingInfoPassive objects targeting Windows 10 version 1703 present on this device.
+- **DataSourceMatchingInfoPostUpgrade_RS2**  The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1703 present on this device.
+- **DatasourceSystemBios_RS2**  The total DatasourceSystemBios objects targeting Windows 10 version 1703 present on this device.
+- **DecisionApplicationFile_RS2**  The total DecisionApplicationFile objects targeting Windows 10 version 1703 present on this device.
+- **DecisionDevicePnp_RS2**  The total DecisionDevicePnp objects targeting Windows 10 version 1703 present on this device.
+- **DecisionDriverPackage_RS2**  The total DecisionDriverPackage objects targeting Windows 10 version 1703 present on this device.
+- **DecisionMatchingInfoBlock_RS2**  The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1703 present on this device.
+- **DecisionMatchingInfoPassive_RS2**  The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1703 present on this device.
+- **DecisionMatchingInfoPostUpgrade_RS2**  The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1703 present on this device.
+- **DecisionMediaCenter_RS2**  The total DecisionMediaCenter objects targeting Windows 10 version 1703 present on this device.
+- **DecisionSystemBios_RS2**  The total DecisionSystemBios objects targeting Windows 10 version 1703 present on this device.
+- **InventoryApplicationFile**  The total InventoryApplicationFile objects that are present on this device.
+- **InventoryLanguagePack**  The total InventoryLanguagePack objects that are present on this device.
+- **InventoryMediaCenter**  The total InventoryMediaCenter objects that are present on this device.
+- **InventorySystemBios**  The total InventorySystemBios objects that are present on this device.
+- **InventoryUplevelDriverPackage**  The total InventoryUplevelDriverPackage objects that are present on this device.
+- **PCFP**  An ID for the system that is calculated by hashing hardware identifiers.
+- **SystemMemory**  The total SystemMemory objects that are present on this device.
+- **SystemProcessorCompareExchange**  The total SystemProcessorCompareExchange objects that are present on this device.
+- **SystemProcessorLahfSahf**  The total SystemProcessorLahfSahf objects that are present on this device.
+- **SystemProcessorNx**  The total SystemProcessorNx objects that are present on this device.
+- **SystemProcessorPrefetchW**  The total SystemProcessorPrefetchW objects that are present on this device.
+- **SystemProcessorSse2**  The total SystemProcessorSse2 objects that are present on this device.
+- **SystemTouch**  The total SystemTouch objects that are present on this device.
+- **SystemWim**  The total SystemWim objects that are present on this device
+- **SystemWindowsActivationStatus**  The total SystemWindowsActivationStatus objects that are present on this device.
+- **SystemWlan**  The total SystemWlan objects that are present on this device.
+- **Wmdrm_RS2**  The total Wmdrm objects targeting Windows 10 version 1703 present on this device.
+- **DatasourceApplicationFile_RS3**  "The total DecisionApplicationFile objects targeting the next release of Windows on this device. "
+- **DatasourceDevicePnp_RS3**  The total DatasourceDevicePnp objects targeting the next release of Windows on this device.
+- **DatasourceDriverPackage_RS3**  The total DatasourceDriverPackage objects targeting the next release of Windows on this device.
+- **DataSourceMatchingInfoBlock_RS3**  The total DataSourceMatchingInfoBlock objects targeting the next release of Windows on this device.
+- **DataSourceMatchingInfoPassive_RS3**  The total DataSourceMatchingInfoPassive objects targeting the next release of Windows on this device.
+- **DataSourceMatchingInfoPostUpgrade_RS3**  The total DataSourceMatchingInfoPostUpgrade objects targeting the next release of Windows on this device.
+- **DatasourceSystemBios_RS3**  The total DatasourceSystemBios objects targeting the next release of Windows on this device.
+- **DecisionApplicationFile_RS3**  The total DecisionApplicationFile objects targeting the next release of Windows on this device.
+- **DecisionDevicePnp_RS3**  The total DecisionDevicePnp objects targeting the next release of Windows on this device.
+- **DecisionDriverPackage_RS3**  The total DecisionDriverPackage objects targeting the next release of Windows on this device.
+- **DecisionMatchingInfoBlock_RS3**  The total DecisionMatchingInfoBlock objects targeting the next release of Windows on this device.
+- **DecisionMatchingInfoPassive_RS3**  The total DataSourceMatchingInfoPassive objects targeting the next release of Windows on this device.
+- **DecisionMatchingInfoPostUpgrade_RS3**  The total DecisionMatchingInfoPostUpgrade objects targeting the next release of Windows on this device.
+- **DecisionMediaCenter_RS3**  The total DecisionMediaCenter objects targeting the next release of Windows on this device.
+- **DecisionSystemBios_RS3**  The total DecisionSystemBios objects targeting the next release of Windows on this device.
+- **Wmdrm_RS3**  The total Wmdrm objects targeting the next release of Windows on this device.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageStartSync
+
+This event indicates that a new set of InventoryUplevelDriverPackageAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfStartSync
+
+This event indicates that a new set of SystemProcessorLahfSahfAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorSse2StartSync
+
+This event indicates that a new set of SystemProcessorSse2Add events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventorySystemBiosStartSync
+
+This event indicates that a new set of InventorySystemBiosAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+### Microsoft.Windows.Appraiser.General.DecisionSystemBiosStartSync
+
+This event indicates that a new set of DecisionSystemBiosAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemMemoryStartSync
+
+This event indicates that a new set of SystemMemoryAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeStartSync
+
+This event indicates that a new set of SystemProcessorCompareExchangeAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorNxStartSync
+
+This event  indicates that a new set of SystemProcessorNxAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWStartSync
+
+This event indicates that a new set of SystemProcessorPrefetchWAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemWimStartSync
+
+This event indicates that a new set of SystemWimAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosStartSync
+
+This event indicates that a new set of DatasourceSystemBiosAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemTouchStartSync
+
+This event indicates that a new set of SystemTouchAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageEndSync
+
+This event indicates that a full set of DatasourceDriverPackageAdd events has been sent.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemWlanStartSync
+
+This event indicates that a new set of SystemWlanAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusStartSync
+
+This event indicates that a new set of SystemWindowsActivationStatusAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMediaCenterStartSync
+
+This event indicates that a new set of DecisionMediaCenterAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryMediaCenterStartSync
+
+This event indicates that a new set of InventoryMediaCenterAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveStartSync
+
+This event indicates that a new set of DecisionMatchingInfoPassiveAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveStartSync
+
+This event indicates that a new set of DataSourceMatchingInfoPassiveAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync
+
+This event indicates indicates that a new set of InventoryApplicationFileAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeStartSync
+
+This event indicates that a new set of DecisionMatchingInfoPostUpgradeAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.WmdrmStartSync
+
+This event indicates that a new set of WmdrmAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveEndSync
+
+This event indicates that a full set of DataSourceMatchingInfoPassiveAdd events have been sent.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockStartSync
+
+This event indicates that a new set of DecisionMatchingInfoBlockAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileStartSync
+
+This event indicates that a new set of DatasourceApplicationFileAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpStartSync
+
+This event indicates that a new set of DatasourceDevicePnpAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockStartSync
+
+This event indicates that a full set of DataSourceMatchingInfoBlockStAdd events have been sent.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionApplicationFileStartSync
+
+This event indicates that a new set of DecisionApplicationFileAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryLanguagePackStartSync
+
+This event indicates that a new set of InventoryLanguagePackAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeStartSync
+
+This event indicates that a new set of DataSourceMatchingInfoPostUpgradeAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+### Microsoft.Windows.Appraiser.General.DecisionDevicePnpStartSync
+
+This event indicates that the DecisionDevicePnp object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageStartSync
+
+This event indicates that a new set of DatasourceDriverPackageAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionDriverPackageStartSync
+
+This event indicates that a new set of DecisionDriverPackageAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.WmdrmAdd
+
+This event sends data about the usage of older digital rights management on the system, to help keep Windows up to date. This data does not indicate the details of the media using the digital rights management, only whether any such files exist. Collecting this data was critical to ensuring the correct mitigation for customers, and should be able to be removed once all mitigations are in place.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+- **BlockingApplication**  Same as NeedsDismissAction
+- **NeedsDismissAction**  Indicates if a dismissible message is needed to warn the user about a potential loss of data due to DRM deprecation.
+- **WmdrmApiResult**  Raw value of the API used to gather DRM state.
+- **WmdrmCdRipped**  Indicates if the system has any files encrypted with personal DRM, which was used for ripped CDs.
+- **WmdrmIndicators**  WmdrmCdRipped OR WmdrmPurchased
+- **WmdrmInUse**  WmdrmIndicators AND dismissible block in setup was not dismissed.
+- **WmdrmNonPermanent**  Indicates if the system has any files with non-permanent licenses.
+- **WmdrmPurchased**  Indicates if the system has any files with permanent licenses.
+
+### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageAdd
+
+This event is only runs during setup. It provides a listing of the uplevel driver packages that were downloaded before the upgrade. Is critical to understanding if failures in setup can be traced to not having sufficient uplevel drivers before the upgrade.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+- **BootCritical**  Is the driver package marked as boot critical?
+- **Build**  The build value from the driver package.
+- **CatalogFile**  The name of the catalog file within the driver package.
+- **Class**  The device class from the driver package.
+- **ClassGuid**  The device class GUID from the driver package.
+- **Date**  The date from the driver package.
+- **Inbox**  Is the driver package of a driver that is included with Windows?
+- **OriginalName**  The original name of the INF file before it was renamed. Generally a path under $WINDOWS.~BT\Drivers\DU
+- **Provider**  The provider of the driver package.
+- **PublishedName**  The name of the INF file, post-rename.
+- **Revision**  The revision of the driver package.
+- **SignatureStatus**  Indicates if the driver package is signed. Unknown:0, Unsigned:1, Signed: 2
+- **VersionMajor**  The major version of the driver package.
+- **VersionMinor**  The minor version of the driver package.
+
+### Microsoft.Windows.Appraiser.General.GatedRegChange
+
+This event sends data about the results of running a set of quick-blocking instructions, to help keep Windows up to date.
+
+The following fields are available:
+
+- **NewData**  The data in the registry value after the scan completed.
+- **OldData**  The previous data in the registry value before the scan ran.
+- **PCFP**  An ID for the system calculated by hashing hardware identifiers.
+- **RegKey**  The registry key name for which a result is being sent.
+- **RegValue**  The registry value for which a result is being sent.
+- **Time**  The client time of the event.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileRemove
+
+This event indicates that the DatasourceApplicationFile object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpRemove
+
+This event indicates that the DatasourceDevicePnp object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageRemove
+
+This event indicates that the DatasourceDriverPackage object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorSse2Remove
+
+This event indicates that the SystemProcessorSse2 object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageRemove
+
+This event indicates that the InventoryUplevelDriverPackage object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMediaCenterRemove
+
+This event indicates that the DecisionMediaCenter object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryMediaCenterRemove
+
+This event indicates that the InventoryMediaCenter object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosRemove
+
+This event indicates that the DatasourceSystemBios object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove
+
+This event indicates Indicates that the DecisionApplicationFile object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeRemove
+
+This event indicates that the DecisionMatchingInfoPostUpgrade object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemTouchRemove
+
+"This event indicates that the SystemTouch object is no longer present. "
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusRemove
+
+This event indicates that the SystemWindowsActivationStatus object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemWlanRemove
+
+"This event indicates that the SystemWlan object is no longer present. "
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeRemove
+
+This event indicates that the DataSourceMatchingInfoPostUpgrade object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorNxRemove
+
+This event indicates that the SystemProcessorNx object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockRemove
+
+This event indicates that the DataSourceMatchingInfoBlock object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionDevicePnpRemove
+
+This event indicates that the DecisionDevicePnp object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveRemove
+
+This event Indicates that the DecisionMatchingInfoPassive object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemMemoryRemove
+
+This event that the SystemMemory object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockRemove
+
+This event indicates that the DecisionMatchingInfoBlock object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveRemove
+
+This event indicates that the DataSourceMatchingInfoPassive object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryApplicationFileRemove
+
+This event indicates that the InventoryApplicationFile object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemWimRemove
+
+"This event indicates that the SystemWim object is no longer present. "
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventorySystemBiosRemove
+
+"This event indicates that the InventorySystemBios object is no longer present. "
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.WmdrmRemove
+
+This event indicates that the Wmdrm object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfRemove
+
+"This event indicates that the SystemProcessorLahfSahf object is no longer present. "
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryLanguagePackRemove
+
+This event indicates that the InventoryLanguagePack object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionDriverPackageRemove
+
+This event indicates that the DecisionDriverPackage object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionSystemBiosRemove
+
+This event indicates that the DecisionSystemBios object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeRemove
+
+"This event indicates that the SystemProcessorCompareExchange object is no longer present. "
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWRemove
+
+This event indicates that the SystemProcessorPrefetchW object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryDriverBinaryEndSync
+
+This event indicates that a full set of InventoryDriverBinaryAdd events has been sent.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+## Census events
+
+### Census.Battery
+
+This event sends type and capacity data about the battery on the device, as well as the number of connected standby devices in use, type to help keep Windows up to date.
+
+The following fields are available:
+
+- **InternalBatteryCapablities**  Represents information about what the battery is capable of doing.
+- **InternalBatteryCapacityCurrent**  Represents the battery's current fully charged capacity in mWh (or relative). Compare this value to DesignedCapacity  to estimate the battery's wear.
+- **InternalBatteryCapacityDesign**  Represents the theoretical capacity of the battery when new, in mWh.
+- **InternalBatteryNumberOfCharges**  Provides the number of battery charges. This is used when creating new products and validating that existing products meets targeted functionality performance.
+- **IsAlwaysOnAlwaysConnectedCapable**  Represents whether the battery enables the device to be AlwaysOnAlwaysConnected . Boolean value.
+
+
+### Census.Enterprise
+
+This event sends data about Azure presence, type, and cloud domain use in order to provide an understanding of the use and integration of devices in an enterprise, cloud, and server environment.
+
+The following fields are available:
+
+- **AzureOSIDPresent**  Represents the field used to identify an Azure machine.
+- **AzureVMType**  Represents whether the instance is Azure VM PAAS, Azure VM IAAS or any other VMs.
+- **CDJType**  Represents the type of cloud domain joined for the machine.
+- **CommercialId**  Represents the GUID for the commercial entity which the device is a member of.  Will be used to reflect insights back to customers.
+- **ContainerType**  The type of container, such as process or virtual machine hosted.
+- **EnrollmentType** Represents the type of enrollment, such as MDM or Intune, for a particular device.
+- **HashedDomain**  The hashed representation of the user domain used for login.
+- **IsCloudDomainJoined**  Is this device joined to an Azure Active Directory (AAD) tenant? true/false
+- **IsDERequirementMet**  Represents if the device can do device encryption.
+- **IsDeviceProtected**  Represents if Device protected by BitLocker/Device Encryption
+- **IsDomainJoined**  Indicates whether a machine is joined to a domain.
+- **IsEDPEnabled**  Represents if Enterprise data protected on the device.
+- **IsMDMEnrolled**  Whether the device has been MDM Enrolled or not.
+- **MPNId**  Returns the Partner ID/MPN ID from Regkey. HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\DeployID
+- **SCCMClientId**  This ID correlate systems that send data to Compat Analytics (OMS) and other OMS based systems with systems in an Enterprise SCCM environment.
+- **ServerFeatures**  Represents the features installed on a Windows   Server. This can be used by developers and administrators who need to automate the process of determining the features installed on a set of server computers.
+- **SystemCenterID**  The SCCM ID is an anonymized one-way hash of the Active Directory Organization identifier
+
+
+### Census.App
+
+This event sends version data about the Apps running on this device, to help keep Windows up to date.
+
+The following fields are available:
+
+- **CensusVersion**  The version of Census that generated the current data for this device.
+- **IEVersion**  Retrieves which version of Internet Explorer is running on this device.
+
+
+### Census.Camera
+
+This event sends data about the resolution of cameras on the device, to help keep Windows up to date.
+
+The following fields are available:
+
+- **FrontFacingCameraResolution**  Represents the resolution of the front facing camera in megapixels. If a front facing camera does not exist, then the value is 0.
+- **RearFacingCameraResolution**  Represents the resolution of the rear facing camera in megapixels. If a rear facing camera does not exist, then the value is 0.
+
+
+### Census.UserDisplay
+
+This event sends data about the logical/physical display size, resolution and number of internal/external displays, and VRAM on the system, to help keep Windows up to date.
+
+The following fields are available:
+
+- **InternalPrimaryDisplayLogicalDPIX**  Retrieves the logical DPI in the x-direction of the internal display.
+- **InternalPrimaryDisplayLogicalDPIY**  Retrieves the logical DPI in the y-direction of the internal display.
+- **InternalPrimaryDisplayPhysicalDPIX**  Retrieves the physical DPI in the x-direction of the internal display.
+- **InternalPrimaryDisplayPhysicalDPIY**  Retrieves the physical DPI in the y-direction of the internal display.
+- **InternalPrimaryDisplayResolutionHorizontal**  Retrieves the number of pixels in the horizontal direction of the internal display.
+- **InternalPrimaryDisplayResolutionVertical**  Retrieves the number of pixels in the vertical direction of the internal display.
+- **InternalPrimaryDisplaySizePhysicalH**  Retrieves the physical horizontal length of the display in mm. Used for calculating the diagonal length in inches .
+- **InternalPrimaryDisplaySizePhysicalY**  Retrieves the physical vertical length of the display in mm. Used for calculating the diagonal length in inches
+- **InternalPrimaryDisplayType**  Represents the type of technology used in the monitor, such as Plasma, LED, LCOS, etc.
+- **NumberofExternalDisplays**  Retrieves the number of external displays connected to the machine
+- **NumberofInternalDisplays**  Retrieves the number of internal displays in a machine.
+- **VRAMDedicated**  Retrieves the video RAM in MB.
+- **VRAMDedicatedSystem**  Retrieves the amount of memory on the dedicated video card.
+- **VRAMSharedSystem**  Retrieves the amount of RAM memory that the video card can use.
+
+
+### Census.Firmware
+
+This event sends data about the BIOS and startup embedded in the device, to help keep Windows up to date.
+
+The following fields are available:
+
+- **FirmwareManufacturer**  Represents the manufacturer of the device's firmware (BIOS).
+- **FirmwareReleaseDate**  Represents the date the current firmware was released.
+- **FirmwareType**  Represents the firmware type. The various types can be unknown, BIOS, UEFI.
+- **FirmwareVersion**  Represents the version of the current firmware.
+
+
+### Census.Flighting
+
+This event sends Windows Insider data from customers participating in improvement testing and feedback programs, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **DeviceSampleRate**  The diagnostic data sample rate assigned to the device.
+- **EnablePreviewBuilds**  Used to enable Windows Insider builds on a device.
+- **FlightIds**  A list of the different Windows Insider builds on this device.
+- **FlightingBranchName**  The name of the Windows Insider branch currently used by the device.
+- **IsFlightsDisabled**  Represents if the device is participating in the Windows Insider program.
+- **MSA_Accounts**  Represents a list of hashed IDs of the Microsoft Accounts that are flighting (pre-release builds) on this device.
+- **SSRK**  Retrieves the mobile targeting settings.
+
+
+### Census.Hardware
+
+This event sends data about the device, including hardware type, OEM brand, model line, model, diagnostic data level setting, and TPM support, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **ActiveMicCount**  The number of active microphones attached to the device.
+- **ChassisType**  Represents the type of device chassis, such as desktop or low profile desktop. The possible values can range between 1 - 36.
+- **ComputerHardwareID**  Identifies a device class that is represented by a hash of different SMBIOS fields.
+- **D3DMaxFeatureLevel** The supported Direct3D version.
+- **DeviceColor**  Indicates a color of the device.
+- **DeviceForm**  Indicates the form as per the device classification.
+- **DeviceName**  The device name that is set by the user.
+- **DigitizerSupport**  Is a digitizer supported?
+- **DUID**  The device unique ID.
+- **Gyroscope** Indicates whether the device has a gyroscope.
+- **InventoryId**  The device ID used for compatibility testing.
+- **Magnetometer** Indicates whether the device has a magnetometer.
+- **NFCProximity** Indicates whether the device supports NFC.
+- **OEMDigitalMarkerFileName**  The name of the file placed in the \Windows\system32\drivers directory that specifies the OEM and model name of the device.
+- **OEMManufacturerName**  The device manufacturer name.  The OEMName for an inactive device is not reprocessed even if the clean OEM name is changed at a later date.
+- **OEMModelBaseBoard**  The baseboard model used by the OEM.
+- **OEMModelBaseBoardVersion**  Differentiates between developer and retail devices.
+- **OEMModelName**  The device model name.
+- **OEMModelNumber**  The device model number.
+- **OEMModelSKU**  The device edition that is defined by the manufacturer.
+- **OEMModelSystemFamily**  The system family set on the device by an OEM.
+- **OEMModelSystemVersion**  The system model version set on the device by the OEM.
+- **OEMOptionalIdentifier**  A Microsoft assigned value that represents a specific OEM subsidiary.
+- **OEMSerialNumber**  The serial number of the device that is set by the manufacturer.
+- **PhoneManufacturer**  The friendly name of the phone manufacturer.
+- **PowerPlatformRole**  The OEM preferred power management profile. It's used to help to identify the basic form factor of the device.
+- **SoCName**  The firmware manufacturer of the device.
+- **StudyID**  Used to identify retail and non-retail device.
+- **TelemetryLevel**  The diagnostic data level the user has opted into, such as Basic or Enhanced.
+- **TelemetryLevelLimitEnhanced** The diagnostic data level for Windows Analytics-based solutions.
+- **TelemetrySettingAuthority**  Determines who set the diagnostic data level, such as GP, MDM, or the user.
+- **TPMVersion**  The supported Trusted Platform Module (TPM) on the device. If no TPM is present, the value is 0.
+- **VoiceSupported**  Does the device have a cellular radio capable of making voice calls?
+
+
+### Census.Memory
+
+This event sends data about the memory on the device, including ROM and RAM, to help keep Windows up to date.
+
+The following fields are available:
+
+- **TotalPhysicalRAM**  Represents the physical memory (in MB).
+- **TotalVisibleMemory**  Represents the memory that is not reserved by the system.
+
+
+### Census.Network
+
+This event sends data about the mobile and cellular network used by the device (mobile service provider, network, device ID, and service cost factors), to help keep Windows up to date.
+
+The following fields are available:
+
+- **IMEI0**  Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. The two fields represent phone with dual sim coverage.
+- **IMEI1**  Represents the International Mobile Station Equipment Identity. This number is usually unique and used by the mobile operator to distinguish different phone hardware. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user. The two fields represent phone with dual sim coverage.
+- **MCC0**  Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage.
+- **MCC1**  Represents the Mobile Country Code (MCC). It used with the Mobile Network Code (MNC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage.
+- **MEID**  Represents the Mobile Equipment Identity (MEID). MEID is a worldwide unique phone ID assigned to CDMA phones. MEID replaces electronic serial number (ESN), and is equivalent to IMEI for GSM and WCDMA phones. Microsoft does not have access to mobile operator billing data so collecting this data does not expose or identify the user.
+- **MNC0**  Retrieves the Mobile Network Code (MNC). It used with the Mobile Country Code (MCC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage.
+- **MNC1**  Retrieves the Mobile Network Code (MNC). It used with the Mobile Country Code (MCC) to uniquely identify a mobile network operator. The two fields represent phone with dual sim coverage.
+- **MobileOperatorBilling**  Represents the telephone company that provides services for mobile phone users.
+- **MobileOperatorCommercialized**  Represents which reseller and geography the phone is commercialized for. This is the set of values on the phone for who and where it was intended to be used. For example, the commercialized mobile operator code AT&T in the US would be ATT-US.
+- **MobileOperatorNetwork0**  Represents the operator of the current mobile network that the device is used on. (AT&T, T-Mobile, Vodafone). The two fields represent phone with dual sim coverage.
+- **MobileOperatorNetwork1**  Represents the operator of the current mobile network that the device is used on. (AT&T, T-Mobile, Vodafone). The two fields represent phone with dual sim coverage.
+- **NetworkAdapterGUID**  The GUID of the primary network adapter.
+- **NetworkCost**  Represents the network cost associated with a connection.
+- **SPN0**  Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or Verizon. The two fields represent phone with dual sim coverage.
+- **SPN1**  Retrieves the Service Provider Name (SPN). For example, these might be AT&T, Sprint, T-Mobile, or Verizon. The two fields represent phone with dual sim coverage.
+
+
+### Census.OS
+
+This event sends data about the operating system such as the version, locale, update service configuration, when and how it was originally installed, and whether it is a virtual device, to help keep Windows up to date.
+
+The following fields are available:
+
+- **ActivationChannel**  Retrieves the retail license key or Volume license key for a machine.
+- **AssignedAccessStatus** The kiosk configuration mode.
+- **CompactOS**  Indicates if the Compact OS feature from Win10 is enabled.
+- **DeveloperUnlockStatus**  "Represents if a device has been developer unlocked by the user or Group Policy. "
+- **DeviceTimeZone**  The time zone that is set on the device. Example: Pacific Standard Time
+- **GenuineState**  Retrieves the ID Value specifying the OS Genuine check.
+- **InstallationType**  Retrieves the type of OS installation. (Clean, Upgrade, Reset, Refresh, Update).
+- **InstallLanguage**  The first language installed on the user machine.
+- **IsDeviceRetailDemo**  Retrieves if the device is running in demo mode.
+- **IsEduData**  Returns Boolean if the education data policy is enabled.
+- **IsPortableOperatingSystem**  Retrieves whether OS is running Windows-To-Go
+- **IsSecureBootEnabled**  Retrieves whether Boot chain is signed under UEFI.
+- **LanguagePacks**  The list of language packages installed on the device.
+- **LicenseStateReason**  Retrieves why (or how) a system is licensed or unlicensed.  The HRESULT may indicate an error code that indicates a key blocked error, or it may indicate that we are running an OS License granted by the Microsoft Store.
+- **OA3xOriginalProductKey**  Retrieves the License key stamped by the OEM to the machine.
+- **OSEdition**  Retrieves the version of the current OS.
+- **OSInstallDateTime**  Retrieves the date the OS was installed using ISO 8601 (Date part) == yyyy-mm-dd
+- **OSInstallType**  Retrieves a numeric description of what install was used on the device i.e. clean, upgrade, refresh, reset, etc
+- **OSOOBEDateTime**  Retrieves Out of Box Experience (OOBE) Date in Coordinated Universal Time (UTC).
+- **OSSKU**  Retrieves the Friendly Name of OS Edition.
+- **OSSubscriptionStatus**  Represents the existing status for enterprise subscription feature for PRO machines.
+- **OSSubscriptionTypeId**  Returns boolean for enterprise subscription feature for selected PRO machines.
+- **OSTimeZoneBiasInMins**  Retrieves the time zone set on machine.
+- **OSUILocale**  Retrieves the locale of the UI that is currently used by the OS.
+- **ProductActivationResult**  Returns Boolean if the OS Activation was successful.
+- **ProductActivationTime**  Returns the OS Activation time for tracking piracy issues.
+- **ProductKeyID2**  Retrieves the License key if the machine is updated with a new license key.
+- **RACw7Id**  Retrieves the Microsoft Reliability Analysis Component (RAC) Win7 Identifier. RAC is used to monitor and analyze system usage and reliability.
+- **ServiceMachineIP**  Retrieves the IP address of the KMS host used for anti-piracy.
+- **ServiceMachinePort**  Retrieves the port of the KMS host used for anti-piracy.
+- **ServiceProductKeyID**  Retrieves the License key of the KMS
+- **SharedPCMode**  Returns Boolean for education devices used as shared cart
+- **Signature**  Retrieves if it is a signature machine sold by Microsoft store.
+- **SLICStatus**  Whether a SLIC table exists on the device.
+- **SLICVersion**  Returns OS type/version from SLIC table.
+
+
+### Census.Processor
+
+This event sends data about the processor (architecture, speed, number of cores, manufacturer, and model number), to help keep Windows up to date.
+
+The following fields are available:
+
+- **KvaShadow** Microcode info of the processor.
+- **MMSettingOverride** Microcode setting of the processor.
+- **MMSettingOverrideMask** Microcode setting override of the processor.
+- **ProcessorArchitecture**  Retrieves the processor architecture of the installed operating system. 
+- **ProcessorClockSpeed**  Retrieves the clock speed of the processor in MHz.
+- **ProcessorCores**  Retrieves the number of cores in the processor.
+- **ProcessorIdentifier**  The processor identifier of a manufacturer.
+- **ProcessorManufacturer**  Retrieves the name of the processor's manufacturer.
+- **ProcessorModel**  Retrieves the name of the processor model.
+- **ProcessorPhysicalCores**  Number of physical cores in the processor.
+- **ProcessorUpdateRevision** The microcode version.
+- **SocketCount**  Number of physical CPU sockets of the machine.
+- **SpeculationControl** If the system has enabled protections needed to validate the speculation control vulnerability.
+
+
+### Census.Security
+
+This event provides information on about security settings used to help keep Windows up-to-date and secure.
+
+- **AvailableSecurityProperties** Enumerates and reports state on the relevant security properties for Device Guard.
+- **CGRunning** Is Credential Guard running?
+- **DGState** A summary of the Device Guard state.
+- **HVCIRunning** Is HVCI running?
+- **IsSawGuest** Describes whether the device is running as a Secure Admin Workstation Guest.
+- **IsSawHost** Describes whether the device is running as a Secure Admin Workstation Host.
+- **RequiredSecurityProperties** Describes the required security properties to enable virtualization-based security.
+- **SecureBootCapable** Is this device capable of running Secure Boot?
+- **VBSState** Is virtualization-based security enabled, disabled, or running?
+
+
+### Census.Speech
+
+This event is used to gather basic speech settings on the device.
+
+The following fields are available:
+
+- **AboveLockEnabled**  Cortana setting that represents if Cortana can be invoked when the device is locked.
+- **GPAllowInputPersonalization**  Indicates if a Group Policy setting has enabled speech functionalities.
+- **HolographicSpeechInputDisabled**  Holographic setting that represents if the attached HMD devices have speech functionality disabled by the user.
+- **HolographicSpeechInputDisabledRemote**  Indicates if a remote policy has disabled speech functionalities for the HMD devices.
+- **KWSEnabled**  "Cortana setting that represents if a user has enabled the ""Hey Cortana"" keyword spotter (KWS)."
+- **MDMAllowInputPersonalization**  Indicates if an MDM policy has enabled speech functionalities.
+- **RemotelyManaged**  Indicates if the device is being controlled by a remote admininistrator (MDM or Group Policy) in the context of speech functionalities.
+- **SpeakerIdEnabled**  Cortana setting that represents if keyword detection has been trained to try to respond to a single user's voice.
+- **SpeechServicesEnabled**  Windows setting that represents whether a user is opted-in for speech services on the device.
+
+
+
+### Census.Storage
+
+This event sends data about the total capacity of the system volume and primary disk, to help keep Windows up to date.
+
+The following fields are available:
+
+- **PrimaryDiskTotalCapacity**  Retrieves the amount of disk space on the primary disk of the device in MB.
+- **PrimaryDiskType**  Retrieves an enumerator value of type STORAGE_BUS_TYPE that indicates the type of bus to which the device is connected. This should be used to interpret the raw device properties at the end of this structure (if any).
+- **SystemVolumeTotalCapacity**  Retrieves the size of the partition that the System volume is installed on in MB.
+
+### Census.Userdefault
+
+This event sends data about the current user's default preferences for browser and several of the most popular extensions and protocols, to help keep Windows up to date.
+
+The following fields are available:
+
+- **DefaultApp**  The current uer's default program selected for the following extension or protocol: .html,.htm,.jpg,.jpeg,.png,.mp3,.mp4, .mov,.pdf
+- **DefaultBrowserProgId**  The ProgramId of the current user's default browser
+
+
+### Census.UserNLS
+
+This event sends data about the default app language, input, and display language preferences set by the user, to help keep Windows up to date.
+
+The following fields are available:
+
+- **DefaultAppLanguage**  The current user Default App Language.
+- **DisplayLanguage**  The current user preferred Windows Display Language.
+- **HomeLocation**  The current user location, which is populated using GetUserGeoId() function.
+- **KeyboardInputLanguages**  The Keyboard input languages installed on the device.
+- **SpeechInputLanguages**  The Speech Input languages installed on the device.
+
+### Census.VM
+
+This event sends data indicating whether virtualization is enabled on the device, and its various characteristics, to help keep Windows up to date.
+
+The following fields are available:
+
+- **CloudService** Indicates which cloud service, if any, that this virtual machine is running within.
+- **HyperVisor**  Retrieves whether the current OS is running on top of a Hypervisor.
+- **IOMMUPresent**  Represents if an input/output memory management unit (IOMMU) is present.
+- **isVDI** Is the device using Virtual Desktop Infrastructure?
+- **IsVirtualDevice**  Retrieves that when the Hypervisor is Microsoft's Hyper-V Hypervisor or other Hv#HASH#1 Hypervisor, this field will be set to FALSE for the Hyper-V host OS and TRUE for any guest OS's. This field should not be relied upon for non-Hv#HASH#1 Hypervisors.
+- **SLATSupported**  Represents whether Second Level Address Translation (SLAT) is supported by the hardware.
+- **VirtualizationFirmwareEnabled**  Represents whether virtualization is enabled in the firmware.
+
+
+
+
+
+
+
+### Census.WU
+
+This event sends data about the Windows update server and other App store policies, to help keep Windows up to date.
+
+The following fields are available:
+
+- **AppraiserGatedStatus**  Indicates whether a device has been gated for upgrading.
+- **AppStoreAutoUpdate**  Retrieves the Appstore settings for auto upgrade. (Enable/Disabled).
+- **AppStoreAutoUpdateMDM**  Retrieves the App Auto Update value for MDM: 0 - Disallowed. 1 - Allowed. 2 - Not configured. Default: [2] Not configured
+- **AppStoreAutoUpdatePolicy**  Retrieves the Microsoft Store App Auto Update group policy setting
+- **DelayUpgrade**  Retrieves the Windows upgrade flag for delaying upgrades.
+- **OSAssessmentFeatureOutOfDate** How many days has it been since a the last feature update was released but the device did not install it?
+- **OSAssessmentForFeatureUpdate** Is the device is on the latest feature update?
+- **OSAssessmentForQualityUpdate** Is the device on the latest quality update?
+- **OSAssessmentForSecurityUpdate** Is the device  on the latest security update?
+- **OSAssessmentQualityOutOfDate** How many days has it been since a the last quality update was released but the device did not install it?
+- **OSAssessmentReleaseInfoTime** The freshness of release information used to perform an assessment.
+- **OSRollbackCount**  The number of times feature updates have rolled back on the device.
+- **OSRolledBack**  A flag that represents when a feature update has rolled back during setup.
+- **OSUninstalled**  A flag that represents when a feature update is uninstalled on a device .
+- **OSWUAutoUpdateOptions**  Retrieves the auto update settings on the device.
+- **UninstallActive**  A flag that represents when a device has uninstalled a previous upgrade recently.
+- **UpdateServiceURLConfigured**  Retrieves if the device is managed by Windows Server Update Services (WSUS).
+- **WUDeferUpdatePeriod**  Retrieves if deferral is set for Updates
+- **WUDeferUpgradePeriod**  Retrieves if deferral is set for Upgrades
+- **WUDODownloadMode**  Retrieves whether DO is turned on and how to acquire/distribute updates Delivery Optimization (DO) allows users to deploy previously downloaded WU updates to other devices on the same network.
+- **WUMachineId**  Retrieves the Windows Update (WU) Machine Identifier.
+- **WUPauseState**  Retrieves WU setting to determine if updates are paused
+- **WUServer**  Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers (by default).
+
+### Census.Xbox
+
+This event sends data about the Xbox Console, such as Serial Number and DeviceId, to help keep Windows up to date.
+
+The following fields are available:
+
+- **XboxConsolePreferredLanguage**  Retrieves the preferred language selected by the user on Xbox console.
+- **XboxConsoleSerialNumber**  Retrieves the serial number of the Xbox console.
+- **XboxLiveDeviceId**  Retrieves the unique device id of the console.
+- **XboxLiveSandboxId**  Retrieves the developer sandbox id if the device is internal to MS.
+
+
+
+
+## Diagnostic data events
+
+### TelClientSynthetic.AuthorizationInfo_Startup
+
+This event sends data indicating that a device has undergone a change of diagnostic data opt-in level detected at UTC startup, to help keep Windows up to date.
+
+The following fields are available:
+
+- **CanAddMsaToMsTelemetry**  True if UTC is allowed to add MSA user identity onto diagnostic data from the OS provider groups.
+- **CanCollectAnyTelemetry**  True if UTC is allowed to collect non-OS diagnostic data. Non-OS diagnostic data is responsible for providing its own opt-in mechanism.
+- **CanCollectCoreTelemetry**  True if UTC is allowed to collect data which is tagged with both MICROSOFT_KEYWORD_CRITICAL_DATA and MICROSOFT_EVENTTAG_CORE_DATA.
+- **CanCollectHeartbeats**  True if UTC is allowed to collect heartbeats.
+- **CanCollectOsTelemetry**  True if UTC is allowed to collect diagnostic data from the OS provider groups.
+- **CanPerformDiagnosticEscalations**  True if UTC is allowed to perform all scenario escalations.
+- **CanPerformScripting**  True if UTC is allowed to perform scripting.
+- **CanPerformTraceEscalations**  True if UTC is allowed to perform scenario escalations with tracing actions.
+- **CanReportScenarios**  True if UTC is allowed to load and report scenario completion, failure, and cancellation events.
+- **PreviousPermissions**  Bitmask representing the previously configured permissions since the diagnostic data client was last started.
+- **TransitionFromEverythingOff**  True if this transition is moving from not allowing core diagnostic data to allowing core diagnostic data.
+
+
+### TelClientSynthetic.AuthorizationInfo_RuntimeTransition
+
+This event sends data indicating that a device has undergone a change of diagnostic data opt-in level during the runtime of the device (not at UTC boot or offline), to help keep Windows up to date.
+
+The following fields are available:
+
+- **CanAddMsaToMsTelemetry**  True if UTC is allowed to add MSA user identity onto diagnostic data from the OS provider groups.
+- **CanCollectAnyTelemetry**  True if UTC is allowed to collect non-OS diagnostic data. Non-OS diagnostic data is responsible for providing its own opt-in mechanism.
+- **CanCollectCoreTelemetry**  True if UTC is allowed to collect data which is tagged with both MICROSOFT_KEYWORD_CRITICAL_DATA and MICROSOFT_EVENTTAG_CORE_DATA.
+- **CanCollectHeartbeats**  True if UTC is allowed to collect heartbeats.
+- **CanCollectOsTelemetry**  True if UTC is allowed to collect diagnostic data from the OS provider groups.
+- **CanPerformDiagnosticEscalations**  True if UTC is allowed to perform all scenario escalations.
+- **CanPerformScripting**  True if UTC is allowed to perform scripting.
+- **CanPerformTraceEscalations**  True if UTC is allowed to perform scenario escalations with tracing actions.
+- **CanReportScenarios**  True if UTC is allowed to load and report scenario completion, failure, and cancellation events.
+- **PreviousPermissions**  Bitmask representing the previously configured permissions since the diagnostic data opt-in level was last changed.
+- **TransitionFromEverythingOff**  True if this transition is moving from not allowing core diagnostic data to allowing core diagnostic data.
+
+
+### TelClientSynthetic.ConnectivityHeartBeat_0
+
+This event sends data about the connectivity status of the Connected User Experience and Telemetry component that uploads diagnostic data events. If an unrestricted free network (such as Wi-Fi) is available, this event updates the last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it fires an event. A Connectivity Heartbeat event also fires when a device recovers from costed network to free network.
+
+The following fields are available:
+
+- **CensusExitCode**  Returns last execution codes from census client run.
+- **CensusStartTime**  Returns timestamp corresponding to last successful census run.
+- **CensusTaskEnabled**  Returns Boolean value for the census task (Enable/Disable) on client machine.
+- **LastConnectivityLossTime**  Retrieves the last time the device lost free network.
+- **LastConntectivityLossTime**  Retrieves the last time the device lost free network.
+- **NetworkState**  Retrieves the network state: 0 = No network. 1 = Restricted network. 2 = Free network.
+- **NoNetworkTime**  Retrieves the time spent with no network (since the last time) in seconds.
+- **RestrictedNetworkTime**  Retrieves the time spent on a metered (cost restricted) network in seconds.
+
+
+### TelClientSynthetic.HeartBeat_5
+
+This event sends data about the health and quality of the diagnostic data data from the given device, to help keep Windows up to date. It also enables data analysts to determine how 'trusted' the data is from a given device.
+
+The following fields are available:
+
+- **AgentConnectionErrorsCount**  The number of non-timeout errors associated with the host/agent channel.
+- **CensusExitCode**  The last exit code of the Census task.
+- **CensusStartTime**  The time of the last Census run.
+- **CensusTaskEnabled**  Indicates whether Census is enabled.
+- **ConsumerDroppedCount**  The number of events dropped by the consumer layer of the diagnostic data client.
+- **CriticalDataDbDroppedCount**  The number of critical data sampled events that were dropped at the database layer.
+- **CriticalDataThrottleDroppedCount**  The number of critical data sampled events that were dropped because of throttling.
+- **CriticalOverflowEntersCounter**  The number of times a critical overflow mode was entered into the event database.
+- **DbCriticalDroppedCount**  The total number of dropped critical events in the event database.
+- **DbDroppedCount**  The number of events that were dropped because the database was full.
+- **DecodingDroppedCount**  The number of events dropped because of decoding failures.
+- **EnteringCriticalOverflowDroppedCounter**  The number of events that was dropped because a critical overflow mode was initiated.
+- **EtwDroppedBufferCount**  The number of buffers dropped in the CUET ETW session.
+- **EtwDroppedCount**  The number of events dropped by the ETW layer of the diagnostic data client.
+- **EventSubStoreResetCounter**  The number of times the event database was reset.
+- **EventSubStoreResetSizeSum**  The total size of the event database across all resets reports in this instance.
+- **EventsUploaded**  The number of events that have been uploaded.
+- **Flags**  Flags that indicate device state, such as network, battery, and opt-in state.
+- **FullTriggerBufferDroppedCount**  The number of events that were dropped because the trigger buffer was full.
+- **HeartBeatSequenceNumber**  A monotonically increasing heartbeat counter.
+- **InvalidHttpCodeCount**  The number of invalid HTTP codes received from Vortex.
+- **LastAgentConnectionError**  The last non-timeout error that happened in the host/agent channel.
+- **LastEventSizeOffender**  The name of the last event that exceeded the maximum event size.
+- **LastInvalidHttpCode**  The last invalid HTTP code received from Vortex.
+- **MaxActiveAgentConnectionCount**  The maximum number of active agents during this heartbeat timeframe.
+- **MaxInUseScenarioCounter**  The soft maximum number of scenarios loaded by the Connected User Experiences and Telemetry component.
+- **PreviousHeartBeatTime**  The time of last heartbeat event. This allows chaining of events.
+- **SettingsHttpAttempts**  The number of attempts to contact the OneSettings service.
+- **SettingsHttpFailures**  The number of failures from contacting the OneSettings service.
+- **ThrottledDroppedCount**  The number of events dropped due to throttling of noisy providers.
+- **UploaderDroppedCount**  The number of events dropped by the uploader layer of the diagnostic data client.
+- **VortexFailuresTimeout**  The number of timeout failures received from Vortex.
+- **VortexHttpAttempts**  The number of attempts to contact the Vortex service.
+- **VortexHttpFailures4xx**  The number of 400-499 error codes received from Vortex.
+- **VortexHttpFailures5xx**  The number of 500-599 error codes received from Vortex.
+
+
+### TelClientSynthetic.PrivacySettingsAfterCreatorsUpdate
+
+This event sends basic data on privacy settings before and after a feature update. This is used to ensure that customer privacy settings are correctly migrated across feature updates.
+
+The following fields are available:
+
+- **PostUpgradeSettings**  The privacy settings after a feature update.
+- **PreUpgradeSettings**  The privacy settings before a feature update.
+
+
+## DxgKernelTelemetry events
+
+### DxgKrnlTelemetry.GPUAdapterInventoryV2
+
+This event sends basic GPU and display driver information to keep Windows and display drivers up-to-date.
+
+The following fields are available:
+
+- **aiSeqId**  The event sequence ID.
+- **bootId**  The system boot ID.
+- **ComputePreemptionLevel**  The maximum preemption level supported by GPU for compute payload.
+- **DedicatedSystemMemoryB**  The amount of system memory dedicated for GPU use (in bytes).
+- **DedicatedVideoMemoryB**  The amount of dedicated VRAM of the GPU (in bytes).
+- **DisplayAdapterLuid**  The display adapter LUID.
+- **DriverDate**  The date of the display driver.
+- **DriverRank**  The rank of the display driver.
+- **DriverVersion**  The display driver version.
+- **GPUDeviceID**  The GPU device ID.
+- **GPUPreemptionLevel**  The maximum preemption level supported by GPU for graphics payload.
+- **GPURevisionID**  The GPU revision ID.
+- **GPUVendorID**  The GPU vendor ID.
+- **InterfaceId**  The GPU interface ID.
+- **IsDisplayDevice**  Does the GPU have displaying capabilities?
+- **IsHybridDiscrete**  Does the GPU have discrete GPU capabilities in a hybrid device?
+- **IsHybridIntegrated**  Does the GPU have integrated GPU capabilities in a hybrid device?
+- **IsLDA**  Is the GPU comprised of Linked Display Adapters?
+- **IsMiracastSupported**  Does the GPU support Miracast?
+- **IsMismatchLDA**  Is at least one device in the Linked Display Adapters chain from a different vendor?
+- **IsMPOSupported**  Does the GPU support Multi-Plane Overlays?
+- **IsMsMiracastSupported**  Are the GPU Miracast capabilities driven by a Microsoft solution?
+- **IsPostAdapter**  Is this GPU the POST GPU in the device?
+- **IsRenderDevice**  Does the GPU have rendering capabilities?
+- **IsSoftwareDevice**  Is this a software implementation of the GPU?
+- **MeasureEnabled**  Is the device listening to MICROSOFT_KEYWORD_MEASURES?
+- **SharedSystemMemoryB**  The amount of system memory shared by GPU and CPU (in bytes).
+- **SubSystemID**  The subsystem ID.
+- **SubVendorID**  The GPU sub vendor ID.
+- **TelemetryEnabled**  Is the device listening to MICROSOFT_KEYWORD_TELEMETRY?
+- **TelInvEvntTrigger**  What triggered this event to be logged?  Example: 0 (GPU enumeration) or 1 (DxgKrnlTelemetry provider toggling)
+- **version**  The event version.
+- **WDDMVersion**  The Windows Display Driver Model version.
+- **NumVidPnSources**  The number of supported display output sources.
+- **NumVidPnTargets**  The number of supported display output targets.
+
+
+## Fault Reporting events
+
+### Microsoft.Windows.FaultReporting.AppCrashEvent
+
+"This event sends data about crashes for both native and managed applications, to help keep Windows up to date. The data includes information about the crashing process and a summary of its exception record. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the crash to the Watson service, and the WER event will contain the same ReportID (see field 14 of crash event, field 19 of WER event) as the crash event for the crash being reported. AppCrash is emitted once for each crash handled by WER (e.g. from an unhandled exception or FailFast or ReportException). Note that Generic Watson event types (e.g. from PLM) that may be considered crashes"" by a user DO NOT emit this event."
+
+The following fields are available:
+
+- **AppName**  The name of the app that has crashed.
+- **AppSessionGuid**  GUID made up of process ID and is used as a correlation vector for process instances in the diagnostic data backend.
+- **AppTimeStamp**  The date/time stamp of the app.
+- **AppVersion**  The version of the app that has crashed.
+- **ExceptionCode**  The exception code returned by the process that has crashed.
+- **ExceptionOffset**  The address where the exception had occurred.
+- **Flags**  "Flags indicating how reporting is done. For example, queue the report, do not offer JIT debugging, or do not terminate the process after reporting. "
+- **ModName**  Exception module name (e.g. bar.dll).
+- **ModTimeStamp**  The date/time stamp of the module.
+- **ModVersion**  The version of the module that has crashed.
+- **PackageFullName**  Store application identity.
+- **PackageRelativeAppId**  Store application identity.
+- **ProcessArchitecture**  Architecture of the crashing process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64.
+- **ProcessCreateTime**  The time of creation of the process that has crashed.
+- **ProcessId**  The ID of the process that has crashed.
+- **ReportId**  A GUID used to identify the report. This can used to track the report across Watson.
+- **TargetAppId**  The kernel reported AppId of the application being reported.
+- **TargetAppVer**  The specific version of the application being reported
+- **TargetAsId**  The sequence number for the hanging process.
+
+
+## Feature update events
+
+### Microsoft.Windows.Upgrade.Uninstall.UninstallFailed
+
+This event sends diagnostic data about failures when uninstalling a feature update, to help resolve any issues preventing customers from reverting to a known state
+
+The following fields are available:
+
+- **failureReason**  Provides data about the uninstall initialization operation failure
+- **hr**  Provides the Win32 error code for the operation failure
+
+
+### Microsoft.Windows.Upgrade.Uninstall.UninstallFinalizedAndRebootTriggered
+
+Indicates that the uninstall was properly configured and that a system reboot was initiated
+
+The following fields are available:
+
+- **name**  Name of the event
+
+
+## Hang Reporting events
+
+### Microsoft.Windows.HangReporting.AppHangEvent
+
+This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events.
+
+The following fields are available:
+
+- **AppName**  The name of the app that has hung.
+- **AppSessionGuid**  GUID made up of process id used as a correlation vector for process instances in the diagnostic data backend.
+- **AppVersion**  The version of the app that has hung.
+- **PackageFullName**  Store application identity.
+- **PackageRelativeAppId**  Store application identity.
+- **ProcessArchitecture**  Architecture of the hung process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64.
+- **ProcessCreateTime**  The time of creation of the process that has hung.
+- **ProcessId**  The ID of the process that has hung.
+- **ReportId**  A GUID used to identify the report. This can used to track the report across Watson.
+- **TargetAppId**  The kernel reported AppId of the application being reported.
+- **TargetAppVer**  The specific version of the application being reported.
+- **TargetAsId**  The sequence number for the hanging process.
+- **TypeCode**  Bitmap describing the hang type.
+- **WaitingOnAppName**  If this is a cross process hang waiting for an application, this has the name of the application.
+- **WaitingOnAppVersion**  If this is a cross process hang, this has the version of the application for which it is waiting.
+- **WaitingOnPackageFullName**  If this is a cross process hang waiting for a package, this has the full name of the package for which it is waiting.
+- **WaitingOnPackageRelativeAppId**  If this is a cross process hang waiting for a package, this has the relative application id of the package.
+
+
+## Inventory events
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassStartSync
+
+This event indicates that a new set of InventoryDeviceUsbHubClassAdd events will be sent
+
+The following fields are available:
+
+- **InventoryVersion**  The version of the inventory file generating the events
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassAdd
+
+This event sends basic metadata about the USB hubs on the device
+
+The following fields are available:
+
+- **InventoryVersion**  The version of the inventory file generating the events
+- **TotalUserConnectablePorts**  Total number of connectable USB ports
+- **TotalUserConnectableTypeCPorts**  Total number of connectable USB Type C ports
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsAdd
+
+This event provides data on Microsoft Office VBA rule violations, including a rollup count per violation type, giving an indication of remediation requirements for an organization. The event identifier is a unique GUID, associated with the validation rule
+
+The following fields are available:
+
+- **Count**  Count of total Microsoft Office VBA rule violations
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInAdd
+
+This event provides data on the installed Office Add-ins.
+
+- **AddInCLSID** The CLSID key office for the Office addin.
+- **AddInId** The identifier of the Office addin.
+- **AddinType** The type of the Office addin.
+- **BinFileTimestamp** The timestamp of the Office addin.
+- **BinFileVersion** The version of the Office addin.
+- **Description** The description of the Office addin.
+- **FileId** The file ID of the Office addin.
+- **FriendlyName** The friendly name of the Office addin.
+- **FullPath** The full path to the Office addin.
+- **LoadBehavior** A Uint32 that describes the load behavior.
+- **LoadTime** The load time for the Office addin.
+- **OfficeApplication** The OIffice application for this addin.
+- **OfficeArchitecture** The architecture of the addin.
+- **OfficeVersion** The Office version for this addin.
+- **OutlookCrashingAddin** A boolean value that indicates if crashes have been found for this addin.
+- **ProductCompany** The name of the company associated with the Office addin.
+- **ProductName** The product name associated with the Office addin.
+- **ProductVersion** The version associated with the Office addin.
+- **ProgramId** The unique program identifier of the Office addin.
+- **Provider** The provider name for this addin.
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInRemove
+
+This event indicates that the particular data object represented by the objectInstanceId is no longer present.
+
+There are no fields in this event.
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsAdd
+
+This event provides insight data on the installed Office products.
+
+The following fields are available:
+
+- **OfficeApplication** The name of the Office application.
+- **OfficeArchitecture** The bitness of the Office application.
+- **OfficeVersion** The version of the Office application.
+- **Value** The insights collected about this entity.
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsRemove
+
+This event indicates that the particular data object represented by the objectInstanceId is no longer present.
+
+There are no fields in this event.
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsStartSync
+
+This diagnostic event indicates that a new sync is being generated for this object type.
+
+There are no fields in this event.
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsAdd
+
+This event describes various Office settings.
+
+The following fields are available:
+
+- **BrowserFlags** Browser flags for Office-related products.
+- **ExchangeProviderFlags** Provider policies for Office Exchange.
+- **SharedComputerLicensing** Office shared computer licensing policies.
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsStartSync
+
+Diagnostic event to indicate a new sync is being generated for this object type. 
+
+There are no fields in this event.
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAAdd
+
+This event provides a summary rollup count of conditions encountered while performing a local scan of Office files, analyzing for known VBA programmability compatibility issues between legacy office version and ProPlus, and between 32 and 64-bit versions
+
+The following fields are available:
+
+- **Design**  Count of files with design issues found
+- **Design_x64**  Count of files with 64 bit design issues found
+- **DuplicateVBA**  Count of files with duplicate VBA code
+- **HasVBA**  Count of files with VBA code
+- **Inaccessible**  Count of files that were inaccessible for scanning
+- **Issues**  Count of files with issues detected
+- **Issues_x64**  Count of files with 64-bit issues detected
+- **IssuesNone**  Count of files with no issues detected
+- **IssuesNone_x64**  Count of files with no 64-bit issues detected
+- **Locked**  Count of files that were locked, preventing scanning
+- **NoVBA**  Count of files with no VBA inside
+- **Protected**  Count of files that were password protected, preventing scanning
+- **RemLimited**  Count of files that require limited remediation changes
+- **RemLimited_x64**  Count of files that require limited remediation changes for 64-bit issues
+- **RemSignificant**  Count of files that require significant remediation changes
+- **RemSignificant_x64**  Count of files that require significant remediation changes for 64-bit issues
+- **Score**  Overall compatibility score calculated for scanned content
+- **Score_x64**  Overall 64-bit compatibility score calculated for scanned content
+- **Total**  Total number of files scanned
+- **Validation**  Count of files that require additional manual validation
+- **Validation_x64**  Count of files that require additional manual validation for 64-bit issues
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARemove
+
+This event indicates that the particular data object represented by the objectInstanceId is no longer present.
+
+There are no fields in this event.
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsRemove
+
+This event indicates that the particular data object represented by the objectInstanceId is no longer present.
+
+There are no fields in this event.
+
+### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkStartSync
+
+This event indicates that a new set of InventoryApplicationFrameworkAdd events will be sent
+
+The following fields are available:
+
+- **InventoryVersion**  The version of the inventory file generating the events
+
+
+### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkAdd
+
+This event provides the basic metadata about the frameworks an application may depend on
+
+The following fields are available:
+
+- **FileId**  A hash that uniquely identifies a file
+- **Frameworks**  The list of frameworks this file depends on
+- **InventoryVersion**  The version of the inventory file generating the events
+- **ProgramId**  A hash of the Name, Version, Publisher, and Language of an application used to identify it
+
+
+### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorAdd
+
+These events represent the basic metadata about the OS indicators installed on the system which are used for keeping the device up-to-date.
+
+The following fields are available:
+
+- **IndicatorValue**  The indicator value
+- **Value**  Describes an operating system indicator that may be relevant for the device upgrade.
+
+
+### Microsoft.Windows.Inventory.Indicators.Checksum
+
+This event summarizes the counts for the InventoryMiscellaneousUexIndicatorAdd events.
+
+The following fields are available:
+
+- **ChecksumDictionary**  A count of each operating system indicator.
+- **PCFP**  Equivalent to the InventoryId field that is found in other core events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryApplicationAdd
+
+This event sends basic metadata about an application on the system to help keep Windows up to date.
+
+The following fields are available:
+
+- **HiddenArp**  Indicates whether a program hides itself from showing up in ARP.
+- **InstallDate**  The date the application was installed (a best guess based on folder creation date heuristics).
+- **InstallDateArpLastModified**  The date of the registry ARP key for a given application. Hints at install date but not always accurate. Passed as an array. Example: 4/11/2015  00:00:00
+- **InstallDateFromLinkFile**  The estimated date of install based on the links to the files.  Passed as an array.
+- **InstallDateMsi**  The install date if the application was installed via MSI. Passed as an array.
+- **InventoryVersion**  The version of the inventory file generating the events.
+- **Language**  The language code of the program.
+- **MsiPackageCode**  A GUID that describes the MSI Package. Multiple 'Products' (apps) can make up an MsiPackage.
+- **MsiProductCode**  A GUID that describe the MSI Product.
+- **Name**  The name of the application
+- **OSVersionAtInstallTime**  The four octets from the OS version at the time of the application's install.
+- **PackageFullName**  The package full name for a Store application.
+- **ProgramInstanceId**  A hash of the file IDs in an app.
+- **Publisher**  The Publisher of the application. Location pulled from depends on the 'Source' field.
+- **RootDirPath**  The path to the root directory where the program was installed.
+- **Source**  How the program was installed (ARP, MSI, Appx, etc...)
+- **StoreAppType**  A sub-classification for the type of Microsoft Store app, such as UWP or Win8StoreApp.
+- **Type**  "One of (""Application"", ""Hotfix"", ""BOE"", ""Service"", ""Unknown""). Application indicates Win32 or Appx app, Hotfix indicates app updates (KBs), BOE indicates it's an app with no ARP or MSI entry, Service indicates that it is a service. Application and BOE are the ones most likely seen."
+- **Version**  The version number of the program.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryApplicationRemove
+
+This event indicates that a new set of InventoryDevicePnpAdd events will be sent.
+
+The following fields are available:
+
+- **InventoryVersion**  The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryApplicationStartSync
+
+This event indicates that a new set of InventoryApplicationAdd events will be sent.
+
+The following fields are available:
+
+- **InventoryVersion**  The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerRemove
+
+This event indicates that the InventoryDeviceContainer object is no longer present.
+
+The following fields are available:
+
+- **InventoryVersion**  The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDriverPackageAdd
+
+This event sends basic metadata about drive packages installed on the system  to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **Class**  The class name for the device driver.
+- **ClassGuid**  The class GUID for the device driver.
+- **Date**  The driver package date.
+- **Directory**  The path to the driver package.
+- **DriverInBox** Is the driver included with the operating system?
+- **Inf**  The INF name of the driver package.
+- **InventoryVersion**  The version of the inventory file generating the events.
+- **Provider**  The provider for the driver package.
+- **SubmissionId**  The HLK submission ID for the driver package.
+- **Version**  The version of the driver package.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryStartSync
+
+This event indicates that a new set of InventoryDriverBinaryAdd events will be sent.
+
+The following fields are available:
+
+- **InventoryVersion**  The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryRemove
+
+This event indicates that the InventoryDriverBinary object is no longer present.
+
+The following fields are available:
+
+- **InventoryVersion**  The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDriverPackageRemove
+
+This event indicates that the InventoryDriverPackageRemove object is no longer present.
+
+The following fields are available:
+
+- **InventoryVersion**  The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDevicePnpRemove
+
+This event indicates that the InventoryDevicePnpRemove object is no longer present.
+
+The following fields are available:
+
+- **InventoryVersion**  The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerAdd
+
+This event sends basic metadata about a device container (such as a monitor or printer as opposed to a PNP device) to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **Categories**  A comma separated list of functional categories in which the container belongs.
+- **DiscoveryMethod**  The discovery method for the device container.
+- **FriendlyName**  The name of the device container.
+- **InventoryVersion**  The version of the inventory file generating the events.
+- **IsActive**  Is the device connected, or has it been seen in the last 14 days?
+- **IsConnected**  For a physically attached device, this value is the same as IsPresent. For wireless a device, this value represents a communication link.
+- **IsMachineContainer**  Is the container the root device itself?
+- **IsNetworked**  Is this a networked device?
+- **IsPaired**  Does the device container require pairing?
+- **Manufacturer**  The manufacturer name for the device container.
+- **ModelId**  A model GUID.
+- **ModelName**  The model name.
+- **ModelNumber**  The model number for the device container.
+- **PrimaryCategory**  The primary category for the device container.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerStartSync
+
+This event indicates that a new set of InventoryDeviceContainerAdd events will be sent.
+
+The following fields are available:
+
+- **InventoryVersion**  The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassStartSync
+
+This event indicates that a new set of InventoryDeviceMediaClassSAdd events will be sent.
+
+The following fields are available:
+
+- **InventoryVersion**  The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDriverPackageStartSync
+
+This event indicates that a new set of InventoryDriverPackageAdd events will be sent.
+
+The following fields are available:
+
+- **InventoryVersion**  The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassRemove
+
+This event indicates that the InventoryDeviceMediaClassRemove object is no longer present.
+
+The following fields are available:
+
+- **InventoryVersion**  The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDevicePnpStartSync
+
+This event indicates that a new set of InventoryDevicePnpAdd events will be sent.
+
+The following fields are available:
+
+- **InventoryVersion**  The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassAdd
+
+This event sends additional metadata about a PNP device that is specific to a particular class of devices to help keep Windows up to date while reducing overall size of data payload.
+
+The following fields are available:
+
+- **Audio_CaptureDriver**  The Audio device capture driver endpoint.
+- **Audio_RenderDriver**  The Audio device render driver endpoint.
+- **InventoryVersion**  The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDevicePnpAdd
+
+This event represents the basic metadata about a PNP device and its associated driver
+
+The following fields are available:
+
+- **class**  The device setup class of the driver loaded for the device
+- **classGuid**  The device class GUID from the driver package
+- **COMPID**  A JSON array the provides the value and order of the compatible ID tree for the device.
+- **ContainerId**  A system-supplied GUID that uniquely groups the functional devices associated with a single-function or multifunction device installed in the device.
+- **description**  The device description
+- **deviceState**  DeviceState is a bitmask of the following: DEVICE_IS_CONNECTED 0x0001 (currently only for container). DEVICE_IS_NETWORK_DEVICE 0x0002 (currently only for container). DEVICE_IS_PAIRED 0x0004 (currently only for container). DEVICE_IS_ACTIVE 0x0008 (currently never set). DEVICE_IS_MACHINE 0x0010 (currently only for container). DEVICE_IS_PRESENT 0x0020 (currently always set). DEVICE_IS_HIDDEN 0x0040. DEVICE_IS_PRINTER 0x0080 (currently only for container). DEVICE_IS_WIRELESS 0x0100. DEVICE_IS_WIRELESS_FAT 0x0200. The most common values are therefore: 32 (0x20)= device is present. 96 (0x60)= device is present but hidden. 288 (0x120)= device is a wireless device that is present
+- **DriverId**  A unique identifier for the installed device.
+- **DriverName**  The name of the driver image file.
+- **driverPackageStrongName**  The immediate parent directory name in the Directory field of InventoryDriverPackage.
+- **driverVerDate**  The date of the driver loaded for the device
+- **driverVerVersion**  The version of the driver loaded for the device
+- **enumerator**  The bus that enumerated the device
+- **HWID**  A JSON array that provides the value and order of the HWID tree for the device.
+- **Inf**  The INF file name.
+- **installState**  The device installation state.  One of these values: https://msdn.microsoft.com/library/windows/hardware/ff543130.aspx
+- **InventoryVersion**  The version of the inventory file generating the events.
+- **lowerClassFilters**  Lower filter class drivers IDs installed for the device.
+- **lowerFilters**  Lower filter drivers IDs installed for the device
+- **manufacturer**  The device manufacturer
+- **matchingID**  Represents the hardware ID or compatible ID that Windows uses to install a device instance
+- **model**  The device model
+- **parentId**  Device instance id of the parent of the device
+- **ProblemCode**  The current error code for the device.
+- **provider**  The device provider
+- **service**  The device service name#N##N##N##N##N#
+- **STACKID**  A JSON array that provides the value and order of the STACKID tree for the device.
+- **upperClassFilters**  Upper filter class drivers IDs installed for the device
+- **upperFilters**  Upper filter drivers IDs installed for the device
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryAdd
+
+This event provides the basic metadata about driver binaries running on the system
+
+The following fields are available:
+
+- **DriverCheckSum**  The checksum of the driver file.
+- **DriverCompany**  The company name that developed the driver.
+- **driverInBox**  Is the driver included with the operating system?
+- **driverIsKernelMode**  Is it a kernel mode driver?
+- **DriverName**  The file name of the driver.
+- **driverPackageStrongName**  The strong name of the driver package
+- **driverSigned**  The strong name of the driver package
+- **DriverTimeStamp**  The low 32 bits of the time stamp of the driver file.
+- **DriverType**  A bitfield of driver attributes: 1. define DRIVER_MAP_DRIVER_TYPE_PRINTER 0x0001. 2. define DRIVER_MAP_DRIVER_TYPE_KERNEL 0x0002. 3. define DRIVER_MAP_DRIVER_TYPE_USER 0x0004. 4. define DRIVER_MAP_DRIVER_IS_SIGNED 0x0008. 5. define DRIVER_MAP_DRIVER_IS_INBOX 0x0010. 6. define DRIVER_MAP_DRIVER_IS_WINQUAL 0x0040. 7. define DRIVER_MAP_DRIVER_IS_SELF_SIGNED 0x0020. 8. define DRIVER_MAP_DRIVER_IS_CI_SIGNED 0x0080. 9. define DRIVER_MAP_DRIVER_HAS_BOOT_SERVICE 0x0100. 10. define DRIVER_MAP_DRIVER_TYPE_I386 0x10000. 11. define DRIVER_MAP_DRIVER_TYPE_IA64 0x20000. 12. define DRIVER_MAP_DRIVER_TYPE_AMD64 0x40000. 13. define DRIVER_MAP_DRIVER_TYPE_ARM 0x100000. 14. define DRIVER_MAP_DRIVER_TYPE_THUMB 0x200000. 15. define DRIVER_MAP_DRIVER_TYPE_ARMNT 0x400000. 16. define DRIVER_MAP_DRIVER_IS_TIME_STAMPED 0x800000.
+- **DriverVersion**  The version of the driver file.
+- **ImageSize**  The size of the driver file.
+- **Inf**  The name of the INF file.
+- **InventoryVersion**  The version of the inventory file generating the events.
+- **Product**  The product name that is included in the driver file.
+- **ProductVersion**  The product version that is included in the driver file.
+- **service**  The device service name
+- **WdfVersion**  The Windows Driver Framework version.
+
+
+### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicator
+
+This event sends value data about the markers on custom devices, to help keep Windows up to date. The formal name for markers is UEX Indicators. See marker list for definitions.
+
+The following fields are available:
+
+- **IndicatorValue**  Value of the marker/indicator
+- **Key**  Name of the marker/indicator
+
+
+### Microsoft.Windows.Inventory.Core.AmiTelCacheVersions
+
+This event sends inventory component versions for the Device Inventory data.
+
+The following fields are available:
+
+- **aeinv**  The version of the App inventory component.
+- **devinv**  The file version of the Device inventory component.
+
+
+### Microsoft.Windows.Inventory.Core.AmiTelCacheChecksum
+
+This event captures basic checksum data about the device inventory items stored in the cache for use in validating data completeness for Microsoft.Windows.Inventory.Core events. The fields in this event may change over time, but they will always represent a count of a given object.
+
+The following fields are available:
+
+- **Device**  A count of device objects in cache
+- **DeviceCensus**  A count of devicecensus objects in cache
+- **DriverPackageExtended**  A count of driverpackageextended objects in cache
+- **File**  A count of file objects in cache
+- **FileSigningInfo**  A count of file signing info objects in cache.
+- **Generic**  A count of generic objects in cache
+- **HwItem**  A count of hwitem objects in cache
+- **InventoryApplication**  A count of application objects in cache
+- **InventoryApplicationFile**  A count of application file objects in cache
+- **InventoryDeviceContainer**  A count of device container objects in cache
+- **InventoryDeviceInterface**  A count of inventory device interface objects in cache.
+- **InventoryDeviceMediaClass**  A count of device media objects in cache
+- **InventoryDevicePnp**  A count of devicepnp objects in cache
+- **InventoryDriverBinary**  A count of driver binary objects in cache
+- **InventoryDriverPackage**  A count of device objects in cache
+- **Metadata**  A count of metadata objects in cache
+- **Orphan**  A count of orphan file objects in cache
+- **Programs**  A count of program objects in cache
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceStartSync
+
+This event indicates that a new set of InventoryDeviceInterfaceAdd events will be sent.
+
+The following fields are available:
+
+- **InventoryVersion**  The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceAdd
+
+This event retrieves information about what sensor interfaces are available on the device.
+
+The following fields are available:
+
+- **Accelerometer3D**  Indicates if an Accelerator3D sensor is found.
+- **ActivityDetection**  Indicates if an Activity Detection sensor is found.
+- **AmbientLight**  Indicates if an Ambient Light sensor is found.
+- **Barometer**  Indicates if a Barometer sensor is found.
+- **Custom**  Indicates if a Custom sensor is found.
+- **EnergyMeter** Indicates if an Energy sensor is found.
+- **FloorElevation**  Indicates if a Floor Elevation sensor is found.
+- **GeomagneticOrientation**  Indicates if a Geo Magnetic Orientation sensor is found.
+- **GravityVector**  Indicates if a Gravity Detector sensor is found.
+- **Gyrometer3D**  Indicates if a Gyrometer3D sensor is found.
+- **Humidity**  Indicates if a Humidity sensor is found.
+- **InventoryVersion**  The version of the inventory file generating the events.
+- **LinearAccelerometer**  Indicates if a Linear Accelerometer sensor is found.
+- **Magnetometer3D**  Indicates if a Magnetometer3D sensor is found.
+- **Orientation**  Indicates if an Orientation sensor is found.
+- **Pedometer**  Indicates if a Pedometer sensor is found.
+- **Proximity**  Indicates if a Proximity sensor is found.
+- **RelativeOrientation**  Indicates if a Relative Orientation sensor is found.
+- **SimpleDeviceOrientation**  Indicates if a Simple Device Orientation sensor is found.
+- **Temperature**  Indicates if a Temperature sensor is found.
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInStartSync
+
+This event indicates that a new sync is being generated for this object type.
+
+There are no fields in this event.
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersAdd
+
+This event provides data on the installed Office identifiers.
+
+- **OAudienceData** The Office Audience descriptor.
+- **OAudienceId** The Office Audience ID.
+- **OMID** The Office machine ID.
+- **OPlatform** The Office architecture.
+- **OVersion** The Office version
+- **OTenantId** The Office 365 Tenant GUID.
+- **OWowMID** The Office machine ID.
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersStartSync
+
+This event indicates that a new sync is being generated for this object type.
+
+There are no fields in this event.
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsAdd
+
+This event provides data on the installed Office-related Internet Explorer features.
+
+- **OIeFeatureAddon** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/library/ee330720.aspx).
+- **OIeMachineLockdown** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/library/ee330720.aspx).
+- **OIeMimeHandling** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/library/ee330720.aspx).
+- **OIeMimeSniffing** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/library/ee330720.aspx).
+- **OIeNoAxInstall** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/library/ee330720.aspx).
+- **OIeNoDownload** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/library/ee330720.aspx).
+- **OIeObjectCaching** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/library/ee330720.aspx).
+- **OIePasswordDisable** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/library/ee330720.aspx).
+- **OIeSafeBind** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/library/ee330720.aspx).
+- **OIeSecurityBand** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/library/ee330720.aspx).
+- **OIeUncSaveCheck** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/library/ee330720.aspx).
+- **OIeValidateUrl** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/library/ee330720.aspx).
+- **OIeWebOcPopup** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/library/ee330720.aspx).
+- **OIeWinRestrict** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/library/ee330720.aspx).
+- **OIeZoneElevate** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/library/ee330720.aspx).
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsStartSync
+
+This event indicates that a new sync is being generated for this object type.
+
+There are no fields in this event.
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsAdd
+
+This event describes the Office products that are installed.
+
+- **OC2rApps** The Office Click-to-Run apps.
+- **OC2rSkus** The Office Click-to-Run products.
+- **OMsiApps** The Office MSI apps.
+- **OProductCodes** The Office MSI product code.
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsStartSync
+
+This event indicates that a new sync is being generated for this object type.
+
+There are no fields in this event.
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsStartSync
+
+This event indicates that a new sync is being generated for this object type.
+
+There are no fields in this event.
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAStartSync
+
+This event indicates that a new sync is being generated for this object type.
+
+There are no fields in this event.
+
+### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorRemove
+
+This event is a counterpart to InventoryMiscellaneousUexIndicatorAdd that indicates that the item has been removed.
+
+There are no fields in this event.
+
+### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorStartSync
+
+This event indicates that a new set of InventoryMiscellaneousUexIndicatorAdd events will be sent.
+
+There are no fields in this event.
+
+## OneDrive events
+
+### Microsoft.OneDrive.Sync.Updater.OfficeRegistration
+
+This event determines the status of the OneDrive integration with Microsoft Office.
+
+The following fields are available:
+
+- **isValid**  Is the Microsoft Office registration valid?
+
+
+### Microsoft.OneDrive.Sync.Updater.UpdateTierReg
+
+This event determines status of the update tier registry values.
+
+The following fields are available:
+
+- **regReadEnterpriseHr**  The HResult of the enterprise reg read value.
+- **regReadTeamHr**  The HResult of the team reg read value.
+
+
+### Microsoft.OneDrive.Sync.Updater.RepairResult
+
+The event determines the result of the installation repair.
+
+The following fields are available:
+
+- **hr**  The HResult of the operation.
+
+
+### Microsoft.OneDrive.Sync.Updater.UpdateXmlDownloadHResult
+
+This event determines the status when downloading the OneDrive update configuration file.
+
+The following fields are available:
+
+- **hr**  The HResult of the operation.
+
+
+### Microsoft.OneDrive.Sync.Updater.SetupBinaryDownloadHResult
+
+This event indicates the status when downloading the OneDrive setup file.
+
+The following fields are available:
+
+- **hr**  The HResult of the operation.
+
+
+### Microsoft.OneDrive.Sync.Updater.UpdateOverallResult
+
+This event determines the outcome of the operation.
+
+The following fields are available:
+
+- **hr**  The HResult of the operation.
+- **IsLoggingEnabled**  Is logging enabled?
+- **UpdaterVersion**  The version of the updater.
+
+
+### Microsoft.OneDrive.Sync.Updater.WebConnectionStatus
+
+This event determines the error code that was returned when verifying Internet connectivity.
+
+The following fields are available:
+
+- **winInetError**  The HResult of the operation.
+
+
+### Microsoft.OneDrive.Sync.Updater.OverlayIconStatus
+
+This event indicates if the OneDrive overlay icon is working correctly. 0 = healthy; 1 = can be fixed; 2 = broken
+
+The following fields are available:
+
+- **32bit**  The status of the OneDrive overlay icon on a 32-bit operating system.
+- **64bit**  The status of the OneDrive overlay icon on a 64-bit operating system.
+- **SixtyFourBit**  The status of the OneDrive overlay icon on a 32-bit operating system.
+- **ThirtyTwoBit**  The status of the OneDrive overlay icon on a 64-bit operating system.
+
+
+### Microsoft.OneDrive.Sync.Updater.ComponentInstallState
+
+This event determines the installation state of dependent OneDrive components.
+
+The following fields are available:
+
+- **ComponentName**  The name of the dependent component.
+- **isInstalled**  Is the dependent component installed?
+
+
+### Microsoft.OneDrive.Sync.Updater.CommonData
+
+This event contains basic OneDrive configuration data that helps to diagnose failures.
+
+The following fields are available:
+
+- **AppVersion**  The version of the app.
+- **BuildArch**  Is the architecture x86 or x64?
+- **Environment**  Is the device on the production or int service?
+- **IsMSFTInternal**  Is this an internal Microsoft device?
+- **MachineGuid**  The CEIP machine ID.
+- **Market**  Which market is this in?
+- **OfficeVersion**  The version of Office that is installed.
+- **OneDriveDeviceId**  The OneDrive device ID.
+- **OSDeviceName**  Only if the device is internal to Microsoft, the device name.
+- **OSUserName**  Only if the device is internal to Microsoft, the user name.
+- **UserGuid**  A unique global user identifier.
+
+
+### Microsoft.OneDrive.Sync.Setup.APIOperation
+
+This event includes basic data about install and uninstall OneDrive API operations.
+
+The following fields are available:
+
+- **APIName**  The name of the API.
+- **Duration**  How long the operation took.
+- **IsSuccess**  Was the operation successful?
+- **ResultCode**  The result code.
+- **ScenarioName**  The name of the scenario.
+
+
+### Microsoft.OneDrive.Sync.Setup.RegisterStandaloneUpdaterAPIOperation
+
+This event is related to registering or unregistering the OneDrive update task.
+
+The following fields are available:
+
+- **APIName**  The name of the API.
+- **IsSuccess**  Was the operation successful?
+- **RegisterNewTaskResult**  The HResult of the RegisterNewTask operation.
+- **ScenarioName**  The name of the scenario.
+- **UnregisterOldTaskResult**  The HResult of the UnregisterOldTask operation.
+
+
+### Microsoft.OneDrive.Sync.Setup.EndExperience
+
+This event includes a success or failure summary of the installation.
+
+The following fields are available:
+
+- **APIName**  The name of the API.
+- **HResult**  Indicates the result code of the event
+- **IsSuccess**  Was the operation successful?
+- **ScenarioName**  The name of the scenario.
+
+
+### Microsoft.OneDrive.Sync.Setup.OSUpgradeInstallationOperation
+
+This event is related to the OS version when the OS is upgraded with OneDrive installed.
+
+The following fields are available:
+
+- **CurrentOneDriveVersion**  The current version of OneDrive.
+- **CurrentOSBuildBranch**  The current branch of the operating system.
+- **CurrentOSBuildNumber**  The current build number of the operating system.
+- **CurrentOSVersion**  The current version of the operating system.
+- **HResult**  The HResult of the operation.
+- **SourceOSBuildBranch**  The source branch of the operating system.
+- **SourceOSBuildNumber**  The source build number of the operating system.
+- **SourceOSVersion**  The source version of the operating system.
+
+
+### Microsoft.OneDrive.Sync.Setup.SetupCommonData
+
+This event contains basic OneDrive configuration data that helps to diagnose failures.
+
+The following fields are available:
+
+- **AppVersion**  The version of the app.
+- **BuildArchitecture**  Is the architecture x86 or x64?
+- **Environment**  Is the device on the production or int service?
+- **MachineGuid**  The CEIP machine ID.
+- **Market**  Which market is this in?
+- **MSFTInternal**  Is this an internal Microsoft device?
+- **OfficeVersionString**  The version of Office that is installed.
+- **OSDeviceName**  Only if the device is internal to Microsoft, the device name.
+- **OSUserName**  Only if the device is internal to Microsoft, the user name.
+- **UserGuid**  The CEIP user ID.
+
+
+## Setup events
+
+### SetupPlatformTel.SetupPlatformTelActivityStarted
+
+"This event sends basic metadata about the update installation process generated by SetupPlatform to help keep Windows up to date. "
+
+The following fields are available:
+
+- **Name**  The name of the dynamic update type. Example: GDR driver
+
+
+### SetupPlatformTel.SetupPlatformTelActivityEvent
+
+This event sends basic metadata about the SetupPlatform update installation process, to help keep Windows up-to-date
+
+The following fields are available:
+
+- **ActivityId**  Provides a unique Id to correlate events that occur between a activity start event, and a stop event
+- **ActivityName**  Provides a friendly name of the package type that belongs to the ActivityId (Setup, LanguagePack, GDR, Driver, etc.)
+- **FieldName**  Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc.
+- **GroupName**  Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc.
+- **value**  Value associated with the corresponding event name. For example, time-related events will include the system time
+
+
+### SetupPlatformTel.SetupPlatformTelEvent
+
+This service retrieves events generated by SetupPlatform, the engine that drives the various deployment scenarios.
+
+The following fields are available:
+
+- **FieldName**  Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc.
+- **Value**  Retrieves the value associated with the corresponding event name (Field Name). For example: For time related events this will include the system time.
+- **GroupName**  Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc.
+
+
+## Shared PC events
+
+### Microsoft.Windows.SharedPC.AccountManager.DeleteUserAccount
+
+Activity for deletion of a user account for devices set up for Shared PC mode as part of the Transient Account Manager to help keep Windows up to date. Deleting unused user accounts on shared devices frees up disk space to improve Windows Update success rates.
+
+The following fields are available:
+
+- **accountType**  The type of account that was deleted. Example: AD, AAD, or Local
+- **userSid**  The security identifier of the account.
+- **wilActivity**  Windows Error Reporting data collected when there is a failure in deleting a user account with the Transient Account Manager.
+
+
+### Microsoft.Windows.SharedPC.AccountManager.SinglePolicyEvaluation
+
+Activity for run of the Transient Account Manager that determines if any user accounts should be deleted for devices set up for Shared PC mode to help keep Windows up to date. Deleting unused user accounts on shared devices frees up disk space to improve Windows Update success rates
+
+The following fields are available:
+
+- **wilActivity**  Windows Error Reporting data collected when there is a failure in evaluating accounts to be deleted with the Transient Account Manager.
+- **totalAccountCount**  The number of accounts on a device after running the Transient Account Manager policies.
+- **evaluationTrigger**  When was the Transient Account Manager policies ran? Example: At log off or during maintenance hours
+
+
+## Software update events
+
+### SoftwareUpdateClientTelemetry.UpdateDetected
+
+This event sends data about an AppX app that has been updated from the Microsoft Store, including what app needs an update and what version/architecture is required, in order to understand and address problems with apps getting required updates.
+
+The following fields are available:
+
+- **ApplicableUpdateInfo**  Metadata for the updates which were detected as applicable
+- **CallerApplicationName**  The name provided by the caller who initiated API calls into the software distribution client
+- **NumberOfApplicableUpdates**  The number of updates which were ultimately deemed applicable to the system after the detection process is complete
+- **RelatedCV**  The previous Correlation Vector that was used before swapping with a new one
+- **WUDeviceID**  The unique device ID controlled by the software distribution client
+- **IntentPFNs**  Intended application-set metadata for atomic update scenarios.
+- **ServiceGuid**  An ID which represents which service the software distribution client is connecting to (Windows Update, Microsoft Store, etc.)
+
+
+### SoftwareUpdateClientTelemetry.SLSDiscovery
+
+This event sends data about the ability of Windows to discover the location of a backend server with which it must connect to perform updates or content acquisition, in order to determine disruptions in availability of update services and provide context for Windows Update errors.
+
+The following fields are available:
+
+- **EventScenario**  Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed
+- **HResult**  Indicates the result code of the event (success, cancellation, failure code HResult)
+- **IsBackground**  Indicates whether the SLS discovery event took place in the foreground or background
+- **NextExpirationTime**  Indicates when the SLS cab expires
+- **ServiceID**  An ID which represents which service the software distribution client is connecting to (Windows Update, Microsoft Store, etc.)
+- **SusClientId**  The unique device ID controlled by the software distribution client
+- **UrlPath**  Path to the SLS cab that was downloaded
+- **WUAVersion**  The version number of the software distribution client
+
+
+### SoftwareUpdateClientTelemetry.Commit
+
+This event sends data on whether the Update Service has been called to execute an upgrade, to help keep Windows up to date.
+
+The following fields are available:
+
+- **BiosFamily**  The family of the BIOS (Basic Input Output System).
+- **BiosName**  The name of the device BIOS.
+- **BiosReleaseDate**  The release date of the device BIOS.
+- **BiosSKUNumber**  The sku number of the device BIOS.
+- **BIOSVendor**  The vendor of the BIOS.
+- **BiosVersion**  The version of the BIOS.
+- **BundleId**  Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found.
+- **ClientVersion**  The version number of the software distribution client.
+- **DeviceModel**  What is the device model.
+- **EventInstanceID**  A globally unique identifier for event instance.
+- **EventScenario**  State of call
+- **EventType**  "Possible values are ""Child"", ""Bundle"", or ""Driver""."
+- **HandlerType**  Indicates the kind of content (app, driver, windows patch, etc.)
+- **RevisionNumber**  Unique revision number of Update
+- **ServerId**  Identifier for the service to which the software distribution client is connecting, such as Windows Update and Microsoft Store.
+- **SystemBIOSMajorRelease**  Major version of the BIOS.
+- **SystemBIOSMinorRelease**  Minor version of the BIOS.
+- **UpdateId**  Unique Update ID
+- **WUDeviceID**  UniqueDeviceID
+- **BundleRevisionNumber**  Identifies the revision number of the content bundle
+- **FlightId**  The specific id of the flight the device is getting
+- **CallerApplicationName**  The name provided by the caller who initiated API calls into the software distribution client
+
+
+### SoftwareUpdateClientTelemetry.DownloadCheckpoint
+
+This event provides a checkpoint between each of the Windows Update download phases for UUP content
+
+The following fields are available:
+
+- **EventScenario**  Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed
+- **ExtendedStatusCode**  Secondary error code for certain scenarios where StatusCode wasn't specific enough
+- **FileId**  A hash that uniquely identifies a file
+- **FileName**  Name of the downloaded file
+- **RelatedCV**  The previous Correlation Vector that was used before swapping with a new one
+- **StatusCode**  Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult)
+- **EventType**  "Possible values are ""Child"", ""Bundle"", ""Relase"" or ""Driver"""
+- **CallerApplicationName**  The name provided by the caller who initiated API calls into the software distribution client
+- **ClientVersion**  The version number of the software distribution client
+- **FlightId**  The unique identifier for each flight
+- **RevisionNumber**  Unique revision number of Update
+- **ServiceGuid**  An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.)
+- **UpdateId**  Unique Update ID
+- **WUDeviceID**  The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue
+
+
+### SoftwareUpdateClientTelemetry.UpdateMetadataIntegrity
+
+This event identifies whether updates have been tampered with and protects against man-in-the-middle attacks.
+
+The following fields are available:
+
+- **EventScenario**  The purpose of this event, such as scan started, scan succeeded, or scan failed.
+- **ExtendedStatusCode**  The secondary status code of the event.
+- **LeafCertId**  Integral ID from the FragmentSigning data for certificate that failed.
+- **MetadataIntegrityMode**  The mode of the transport metadata integrity check. 0 = unknown; 1 = ignore; 2 = audit; 3 = enforce
+- **MetadataSignature**  A base64-encoded string of the signature associated with the update metadata (specified by revision ID).
+- **RevisionId**  The revision ID for a specific piece of content.
+- **RevisionNumber**  The revision number for a specific piece of content.
+- **ServiceGuid**  Identifies the service to which the software distribution client is connected, Example: Windows Update or Microsoft Store
+- **SHA256OfLeafCertPublicKey**  A base64 encoding of the hash of the Base64CertData in the FragmentSigning data of the leaf certificate.
+- **SHA256OfTimestampToken**  A base64-encoded string of hash of the timestamp token blob.
+- **SignatureAlgorithm**  The hash algorithm for the metadata signature.
+- **StatusCode**  The status code of the event.
+- **TimestampTokenId**  The time this was created. It is encoded in a timestamp blob and will be zero if the token is malformed.
+- **UpdateId**  The update ID for a specific piece of content.
+- **TimestampTokenCertThumbprint**  "The thumbprint of the encoded timestamp token. "
+- **ValidityWindowInDays**  The validity window that's in effect when verifying the timestamp.
+- **ListOfSHA256OfIntermediateCerData**  A semicolon delimited list of base64 encoding of hashes for the Base64CerData in the FragmentSigning data of an intermediate certificate.
+- **RawMode**  The raw unparsed mode string from the SLS response. This field is null if not applicable.
+- **RawValidityWindowInDays**  The raw unparsed validity window string in days of the timestamp token. This field is null if not applicable.
+- **SHA256OfLeafCerData**  A base64 encoding of the hash for the Base64CerData in the FragmentSigning data of the leaf certificate.
+- **EndpointUrl**  The endpoint URL where the device obtains update metadata. This is used to distinguish between test, staging, and production environments.
+- **SLSPrograms**  A test program to which a device may have opted in. Example: Insider Fast
+
+
+### SoftwareUpdateClientTelemetry.Download
+
+This event sends tracking data about the software distribution client download of the content for that update, to help keep Windows up to date.
+
+The following fields are available:
+
+- **ActiveDownloadTime**  How long the download took, in seconds, excluding time where the update wasn't actively being downloaded.
+- **AppXBlockHashValidationFailureCount**  A count of the number of blocks that have failed validation after being downloaded.
+- **AppXDownloadScope**  Indicates the scope of the download for application content. For streaming install scenarios, AllContent - non-streaming download, RequiredOnly - streaming download requested content required for launch, AutomaticOnly - streaming download requested automatic streams for the app, and Unknown - for events sent before download scope is determined by the Windows Update client.
+- **BiosFamily**  The family of the BIOS (Basic Input Output System).
+- **BiosName**  The name of the device BIOS.
+- **BiosReleaseDate**  The release date of the device BIOS.
+- **BiosSKUNumber**  The sku number of the device BIOS.
+- **BIOSVendor**  The vendor of the BIOS.
+- **BiosVersion**  The version of the BIOS.
+- **BundleBytesDownloaded**  How many bytes were downloaded for the specific content bundle.
+- **BundleId**  Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found.
+- **BundleRepeatFailFlag**  Indicates whether this particular update bundle had previously failed to download.
+- **BundleRevisionNumber**  Identifies the revision number of the content bundle.
+- **BytesDownloaded**  How many bytes were downloaded for an individual piece of content (not the entire bundle).
+- **CachedEngineVersion**  For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null.
+- **CallerApplicationName**  The name provided by the caller who initiated API calls into the software distribution client.
+- **CbsDownloadMethod**  Indicates whether the download was a full-file download or a partial/delta download.
+- **CDNCountryCode**  Two letter country abbreviation for the CDN's location.
+- **CDNId**  ID which defines which CDN the software distribution client downloaded the content from.
+- **ClientManagedByWSUSServer**  Indicates whether the client is managed by Windows Server Update Services (WSUS).
+- **ClientVersion**  The version number of the software distribution client.
+- **CurrentMobileOperator**  The mobile operator the device is currently connected to.
+- **DeviceModel**  What is the device model.
+- **DeviceOEM**  What OEM does this device belong to.
+- **DownloadPriority**  Indicates whether a download happened at background, normal, or foreground priority.
+- **DownloadScenarioId**  A unique ID for a given download used to tie together WU and DO events.
+- **DownloadType**  Differentiates the download type of SIH downloads between Metadata and Payload downloads.
+- **Edition**  Indicates the edition of Windows being used.
+- **EventInstanceID**  A globally unique identifier for event instance.
+- **EventNamespaceID**  Indicates whether the event succeeded or failed. Has the format EventType+Event where Event is Succeeded, Cancelled, Failed, etc.
+- **EventScenario**  Indicates the purpose of sending this event - whether because the software distribution just started downloading content, or whether it was cancelled, succeeded, or failed.
+- **EventType**  Possible values are Child, Bundle, or Driver.
+- **ExtendedStatusCode**  Secondary error code for certain scenarios where StatusCode wasn't specific enough.
+- **FeatureUpdatePause**  Indicates whether feature OS updates are paused on the device.
+- **FlightBranch**  The branch that a device is on if participating in flighting (pre-release builds).
+- **FlightBuildNumber**  If this download was for a flight (pre-release build), this indicates the build number of that flight.
+- **FlightId**  The specific id of the flight (pre-release build) the device is getting.
+- **FlightRing**  The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds).
+- **HandlerType**  Indicates what kind of content is being downloaded (app, driver, windows patch, etc.).
+- **HardwareId**  If this download was for a driver targeted to a particular device model, this ID indicates the model of the device.
+- **HomeMobileOperator**  The mobile operator that the device was originally intended to work with.
+- **HostName**  The hostname URL the content is downloading from.
+- **IPVersion**  Indicates whether the download took place over IPv4 or IPv6.
+- **IsAOACDevice**  Is it Always On, Always Connected?
+- **IsDependentSet**  Indicates whether a driver is a part of a larger System Hardware/Firmware Update
+- **IsWUfBDualScanEnabled**  Indicates if Windows Update for Business dual scan is enabled on the device.
+- **IsWUfBEnabled**  Indicates if Windows Update for Business is enabled on the device.
+- **NetworkCostBitMask**  Indicates what kind of network the device is connected to (roaming, metered, over data cap, etc.)
+- **NetworkRestrictionStatus**  "More general version of NetworkCostBitMask, specifying whether Windows considered the current network to be ""metered."""
+- **PackageFullName**  The package name of the content.
+- **PhonePreviewEnabled**  Indicates whether a phone was opted-in to getting preview builds, prior to flighting (pre-release builds) being introduced.
+- **PlatformRole**  The PowerPlatformRole as defined on MSDN
+- **ProcessName**  The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided.
+- **ProcessorArchitecture**  Processor architecture of the system (x86, AMD64, ARM).
+- **QualityUpdatePause**  Indicates whether quality OS updates are paused on the device.
+- **RelatedCV**  The previous Correlation Vector that was used before swapping with a new one
+- **RepeatFailFlag**  Indicates whether this specific piece of content had previously failed to download.
+- **RevisionNumber**  Identifies the revision number of this specific piece of content.
+- **ServiceGuid**  An ID which represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.).
+- **Setup360Phase**  If the download is for an operating system upgrade, this datapoint indicates which phase of the upgrade is underway.
+- **ShippingMobileOperator**  The mobile operator that a device shipped on.
+- **StatusCode**  Indicates the result of a Download event (success, cancellation, failure code HResult).
+- **SystemBIOSMajorRelease**  Major version of the BIOS.
+- **SystemBIOSMinorRelease**  Minor version of the BIOS.
+- **TargetGroupId**  For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver.
+- **TargetingVersion**  For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device.
+- **TargetMetadataVersion**  For self-initiated healing, this is the target version of the SIH engine to download (if needed). If not, the value is null.
+- **ThrottlingServiceHResult**  Result code (success/failure) while contacting a web service to determine whether this device should download content yet.
+- **TimeToEstablishConnection**  Time (in ms) it took to establish the connection prior to beginning downloaded.
+- **TotalExpectedBytes**  The total count of bytes that the download is expected to be.
+- **UpdateId**  An identifier associated with the specific piece of content.
+- **UpdateImportance**  Indicates whether a piece of content was marked as Important, Recommended, or Optional.
+- **UsedDO**  Whether the download used the delivery optimization service.
+- **UsedSystemVolume**  Indicates whether the content was downloaded to the device's main system storage drive, or an alternate storage drive.
+- **WUDeviceID**  The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
+- **WUSetting**  Indicates the users' current updating settings.
+
+
+### SoftwareUpdateClientTelemetry.CheckForUpdates
+
+This event sends tracking data about the software distribution client check for content that is applicable to a device, to help keep Windows up to date
+
+The following fields are available:
+
+- **ActivityMatchingId**  Contains a unique ID identifying a single CheckForUpdates session from initialization to completion.
+- **AllowCachedResults**  Indicates if the scan allowed using cached results.
+- **BiosFamily**  The family of the BIOS (Basic Input Output System).
+- **BiosName**  The name of the device BIOS.
+- **BiosReleaseDate**  The release date of the device BIOS.
+- **BiosSKUNumber**  The sku number of the device BIOS.
+- **BIOSVendor**  The vendor of the BIOS.
+- **BiosVersion**  The version of the BIOS.
+- **CallerApplicationName**  The name provided by the caller who initiated API calls into the software distribution client.
+- **CapabilityDetectoidGuid**  The GUID for a hardware applicability detectoid that could not be evaluated.
+- **CDNCountryCode**  Two letter country abbreviation for the CDN's location.
+- **CDNId**  The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
+- **ClientVersion**  The version number of the software distribution client.
+- **CurrentMobileOperator**  The mobile operator the device is currently connected to.
+- **DeviceModel**  What is the device model.
+- **DriverError**  The error code hit during a driver scan. This is 0 if no error was encountered.
+- **EventInstanceID**  A globally unique identifier for event instance.
+- **EventScenario**  Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed.
+- **ExtendedMetadataCabUrl**  Hostname that is used to download an update.
+- **ExtendedStatusCode**  Secondary error code for certain scenarios where StatusCode wasn't specific enough.
+- **FailedUpdateGuids**  The GUIDs for the updates that failed to be evaluated during the scan.
+- **FailedUpdatesCount**  The number of updates that failed to be evaluated during the scan.
+- **FlightBranch**  The branch that a device is on if participating in flighting (pre-release builds).
+- **FlightRing**  The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds).
+- **HomeMobileOperator**  The mobile operator that the device was originally intended to work with.
+- **IPVersion**  Indicates whether the download took place over IPv4 or IPv6
+- **IsWUfBDualScanEnabled**  Indicates if Windows Update for Business dual scan is enabled on the device.
+- **IsWUfBEnabled**  Indicates if Windows Update for Business is enabled on the device.
+- **MetadataIntegrityMode**  The mode of the update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce
+- **MSIError**  The last error that was encountered during a scan for updates.
+- **NetworkConnectivityDetected**  Indicates the type of network connectivity that was detected. 0 - IPv4, 1 - IPv6
+- **NumberOfApplicationsCategoryScanEvaluated**  The number of categories (apps) for which an app update scan checked
+- **NumberOfLoop**  The number of round trips the scan required
+- **NumberOfNewUpdatesFromServiceSync**  The number of updates which were seen for the first time in this scan
+- **NumberOfUpdatesEvaluated**  The total number of updates which were evaluated as a part of the scan
+- **NumFailedMetadataSignatures**  The number of metadata signatures checks which failed for new metadata synced down.
+- **Online**  Indicates if this was an online scan.
+- **PhonePreviewEnabled**  Indicates whether a phone was getting preview build, prior to flighting (pre-release builds) being introduced.
+- **ProcessName**  The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided.
+- **RelatedCV**  The previous Correlation Vector that was used before swapping with a new one
+- **ScanDurationInSeconds**  The number of seconds a scan took
+- **ScanEnqueueTime**  The number of seconds it took to initialize a scan
+- **ServiceGuid**  An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.).
+- **ServiceUrl**  The environment URL a device is configured to scan with
+- **ShippingMobileOperator**  The mobile operator that a device shipped on.
+- **StatusCode**  Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult).
+- **SyncType**  Describes the type of scan the event was
+- **SystemBIOSMajorRelease**  Major version of the BIOS.
+- **SystemBIOSMinorRelease**  Minor version of the BIOS.
+- **TotalNumMetadataSignatures**  The total number of metadata signatures checks done for new metadata that was synced down.
+- **WUDeviceID**  The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
+- **ApplicableUpdateInfo**  Metadata for the updates which were detected as applicable
+- **NumberOfApplicableUpdates**  The number of updates which were ultimately deemed applicable to the system after the detection process is complete
+- **WebServiceRetryMethods**  Web service method requests that needed to be retried to complete operation.
+- **BranchReadinessLevel**  The servicing branch configured on the device.
+- **DeferralPolicySources**  Sources for any update deferral policies defined (GPO = 0x10, MDM = 0x100, Flight = 0x1000, UX = 0x10000).
+- **DeferredUpdates**  Update IDs which are currently being deferred until a later time
+- **DriverExclusionPolicy**  Indicates if the policy for not including drivers with Windows Update is enabled.
+- **FeatureUpdateDeferral**  The deferral period configured for feature OS updates on the device (in days).
+- **FeatureUpdatePause**  Indicates whether feature OS updates are paused on the device.
+- **FeatureUpdatePausePeriod**  The pause duration configured for feature OS updates on the device (in days).
+- **QualityUpdateDeferral**  The deferral period configured for quality OS updates on the device (in days).
+- **QualityUpdatePause**  Indicates whether quality OS updates are paused on the device.
+- **QualityUpdatePausePeriod**  The pause duration configured for quality OS updates on the device (in days).
+- **IntentPFNs**  Intended application-set metadata for atomic update scenarios.
+- **PausedUpdates**  A list of UpdateIds which that currently being paused.
+- **PauseFeatureUpdatesEndTime**  If feature OS updates are paused on the device, this is the date and time for the end of the pause time window.
+- **PauseFeatureUpdatesStartTime**  If feature OS updates are paused on the device, this is the date and time for the beginning of the pause time window.
+- **PauseQualityUpdatesEndTime**  If quality OS updates are paused on the device, this is the date and time for the end of the pause time window.
+- **PauseQualityUpdatesStartTime**  If quality OS updates are paused on the device, this is the date and time for the beginning of the pause time window.
+- **CachedEngineVersion**  For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null.
+- **TargetMetadataVersion**  For self-initiated healing, this is the target version of the SIH engine to download (if needed). If not, the value is null.
+- **Context**  Gives context on where the error has occurred. Example: AutoEnable, GetSLSData, AddService, Misc, or Unknown
+- **DriverSyncPassPerformed**  Were drivers scanned this time?
+
+
+### SoftwareUpdateClientTelemetry.Install
+
+This event sends tracking data about the software distribution client installation of the content for that update, to help keep Windows up to date.
+
+The following fields are available:
+
+- **BiosFamily**  The family of the BIOS (Basic Input Output System).
+- **BiosName**  The name of the device BIOS.
+- **BiosReleaseDate**  The release date of the device BIOS.
+- **BiosSKUNumber**  The sku number of the device BIOS.
+- **BIOSVendor**  The vendor of the BIOS.
+- **BiosVersion**  The version of the BIOS.
+- **BundleBytesDownloaded**  How many bytes were downloaded for the specific content bundle?
+- **BundleId**  Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found.
+- **BundleRepeatFailFlag**  Has this particular update bundle previously failed to install?
+- **BundleRevisionNumber**  Identifies the revision number of the content bundle.
+- **CachedEngineVersion**  For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null.
+- **CallerApplicationName**  The name provided by the caller who initiated API calls into the software distribution client.
+- **CbsDownloadMethod**  Was the download a full download or a partial download?
+- **ClientManagedByWSUSServer**  Is the client managed by Windows Server Update Services (WSUS)?
+- **ClientVersion**  The version number of the software distribution client.
+- **CSIErrorType**  The stage of CBS installation where it failed.
+- **CurrentMobileOperator**  Mobile operator that device is currently connected to.
+- **DeviceModel**  What is the device model.
+- **DeviceOEM**  What OEM does this device belong to.
+- **DownloadPriority**  The priority of the download activity.
+- **DownloadScenarioId**  A unique ID for a given download used to tie together WU and DO events.
+- **DriverPingBack**  Contains information about the previous driver and system state.
+- **Edition**  Indicates the edition of Windows being used.
+- **EventInstanceID**  A globally unique identifier for event instance.
+- **EventNamespaceID**  Indicates whether the event succeeded or failed. Has the format EventType+Event where Event is Succeeded, Cancelled, Failed, etc.
+- **EventScenario**  Indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed.
+- **EventType**  Possible values are Child, Bundle, or Driver.
+- **ExtendedErrorCode**  The extended error code.
+- **ExtendedStatusCode**  Secondary error code for certain scenarios where StatusCode wasn't specific enough.
+- **FeatureUpdatePause**  Are feature OS updates paused on the device?
+- **FlightBranch**  The branch that a device is on if participating in the Windows Insider Program.
+- **FlightBuildNumber**  If this installation was for a Windows Insider build, this is the build number of that build.
+- **FlightId**  The specific ID of the Windows Insider build the device is getting.
+- **FlightRing**  The ring that a device is on if participating in the Windows Insider Program.
+- **HandlerType**  Indicates what kind of content is being installed. Example: app, driver, Windows update
+- **HardwareId**  If this install was for a driver targeted to a particular device model, this ID indicates the model of the device.
+- **HomeMobileOperator**  The mobile operator that the device was originally intended to work with.
+- **IntentPFNs**  Intended application-set metadata for atomic update scenarios.
+- **IsAOACDevice**  Is it Always On, Always Connected? (Mobile device usage model)
+- **IsDependentSet**  Is the driver part of a larger System Hardware/Firmware update?
+- **IsFinalOutcomeEvent**  Does this event signal the end of the update/upgrade process?
+- **IsFirmware**  Is this update a firmware update?
+- **IsSuccessFailurePostReboot**  Did it succeed and then fail after a restart?
+- **IsWUfBDualScanEnabled**  Is Windows Update for Business dual scan enabled on the device?
+- **IsWUfBEnabled**  Is Windows Update for Business enabled on the device?
+- **MergedUpdate**  Was the OS update and a BSP update merged for installation?
+- **MsiAction**  The stage of MSI installation where it failed.
+- **MsiProductCode**  The unique identifier of the MSI installer.
+- **PackageFullName**  The package name of the content being installed.
+- **PhonePreviewEnabled**  Indicates whether a phone was getting preview build, prior to flighting being introduced.
+- **PlatformRole**  The PowerPlatformRole as defined on MSDN.
+- **ProcessName**  The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided.
+- **ProcessorArchitecture**  Processor architecture of the system (x86, AMD64, ARM).
+- **QualityUpdatePause**  Are quality OS updates paused on the device?
+- **RelatedCV**  The previous Correlation Vector that was used before swapping with a new one
+- **RepeatFailFlag**  Indicates whether this specific piece of content had previously failed to install.
+- **RepeatSuccessInstallFlag**  Indicates whether this specific piece of content had previously installed successful, for example if another user had already installed it.
+- **RevisionNumber**  The revision number of this specific piece of content.
+- **ServiceGuid**  An ID which represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.).
+- **Setup360Phase**  If the install is for an operating system upgrade, indicates which phase of the upgrade is underway.
+- **ShippingMobileOperator**  The mobile operator that a device shipped on.
+- **StatusCode**  Indicates the result of an installation event (success, cancellation, failure code HResult).
+- **SystemBIOSMajorRelease**  Major version of the BIOS.
+- **SystemBIOSMinorRelease**  Minor version of the BIOS.
+- **TargetGroupId**  For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver.
+- **TargetingVersion**  For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device.
+- **TransactionCode**  The ID which represents a given MSI installation
+- **UpdateId**  Unique update ID
+- **UpdateImportance**  Indicates whether a piece of content was marked as Important, Recommended, or Optional.
+- **UsedSystemVolume**  Indicates whether the content was downloaded and then installed from the device's main system storage drive, or an alternate storage drive.
+- **WUDeviceID**  The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
+- **WUSetting**  Indicates the user's current updating settings.
+
+
+### SoftwareUpdateClientTelemetry.DownloadHeartbeat
+
+This event allows tracking of ongoing downloads and contains data to explain the current state of the download
+
+The following fields are available:
+
+- **BundleID**  Identifier associated with the specific content bundle. If this value is found, it shouldn't report as all zeros
+- **BytesTotal**  Total bytes to transfer for this content
+- **BytesTransferred**  Total bytes transferred for this content at the time of heartbeat
+- **ConnectionStatus**  Indicates the connectivity state of the device at the time of heartbeat
+- **CurrentError**  Last (transient) error encountered by the active download
+- **DownloadFlags**  Flags indicating if power state is ignored
+- **DownloadState**  Current state of the active download for this content (queued, suspended, or progressing)
+- **IsNetworkMetered**  "Indicates whether Windows considered the current network to be ?metered"""
+- **MOAppDownloadLimit**  Mobile operator cap on size of application downloads, if any
+- **MOUpdateDownloadLimit**  Mobile operator cap on size of operating system update downloads, if any
+- **PowerState**  Indicates the power state of the device at the time of heartbeart (DC, AC, Battery Saver, or Connected Standby)
+- **RelatedCV**  "The previous correlation vector that was used by the client, before swapping with a new one "
+- **ResumeCount**  Number of times this active download has resumed from a suspended state
+- **ServiceID**  "Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc) "
+- **SuspendCount**  Number of times this active download has entered a suspended state
+- **SuspendReason**  Last reason for why this active download entered a suspended state
+- **CallerApplicationName**  Name provided by the caller who initiated API calls into the software distribution client
+- **ClientVersion**  The version number of the software distribution client
+- **EventType**  "Possible values are ""Child"", ""Bundle"", or ""Driver"""
+- **FlightId**  The unique identifier for each flight
+- **RevisionNumber**  Identifies the revision number of this specific piece of content
+- **ServiceGuid**  Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc)
+- **UpdateId**  "Identifier associated with the specific piece of content "
+- **WUDeviceID**  "Unique device id controlled by the software distribution client "
+
+
+## Update events
+
+### Update360Telemetry.UpdateAgentPostRebootResult
+
+This event collects information for both Mobile and Desktop regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario
+
+The following fields are available:
+
+- **ErrorCode**  The error code returned for the current post reboot phase
+- **FlightId**  The unique identifier for each flight
+- **ObjectId**  Unique value for each Update Agent mode
+- **RelatedCV**  Correlation vector value generated from the latest USO scan
+- **Result**  Indicates the Hresult
+- **ScenarioId**  The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
+- **SessionId**  Unique value for each Update Agent mode attempt
+- **UpdateId**  Unique ID for each update
+- **PostRebootResult**  Indicates the Hresult
+
+
+### Update360Telemetry.UpdateAgent_Initialize
+
+This event sends data during the initialize phase of updating Windows.
+
+The following fields are available:
+
+- **ErrorCode**  The error code returned for the current initialize phase.
+- **FlightId**  Unique ID for each flight.
+- **FlightMetadata**  Contains the FlightId and the build being flighted.
+- **ObjectId**  Unique value for each Update Agent mode.
+- **RelatedCV**  Correlation vector value generated from the latest USO scan.
+- **ScenarioId**  The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
+- **SessionData**  Contains instructions to update agent for processing FODs and DUICs (Null for other scenarios).
+- **SessionId**  Unique value for each Update Agent mode attempt .
+- **UpdateId**  Unique ID for each update.
+- **Result**  Result of the initialize phase of update. 0 = Succeeded, 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled
+
+
+### Update360Telemetry.UpdateAgent_DownloadRequest
+
+This event sends data during the download request phase of updating Windows.
+
+The following fields are available:
+
+- **ErrorCode**  The error code returned for the current download request phase.
+- **ObjectId**  Unique value for each Update Agent mode.
+- **PackageCountOptional**  Number of optional packages requested.
+- **PackageCountRequired**  Number of required packages requested.
+- **PackageCountTotal**  Total number of packages needed.
+- **RelatedCV**  Correlation vector value generated from the latest USO scan.
+- **ScenarioId**  The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
+- **SessionId**  Unique value for each Update Agent mode attempt.
+- **PackageSizeCanonical**  Size of canonical packages in bytes
+- **PackageSizeDiff**  Size of diff packages in bytes
+- **PackageSizeExpress**  Size of express packages in bytes
+- **Result**  Result of the download request phase of update.
+- **FlightId**  Unique ID for each flight.
+- **UpdateId**  Unique ID for each update.
+- **PackageCountTotalCanonical**  Total number of canonical packages.
+- **PackageCountTotalDiff**  Total number of diff packages.
+- **PackageCountTotalExpress**  Total number of express packages.
+- **DeletedCorruptFiles**  Indicates if UpdateAgent found any corrupt payload files and whether the payload was deleted.
+- **RangeRequestState**  Represents the state of the download range request.
+
+
+### Update360Telemetry.UpdateAgent_Install
+
+This event sends data during the install phase of updating Windows.
+
+The following fields are available:
+
+- **ErrorCode**  The error code returned for the current install phase.
+- **ObjectId**  Unique value for each Update Agent mode.
+- **RelatedCV**  Correlation vector value generated from the latest scan.
+- **ScenarioId**  The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
+- **SessionId**  Unique value for each Update Agent mode attempt.
+- **Result**  "Result of the install phase of update. 0 = Succeeded 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled "
+- **FlightId**  Unique ID for each flight.
+- **UpdateId**  Unique ID for each update.
+
+
+### Update360Telemetry.UpdateAgent_ModeStart
+
+This event sends data for the start of each mode during the process of updating Windows.
+
+The following fields are available:
+
+- **Mode**  Indicates that the Update Agent mode that has started. 1 = Initialize, 2 = DownloadRequest, 3 = Install, 4 = Commit
+- **ObjectId**  Unique value for each Update Agent mode.
+- **RelatedCV**  The correlation vector value generated from the latest scan.
+- **ScenarioId**  The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
+- **SessionId**  Unique value for each Update Agent mode attempt.
+- **FlightId**  Unique ID for each flight.
+- **UpdateId**  Unique ID for each update.
+
+
+### Update360Telemetry.UpdateAgent_SetupBoxLaunch
+
+This event sends data during the launching of the setup box when updating Windows.
+
+The following fields are available:
+
+- **ObjectId**  Unique value for each Update Agent mode.
+- **Quiet**  Indicates whether setup is running in quiet mode. 0 = false 1 = true
+- **RelatedCV**  Correlation vector value generated from the latest scan.
+- **ScenarioId**  The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
+- **SessionId**  Unique value for each Update Agent mode attempt.
+- **FlightId**  Unique ID for each flight.
+- **UpdateId**  Unique ID for each update.
+- **SetupMode**  Setup mode 1 = predownload, 2 = install, 3 = finalize
+- **SandboxSize**  The size of the sandbox folder on the device.
+
+
+## Update notification events
+
+### Microsoft.Windows.UpdateNotificationPipeline.JavascriptJavascriptCriticalGenericMessage
+
+This event indicates that Javascript is reporting a schema and a set of values for critical diagnostic data.
+
+The following fields are available:
+
+- **CampaignConfigVersion**  Configuration version for the current campaign
+- **CampaignID**  Currently campaign that's running on UNP
+- **ConfigCatalogVersion**  Current catalog version of UNP
+- **ContentVersion**  Content version for the current campaign on UNP
+- **CV**  Correlation vector
+- **DetectorVersion**  Most recently run detector version for the current campaign on UNP
+- **GlobalEventCounter**  Client-side counter that indicates the event ordering sent by the user
+- **key1**  Interaction data for the UI
+- **key10**  Interaction data for the UI
+- **key11**  Interaction data for the UI
+- **key12**  Interaction data for the UI
+- **key13**  Interaction data for the UI
+- **key14**  Interaction data for the UI
+- **key15**  Interaction data for the UI
+- **key16**  Interaction data for the UI
+- **key17**  Interaction data for the UI
+- **key18**  Interaction data for the UI
+- **key19**  Interaction data for the UI
+- **key2**  Interaction data for the UI
+- **key20**  Interaction data for the UI
+- **key21**  Interaction data for the UI
+- **key22**  Interaction data for the UI
+- **key23**  Interaction data for the UI
+- **key24**  Interaction data for the UI
+- **key25**  Interaction data for the UI
+- **key26**  Interaction data for the UI
+- **key27**  Interaction data for the UI
+- **key28**  Interaction data for the UI
+- **key29**  Interaction data for the UI
+- **key3**  Interaction data for the UI
+- **key30**  Interaction data for the UI
+- **key4**  Interaction data for the UI
+- **key5**  Interaction data for the UI
+- **key6**  Interaction data for the UI
+- **key7**  Interaction data for the UI
+- **key8**  Interaction data for the UI
+- **key9**  Interaction data for the UI
+- **PackageVersion**  Current package version of UNP
+- **schema**  Type of UI interaction
+
+
+### Microsoft.Windows.UpdateNotificationPipeline.UNPCampaignHeartbeat
+
+This event is sent at the start of each campaign, to be used as a heartbeat
+
+The following fields are available:
+
+- **CampaignConfigVersion**  Configuration version for the current campaign
+- **CampaignID**  Currently campaign that's running on UNP
+- **ConfigCatalogVersion**  Current catalog version of UNP
+- **ContentVersion**  Content version for the current campaign on UNP
+- **CV**  Correlation vector
+- **DetectorVersion**  Most recently run detector version for the current campaign on UNP
+- **GlobalEventCounter**  Client-side counter that indicates the event ordering sent by the user
+- **PackageVersion**  Current UNP package version
+
+
+### Microsoft.Windows.UpdateNotificationPipeline.UNPCampaignManagerCleaningCampaign
+
+This event indicates that the Campaign Manager is cleaning up the campaign content
+
+The following fields are available:
+
+- **CampaignConfigVersion**  Configuration version for the current campaign
+- **CampaignID**  Current campaign that's running on UNP
+- **ConfigCatalogVersion**  Current catalog version of UNP
+- **ContentVersion**  Content version for the current campaign on UNP
+- **CV**  Correlation vector
+- **DetectorVersion**  Most recently run detector version for the current campaign on UNP
+- **GlobalEventCounter**  Client-side counter that indicates the event ordering sent by the user
+- **PackageVersion**  Current UNP package version
+
+
+### Microsoft.Windows.UpdateNotificationPipeline.UnpCampaignManagerGetIsCamppaignCompleteFailed
+
+This event is sent when a campaign completion status query fails
+
+The following fields are available:
+
+- **CampaignConfigVersion**  Configuration version for the current campaign
+- **CampaignID**  Current campaign that's running on UNP
+- **ConfigCatalogVersion**  Current catalog version of UNP
+- **ContentVersion**  Content version for the current campaign on UNP
+- **CV**  Correlation vector
+- **DetectorVersion**  Most recently run detector version for the current campaign on UNP
+- **GlobalEventCounter**  Client-side counter that indicates the event ordering sent by the user
+- **hresult**  HRESULT of the failure
+- **PackageVersion**  Current UNP package version
+
+
+### Microsoft.Windows.UpdateNotificationPipeline.UNPCampaignManagerHeartbeat
+
+This event is sent at the start of the CampaignManager event and is intended to be used as a heartbeat
+
+The following fields are available:
+
+- **CampaignConfigVersion**  Configuration version for the current campaign
+- **CampaignID**  Currently campaign that's running on UNP
+- **ConfigCatalogVersion**  Current catalog version of UNP
+- **ContentVersion**  Content version for the current campaign on UNP
+- **CV**  Correlation vector
+- **DetectorVersion**  Most recently run detector version for the current campaign on UNP
+- **GlobalEventCounter**  Client-side counter that indicates the event ordering sent by the user
+- **PackageVersion**  Current UNP package version
+
+
+### Microsoft.Windows.UpdateNotificationPipeline.UnpCampaignManagerRunCampaignFailed
+
+This event is sent when the Campaign Manager encounters an unexpected error while running the campaign
+
+The following fields are available:
+
+- **CampaignConfigVersion**  Configuration version for the current campaign
+- **CampaignID**  Currently campaign that's running on UNP
+- **ConfigCatalogVersion**  Current catalog version of UNP
+- **ContentVersion**  Content version for the current campaign on UNP
+- **CV**  Correlation vector
+- **DetectorVersion**  Most recently run detector version for the current campaign on UNP
+- **GlobalEventCounter**  Client-side counter that indicates the event ordering sent by the user
+- **hresult**  HRESULT of the failure#N#
+- **PackageVersion**  Current UNP package version
+
+
+## Upgrade events
+
+### Setup360Telemetry.PreDownloadUX
+
+The event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10. Specifically, the Setup360Telemetry.PredownloadUX indicates the outcome of the PredownloadUX portion of the update process.
+
+The following fields are available:
+
+- **ClientId**  For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **HostOSBuildNumber**  The build number of the previous operating system.
+- **HostOsSkuName**  The OS edition which is running the Setup360 instance (previous operating system).
+- **InstanceId**  Unique GUID that identifies each instance of setuphost.exe.
+- **ReportId**  For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim.
+- **Setup360Extended**  Extension of result - more granular information about phase/action when the potential failure happened
+- **Setup360Mode**  The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
+- **Setup360Result**  The result of Setup360. This is an HRESULT error code that can be used to diagnose errors.
+- **Setup360Scenario**  The Setup360 flow type. Examplle: Boot, Media, Update, MCT
+- **SetupVersionBuildNumber**  The build number of Setup360 (build number of the target OS).
+- **State**  The exit state of the Setup360 run. Example: succeeded, failed, blocked, cancelled
+- **TestId**  A string to uniquely identify a group of events.
+- **WuId**  Windows Update client ID.
+
+
+### Setup360Telemetry.UnexpectedEvent
+
+This event sends data indicating that the device has invoked the unexpected event phase of the upgrade, to help keep Windows up to date.
+
+The following fields are available:
+
+- **ClientId**  With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **HostOSBuildNumber**  The build number of the previous OS.
+- **HostOsSkuName**  The OS edition which is running Setup360 instance (previous OS).
+- **InstanceId**  A unique GUID that identifies each instance of setuphost.exe
+- **ReportId**  With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
+- **Setup360Extended**  Extension of result - more granular information about phase/action when the potential failure happened
+- **Setup360Mode**  The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
+- **Setup360Result**  The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors.
+- **Setup360Scenario**  The Setup360 flow type. Example: Boot, Media, Update, MCT
+- **SetupVersionBuildNumber**  The build number of Setup360 (build number of target OS).
+- **State**  The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled
+- **TestId**  A string to uniquely identify a group of events.
+- **WuId**  This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
+
+
+### Setup360Telemetry.PreInstallQuiet
+
+This event sends data indicating that the device has invoked the preinstall quiet phase of the upgrade, to help keep Windows up to date.
+
+The following fields are available:
+
+- **ClientId**  With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **HostOSBuildNumber**  The build number of the previous OS.
+- **HostOsSkuName**  The OS edition which is running Setup360 instance (previous OS).
+- **InstanceId**  A unique GUID that identifies each instance of setuphost.exe
+- **ReportId**  With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
+- **Setup360Extended**  Extension of result - more granular information about phase/action when the potential failure happened
+- **Setup360Mode**  The phase of Setup360. Example: Predownload, Install, Finalize, Rollback etc.
+- **Setup360Result**  The result of Setup360. This is an HRESULT error code that can be used to diagnose errors.
+- **Setup360Scenario**  Setup360 flow type (Boot, Media, Update, MCT)
+- **SetupVersionBuildNumber**  The build number of Setup360 (build number of target OS).
+- **State**  The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled
+- **TestId**  A string to uniquely identify a group of events.
+- **WuId**  This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
+
+
+### Setup360Telemetry.Finalize
+
+This event sends data indicating that the device has invoked the finalize phase of the upgrade, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **ClientId**  With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **HostOSBuildNumber**  The build number of the previous OS.
+- **HostOsSkuName**  The OS edition which is running Setup360 instance (previous OS).
+- **InstanceId**  A unique GUID that identifies each instance of setuphost.exe
+- **ReportId**  With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
+- **Setup360Extended**  Extension of result - more granular information about phase/action when the potential failure happened
+- **Setup360Mode**  The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
+- **Setup360Result**  The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
+- **Setup360Scenario**  The Setup360 flow type. Example: Boot, Media, Update, MCT
+- **SetupVersionBuildNumber**  The build number of Setup360 (build number of target OS).
+- **State**  The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled
+- **TestId**  A string to uniquely identify a group of events.
+- **WuId**  This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
+
+
+### Setup360Telemetry.PostRebootInstall
+
+This event sends data indicating that the device has invoked the postrebootinstall phase of the upgrade, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **ClientId**  With Windows Update, this is the Windows Update client ID that is passed to Setup. In Media setup, the default value is Media360, but can be overwritten by the caller to a unique value.
+- **HostOSBuildNumber**  The build number of the previous OS.
+- **HostOsSkuName**  The OS edition which is running Setup360 instance (previous OS).
+- **InstanceId**  A unique GUID that identifies each instance of setuphost.exe.
+- **ReportId**  With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
+- **Setup360Extended**  Extension of result - more granular information about phase/action when the potential failure happened
+- **Setup360Mode**  The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
+- **Setup360Result**  The result of Setup360. This is an HRESULT error code that's used to diagnose errors.
+- **Setup360Scenario**  The Setup360 flow type. Example: Boot, Media, Update, MCT
+- **SetupVersionBuildNumber**  The build number of Setup360 (build number of target OS).
+- **State**  The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled
+- **TestId**  A string to uniquely identify a group of events.
+- **WuId**  This is the Windows Update Client ID. With Windows Update, this is the same as ClientId.
+
+
+### Setup360Telemetry.PreDownloadQuiet
+
+This event sends data indicating that the device has invoked the predownload quiet phase of the upgrade, to help keep Windows up to date.
+
+The following fields are available:
+
+- **ClientId**  Using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **HostOSBuildNumber**  The build number of the previous OS.
+- **HostOsSkuName**  The OS edition which is running Setup360 instance (previous operating system).
+- **InstanceId**  A unique GUID that identifies each instance of setuphost.exe
+- **ReportId**  Using Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
+- **Setup360Extended**  Extension of result - more granular information about phase/action when the potential failure happened
+- **Setup360Mode**  The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
+- **Setup360Result**  The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
+- **Setup360Scenario**  The Setup360 flow type. Example: Boot, Media, Update, MCT
+- **SetupVersionBuildNumber**  The build number of Setup360 (build number of target OS).
+- **State**  The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled
+- **TestId**  A string to uniquely identify a group of events.
+- **WuId**  This is the Windows Update Client ID. Using Windows Update, this is the same as the clientId.
+
+
+### Setup360Telemetry.OsUninstall
+
+The event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10. Specifically, the Setup360Telemetry.OSUninstall indicates the outcome of an OS uninstall.
+
+The following fields are available:
+
+- **ClientId**  For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **HostOSBuildNumber**  The build number of the previous OS.
+- **HostOsSkuName**  The OS edition which is running the Setup360 instance (previous OS).
+- **InstanceId**  A unique GUID that identifies each instance of setuphost.exe.
+- **ReportId**  For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim.
+- **Setup360Extended**  Extension of result - more granular information about phase/action when the potential failure happened
+- **Setup360Mode**  The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
+- **Setup360Result**  The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
+- **Setup360Scenario**  The Setup360 flow type. Example: Boot, Media, Update, MCT
+- **SetupVersionBuildNumber**  The build number of Setup360 (build number of target OS).
+- **State**  Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled
+- **TestId**  A string to uniquely identify a group of events.
+- **WuId**  Windows Update client ID.
+
+
+### Setup360Telemetry.Downlevel
+
+This event sends data indicating that the device has invoked the downlevel phase of the upgrade. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **ClientId**  If using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, the default value is Media360, but it can be overwritten by the caller to a unique value.
+- **HostOSBuildNumber**  The build number of the downlevel OS.
+- **HostOsSkuName**  The operating system edition which is running Setup360 instance (downlevel OS).
+- **InstanceId**  A unique GUID that identifies each instance of setuphost.exe.
+- **ReportId**  In the Windows Update scenario, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
+- **Setup360Extended**  Extension of result - more granular information about phase/action when the potential failure happened
+- **Setup360Mode**  The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
+- **Setup360Result**  The result of Setup360. It's an HRESULT error code that can be used to diagnose errors.
+- **Setup360Scenario**  The Setup360 flow type. Example: Boot, Media, Update, MCT
+- **SetupVersionBuildNumber**  The build number of Setup360 (build number of the target OS).
+- **State**  Exit state of given Setup360 run. Example: succeeded, failed, blocked, cancelled
+- **TestId**  A string that uniquely identifies a group of events.
+- **WuId**  This is the Windows Update Client ID. In the Windows Update scenario, this is the same as the clientId.
+
+
+### Setup360Telemetry.PreInstallUX
+
+This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10.  Specifically, the Setup360Telemetry.PreinstallUX indicates the outcome of the PreinstallUX portion of the update process.
+
+The following fields are available:
+
+- **ClientId**  For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **HostOSBuildNumber**  The build number of the previous OS.
+- **HostOsSkuName**  The OS edition which is running the Setup360 instance (previous OS).
+- **InstanceId**  A unique GUID that identifies each instance of setuphost.exe.
+- **ReportId**  For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim.
+- **Setup360Extended**  Extension of result - more granular information about phase/action when the potential failure happened
+- **Setup360Mode**  The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
+- **Setup360Result**  The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
+- **Setup360Scenario**  The Setup360 flow type, Example: Boot, Media, Update, MCT
+- **SetupVersionBuildNumber**  The build number of Setup360 (build number of target OS).
+- **State**  The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled
+- **TestId**  A string to uniquely identify a group of events.
+- **WuId**  Windows Update client ID.
+
+
+### Setup360Telemetry.Setup360
+
+This event sends data about OS deployment scenarios, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **FieldName**  Retrieves the data point.
+- **FlightData**  Specifies a unique identifier for each group of Windows Insider builds.
+- **InstanceId**  Retrieves a unique identifier for each instance of a setup session.
+- **ReportId**  Retrieves the report ID.
+- **ScenarioId**  Retrieves the deployment scenario.
+- **Value**  Retrieves the value associated with the corresponding FieldName.
+- **ClientId**  Retrieves the upgrade ID: Upgrades via Windows Update - specifies the WU clientID. All other deployment - static string.
+
+
+## Windows as a Service diagnostic events
+
+### Microsoft.Windows.WaaSMedic.SummaryEvent
+
+This event provides the results from the WaaSMedic engine
+
+The following fields are available:
+
+- **detectionSummary**  Result of each detection that ran
+- **featureAssessmentImpact**  Windows as a Service (WaaS) Assessment impact on feature updates
+- **insufficientSessions**  True, if the device has enough activity to be eligible for update diagnostics. False, if otherwise
+- **isManaged**  Indicates the device is managed for updates
+- **isWUConnected**  Indicates the device is connected to Windows Update
+- **noMoreActions**  All available WaaSMedic diagnostics have run. There are no pending diagnostics and corresponding actions
+- **qualityAssessmentImpact**  Windows as a Service (WaaS) Assessment impact for quality updates
+- **remediationSummary**  Result of each operation performed on a device to fix an invalid state or configuration that's preventing the device from getting updates. For example, if Windows Update service is turned off, the fix is to turn the it back on
+- **usingBackupFeatureAssessment**  The WaaSMedic engine contacts Windows as a Service (WaaS) Assessment to determine whether the device is up-to-date. If WaaS Assessment isn't available, the engine falls back to backup feature assessments, which are determined programmatically on the client#N#
+- **usingBackupQualityAssessment**  The WaaSMedic engine contacts Windows as a Service (WaaS) Assessment to determine whether the device is up-to-date. If WaaS Assessment isn't available, the engine falls back to backup quality assessments, which are determined programmatically on the client#N#
+- **versionString**  Installed version of the WaaSMedic engine
+- **hrEngineResult**  Indicates the WaaSMedic engine operation error codes
+
+
+### Microsoft.Windows.WaaSMedic.Summary
+
+This event provides the results of the WaaSMedic diagnostic run
+
+The following fields are available:
+
+- **detectionSummary**  Result of each detection that ran
+- **remediationSummary**  Result of each operation performed on a device to fix an invalid state or configuration that's preventing the device from getting updates. For example, if Windows Update service is turned off, the fix is to turn the it back on
+- **versionString**  Installed version of the WaaSMedic engine
+- **featureAssessmentImpact**  Windows as a Service (WaaS) Assessment impact on feature updates
+- **insufficientSessions**  True, if the device has enough activity to be eligible for update diagnostics. False, if otherwise
+- **isManaged**  Indicates the device is managed for updates
+- **isWUConnected**  Indicates the device is connected to Windows Update
+- **noMoreActions**  All available WaaSMedic diagnostics have run. There are no pending diagnostics and corresponding actions
+- **qualityAssessmentImpact**  Windows as a Service (WaaS) Assessment impact for quality updates
+- **usingBackupFeatureAssessment**  The WaaSMedic engine contacts Windows as a Service (WaaS) Assessment to determine whether the device is up-to-date. If WaaS Assessment isn't available, the engine falls back to backup feature assessments, which are determined programmatically on the client
+- **usingBackupQualityAssessment**  The WaaSMedic engine contacts Windows as a Service (WaaS) Assessment to determine whether the device is up-to-date. If WaaS Assessment isn't available, the engine falls back to backup quality assessments, which are determined programmatically on the client
+
+
+## Windows Error Reporting events
+
+### Microsoft.Windows.WERVertical.OSCrash
+
+This event sends binary data from the collected dump file wheneveer a bug check occurs, to help keep Windows up to date. The is the OneCore version of this event.
+
+The following fields are available:
+
+- **BootId**  Uint32 identifying the boot number for this device.
+- **BugCheckCode**  "Uint64 ""bugcheck code"" that identifies a proximate cause of the bug check."
+- **BugCheckParameter1**  Uint64 parameter providing additional information.
+- **BugCheckParameter2**  Uint64 parameter providing additional information.
+- **BugCheckParameter3**  Uint64 parameter providing additional information.
+- **BugCheckParameter4**  Uint64 parameter providing additional information.
+- **DumpFileAttributes**  Codes that identify the type of data contained in the dump file
+- **DumpFileSize**  Size of the dump file
+- **IsValidDumpFile**  True if the dump file is valid for the debugger, false otherwise
+- **ReportId**  WER Report Id associated with this bug check (used for finding the corresponding report archive in Watson).
+
+
+## Microsoft Store events
+
+### Microsoft.Windows.StoreAgent.Telemetry.AbortedInstallation
+
+This event is sent when an installation or update is canceled by a user or the system and is used to help keep Windows Apps up to date and secure.
+
+The following fields are available:
+
+- **AggregatedPackageFullNames**  The names of all packages to be downloaded and installed.
+- **AttemptNumber**  Number of retry attempts before it was canceled.
+- **BundleId**  The Item Bundle ID.
+- **CategoryId**  The Item Category ID.
+- **ClientAppId**  The identity of the app that initiated this operation.
+- **HResult**  The result code of the last action performed before this operation.
+- **IntentPFNs**  Intent Product Family Name
+- **IsBundle**  Is this a bundle?
+- **IsInteractive**  Was this requested by a user?
+- **IsMandatory**  Was this a mandatory update?
+- **IsRemediation**  Was this a remediation install?
+- **IsRestore**  Is this automatically restoring a previously acquired product?
+- **IsUpdate**  Flag indicating if this is an update.
+- **IsWin32**  Flag indicating if this is a Win32 app (not used).
+- **ParentBundleId**  The product ID of the parent (if this product is part of a bundle).
+- **PFN**  The product family name of the product being installed.
+- **ProductId**  The identity of the package or packages being installed.
+- **SystemAttemptNumber**  The total number of automatic attempts at installation before it was canceled.
+- **UpdateId**  Update ID (if this is an update)
+- **UserAttemptNumber**  The total number of user attempts at installation before it was canceled.
+- **WUContentId**  The Windows Update content ID
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndAcquireLicense
+
+This event is sent after the license is acquired when a product is being installed. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **AggregatedPackageFullNames**  Includes a set of package full names for each app that is part of an atomic set.
+- **AttemptNumber**  The total number of attempts to acquire this product.
+- **BundleId**  The bundle ID
+- **CategoryId**  The identity of the package or packages being installed.
+- **ClientAppId**  The identity of the app that initiated this operation.
+- **HResult**  HResult code to show the result of the operation (success/failure).
+- **IntentPFNs**  Intent Product Family Name
+- **IsBundle**  Is this a bundle?
+- **IsInteractive**  Did the user initiate the installation?
+- **IsMandatory**  Is this a mandatory update?
+- **IsRemediation**  Is this repairing a previous installation?
+- **IsRestore**  Is this happening after a device restore?
+- **IsUpdate**  Is this an update?
+- **IsWin32**  Flag indicating if this is a Win32app.
+- **ParentBundledId**  The product's parent bundle ID.
+- **ParentBundleId**  The parent bundle ID (if it's part of a bundle).
+- **PFN**  Product Family Name of the product being installed.
+- **ProductId**  The Store Product ID for the product being installed.
+- **SystemAttemptNumber**  The number of attempts by the system to acquire this product.
+- **UpdateId**  The update ID (if this is an update)
+- **UserAttemptNumber**  The number of attempts by the user to acquire this product
+- **WUContentId**  The Windows Update content ID
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndDownload
+
+This event happens during the app update or installation when content is being downloaded at the end of the process to report success or failure. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **AggregatedPackageFullNames**  The name of all packages to be downloaded and installed.
+- **AttemptNumber**  Number of retry attempts before it was canceled.
+- **BundleId**  The identity of the Windows Insider build associated with this product.
+- **CategoryId**  The identity of the package or packages being installed.
+- **ClientAppId**  The identity of the app that initiated this operation.
+- **DownloadSize**  The total size of the download.
+- **ExtendedHResult**  Any extended HResult error codes.
+- **HResult**  The result code of the last action performed.
+- **IntentPFNs**  Intent Product Family Name
+- **IsBundle**  Is this a bundle?
+- **IsInteractive**  Is this initiated by the user?
+- **IsMandatory**  Is this a mandatory installation?
+- **IsRemediation**  Is this repairing a previous installation?
+- **IsRestore**  Is this a restore of a previously acquired product?
+- **IsUpdate**  Is this an update?
+- **IsWin32**  Flag indicating if this is a Win32 app (unused).
+- **ParentBundleId**  The parent bundle ID (if it's part of a bundle).
+- **PFN**  The Product Family Name of the app being download.
+- **ProductId**  The Store Product ID for the product being installed.
+- **SystemAttemptNumber**  The number of attempts by the system to download.
+- **UpdateId**  Update ID (if this is an update)
+- **UserAttemptNumber**  The number of attempts by the user to download.
+- **WUContentId**  The Windows Update content ID.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndFrameworkUpdate
+
+This event happens when an app update requires an updated Framework package and the process starts to download it. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **HResult**  The result code of the last action performed before this operation.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndGetInstalledContentIds
+
+This event is sent after sending the inventory of the products installed to determine whether updates for those products are available.  It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **HResult**  The result code of the last action performed before this operation.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndInstall
+
+This event is sent after a product has been installed. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **AggregatedPackageFullNames**  The names of all packages to be downloaded and installed.
+- **AttemptNumber**  The number of retry attempts before it was canceled.
+- **BundleId**  The identity of the build associated with this product.
+- **CategoryId**  The identity of the package or packages being installed.
+- **ClientAppId**  The identity of the app that initiated this operation.
+- **ExtendedHResult**  The extended HResult error code.
+- **HResult**  The result code of the last action performed.
+- **IntentPFNs**  Intent Product Family Name
+- **IsBundle**  Is this a bundle?
+- **IsInteractive**  Is this an interactive installation?
+- **IsMandatory**  Is this a mandatory installation?
+- **IsRemediation**  Is this repairing a previous installation?
+- **IsRestore**  Is this automatically restoring a previously acquired product?
+- **IsUpdate**  Is this an update?
+- **IsWin32**  Flag indicating if this a Win32 app (unused).
+- **ParentBundleId**  The product ID of the parent (if this product is part of a bundle).
+- **PFN**  Product Family Name of the product being installed.
+- **ProductId**  The Store Product ID for the product being installed.
+- **SystemAttemptNumber**  The total number of system attempts.
+- **UpdateId**  Update ID (if this is an update)
+- **UserAttemptNumber**  The total number of user attempts.
+- **WUContentId**  The Windows Update content ID
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndScanForUpdates
+
+This event is sent after a scan for product updates to determine if there are packages to install. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **ClientAppId**  The identity of the app that initiated this operation.
+- **HResult**  The result code of the last action performed.
+- **IsApplicability**  Is this request to only check if there are any applicable packages to install?
+- **IsInteractive**  Is this user requested?
+- **IsOnline**  Is the request doing an online check?
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndSearchUpdatePackages
+
+This event is sent after searching for update packages to install. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **AggregatedPackageFullNames**  The names of all packages to be downloaded and installed.
+- **AttemptNumber**  The total number of retry attempts before it was canceled.
+- **BundleId**  The identity of the build associated with this product.
+- **CategoryId**  The identity of the package or packages being installed.
+- **ClientAppId**  The identity of the app that initiated this operation.
+- **HResult**  The result code of the last action performed.
+- **IntentPFNs**  The licensing identity of this package.
+- **IsBundle**  Is this a bundle?
+- **IsInteractive**  Is this user requested?
+- **IsMandatory**  Is this a mandatory update?
+- **IsRemediation**  Is this repairing a previous installation?
+- **IsRestore**  Is this restoring previously acquired content?
+- **IsUpdate**  Is this an update?
+- **IsWin32**  Flag indicating if this a Win32 app (unused).
+- **ParentBundleId**  The product ID of the parent (if this product is part of a bundle).
+- **PFN**  The name of the package or packages requested for install.
+- **ProductId**  The Store Product ID for the product being installed.
+- **SystemAttemptNumber**  The total number of system attempts.
+- **UpdateId**  Update ID (if this is an update)
+- **UserAttemptNumber**  The total number of user attempts.
+- **WUContentId**  The Windows Update content ID
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndStageUserData
+
+This event is sent between download and installation to see if there is app data that needs to be restored from the cloud. It's used to keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **AttemptNumber**  The total number of retry attempts before it was canceled.
+- **BundleId**  The identity of the build associated with this product.
+- **CategoryId**  The identity of the package or packages being installed.
+- **ClientAppId**  The identity of the app that initiated this operation.
+- **HResult**  The result code of the last action performed.
+- **IsBundle**  Is this a bundle?
+- **IsInteractive**  Is this user requested?
+- **IsMandatory**  Is this a mandatory update?
+- **IsRemediation**  Is this repairing a previous installation?
+- **IsRestore**  Is this restoring previously acquired content?
+- **IsUpdate**  Is this an update?
+- **ParentBundleId**  The product ID of the parent (if this product is part of a bundle).
+- **PFN**  The name of the package or packages requested for install.
+- **ProductId**  The Store Product ID for the product being installed.
+- **SystemAttemptNumber**  The total number of system attempts.
+- **UserAttemptNumber**  The total number of system attempts.
+- **WUContentId**  The Windows Update content ID
+- **IntentPFNs**  The licensing identity of this package.
+- **AggregatedPackageFullNames**  The name of all packages to be downloaded and installed.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.InstallOperationRequest
+
+This event happens at the beginning of the install process when an app update or new app is installed. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **BundleId**  The identity of the build associated with this product.
+- **CatalogId**  If this product is from a private catalog, the Store Product ID for the product being installed.
+- **ProductId**  The Store Product ID for the product being installed.
+- **SkuId**  Specific edition ID being installed.
+- **VolumePath**  The disk path of the installation.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.PauseInstallation
+
+This event is sent when a product install or update is paused either by a user or the system. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **AttemptNumber**  The total number of retry attempts before it was canceled.
+- **BundleId**  The identity of the build associated with this product.
+- **CategoryId**  The identity of the package or packages being installed.
+- **ClientAppId**  The identity of the app that initiated this operation.
+- **IsBundle**  Is this a bundle?
+- **IsInteractive**  Is this user requested?
+- **IsMandatory**  Is this a mandatory update?
+- **IsRemediation**  Is this repairing a previous installation?
+- **IsRestore**  Is this restoring previously acquired content?
+- **IsUpdate**  Is this an update?
+- **ParentBundleId**  The product ID of the parent (if this product is part of a bundle).
+- **PFN**  The Product Full Name.
+- **PreviousHResult**  The result code of the last action performed before this operation.
+- **PreviousInstallState**  Previous state before the installation or update was paused.
+- **ProductId**  The Store Product ID for the product being installed.
+- **RelatedCV**  Correlation Vector of a previous performed action on this product.
+- **SystemAttemptNumber**  The total number of system attempts.
+- **UserAttemptNumber**  The total number of user attempts.
+- **WUContentId**  The Windows Update content ID
+- **IntentPFNs**  The licensing identity of this package.
+- **AggregatedPackageFullNames**  The names of all packages to be downloaded and installed.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.ResumeInstallation
+
+This event happens when a product install or update is resumed either by a user or the system. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **AttemptNumber**  The number of retry attempts before it was canceled.
+- **BundleId**  The identity of the build associated with this product.
+- **CategoryId**  The identity of the package or packages being installed.
+- **ClientAppId**  The identity of the app that initiated this operation.
+- **IsBundle**  Is this a bundle?
+- **IsInteractive**  Is this user requested?
+- **IsMandatory**  Is this a mandatory update?
+- **IsRemediation**  Is this repairing a previous installation?
+- **IsRestore**  Is this restoring previously acquired content?
+- **IsUpdate**  Is this an update?
+- **ParentBundleId**  The product ID of the parent (if this product is part of a bundle).
+- **PFN**  The name of the package or packages requested for install.
+- **PreviousHResult**  The previous HResult error code.
+- **PreviousInstallState**  Previous state before the installation was paused.
+- **ProductId**  The Store Product ID for the product being installed.
+- **RelatedCV**  Correlation Vector for the original install before it was resumed.
+- **SystemAttemptNumber**  The total number of system attempts.
+- **UserAttemptNumber**  The total number of user attempts.
+- **WUContentId**  The Windows Update content ID
+- **IntentPFNs**  Intent Product Family Name
+- **AggregatedPackageFullNames**  The names of all packages to be downloaded and installed.
+- **HResult**  The result code of the last action performed before this operation.
+- **IsUserRetry**  Did the user initiate the retry?
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.UpdateAppOperationRequest
+
+This event happens an app for a user needs to be updated. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **PFamN**  The name of the product that is requested for update.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.CancelInstallation
+
+This event is sent when an app update or installation is canceled while in interactive mode. This can be canceled by the user or the system. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **AttemptNumber**  Total number of installation attempts.
+- **BundleId**  The identity of the Windows Insider build that is associated with this product.
+- **CategoryId**  The identity of the package or packages being installed.
+- **ClientAppId**  The identity of the app that initiated this operation.
+- **IsBundle**  Is this a bundle?
+- **IsInteractive**  Was this requested by a user?
+- **IsMandatory**  Is this a mandatory update?
+- **IsRemediation**  Is this repairing a previous installation?
+- **IsRestore**  Is this an automatic restore of a previously acquired product?
+- **IsUpdate**  Is this a product update?
+- **ParentBundleId**  The product ID of the parent (if this product is part of a bundle).
+- **PFN**  The name of all packages to be downloaded and installed.
+- **PreviousHResult**  The previous HResult code.
+- **PreviousInstallState**  Previous installation state before it was canceled.
+- **ProductId**  The name of the package or packages requested for installation.
+- **RelatedCV**  Correlation Vector of a previous performed action on this product.
+- **SystemAttemptNumber**  Total number of automatic attempts to install before it was canceled.
+- **UserAttemptNumber**  Total number of user attempts to install before it was canceled.
+- **WUContentId**  The Windows Update content ID
+- **IntentPFNs**  Intent Product Family Name
+- **AggregatedPackageFullNames**  The names of all package or packages to be downloaded and installed.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.SearchForUpdateOperationRequest
+
+This event is sent when searching for update packages to install. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **CatalogId**  The Store Product ID for the product being installed.
+- **ProductId**  The Store Product ID for the product being installed.
+- **SkuId**  Specfic edition of the app being updated.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndUpdateMetadataPrepare
+
+This event happens after a scan for available app updates. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **HResult**  The result code of the last action performed.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.CompleteInstallOperationRequest
+
+This event is sent after the app installations or updates. It's used to help keep Windows up-to-date and secure
+
+The following fields are available:
+
+- **CatalogId**  The Store Product ID of the app being installed.
+- **HResult**  HResult code of the action being performed.
+- **IsBundle**  Is this a bundle?
+- **PackageFamilyName**  The name of the package being installed.
+- **ProductId**  The Store Product ID of the product being installed.
+- **SkuId**  Specific edition of the item being installed.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.ResumeOperationRequest
+
+This event happens when a product install or update is resumed by a user and on installation retries. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **ProductId**  The Store Product ID for the product being installed.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentComplete
+
+This event is sent at the end of an app install or update and is used to track the very end of the install or update process.
+
+The following fields are available:
+
+- **FailedRetry**  Was the installation or update retry successful?
+- **HResult**  The HResult code of the operation.
+- **PFN**  The Package Family Name of the app that is being installed or updated.
+- **ProductId**  The product ID of the app that is being updated or installed.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentInitiate
+
+This event is sent at the beginning of an app install or update and is used to track the very beginning of the install or update process.
+
+The following fields are available:
+
+- **PFN**  The Package Family Name of the app that is being installed or updated.
+- **ProductId**  The product ID of the app that is being updated or installed.
+
+
+## Windows Update Delivery Optimization events
+
+### Microsoft.OSG.DU.DeliveryOptClient.DownloadCompleted
+
+This event describes when a download has completed with Delivery Optimization. It's used to understand and address problems regarding downloads.
+
+The following fields are available:
+
+- **background**  Is the download a background download?
+- **bytesFromCDN**  The number of bytes received from a CDN source.
+- **bytesFromGroupPeers**  The number of bytes received from a peer in the same domain group.
+- **bytesFromIntPeers**  The number of bytes received from peers not in the same LAN or in the same domain group.
+- **bytesFromPeers**  The number of bytes received from a peer in the same LAN.
+- **bytesRequested**  The total number of bytes requested for download.
+- **cdnConnectionCount**  The total number of connections made to the CDN.
+- **cdnErrorCodes**  A list of CDN connection errors since the last FailureCDNCommunication event.
+- **cdnErrorCounts**  The number of times each error in cdnErrorCodes was encountered.
+- **cdnIp**  The IP address of the source CDN.
+- **clientTelId**  A random number used for device sampling.
+- **doErrorCode**  The Delivery Optimization error code that was returned.
+- **downlinkBps**  The maximum measured available download bandwidth (in bytes per second).
+- **downlinkUsageBps**  The download speed (in bytes per second).
+- **downloadMode**  The download mode used for this file download session.
+- **fileID**  The ID of the file being downloaded.
+- **fileSize**  The size of the file being downloaded.
+- **groupConnectionCount**  The total number of connections made to peers in the same group.
+- **internetConnectionCount**  The total number of connections made to peers not in the same LAN or the same group.
+- **lanConnectionCount**  The total number of connections made to peers in the same LAN.
+- **numPeers**  The total number of peers used for this download.
+- **restrictedUpload**  Is the upload restricted?
+- **scenarioID**  The ID of the scenario.
+- **sessionID**  The ID of the download session.
+- **totalTimeMs**  Duration of the download (in seconds).
+- **updateID**  The ID of the update being downloaded.
+- **uplinkBps**  The maximum measured available upload bandwidth (in bytes per second).
+- **uplinkUsageBps**  The upload speed (in bytes per second).
+- **experimentId**  When running a test, this is used to correlate with other events that are part of the same test.
+- **isVpn**  Is the device connected to a Virtual Private Network?
+- **usedMemoryStream**  Did the download use memory streaming?
+
+
+### Microsoft.OSG.DU.DeliveryOptClient.DownloadPaused
+
+This event represents a temporary suspension of a download with Delivery Optimization. It's used to understand and address problems regarding downloads.
+
+The following fields are available:
+
+- **background**  Is the download a background download?
+- **clientTelId**  A random number used for device sampling.
+- **errorCode**  The error code that was returned.
+- **fileID**  The ID of the file being paused.
+- **reasonCode**  The reason for pausing the download.
+- **scenarioID**  The ID of the scenario.
+- **sessionID**  The ID of the download session.
+- **updateID**  The ID of the update being paused.
+- **experimentId**  When running a test, this is used to correlate with other events that are part of the same test.
+- **isVpn**  Is the device connected to a Virtual Private Network?
+
+
+### Microsoft.OSG.DU.DeliveryOptClient.JobError
+
+This event represents a Windows Update job error. It allows for investigation of top errors.
+
+The following fields are available:
+
+- **clientTelId**  A random number used for device sampling.
+- **errorCode**  The error code returned.
+- **experimentId**  When running a test, this is used to correlate with other events that are part of the same test.
+- **fileID**  The ID of the file being downloaded.
+- **jobID**  The Windows Update job ID.
+
+
+### Microsoft.OSG.DU.DeliveryOptClient.DownloadCanceled
+
+This event describes when a download was canceled with Delivery Optimization. It's used to understand and address problems regarding downloads.
+
+The following fields are available:
+
+- **background**  Is the download being done in the background?
+- **bytesFromCDN**  The number of bytes received from a CDN source.
+- **bytesFromGroupPeers**  The number of bytes received from a peer in the same group.
+- **bytesFromIntPeers**  The number of bytes received from peers not in the same LAN or in the same group.
+- **bytesFromPeers**  The number of bytes received from a peer in the same LAN.
+- **cdnErrorCodes**  A list of CDN connection errors since the last FailureCDNCommunication event.
+- **cdnErrorCounts**  The number of times each error in cdnErrorCodes was encountered.
+- **clientTelId**  A random number used for device sampling.
+- **doErrorCode**  The Delivery Optimization error code that was returned.
+- **errorCode**  The error code that was returned.
+- **experimentId**  When running a test, this is used to correlate events that are part of the same test.
+- **fileID**  The ID of the file being downloaded.
+- **isVpn**  Is the device connected to a Virtual Private Network?
+- **scenarioID**  The ID of the scenario.
+- **sessionID**  The ID of the file download session.
+- **updateID**  The ID of the update being downloaded.
+- **usedMemoryStream**  Did the download use memory streaming?
+
+
+### Microsoft.OSG.DU.DeliveryOptClient.DownloadStarted
+
+This event describes the start of a new download with Delivery Optimization. It's used to understand and address problems regarding downloads.
+
+The following fields are available:
+
+- **background**  Is the download a background download?
+- **cdnUrl**  The URL of the CDN.
+- **clientTelId**  A random number used for device sampling.
+- **deviceProfile**  Identifies the usage or form factor. Example: Desktop or Xbox
+- **diceRoll**  The dice roll value used in sampling events.
+- **doClientVersion**  The version of the Delivery Optimization client.
+- **doErrorCode**  The Delivery Optimization error code that was returned.
+- **downloadMode**  The download mode used for this file download session.
+- **errorCode**  The error code that was returned.
+- **experimentId**  When running a test, this is used to correlate with other events that are part of the same test.
+- **fileID**  The ID of the file being downloaded.
+- **filePath**  The path where the file will be written.
+- **groupID**  ID for the group.
+- **isVpn**  Is the device connected to a Virtual Private Network?
+- **jobID**  The ID of the Windows Update job.
+- **minDiskSizeGB**  The minimum disk size (in GB) required for Peering.
+- **minDiskSizePolicyEnforced**  Is the minimum disk size enforced via policy?
+- **minFileSizePolicy**  The minimum content file size policy to allow the download using Peering.
+- **peerID**  The ID for this Delivery Optimization client.
+- **scenarioID**  The ID of the scenario.
+- **sessionID**  The ID of the download session.
+- **updateID**  The ID of the update being downloaded.
+- **usedMemoryStream**  Did the download use memory streaming?
+- **costFlags**  A set of flags representing network cost.
+
+
+### Microsoft.OSG.DU.DeliveryOptClient.FailureCdnCommunication
+
+This event represents a failure to download from a CDN with Delivery Optimization. It's used to understand and address problems regarding downloads.
+
+The following fields are available:
+
+- **cdnIp**  The IP address of the CDN.
+- **cdnUrl**  The URL of the CDN.
+- **clientTelId**  A random number used for device sampling.
+- **errorCode**  The error code that was returned.
+- **errorCount**  The total number of times this error code was seen since the last FailureCdnCommunication event was encountered.
+- **httpStatusCode**  The HTTP status code returned by the CDN.
+- **sessionID**  The ID of the download session.
+- **cdnHeaders**  The HTTP headers returned by the CDN.
+- **experimentId**  When running a test, this is used to correlate with other events that are part of the same test.
+- **fileID**  The ID of the file being downloaded.
+- **isHeadRequest**  The type of  HTTP request that was sent to the CDN. Example: HEAD or GET
+- **requestSize**  The size of the range requested from the CDN.
+- **responseSize**  The size of the range response received from the CDN.
+
+
+## Windows Update events
+
+### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentModeStart
+
+This event sends data for the start of each mode during the process of updating device manifest assets via the UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages.
+
+The following fields are available:
+
+- **flightId**  The unique identifier for each flight
+- **mode**  Indicates that the Update Agent mode that has started. 1 = Initialize, 2 = DownloadRequest, 3 = Install, 4 = Commit
+- **objectId**  Unique value for each Update Agent mode
+- **relatedCV**  Correlation vector value generated from the latest scan
+- **scenarioId**  The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
+- **sessionId**  Unique value for each Update Agent mode attempt
+- **updateId**  Unique ID for each update
+
+
+### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentInitialize
+
+This event sends data for initializing a new update session for the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages
+
+The following fields are available:
+
+- **errorCode**  The error code returned for the current initialize phase
+- **flightId**  The unique identifier for each flight
+- **flightMetadata**  Contains the FlightId and the build being flighted
+- **objectId**  Unique value for each Update Agent mode
+- **relatedCV**  Correlation vector value generated from the latest USO scan
+- **result**  Result of the initialize phase of update. 0 = Succeeded, 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled
+- **scenarioId**  The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate#N#
+- **sessionData**  Contains instructions to update agent for processing FODs and DUICs (Null for other scenarios)
+- **sessionId**  "Unique value for each Update Agent mode attempt "
+- **updateId**  Unique ID for each update
+
+
+### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentCommit
+
+This event collects information regarding the final commit phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages
+
+The following fields are available:
+
+- **errorCode**  The error code returned for the current session initialization
+- **flightId**  The unique identifier for each flight
+- **objectId**  The unique GUID for each diagnostics session
+- **relatedCV**  A correlation vector value, generated from the latest USO scan
+- **result**  Outcome of the initialization of the session
+- **scenarioId**  Identifies the Update scenario
+- **sessionId**  The unique value for each update session
+- **updateId**  The unique identifier for each Update
+
+
+### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentInstall
+
+This event collects information regarding the install phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages
+
+The following fields are available:
+
+- **errorCode**  The error code returned for the current install phase
+- **flightId**  The unique identifier for each flight
+- **objectId**  Unique value for each Update Agent mode
+- **relatedCV**  Correlation vector value generated from the latest scan
+- **result**  Result of the install phase of update. 0 = Succeeded 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled
+- **scenarioId**  The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
+- **sessionId**  Unique value for each Update Agent mode attempt
+- **updateId**  Unique ID for each update
+
+
+### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentDownloadRequest
+
+This event collects information regarding the download request phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages
+
+The following fields are available:
+
+- **deletedCorruptFiles**  Indicates if UpdateAgent found any corrupt payload files and whether the payload was deleted
+- **errorCode**  The error code returned for the current session initialization
+- **flightId**  The unique identifier for each flight
+- **objectId**  Unique value for each Update Agent mode
+- **packageCountOptional**  Number of optional packages requested
+- **packageCountRequired**  Number of required packages requested
+- **packageCountTotal**  Total number of packages needed
+- **packageCountTotalCanonical**  Total number of canonical packages
+- **packageCountTotalDiff**  Total number of diff packages
+- **packageCountTotalExpress**  Total number of express packages
+- **packageSizeCanonical**  Size of canonical packages in bytes
+- **packageSizeDiff**  Size of diff packages in bytes
+- **packageSizeExpress**  Size of express packages in bytes
+- **rangeRequestState**  Represents the state of the download range request
+- **relatedCV**  Correlation vector value generated from the latest USO scan
+- **result**  Result of the download request phase of update
+- **scenarioId**  The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
+- **sessionId**  Unique value for each Update Agent mode attempt
+- **updateId**  Unique ID for each update
+
+
+### Microsoft.Windows.Update.Orchestrator.GameActive
+
+This event indicates that an enabled GameMode process prevented the device from restarting to complete an update
+
+The following fields are available:
+
+- **eventScenario**  Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed
+- **gameModeReason**  Name of the enabled GameMode process that prevented the device from restarting to complete an update
+- **wuDeviceid**  The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue
+
+
+### Microsoft.Windows.Update.DataMigrationFramework.DmfMigrationCompleted
+
+This event sends data collected at the end of the Data Migration Framework (DMF) and parameters involved in its invocation, to help keep Windows up to date.
+
+The following fields are available:
+
+- **MigrationDurationInMilliseconds**  How long the DMF migration took (in milliseconds)
+- **MigrationEndTime**  A system timestamp of when the DMF migration completed.
+- **RevisionNumbers**  A collection of revision numbers for the updates associated with the DMF session.
+- **UpdateIds**  A collection of GUIDs for updates that are associated with the DMF session.
+- **WuClientId**  The GUID of the Windows Update client responsible for triggering the DMF migration
+
+
+### Microsoft.Windows.Update.DataMigrationFramework.DmfMigrationStarted
+
+This event sends data collected at the beginning of the Data Migration Framework (DMF) and parameters involved in its invocation, to help keep Windows up to date.
+
+The following fields are available:
+
+- **MigrationMicrosoftPhases**  Revision numbers for the updates that were installed.
+- **MigrationOEMPhases**  WU Update IDs for the updates that were installed.
+- **MigrationStartTime**  The timestamp representing the beginning of the DMF migration
+- **WuClientId**  The GUID of the Windows Update client invoking DMF
+- **RevisionNumbers**  A collection of the revision numbers associated with the UpdateIds.
+- **UpdateIds**  A collection of GUIDs identifying the upgrades that are running.
+
+
+### Microsoft.Windows.Update.DataMigrationFramework.MigratorResult
+
+This event sends DMF migrator data to help keep Windows up to date.
+
+The following fields are available:
+
+- **CurrentStep**  This is the last step the migrator reported before returning a result. This tells us how far through the individual migrator the device was before failure.
+- **ErrorCode**  The result (as an HRESULT) of the migrator that just completed.
+- **MigratorId**  A GUID identifying the migrator that just completed.
+- **MigratorName**  The name of the migrator that just completed.
+- **RunDurationInSeconds**  The time it took for the migrator to complete.
+- **TotalSteps**  Migrators report progress in number of completed steps against the total steps. This is the total number of steps.
+
+
+### Microsoft.Windows.Update.Orchestrator.Download
+
+This event sends launch data for a Windows Update download to help keep Windows up to date.
+
+The following fields are available:
+
+- **deferReason**  Reason for download not completing
+- **detectionDeferreason**  Reason for download not completing
+- **errorCode**  An error code represented as a hexadecimal value
+- **eventScenario**  End to end update session ID.
+- **flightID**  Unique update ID.
+- **interactive**  Identifies if session is user initiated.
+- **revisionNumber**  Update revision number.
+- **updateId**  Update ID.
+- **updateScenarioType**  The update session type.
+- **wuDeviceid**  Unique device ID used by Windows Update.
+
+
+### Microsoft.Windows.Update.Orchestrator.FlightInapplicable
+
+This event sends data on whether the update was applicable to the device, to help keep Windows up to date.
+
+The following fields are available:
+
+- **EventPublishedTime**  time that the event was generated
+- **revisionNumber**  Revision Number of the Update
+- **updateId**  Unique Update ID
+- **UpdateStatus**  Integer that describes Update state
+- **wuDeviceid**  Unique Device ID
+- **flightID**  Unique Update ID
+- **updateScenarioType**  The update session type.
+
+
+### Microsoft.Windows.Update.Orchestrator.PostInstall
+
+This event sends data about lite stack devices (mobile, IOT, anything non-PC) immediately before data migration is launched to help keep Windows up to date.
+
+The following fields are available:
+
+- **batteryLevel**  Current battery capacity in mWh or percentage left.
+- **bundleId**  Update grouping ID.
+- **bundleRevisionnumber**  Bundle revision number.
+- **errorCode**  Hex code for the error message, to allow lookup of the specific error.
+- **eventScenario**  End to end update session ID.
+- **flightID**  Unique update ID.
+- **sessionType**  Interactive vs. Background.
+- **wuDeviceid**  Unique device ID used by Windows Update.
+
+
+### Microsoft.Windows.Update.Orchestrator.RebootFailed
+
+This event sends information about whether an update required a reboot and reasons for failure to help keep Windows up to date.
+
+The following fields are available:
+
+- **batteryLevel**  Current battery capacity in mWh or percentage left.
+- **deferReason**  Reason for install not completing.
+- **EventPublishedTime**  The time that the reboot failure occurred.
+- **flightID**  Unique update ID.
+- **installRebootDeferreason**  Reason for reboot not occurring.
+- **rebootOutsideOfActiveHours**  Indicates the timing that the reboot was to occur to ensure the correct update process and experience is provided to keep Windows up to date.
+- **RebootResults**  Hex code indicating failure reason. Typically, we expect this to be a specific USO generated hex code.
+- **revisionNumber**  Update revision number.
+- **updateId**  Update ID.
+- **updateScenarioType**  The update session type.
+- **uxRebootstate**  Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date.
+- **wuDeviceid**  Unique device ID used by Windows Update.
+
+
+### Microsoft.Windows.Update.Orchestrator.UpdatePolicyCacheRefresh
+
+This event sends data on whether Update Management Policies were enabled on a device, to help keep Windows up to date.
+
+The following fields are available:
+
+- **configuredPoliciescount**  Policy Count
+- **policiesNamevaluesource**  Policy Name
+- **policyCacherefreshtime**  Refresh time
+- **updateInstalluxsetting**  This shows whether a user has set policies via UX option
+- **wuDeviceid**  Unique device ID used by Windows Update.
+
+
+### Microsoft.Windows.Update.Orchestrator.UpdateRebootRequired
+
+This event sends data about whether an update required a reboot to help keep Windows up to date.
+
+The following fields are available:
+
+- **revisionNumber**  Update revision number.
+- **updateId**  Update ID.
+- **wuDeviceid**  Unique device ID used by Windows Update.
+- **flightID**  Unique update ID.
+- **interactive**  Indicates the reboot initiation stage of the update process was entered as a result of user action or not.
+- **uxRebootstate**  Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date.
+- **updateScenarioType**  The update session type.
+
+
+### Microsoft.Windows.Update.Ux.MusNotification.RebootScheduled
+
+This event sends data about a required reboot that is scheduled with no user interaction, to help keep Windows up to date.
+
+The following fields are available:
+
+- **activeHoursApplicable**  True, If Active Hours applicable on this device. False, otherwise.
+- **forcedReboot**  True, if a reboot is forced on the device. Otherwise, this is False
+- **rebootArgument**  Argument for the reboot task. It also represents specific reboot related action.
+- **rebootOutsideOfActiveHours**  True, if a reboot is scheduled outside of active hours. False, otherwise.
+- **rebootScheduledByUser**  True, if a reboot is scheduled by user. False, if a reboot is scheduled automatically.
+- **revisionNumber**  Revision number of the update that is getting installed with this reboot.
+- **scheduledRebootTime**  Time of the scheduled reboot
+- **updateId**  Update ID of the update that is getting installed with this reboot.
+- **wuDeviceid**  Unique device ID used by Windows Update.
+- **rebootState**  The state of the reboot.
+
+
+### Microsoft.Windows.Update.Orchestrator.Detection
+
+This event sends launch data for a Windows Update scan to help keep Windows up to date.
+
+The following fields are available:
+
+- **deferReason**  Reason why the device could not check for updates.
+- **detectionBlockreason**  Reason for detection not completing.
+- **detectionDeferreason**  A log of deferral reasons for every update state.
+- **errorCode**  The returned error code.
+- **eventScenario**  End to end update session ID, or indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed.
+- **flightID**  A unique update ID.
+- **interactive**  Identifies if session is User Initiated.
+- **revisionNumber**  Update revision number.
+- **updateId**  Update ID.
+- **updateScenarioType**  The update session type.
+- **wuDeviceid**  Unique device ID used by Windows Update.
+
+
+### Microsoft.Windows.Update.Orchestrator.InitiatingReboot
+
+This event sends data about an Orchestrator requesting a reboot from power management to help keep Windows up to date.
+
+The following fields are available:
+
+- **EventPublishedTime**  Time of the event.
+- **revisionNumber**  Revision number of the update.
+- **updateId**  Update ID.
+- **wuDeviceid**  Unique device ID used by Windows Update.
+- **flightID**  Unique update ID
+- **interactive**  Indicates the reboot initiation stage of the update process was entered as a result of user action or not.
+- **rebootOutsideOfActiveHours**  Indicates the timing that the reboot was to occur to ensure the correct update process and experience is provided to keep Windows up to date.
+- **uxRebootstate**  Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date.
+- **updateScenarioType**  The update session type.
+
+
+### Microsoft.Windows.Update.Ux.MusUpdateSettings.RebootScheduled
+
+This event sends basic information for scheduling a device restart to install security updates. It's used to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **activeHoursApplicable**  Is the restart respecting Active Hours?
+- **rebootArgument**  The arguments that are passed to the OS for the restarted.
+- **rebootOutsideOfActiveHours**  Was the restart scheduled outside of Active Hours?
+- **rebootScheduledByUser**  Was the restart scheduled by the user? If the value is false, the restart was scheduled by the device.
+- **rebootState**  The state of the restart.
+- **revisionNumber**  The revision number of the OS being updated.
+- **scheduledRebootTime**  Time of the scheduled reboot
+- **updateId**  The Windows Update device GUID.
+- **wuDeviceid**  The Windows Update device GUID.
+- **forcedReboot**  True, if a reboot is forced on the device. Otherwise, this is False
+
+
+### Microsoft.Windows.Update.Ux.MusNotification.RebootNoLongerNeeded
+
+This event is sent when a security update has successfully completed.
+
+The following fields are available:
+
+- **UtcTime**  The Coordinated Universal Time that the restart was no longer needed.
+
+
+### Microsoft.Windows.Update.Ux.MusNotification.ToastDisplayedToScheduleReboot
+
+This event is sent when a toast notification is shown to the user about scheduling a device restart.
+
+The following fields are available:
+
+- **UtcTime**  The Coordinated Universal Time when the toast notification was shown.
+
+
+### Microsoft.Windows.Update.Orchestrator.RestoreRebootTask
+
+This event sends data indicating that a reboot task is missing unexpectedly on a device and the task is restored because a reboot is still required, to help keep Windows up to date.
+
+The following fields are available:
+
+- **RebootTaskRestoredTime**  Time at which this reboot task was restored.
+- **revisionNumber**  Update revision number.
+- **updateId**  Update ID.
+- **wuDeviceid**  Device id on which the reboot is restored
+
+
+### Microsoft.Windows.Update.Orchestrator.SystemNeeded
+
+This event sends data about why a device is unable to reboot, to help keep Windows up to date.
+
+The following fields are available:
+
+- **eventScenario**  End to end update session ID.
+- **revisionNumber**  Update revision number.
+- **systemNeededReason**  Reason ID
+- **updateId**  Update ID.
+- **wuDeviceid**  Unique device ID used by Windows Update.
+- **rebootOutsideOfActiveHours**  Indicates the timing that the reboot was to occur to ensure the correct update process and experience is provided to keep Windows up to date.
+- **uxRebootstate**  Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date.
+- **updateScenarioType**  The update session type.
+
+
+### Microsoft.Windows.Update.UpdateStackServicing.CheckForUpdates
+
+This event sends data about the UpdateStackServicing check for updates, to help keep Windows up to date.
+
+The following fields are available:
+
+- **BspVersion**  The version of the BSP.
+- **CallerApplicationName**  The name of the USS scheduled task. Example UssScheduled or UssBoot
+- **ClientVersion**  The version of the client.
+- **CommercializationOperator**  The name of the operator.
+- **DetectionVersion**  The string returned from the GetDetectionVersion export of the downloaded detection DLL.
+- **DeviceName**  The name of the device.
+- **EventInstanceID**  The USS session ID.
+- **EventScenario**  The scenario of the event. Example: Started, Failed, or Succeeded
+- **OemName**  The name of the manufacturer.
+- **ServiceGuid**  The GUID of the service.
+- **StatusCode**  The HRESULT code of the operation.
+- **WUDeviceID**  The Windows Update device ID.
+
+
+### Microsoft.Windows.Update.Orchestrator.CommitFailed
+
+This events tracks when a device needs to restart after an update but did not.
+
+The following fields are available:
+
+- **errorCode**  The error code that was returned.
+- **wuDeviceid**  The Windows Update device GUID.
+
+
+### Microsoft.Windows.Update.Orchestrator.Install
+
+This event sends launch data for a Windows Update install to help keep Windows up to date.
+
+The following fields are available:
+
+- **batteryLevel**  Current battery capacity in mWh or percentage left.
+- **deferReason**  Reason for install not completing.
+- **eventScenario**  End to end update session ID.
+- **interactive**  Identifies if session is user initiated.
+- **wuDeviceid**  Unique device ID used by Windows Update.
+- **flightUpdate**  Flight update
+- **installRebootinitiatetime**  The time it took for a reboot to be attempted.
+- **minutesToCommit**  The time it took to install updates.
+- **revisionNumber**  Update revision number.
+- **updateId**  Update ID.
+- **errorCode**  The error code reppresented by a hexadecimal value.
+- **installCommitfailedtime**  The time it took for a reboot to happen but the upgrade failed to progress.
+- **flightID**  Unique update ID
+- **ForcedRebootReminderSet**  A boolean value that indicates if a forced reboot will happen for updates.
+- **rebootOutsideOfActiveHours**  Indicates the timing that the reboot was to occur to ensure the correct update process and experience is provided to keep Windows up to date.
+- **uxRebootstate**  Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date.
+- **updateScenarioType**  The update session type.
+
+
+### Microsoft.Windows.Update.Orchestrator.PreShutdownStart
+
+This event is generated right before the shutdown and commit operations
+
+The following fields are available:
+
+- **wuDeviceid**  The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue
+
+
+### Microsoft.Windows.Update.Orchestrator.DeferRestart
+
+This event indicates that a restart required for installing updates was postponed
+
+The following fields are available:
+
+- **filteredDeferReason**  Indicates the raised, but ignorable, reasons that the USO didn't restart (for example, user active or low battery)
+- **raisedDeferReason**  Indicates the reason that the USO didn't restart. For example, user active or low battery
+- **wuDeviceid**  The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue
+- **eventScenario**  Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed
+
+
+### Microsoft.Windows.Update.Orchestrator.DisplayNeeded
+
+Reboot postponed due to needing a display
+
+The following fields are available:
+
+- **displayNeededReason**  Reason the display is needed
+- **eventScenario**  Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed
+- **rebootOutsideOfActiveHours**  Indicates the timing that the reboot was to occur to ensure the correct update process and experience is provided to keep Windows up to date
+- **revisionNumber**  Revision number of the update
+- **updateId**  Update ID
+- **updateScenarioType**  The update session type
+- **uxRebootstate**  Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date
+- **wuDeviceid**  The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue
+
+
+### Microsoft.Windows.Update.NotificationUx.RebootScheduled
+
+Indicates when a reboot is scheduled by the system or a user for a security, quality, or feature update
+
+The following fields are available:
+
+- **activeHoursApplicable**  True, If Active Hours applicable on this device. False, otherwise
+- **rebootArgument**  Argument for the reboot task. It also represents specific reboot related action
+- **rebootOutsideOfActiveHours**  True, if a reboot is scheduled outside of active hours. False, otherwise
+- **rebootScheduledByUser**  True, if a reboot is scheduled by user. False, if a reboot is scheduled automatically
+- **rebootState**  The state of the reboot
+- **revisionNumber**  Revision number of the update that is getting installed with this reboot
+- **scheduledRebootTime**  Time of the scheduled reboot
+- **updateId**  ID of the update that is getting installed with this reboot
+- **wuDeviceid**  Unique device ID used by Windows Update
+- **scheduledRebootTimeInUTC**  Time of the scheduled reboot in Coordinated Universal Time
\ No newline at end of file
diff --git a/windows/configuration/basic-level-windows-diagnostic-events-and-fields.md b/windows/configuration/basic-level-windows-diagnostic-events-and-fields.md
index 06874ee41a..5ab90c23ab 100644
--- a/windows/configuration/basic-level-windows-diagnostic-events-and-fields.md
+++ b/windows/configuration/basic-level-windows-diagnostic-events-and-fields.md
@@ -1,24 +1,24 @@
 ---
-description: Learn more about the Windows diagnostic data that is gathered at the basic level.
-title: Windows 10, version 1709 basic diagnostic events and fields (Windows 10)
-keywords: privacy, diagnostic data
+description: Use this article to learn more about what Windows diagnostic data is gathered at the basic level.
+title: Windows 10, version 1803 basic diagnostic events and fields (Windows 10)
+keywords: privacy, telemetry, diagnostic data
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: security
 localizationpriority: high
-author: eross-msft
-ms.author: lizross
-ms.date: 03/13/2018
+author: brianlic-msft
+ms.author: brianlic
+ms.date: 4/10/2018
 ---
 
 
-# Windows 10, version 1709 basic level Windows diagnostic events and fields
+# Windows 10, version 1803 basic level Windows diagnostic events and fields
 
 
  **Applies to**
 
-- Windows 10, version 1709
+- Windows 10, version 1803
 
 
 The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Microsoft Store. When the level is set to Basic, it also includes the Security level information.
@@ -30,13 +30,16 @@ Use this article to learn about diagnostic events, grouped by event area, and th
 You can learn more about Windows functional and diagnostic data through these articles:
 
 
-- [Windows 10, version 1703 basic diagnostic events and fields](https://docs.microsoft.com/windows/configuration/basic-level-windows-diagnostic-events-and-fields-1703)
-- [Manage connections from Windows operating system components to Microsoft services](https://docs.microsoft.com/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services)
-- [Configure Windows diagnostic data in your organization](https://docs.microsoft.com/windows/configuration/configure-windows-diagnostic-data-in-your-organization)
+- [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1709.md)
+- [Windows 10, version 1703 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md)
+- [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md)
+- [Manage Windows 10 connection endpoints](manage-windows-endpoints-version-1709.md)
+- [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md)
 
 
 
-# Common data extensions
+
+## Common data extensions
 
 ### Common Data Extensions.App
 
@@ -48,6 +51,8 @@ The following fields are available:
 - **userId**  The userID as known by the application.
 - **env**  The environment from which the event was logged.
 - **asId**  An integer value that represents the app session. This value starts at 0 on the first app launch and increments after each subsequent app launch per boot session.
+- **id**  Represents a unique identifier of the client application currently loaded in the process producing the event; and is used to group events together and understand usage pattern, errors by application.
+- **ver**  Represents the version number of the application. Used to understand errors by Version, Usage by Version across an app.
 
 
 ### Common Data Extensions.CS
@@ -75,6 +80,8 @@ The following fields are available:
 - **tickets**  A list of strings that represent entries in the HTTP header of the web request that includes this event.
 - **bseq**  Upload buffer sequence number in the format \<buffer identifier\>:\<sequence number\>
 - **mon**  Combined monitor and event sequence numbers in the format \<monitor sequence\>:\<event sequence\>
+- **epoch**  Represents the epoch and seqNum fields, which help track how many events were fired and how many events were uploaded, and enables identification of data lost during upload and de-duplication of events on the ingress server.
+- **seq**  Represents the sequence field used to track absolute order of uploaded events. It is an incrementing identifier for each event added to the upload queue.  The Sequence helps track how many events were fired and how many events were uploaded and enables identification of data lost during upload and de-duplication of events on the ingress server.
 
 
 ### Common Data Extensions.Device
@@ -98,15 +105,9 @@ The following fields are available:
 - **name**  Represents the uniquely qualified name for the event.
 - **time**  Represents the event date time in Coordinated Universal Time (UTC) when the event was generated on the client. This should be in ISO 8601 format.
 - **popSample**  Represents the effective sample rate for this event at the time it was generated by a client.
-- **epoch**  Represents the epoch and seqNum fields, which help track how many events were fired and how many events were uploaded, and enables identification of data lost during upload and de-duplication of events on the ingress server.
-- **seqNum**  Represents the sequence field used to track absolute order of uploaded events. It is an incrementing identifier for each event added to the upload queue.  The Sequence helps track how many events were fired and how many events were uploaded and enables identification of data lost during upload and de-duplication of events on the ingress server.
 - **iKey**  Represents an ID for applications or other logical groupings of events.
-- **flags**  Represents a collection of bits that describe how the event should be processed by the Connected User Experiences and Telemetry component pipeline. The lowest-order byte is the event persistence. The next byte is the event latency.
-- **os**  Represents the operating system name.
-- **osVer**  Represents the OS version, and its format is OS dependent.
-- **appId**  Represents a unique identifier of the client application currently loaded in the process producing the event; and is used to group events together and understand usage pattern, errors by application.
-- **appVer**  Represents the version number of the application. Used to understand errors by Version, Usage by Version across an app.
-- **cV**  Represents the Correlation Vector: A single field for tracking partial order of related diagnostic data events across component boundaries.
+- **flags**  Represents a collection of bits that describe how the event should be processed by the Connected User Experience and Telemetry component pipeline. The lowest-order byte is the event persistence. The next byte is the event latency.
+- **cV**  Represents the Correlation Vector: A single field for tracking partial order of related telemetry events across component boundaries.
 
 
 ### Common Data Extensions.OS
@@ -119,6 +120,8 @@ The following fields are available:
 - **expId**  Represents the experiment ID. The standard for associating a flight, such as an OS flight (pre-release build), or an experiment, such as a web site UX experiment, with an event is to record the flight / experiment IDs in Part A of the common schema.
 - **locale**  Represents the locale of the operating system.
 - **bootId**  An integer value that represents the boot session. This value starts at 0 on first boot after OS install and increments after every reboot.
+- **os**  Represents the operating system name.
+- **ver**  Represents the OS version, and its format is OS dependent.
 
 
 ### Common Data Extensions.User
@@ -148,7 +151,7 @@ The following fields are available:
 
 ### Common Data Extensions.Consent UI Event
 
-This User Account Control (UAC) diagnostic data point collects information on elevations that originate from low integrity levels. This occurs when a process running at low integrity level (IL) requires higher (administrator) privileges, and therefore requests for elevation via UAC (consent.exe). By better understanding the processes requesting these elevations, Microsoft can in turn improve the detection and handling of potentially malicious behavior in this path.
+This User Account Control (UAC) telemetry point collects information on elevations that originate from low integrity levels. This occurs when a process running at low integrity level (IL) requires higher (administrator) privileges, and therefore requests for elevation via UAC (consent.exe). By better understanding the processes requesting these elevations, Microsoft can in turn improve the detection and handling of potentially malicious behavior in this path.
 
 The following fields are available:
 
@@ -253,106 +256,269 @@ The following fields are available:
 
 ## Appraiser events
 
-### Microsoft.Windows.Appraiser.General.RunContext
+### Microsoft.Windows.Appraiser.General.ChecksumTotalPictureCount
 
-This event indicates what should be expected in the data payload.
+This event lists the types of objects and how many of each exist on the client device. This allows for a quick way to ensure that the records present on the server match what is present on the client.
 
 The following fields are available:
 
-- **AppraiserBranch**  The source branch in which the currently running version of Appraiser was built.
-- **AppraiserProcess**  The name of the process that launched Appraiser.
-- **AppraiserVersion**  The version of the Appraiser file generating the events.
-- **Context**  Indicates what mode Appraiser is running in. Example: Setup or Diagnostic Data.
-- **PCFP**  An ID for the system calculated by hashing hardware identifiers.
-- **Time**  The client time of the event.
+- **PCFP**  An ID for the system, calculated by hashing hardware identifiers. 
+- **SystemProcessorLahfSahf**  The count of the number of this particular object type present on this device.
+- **SystemProcessorCompareExchange**  The count of the number of this particular object type present on this device.
+- **SystemProcessorSse2**  The count of the number of this particular object type present on this device.
+- **SystemProcessorNx**  The count of the number of this particular object type present on this device.
+- **SystemWim**  The count of the number of this particular object type present on this device.
+- **SystemWlan**  The count of the number of this particular object type present on this device.
+- **DatasourceDevicePnp_RS1**  The total DataSourceDevicePnp objects targeting Windows 10 version 1607 on this device.
+- **DecisionDevicePnp_RS1**  The total DecisionDevicePnp objects targeting Windows 10 version 1607 on this device.
+- **InventorySystemBios**  The count of the number of this particular object type present on this device.
+- **DataSourceMatchingInfoPostUpgrade_RS1**  The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device.
+- **DecisionMatchingInfoPostUpgrade_RS1**  The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1607 on this device.
+- **SystemMemory**  The count of the number of this particular object type present on this device.
+- **SystemProcessorPrefetchW**  The count of the number of this particular object type present on this device.
+- **DatasourceSystemBios_RS1**  The total DatasourceSystemBios objects targeting Windows 10 version 1607 present on this device.
+- **DecisionSystemBios_RS1**  The total DecisionSystemBios objects targeting Windows 10 version 1607 on this device.
+- **DataSourceMatchingInfoPassive_RS1**  The total DataSourceMatchingInfoPassive objects targeting Windows 10 version 1607 on this device.
+- **DecisionMatchingInfoPassive_RS1**  The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1607 on this device.
+- **InventoryUplevelDriverPackage**  The count of the number of this particular object type present on this device.
+- **DatasourceDriverPackage_RS1**  The total DataSourceDriverPackage objects targeting Windows 10 version 1607 on this device.
+- **DecisionDriverPackage_RS1**  The total DecisionDriverPackage objects targeting Windows 10 version 1607 on this device.
+- **Wmdrm_RS1**  An ID for the system, calculated by hashing hardware identifiers. 
+- **DecisionTest_RS1**  An ID for the system, calculated by hashing hardware identifiers. 
+- **SystemWindowsActivationStatus**  The count of the number of this particular object type present on this device.
+- **SystemTouch**  The count of the number of this particular object type present on this device.
+- **InventoryApplicationFile**  The count of the number of this particular object type present on this device.
+- **InventoryLanguagePack**  The count of InventoryLanguagePack objects present on this machine.
+- **InventoryMediaCenter**  The count of the number of this particular object type present on this device.
+- **DatasourceSystemBios_RS3**  The total DatasourceSystemBios objects targeting the next release of Windows on this device.
+- **DecisionSystemBios_RS3**  The total DecisionSystemBios objects targeting the next release of Windows on this device.
+- **DatasourceApplicationFile_RS3**  The total DecisionApplicationFile objects targeting the next release of Windows on this device. 
+- **DatasourceDevicePnp_RS3**  The total DatasourceDevicePnp objects targeting the next release of Windows on this device.
+- **DatasourceDriverPackage_RS3**  The total DatasourceDriverPackage objects targeting the next release of Windows on this device.
+- **DataSourceMatchingInfoBlock_RS3**  The total DataSourceMatchingInfoBlock objects targeting the next release of Windows on this device.
+- **DataSourceMatchingInfoPassive_RS3**  The total DataSourceMatchingInfoPassive objects targeting the next release of Windows on this device.
+- **DataSourceMatchingInfoPostUpgrade_RS3**  The total DataSourceMatchingInfoPostUpgrade objects targeting the next release of Windows on this device.
+- **DecisionApplicationFile_RS3**  The total DecisionApplicationFile objects targeting the next release of Windows on this device.
+- **DecisionDevicePnp_RS3**  The total DecisionDevicePnp objects targeting the next release of Windows on this device.
+- **DecisionDriverPackage_RS3**  The total DecisionDriverPackage objects targeting the next release of Windows on this device.
+- **DecisionMatchingInfoBlock_RS3**  The total DecisionMatchingInfoBlock objects targeting the next release of Windows on this device.
+- **DecisionMatchingInfoPassive_RS3**  The total DataSourceMatchingInfoPassive objects targeting the next release of Windows on this device.
+- **DecisionMatchingInfoPostUpgrade_RS3**  The total DecisionMatchingInfoPostUpgrade objects targeting the next release of Windows on this device.
+- **DecisionMediaCenter_RS3**  The total DecisionMediaCenter objects targeting the next release of Windows on this device.
+- **Wmdrm_RS3**  The total Wmdrm objects targeting the next release of Windows on this device.
+- **DatasourceApplicationFile_RS1**  An ID for the system, calculated by hashing hardware identifiers. 
+- **DecisionApplicationFile_RS1**  An ID for the system, calculated by hashing hardware identifiers. 
+- **DataSourceMatchingInfoBlock_RS1**  The total DataSourceMatchingInfoBlock objects targeting Windows 10 version 1607 on this device.
+- **DecisionMatchingInfoBlock_RS1**  The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1607 present on this device.
+- **DecisionMediaCenter_RS1**  The total DecisionMediaCenter objects targeting Windows 10 version 1607 present on this device.
 
 
-### Microsoft.Windows.Appraiser.General.TelemetryRunHealth
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockAdd
 
-A summary event indicating the parameters and result of a diagnostic data run. This allows the rest of the data sent over the course of the run to be properly contextualized and understood, which is then used to keep Windows up-to-date.
+This event sends blocking data about any compatibility blocking entries hit on the system that are not directly related to specific applications or devices, to help keep Windows up-to-date.
 
 The following fields are available:
 
-- **AppraiserBranch**  The source branch in which the version of Appraiser that is running was built.
-- **AppraiserDataVersion**  The version of the data files being used by the Appraiser diagnostic data run.
-- **AppraiserProcess**  The name of the process that launched Appraiser.
-- **AppraiserVersion**  The file version (major, minor and build) of the Appraiser DLL, concatenated without dots.
-- **AuxFinal**  Obsolete, always set to false
-- **AuxInitial**  Obsolete, indicates if Appraiser is writing data files to be read by the Get Windows 10 app.
-- **DeadlineDate**  A timestamp representing the deadline date, which is the time until which appraiser will wait to do a full scan.
-- **EnterpriseRun**  Indicates if the diagnostic data run is an enterprise run, which means appraiser was run from the command line with an extra enterprise parameter.
-- **FullSync**  Indicates if Appraiser is performing a full sync, which means that full set of events representing the state of the machine are sent. Otherwise, only the changes from the previous run are sent.
-- **InventoryFullSync**  Indicates if inventory is performing a full sync, which means that the full set of events representing the inventory of machine are sent.
-- **PCFP**  An ID for the system calculated by hashing hardware identifiers.
-- **PerfBackoff**  Indicates if the run was invoked with logic to stop running when a user is present. Helps to understand why a run may have a longer elapsed time than normal.
-- **PerfBackoffInsurance**  Indicates if appraiser is running without performance backoff because it has run with perf backoff and failed to complete several times in a row.
-- **RunAppraiser**  Indicates if Appraiser was set to run at all. If this if false, it is understood that data events will not be received from this device.
-- **RunDate**  The date that the diagnostic data run was stated, expressed as a filetime.
-- **RunGeneralTel**  Indicates if the generaltel.dll component was run. Generaltel collects additional diagnostic data on an infrequent schedule and only from machines at diagnostic data levels higher than Basic.
-- **RunOnline**  Indicates if appraiser was able to connect to Windows Update and theefore is making decisions using up-to-date driver coverage information.
-- **RunResult**  The hresult of the Appraiser diagnostic data run.
-- **SendingUtc**  Indicates if the Appraiser client is sending events during the current diagnostic data run.
-- **StoreHandleIsNotNull**  Obsolete, always set to false
-- **TelementrySent**  Indicates if diagnostic data was successfully sent.
-- **ThrottlingUtc**  Indicates if the Appraiser client is throttling its output of CUET events to avoid being disabled. This increases runtime but also diagnostic data reliability.
-- **Time**  The client time of the event.
-- **VerboseMode**  Indicates if appraiser ran in Verbose mode, which is a test-only mode with extra logging.
-- **WhyFullSyncWithoutTablePrefix**  Indicates the reason or reasons that a full sync was generated.
+- **AppraiserVersion**  The version of the appraiser file generating the events.
+- **SdbEntries**  Deprecated in RS3. An array of fields indicating the SDB entries that apply to this file.
 
 
-### Microsoft.Windows.Appraiser.General.EnterpriseScenarioWithDiagTrackServiceRunning
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockRemove
 
-The event that indicates that Appraiser has been triggered to run an enterprise scenario while the DiagTrack service is installed. This event can only be sent if a special flag is used to trigger the enterprise scenario.
+This event indicates that the DataSourceMatchingInfoBlock object is no longer present.
 
 The following fields are available:
 
-- **PCFP**  An ID for the system calculated by hashing hardware identifiers.
-- **Time**  The client time of the event.
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
 
 
-### Microsoft.Windows.Appraiser.General.InventoryApplicationFileAdd
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockStartSync
 
-This event represents the basic metadata about a file on the system.  The file must be part of an app and either have a block in the compatibility database or are part of an anti-virus program.
+This event indicates that a full set of DataSourceMatchingInfoBlockStAdd events have been sent.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveAdd
+
+This event sends compatibility database information about non-blocking compatibility entries on the system that are not keyed by either applications or devices, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the appraiser file generating the events.
+- **SdbEntries**  Deprecated in RS3. An array of fields indicating the SDB entries that apply to this file.
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveRemove
+
+This event indicates that the DataSourceMatchingInfoPassive object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveStartSync
+
+This event indicates that a new set of DataSourceMatchingInfoPassiveAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeAdd
+
+This event sends compatibility database information about entries requiring reinstallation after an upgrade on the system that are not keyed by either applications or devices, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the appraiser file generating the events.
+- **SdbEntries**  Deprecated in RS3. An array of fields indicating the SDB entries that apply to this file.
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeRemove
+
+This event indicates that the DataSourceMatchingInfoPostUpgrade object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeStartSync
+
+This event indicates that a new set of DataSourceMatchingInfoPostUpgradeAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileAdd
+
+Deprecated in RS3. This event sends compatibility information about a file to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the appraiser file that is generating the events.
+- **AvDisplayName**  If it is an anti-virus app, this is its display name.
+- **CompatModelIndex**  The compatibility prediction for this file.
+- **HasCitData**  Is the file present in CIT data?
+- **HasUpgradeExe**  Does the anti-virus app have an upgrade.exe file?
+- **IsAv**  Is the file an anti-virus reporting EXE?
+- **ResolveAttempted**  This will always be an empty string when sending telemetry.
+- **SdbEntries**  An array of fields that indicates the SDB entries that apply to this file.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileRemove
+
+This event indicates that the DatasourceApplicationFile object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileStartSync
+
+This event indicates that a new set of DatasourceApplicationFileAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpAdd
+
+This event sends compatibility data for a PNP device, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **ActiveNetworkConnection**  Is the device an active network device?
+- **AppraiserVersion**  The version of the appraiser file generating the events.
+- **IsBootCritical**  Is the device boot critical?
+- **SdbEntries**  An array of fields indicating the SDB entries that apply to this device.
+- **WuDriverCoverage**  Is there a driver uplevel for this device according to Windows Update?
+- **WuDriverUpdateId**  The Windows Update ID of the applicable uplevel driver
+- **WuPopulatedFromId**  The expected up-level driver matching ID based on driver coverage from Windows Update
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpRemove
+
+This event indicates that the DatasourceDevicePnp object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpStartSync
+
+This event indicates that a new set of DatasourceDevicePnpAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageAdd
+
+This event sends compatibility database data about driver packages to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the appraiser file generating the events.
+- **SdbEntries**  Deprecated in RS3. An array of fields indicating the SDB entries that apply to this driver package.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageRemove
+
+This event indicates that the DatasourceDriverPackage object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageStartSync
+
+This event indicates that a new set of DatasourceDriverPackageAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosAdd
+
+This event sends compatibility database information about the BIOS to help keep Windows up-to-date.
 
 The following fields are available:
 
 - **AppraiserVersion**  The version of the Appraiser file generating the events.
-- **AvDisplayName** If the app is an anti-virus app, this is its display name.
-- **AvProductState** Represents state of antivirus program with respect to whether it's turned on and the signatures are up-to-date.
-- **BinaryType**  A binary type.  Example: UNINITIALIZED, ZERO_BYTE, DATA_ONLY, DOS_MODULE, NE16_MODULE, PE32_UNKNOWN, PE32_I386, PE32_ARM, PE64_UNKNOWN, PE64_AMD64, PE64_ARM64, PE64_IA64, PE32_CLR_32, PE32_CLR_IL, PE32_CLR_IL_PREFER32, PE64_CLR_64
-- **BinFileVersion**  An attempt to clean up FileVersion at the client that tries to place the version into 4 octets.
-- **BinProductVersion**  An attempt to clean up ProductVersion at the client that tries to place the version into 4 octets.
-- **BoeProgramId**  If there is no entry in Add/Remove Programs, this is the ProgramID that is generated from the file metadata.
-- **CompanyName**  The company name of the vendor who developed this file.
-- **FileId**  A hash that uniquely identifies a file.
-- **FileVersion**  The File version field from the file metadata under Properties -> Details.
-- **HasUpgradeExe** Does the anti-virus app have an upgrade.exe file?
-- **IsAv** Is the file an anti-virus reporting EXE?
-- **LinkDate**  The date and time that this file was linked on.
-- **LowerCaseLongPath**  The full file path to the file that was inventoried on the device.
-- **Name**  The name of the file that was inventoried.
-- **ProductName**  The Product name field from the file metadata under Properties -> Details.
-- **ProductVersion**  The Product version field from the file metadata under Properties -> Details.
-- **ProgramId**  A hash of the Name, Version, Publisher, and Language of an application used to identify it.
-- **Size**  The size of the file (in hexadecimal bytes).
+- **SdbEntries**  An array of fields indicating the SDB entries that apply to this BIOS.
 
-### Microsoft.Windows.Inventory.Core.InventoryApplicationDriverAdd
 
-This event represents the drivers that an application installs.
+### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosRemove
+
+This event indicates that the DatasourceSystemBios object is no longer present.
 
 The following fields are available:
 
-- **InventoryVersion** The version of the inventory component 
-- **Programids** The unique program identifier the driver is associated with.
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
 
 
-## Microsoft.Windows.Inventory.Core.InventoryApplicationDriverStartSync
+### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosStartSync
 
-This event indicates that a new set of InventoryApplicationDriverStartAdd events will be sent. 
+This event indicates that a new set of DatasourceSystemBiosAdd events will be sent.
 
 The following fields are available:
 
-- **InventoryVersion** The version of the inventory component.
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
 
 ### Microsoft.Windows.Appraiser.General.DecisionApplicationFileAdd
 
@@ -380,13 +546,98 @@ The following fields are available:
 - **SdbReinstallUpgradeWarn**  The file is tagged as needing to be reinstalled after upgrade with a warning in the SDB. It does not block upgrade.
 - **SoftBlock**  The file is softblocked in the SDB and has a warning.
 
-### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockAdd
 
-This event sends blocking data about any compatibility blocking entries hit on the system that are not directly related to specific applications or devices, to help keep Windows up-to-date.
+### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove
+
+This event indicates Indicates that the DecisionApplicationFile object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionApplicationFileStartSync
+
+This event indicates that a new set of DecisionApplicationFileAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionDevicePnpAdd
+
+This event sends compatibility decision data about a PNP device to help keep Windows up-to-date.
 
 The following fields are available:
 
 - **AppraiserVersion**  The version of the appraiser file generating the events.
+- **AssociatedDriverIsBlocked**  Is the driver associated with this PNP device blocked?
+- **AssociatedDriverWillNotMigrate**  Will the driver associated with this plug-and-play device migrate?
+- **BlockAssociatedDriver**  Should the driver associated with this PNP device be blocked?
+- **BlockingDevice**  Is this PNP device blocking upgrade?
+- **BlockUpgradeIfDriverBlocked**  Is the PNP device both boot critical and does not have a driver included with the OS?
+- **BlockUpgradeIfDriverBlockedAndOnlyActiveNetwork**  Is this PNP device the only active network device?
+- **DisplayGenericMessage**  Will a generic message be shown during Setup for this PNP device?
+- **DriverAvailableInbox**  Is a driver included with the operating system for this PNP device?
+- **DriverAvailableOnline**  Is there a driver for this PNP device on Windows Update?
+- **DriverAvailableUplevel**  Is there a driver on Windows Update or included with the operating system for this PNP device?
+- **DriverBlockOverridden**  Is there is a driver block on the device that has been overridden?
+- **NeedsDismissAction**  Will the user would need to dismiss a warning during Setup for this device?
+- **NotRegressed**  Does the device have a problem code on the source OS that is no better than the one it would have on the target OS?
+- **SdbDeviceBlockUpgrade**  Is there an SDB block on the PNP device that blocks upgrade?
+- **SdbDriverBlockOverridden**  Is there an SDB block on the PNP device that blocks upgrade, but that block was overridden?
+
+
+### Microsoft.Windows.Appraiser.General.DecisionDevicePnpRemove
+
+This event indicates that the DecisionDevicePnp object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionDevicePnpStartSync
+
+This event indicates that the DecisionDevicePnp object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionDriverPackageAdd
+
+This event sends decision data about driver package compatibility to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the appraiser file generating the events.
+- **DriverBlockOverridden**  Does the driver package have an SDB block that blocks it from migrating, but that block has been overridden?
+- **DriverIsDeviceBlocked**  Was the driver package was blocked because of a device block?
+- **DriverIsDriverBlocked**  Is the driver package blocked because of a driver block?
+- **DriverShouldNotMigrate**  Should the driver package be migrated during upgrade?
+- **SdbDriverBlockOverridden**  Does the driver package have an SDB block that blocks it from migrating, but that block has been overridden?
+
+
+### Microsoft.Windows.Appraiser.General.DecisionDriverPackageRemove
+
+This event indicates that the DecisionDriverPackage object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionDriverPackageStartSync
+
+This event indicates that a new set of DecisionDriverPackageAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
 
 ### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockAdd
 
@@ -403,13 +654,23 @@ The following fields are available:
 - **SdbBlockUpgradeUntilUpdate**  Is a matching info block blocking upgrade but has the until update tag?
 
 
-### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveAdd
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockRemove
 
-This event sends compatibility database information about non-blocking compatibility entries on the system that are not keyed by either applications or devices, to help keep Windows up-to-date.
+This event indicates that the DecisionMatchingInfoBlock object is no longer present.
 
 The following fields are available:
 
-- **AppraiserVersion**  The version of the appraiser file generating the events.
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockStartSync
+
+This event indicates that a new set of DecisionMatchingInfoBlockAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
 
 ### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveAdd
 
@@ -422,13 +683,22 @@ The following fields are available:
 - **MigApplication**  Is there a matching info block with a mig for the current mode of upgrade?
 
 
-### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeAdd
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveRemove
 
-This event sends compatibility database information about entries requiring reinstallation after an upgrade on the system that are not keyed by either applications or devices, to help keep Windows up-to-date.
+This event Indicates that the DecisionMatchingInfoPassive object is no longer present.
 
 The following fields are available:
 
-- **AppraiserVersion**  The version of the appraiser file generating the events.
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveStartSync
+
+This event indicates that a new set of DecisionMatchingInfoPassiveAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
 
 
 ### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeAdd
@@ -444,93 +714,46 @@ The following fields are available:
 - **SdbReinstallUpgrade**  The file is tagged as needing to be reinstalled after upgrade in the compatibility database (but is not blocking upgrade).
 
 
-### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpAdd
+### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeRemove
 
-This event sends compatibility data for a PNP device, to help keep Windows up-to-date.
-
-The following fields are available:
-
-- **ActiveNetworkConnection**  Is the device an active network device?
-- **AppraiserVersion**  The version of the appraiser file generating the events.
-- **IsBootCritical**  Is the device boot critical?
-- **WuDriverCoverage**  Is there a driver uplevel for this device according to Windows Update?
-- **WuDriverUpdateId**  The Windows Update ID of the applicable uplevel driver.
-- **WuPopulatedFromId**  The expected uplevel driver matching ID based on driver coverage from Windows Update.
-
-
-### Microsoft.Windows.Appraiser.General.DecisionDevicePnpAdd
-
-This event sends compatibility decision data about a PNP device to help keep Windows up-to-date.
-
-The following fields are available:
-
-- **AssociatedDriverWillNotMigrate** Will the driver associated with this plug-and-play device migrate?
-- **AppraiserVersion**  The version of the appraiser file generating the events.
-- **AssociatedDriverIsBlocked**  Is the driver associated with this PNP device blocked?
-- **BlockAssociatedDriver**  Should the driver associated with this PNP device be blocked?
-- **BlockingDevice**  Is this PNP device blocking upgrade?
-- **BlockUpgradeIfDriverBlocked**  Is the PNP device both boot critical and does not have a driver included with the OS?
-- **BlockUpgradeIfDriverBlockedAndOnlyActiveNetwork**  Is this PNP device the only active network device?
-- **DisplayGenericMessage**  Will a generic message be shown during Setup for this PNP device?
-- **DriverAvailableInbox**  Is a driver included with the operating system for this PNP device?
-- **DriverAvailableOnline**  Is there a driver for this PNP device on Windows Update?
-- **DriverAvailableUplevel**  Is there a driver on Windows Update or included with the operating system for this PNP device?
-- **DriverBlockOverridden**  Is there is a driver block on the device that has been overridden?
-- **NeedsDismissAction**  Will the user would need to dismiss a warning during Setup for this device?
-- **NotRegressed**  Does the device have a problem code on the source OS that is no better than the one it would have on the target OS?
-- **SdbDeviceBlockUpgrade**  Is there an SDB block on the PNP device that blocks upgrade?
-- **SdbDriverBlockOverridden**  Is there an SDB block on the PNP device that blocks upgrade, but that block was overridden?
-
-
-### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageAdd
-
-This event sends compatibility database data about driver packages to help keep Windows up-to-date.
-
-The following fields are available:
-
-- **AppraiserVersion**  The version of the appraiser file generating the events.
-
-### Microsoft.Windows.Appraiser.General.DecisionDriverPackageAdd
-
-This event sends decision data about driver package compatibility to help keep Windows up-to-date.
-
-The following fields are available:
-
-- **AppraiserVersion**  The version of the appraiser file generating the events.
-- **DriverBlockOverridden**  Does the driver package have an SDB block that blocks it from migrating, but that block has been overridden?
-- **DriverIsDeviceBlocked**  Was the driver package was blocked because of a device block?
-- **DriverIsDriverBlocked**  Is the driver package blocked because of a driver block?
-- **DriverShouldNotMigrate**  Should the driver package be migrated during upgrade?
-- **SdbDriverBlockOverridden**  Does the driver package have an SDB block that blocks it from migrating, but that block has been overridden?
-
-
-### Microsoft.Windows.Appraiser.General.InventorySystemBiosAdd
-
-This event sends basic metadata about the BIOS to determine whether it has a compatibility block.
+This event indicates that the DecisionMatchingInfoPostUpgrade object is no longer present.
 
 The following fields are available:
 
 - **AppraiserVersion**  The version of the Appraiser file that is generating the events.
-- **BiosDate**  The release date of the BIOS in UTC format.
-- **BiosName**  The name field from Win32_BIOS.
-- **Manufacturer**  The manufacturer field from Win32_ComputerSystem.
-- **Model**  The model field from Win32_ComputerSystem.
 
 
-### Microsoft.Windows.Appraiser.General.SystemMemoryAdd
+### Microsoft.Windows.Appraiser.General.DecisionMediaCenterAdd
 
-This event sends data on the amount of memory on the system and whether it meets requirements, to help keep Windows up-to-date.
+This event sends decision data about the presence of Windows Media Center, to help keep Windows up-to-date.
 
 The following fields are available:
 
 - **AppraiserVersion**  The version of the Appraiser file generating the events.
-- **Blocking**  Is the device from upgrade due to memory restrictions?
-- **MemoryRequirementViolated**  Was a memory requirement violated?
-- **pageFile**  The current committed memory limit for the system or the current process, whichever is smaller (in bytes).
-- **ram**  The amount of memory on the device.
-- **ramKB**  The amount of memory (in KB).
-- **virtual**  The size of the user-mode portion of the virtual address space of the calling process (in bytes).
-- **virtualKB**  The amount of virtual memory (in KB).
+- **BlockingApplication**  Is there any application issues that interfere with upgrade due to Windows Media Center?
+- **MediaCenterActivelyUsed**  If Windows Media Center is supported on the edition, has it been run at least once and are the MediaCenterIndicators are true?
+- **MediaCenterIndicators**  Do any indicators imply that Windows Media Center is in active use?
+- **MediaCenterInUse**  Is Windows Media Center actively being used?
+- **MediaCenterPaidOrActivelyUsed**  Is Windows Media Center actively being used or is it running on a supported edition?
+- **NeedsDismissAction**  Are there any actions that can be dismissed coming from Windows Media Center?
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMediaCenterRemove
+
+This event indicates that the DecisionMediaCenter object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionMediaCenterStartSync
+
+This event indicates that a new set of DecisionMediaCenterAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
 
 
 ### Microsoft.Windows.Appraiser.General.DecisionSystemBiosAdd
@@ -544,101 +767,77 @@ The following fields are available:
 - **HasBiosBlock**  Does the device have a BIOS block?
 
 
-### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosAdd
+### Microsoft.Windows.Appraiser.General.DecisionSystemBiosRemove
 
-This event sends compatibility database information about the BIOS to help keep Windows up-to-date.
+This event indicates that the DecisionSystemBios object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.DecisionSystemBiosStartSync
+
+This event indicates that a new set of DecisionSystemBiosAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.GatedRegChange
+
+This event sends data about the results of running a set of quick-blocking instructions, to help keep Windows up to date.
+
+The following fields are available:
+
+- **NewData**  The data in the registry value after the scan completed.
+- **OldData**  The previous data in the registry value before the scan ran.
+- **PCFP**  An ID for the system calculated by hashing hardware identifiers.
+- **RegKey**  The registry key name for which a result is being sent.
+- **RegValue**  The registry value for which a result is being sent.
+- **Time**  The client time of the event.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryApplicationFileAdd
+
+This event represents the basic metadata about a file on the system.  The file must be part of an app and either have a block in the compatibility database or are part of an anti-virus program.
 
 The following fields are available:
 
 - **AppraiserVersion**  The version of the Appraiser file generating the events.
-- **SdbEntries**  An array of fields indicating the SDB entries that apply to this BIOS.
-
-### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeAdd
-
-This event sends data indicating whether the system supports the CompareExchange128 CPU requirement, to help keep Windows up to date.
-
-The following fields are available:
-
-- **AppraiserVersion**  The version of the Appraiser file generating the events.
-- **Blocking**  Is the upgrade blocked due to the processor?
-- **CompareExchange128Support**  Does the CPU support CompareExchange128?
+- **BinaryType**  A binary type. Example: UNINITIALIZED, ZERO_BYTE, DATA_ONLY, DOS_MODULE, NE16_MODULE, PE32_UNKNOWN, PE32_I386, PE32_ARM, PE64_UNKNOWN, PE64_AMD64, PE64_ARM64, PE64_IA64, PE32_CLR_32, PE32_CLR_IL, PE32_CLR_IL_PREFER32, PE64_CLR_64
+- **BinFileVersion**  An attempt to clean up FileVersion at the client that tries to place the version into 4 octets.
+- **BinProductVersion**  An attempt to clean up ProductVersion at the client that tries to place the version into 4 octets.
+- **BoeProgramId**  If there is no entry in Add/Remove Programs, this is the ProgramID that is generated from the file metadata.
+- **CompanyName**  The company name of the vendor who developed this file.
+- **FileId**  A hash that uniquely identifies a file.
+- **FileVersion**  The File version field from the file metadata under Properties -> Details.
+- **LinkDate**  The date and time that this file was linked on.
+- **LowerCaseLongPath**  The full file path to the file that was inventoried on the device.
+- **Name**  The name of the file that was inventoried.
+- **ProductName**  The Product name field from the file metadata under Properties -> Details.
+- **ProductVersion**  The Product version field from the file metadata under Properties -> Details.
+- **ProgramId**  A hash of the Name, Version, Publisher, and Language of an application used to identify it.
+- **Size**  The size of the file (in hexadecimal bytes).
 
 
-### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfAdd
+### Microsoft.Windows.Appraiser.General.InventoryApplicationFileRemove
 
-This event sends data indicating whether the system supports the LahfSahf CPU requirement, to help keep Windows up-to-date.
-
-The following fields are available:
-
-- **AppraiserVersion**  The version of the Appraiser file generating the events.
-- **Blocking**  Is the upgrade blocked due to the processor?
-- **LahfSahfSupport**  Does the CPU support LAHF/SAHF?
-
-### Microsoft.Windows.Appraiser.General.SystemProcessorNxAdd
-
-This event sends data indicating whether the system supports the NX CPU requirement, to help keep Windows up-to-date.
+This event indicates that the InventoryApplicationFile object is no longer present.
 
 The following fields are available:
 
 - **AppraiserVersion**  The version of the Appraiser file that is generating the events.
-- **Blocking**  Is the upgrade blocked due to the processor?
-- **NXDriverResult**  The result of the driver used to do a non-deterministic check for NX support.
-- **NXProcessorSupport**  Does the processor support NX?
 
 
-### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWAdd
+### Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync
 
-This event sends data indicating whether the system supports the PrefetchW CPU requirement, to help keep Windows up-to-date.
+This event indicates indicates that a new set of InventoryApplicationFileAdd events will be sent.
 
 The following fields are available:
 
 - **AppraiserVersion**  The version of the Appraiser file that is generating the events.
-- **Blocking**  Is the upgrade blocked due to the processor?
-- **PrefetchWSupport**  Does the processor support PrefetchW?
-
-
-### Microsoft.Windows.Appraiser.General.SystemProcessorSse2Add
-
-This event sends data indicating whether the system supports the SSE2 CPU requirement, to help keep Windows up-to-date.
-
-The following fields are available:
-
-- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
-- **Blocking**  Is the upgrade blocked due to the processor?
-- **SSE2ProcessorSupport**  Does the processor support SSE2?
-
-
-### Microsoft.Windows.Appraiser.General.SystemWimAdd
-
-This event sends data indicating whether the operating system is running from a compressed WIM file, to help keep Windows up-to-date.
-
-The following fields are available:
-
-- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
-- **IsWimBoot**  Is the current operating system running from a compressed WIM file?
-- **RegistryWimBootValue**  The raw value from the registry that is used to indicate if the device is running from a WIM.
-
-
-### Microsoft.Windows.Appraiser.General.SystemTouchAdd
-
-This event sends data indicating whether the system supports touch, to help keep Windows up-to-date.
-
-The following fields are available:
-
-- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
-- **IntegratedTouchDigitizerPresent**  Is there an integrated touch digitizer?
-- **MaximumTouches**  The maximum number of touch points supported by the device hardware.
-
-
-### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusAdd
-
-This event sends data indicating whether the current operating system is activated, to help keep Windows up-to-date.
-
-The following fields are available:
-
-- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
-- **WindowsIsLicensedApiValue**  The result from the API that's used to indicate if operating system is activated.
-- **WindowsNotActivatedDecision**  Is the current operating system activated?
 
 
 ### Microsoft.Windows.Appraiser.General.InventoryLanguagePackAdd
@@ -652,19 +851,22 @@ The following fields are available:
 - **LanguagePackCount**  How many language packs are installed?
 
 
-### Microsoft.Windows.Appraiser.General.SystemWlanAdd
+### Microsoft.Windows.Appraiser.General.InventoryLanguagePackRemove
 
-This event sends data indicating whether the system has WLAN, and if so, whether it uses an emulated driver that could block an upgrade, to help keep Windows up-to-date.
+This event indicates that the InventoryLanguagePack object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryLanguagePackStartSync
+
+This event indicates that a new set of InventoryLanguagePackAdd events will be sent.
 
 The following fields are available:
 
 - **AppraiserVersion**  The version of the Appraiser file that is generating the events.
-- **Blocking**  Is the upgrade blocked because of an emulated WLAN driver?
-- **HasWlanBlock**  Does the emulated WLAN driver have an upgrade block?
-- **WlanEmulatedDriver**  Does the device have an emulated WLAN driver?
-- **WlanExists**  Does the device support WLAN at all?
-- **WlanModulePresent**  Are any WLAN modules present?
-- **WlanNativeDriver**  Does the device have a non-emulated WLAN driver?
 
 
 ### Microsoft.Windows.Appraiser.General.InventoryMediaCenterAdd
@@ -683,75 +885,62 @@ The following fields are available:
 - **IsSupported**  Does the running OS support Windows Media Center?
 
 
-### Microsoft.Windows.Appraiser.General.DecisionMediaCenterAdd
+### Microsoft.Windows.Appraiser.General.InventoryMediaCenterRemove
 
-This event sends decision data about the presence of Windows Media Center, to help keep Windows up-to-date.
+This event indicates that the InventoryMediaCenter object is no longer present.
 
 The following fields are available:
 
-- **AppraiserVersion**  The version of the Appraiser file generating the events.
-- **BlockingApplication**  Is there any application issues that interfere with upgrade due to Windows Media Center?
-- **MediaCenterActivelyUsed**  If Windows Media Center is supported on the edition, has it been run at least once and are the MediaCenterIndicators are true?
-- **MediaCenterIndicators**  Do any indicators imply that Windows Media Center is in active use?
-- **MediaCenterInUse**  Is Windows Media Center actively being used?
-- **MediaCenterPaidOrActivelyUsed**  Is Windows Media Center actively being used or is it running on a supported edition?
-- **NeedsDismissAction**  Are there any actions that can be dismissed coming from Windows Media Center?
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
 
 
-### Microsoft.Windows.Appraiser.General.ChecksumTotalPictureCount
+### Microsoft.Windows.Appraiser.General.InventoryMediaCenterStartSync
 
-This event lists the types of objects and how many of each exist on the client device. This allows for a quick way to ensure that the records present on the server match what is present on the client.
+This event indicates that a new set of InventoryMediaCenterAdd events will be sent.
 
 The following fields are available:
 
-- **DatasourceApplicationFile_RS2**  The total DatasourceApplicationFile objects targeting Windows 10 version 1703 present on this device.
-- **DatasourceDevicePnp_RS2**  The total DatasourceDevicePnp objects targeting Windows 10 version 1703 present on this device.
-- **DatasourceDriverPackage_RS2**  The total DatasourceDriverPackage objects targeting Windows 10 version 1703 present on this device.
-- **DataSourceMatchingInfoBlock_RS2**  The total DataSourceMatchingInfoBlock objects targeting Windows 10 version 1703 present on this device.
-- **DataSourceMatchingInfoPassive_RS2**  The total DataSourceMatchingInfoPassive objects targeting Windows 10 version 1703 present on this device.
-- **DataSourceMatchingInfoPostUpgrade_RS2**  The total DataSourceMatchingInfoPostUpgrade objects targeting Windows 10 version 1703 present on this device.
-- **DatasourceSystemBios_RS2**  The total DatasourceSystemBios objects targeting Windows 10 version 1703 present on this device.
-- **DecisionApplicationFile_RS2**  The total DecisionApplicationFile objects targeting Windows 10 version 1703 present on this device.
-- **DecisionDevicePnp_RS2**  The total DecisionDevicePnp objects targeting Windows 10 version 1703 present on this device.
-- **DecisionDriverPackage_RS2**  The total DecisionDriverPackage objects targeting Windows 10 version 1703 present on this device.
-- **DecisionMatchingInfoBlock_RS2**  The total DecisionMatchingInfoBlock objects targeting Windows 10 version 1703 present on this device.
-- **DecisionMatchingInfoPassive_RS2**  The total DecisionMatchingInfoPassive objects targeting Windows 10 version 1703 present on this device.
-- **DecisionMatchingInfoPostUpgrade_RS2**  The total DecisionMatchingInfoPostUpgrade objects targeting Windows 10 version 1703 present on this device.
-- **DecisionMediaCenter_RS2**  The total DecisionMediaCenter objects targeting Windows 10 version 1703 present on this device.
-- **DecisionSystemBios_RS2**  The total DecisionSystemBios objects targeting Windows 10 version 1703 present on this device.
-- **InventoryApplicationFile**  The total InventoryApplicationFile objects that are present on this device.
-- **InventoryLanguagePack**  The total InventoryLanguagePack objects that are present on this device.
-- **InventoryMediaCenter**  The total InventoryMediaCenter objects that are present on this device.
-- **InventorySystemBios**  The total InventorySystemBios objects that are present on this device.
-- **InventoryUplevelDriverPackage**  The total InventoryUplevelDriverPackage objects that are present on this device.
-- **PCFP**  An ID for the system that is calculated by hashing hardware identifiers.
-- **SystemMemory**  The total SystemMemory objects that are present on this device.
-- **SystemProcessorCompareExchange**  The total SystemProcessorCompareExchange objects that are present on this device.
-- **SystemProcessorLahfSahf**  The total SystemProcessorLahfSahf objects that are present on this device.
-- **SystemProcessorNx**  The total SystemProcessorNx objects that are present on this device.
-- **SystemProcessorPrefetchW**  The total SystemProcessorPrefetchW objects that are present on this device.
-- **SystemProcessorSse2**  The total SystemProcessorSse2 objects that are present on this device.
-- **SystemTouch**  The total SystemTouch objects that are present on this device.
-- **SystemWim**  The total SystemWim objects that are present on this device
-- **SystemWindowsActivationStatus**  The total SystemWindowsActivationStatus objects that are present on this device.
-- **SystemWlan**  The total SystemWlan objects that are present on this device.
-- **Wmdrm_RS2**  The total Wmdrm objects targeting Windows 10 version 1703 present on this device.
-- **DatasourceApplicationFile_RS3**  "The total DecisionApplicationFile objects targeting the next release of Windows on this device. "
-- **DatasourceDevicePnp_RS3**  The total DatasourceDevicePnp objects targeting the next release of Windows on this device.
-- **DatasourceDriverPackage_RS3**  The total DatasourceDriverPackage objects targeting the next release of Windows on this device.
-- **DataSourceMatchingInfoBlock_RS3**  The total DataSourceMatchingInfoBlock objects targeting the next release of Windows on this device.
-- **DataSourceMatchingInfoPassive_RS3**  The total DataSourceMatchingInfoPassive objects targeting the next release of Windows on this device.
-- **DataSourceMatchingInfoPostUpgrade_RS3**  The total DataSourceMatchingInfoPostUpgrade objects targeting the next release of Windows on this device.
-- **DatasourceSystemBios_RS3**  The total DatasourceSystemBios objects targeting the next release of Windows on this device.
-- **DecisionApplicationFile_RS3**  The total DecisionApplicationFile objects targeting the next release of Windows on this device.
-- **DecisionDevicePnp_RS3**  The total DecisionDevicePnp objects targeting the next release of Windows on this device.
-- **DecisionDriverPackage_RS3**  The total DecisionDriverPackage objects targeting the next release of Windows on this device.
-- **DecisionMatchingInfoBlock_RS3**  The total DecisionMatchingInfoBlock objects targeting the next release of Windows on this device.
-- **DecisionMatchingInfoPassive_RS3**  The total DataSourceMatchingInfoPassive objects targeting the next release of Windows on this device.
-- **DecisionMatchingInfoPostUpgrade_RS3**  The total DecisionMatchingInfoPostUpgrade objects targeting the next release of Windows on this device.
-- **DecisionMediaCenter_RS3**  The total DecisionMediaCenter objects targeting the next release of Windows on this device.
-- **DecisionSystemBios_RS3**  The total DecisionSystemBios objects targeting the next release of Windows on this device.
-- **Wmdrm_RS3**  The total Wmdrm objects targeting the next release of Windows on this device.
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventorySystemBiosAdd
+
+This event sends basic metadata about the BIOS to determine whether it has a compatibility block.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+- **BiosDate**  The release date of the BIOS in UTC format.
+- **BiosName**  The name field from Win32_BIOS.
+- **Manufacturer**  The manufacturer field from Win32_ComputerSystem.
+- **Model**  The model field from Win32_ComputerSystem.
+
+
+### Microsoft.Windows.Appraiser.General.InventorySystemBiosRemove
+
+This event indicates that the InventorySystemBios object is no longer present. 
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventorySystemBiosStartSync
+
+This event indicates that a new set of InventorySystemBiosAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageRemove
+
+This event indicates that the InventoryUplevelDriverPackage object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
 
 
 ### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageStartSync
@@ -763,6 +952,103 @@ The following fields are available:
 - **AppraiserVersion**  The version of the Appraiser file that is generating the events.
 
 
+### Microsoft.Windows.Appraiser.General.RunContext
+
+This event indicates what should be expected in the data payload. 
+
+The following fields are available:
+
+- **AppraiserBranch**  The source branch in which the currently running version of Appraiser was built.
+- **AppraiserProcess**  The name of the process that launched Appraiser.
+- **AppraiserVersion**  The version of the Appraiser file generating the events.
+- **Context**  Indicates what mode Appraiser is running in. Example: Setup or Telemetry.
+- **PCFP**  An ID for the system calculated by hashing hardware identifiers.
+- **Time**  The client time of the event.
+
+
+### Microsoft.Windows.Appraiser.General.SystemMemoryAdd
+
+This event sends data on the amount of memory on the system and whether it meets requirements, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file generating the events.
+- **Blocking**  Is the device from upgrade due to memory restrictions?
+- **MemoryRequirementViolated**  Was a memory requirement violated?
+- **pageFile**  The current committed memory limit for the system or the current process, whichever is smaller (in bytes).
+- **ram**  The amount of memory on the device.
+- **ramKB**  The amount of memory (in KB).
+- **virtual**  The size of the user-mode portion of the virtual address space of the calling process (in bytes).
+- **virtualKB**  The amount of virtual memory (in KB).
+
+
+### Microsoft.Windows.Appraiser.General.SystemMemoryRemove
+
+This event that the SystemMemory object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemMemoryStartSync
+
+This event indicates that a new set of SystemMemoryAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeAdd
+
+This event sends data indicating whether the system supports the CompareExchange128 CPU requirement, to help keep Windows up to date.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file generating the events.
+- **Blocking**  Is the upgrade blocked due to the processor?
+- **CompareExchange128Support**  Does the CPU support CompareExchange128?
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeRemove
+
+This event indicates that the SystemProcessorCompareExchange object is no longer present. 
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeStartSync
+
+This event indicates that a new set of SystemProcessorCompareExchangeAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfAdd
+
+This event sends data indicating whether the system supports the LahfSahf CPU requirement, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file generating the events.
+- **Blocking**  Is the upgrade blocked due to the processor?
+- **LahfSahfSupport**  Does the CPU support LAHF/SAHF?
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfRemove
+
+This event indicates that the SystemProcessorLahfSahf object is no longer present. 
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
 ### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfStartSync
 
 This event indicates that a new set of SystemProcessorLahfSahfAdd events will be sent.
@@ -772,48 +1058,27 @@ The following fields are available:
 - **AppraiserVersion**  The version of the Appraiser file that is generating the events.
 
 
-### Microsoft.Windows.Appraiser.General.SystemProcessorSse2StartSync
+### Microsoft.Windows.Appraiser.General.SystemProcessorNxAdd
 
-This event indicates that a new set of SystemProcessorSse2Add events will be sent.
+This event sends data indicating whether the system supports the NX CPU requirement, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+- **Blocking**  Is the upgrade blocked due to the processor?
+- **NXDriverResult**  The result of the driver used to do a non-deterministic check for NX support.
+- **NXProcessorSupport**  Does the processor support NX?
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorNxRemove
+
+This event indicates that the SystemProcessorNx object is no longer present.
 
 The following fields are available:
 
 - **AppraiserVersion**  The version of the Appraiser file that is generating the events.
 
 
-### Microsoft.Windows.Appraiser.General.InventorySystemBiosStartSync
-
-This event indicates that a new set of InventorySystemBiosAdd events will be sent.
-
-The following fields are available:
-
-- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
-
-### Microsoft.Windows.Appraiser.General.DecisionSystemBiosStartSync
-
-This event indicates that a new set of DecisionSystemBiosAdd events will be sent.
-
-The following fields are available:
-
-- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
-
-
-### Microsoft.Windows.Appraiser.General.SystemMemoryStartSync
-
-This event indicates that a new set of SystemMemoryAdd events will be sent.
-
-The following fields are available:
-
-- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
-
-### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeStartSync
-
-This event indicates that a new set of SystemProcessorCompareExchangeAdd events will be sent.
-
-The following fields are available:
-
-- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
-
 ### Microsoft.Windows.Appraiser.General.SystemProcessorNxStartSync
 
 This event  indicates that a new set of SystemProcessorNxAdd events will be sent.
@@ -823,6 +1088,26 @@ The following fields are available:
 - **AppraiserVersion**  The version of the Appraiser file that is generating the events.
 
 
+### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWAdd
+
+This event sends data indicating whether the system supports the PrefetchW CPU requirement, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+- **Blocking**  Is the upgrade blocked due to the processor?
+- **PrefetchWSupport**  Does the processor support PrefetchW?
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWRemove
+
+This event indicates that the SystemProcessorPrefetchW object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
 ### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWStartSync
 
 This event indicates that a new set of SystemProcessorPrefetchWAdd events will be sent.
@@ -832,18 +1117,49 @@ The following fields are available:
 - **AppraiserVersion**  The version of the Appraiser file that is generating the events.
 
 
-### Microsoft.Windows.Appraiser.General.SystemWimStartSync
+### Microsoft.Windows.Appraiser.General.SystemProcessorSse2Add
 
-This event indicates that a new set of SystemWimAdd events will be sent.
+This event sends data indicating whether the system supports the SSE2 CPU requirement, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+- **Blocking**  Is the upgrade blocked due to the processor?
+- **SSE2ProcessorSupport**  Does the processor support SSE2?
+
+
+### Microsoft.Windows.Appraiser.General.SystemProcessorSse2Remove
+
+This event indicates that the SystemProcessorSse2 object is no longer present.
 
 The following fields are available:
 
 - **AppraiserVersion**  The version of the Appraiser file that is generating the events.
 
 
-### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosStartSync
+### Microsoft.Windows.Appraiser.General.SystemProcessorSse2StartSync
 
-This event indicates that a new set of DatasourceSystemBiosAdd events will be sent.
+This event indicates that a new set of SystemProcessorSse2Add events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemTouchAdd
+
+This event sends data indicating whether the system supports touch, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+- **IntegratedTouchDigitizerPresent**  Is there an integrated touch digitizer?
+- **MaximumTouches**  The maximum number of touch points supported by the device hardware.
+
+
+### Microsoft.Windows.Appraiser.General.SystemTouchRemove
+
+This event indicates that the SystemTouch object is no longer present. 
 
 The following fields are available:
 
@@ -859,9 +1175,67 @@ The following fields are available:
 - **AppraiserVersion**  The version of the Appraiser file that is generating the events.
 
 
-### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageEndSync
+### Microsoft.Windows.Appraiser.General.SystemWimAdd
 
-This event indicates that a full set of DatasourceDriverPackageAdd events has been sent.
+This event sends data indicating whether the operating system is running from a compressed WIM file, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+- **IsWimBoot**  Is the current operating system running from a compressed WIM file?
+- **RegistryWimBootValue**  The raw value from the registry that is used to indicate if the device is running from a WIM.
+
+
+### Microsoft.Windows.Appraiser.General.SystemWimRemove
+
+This event indicates that the SystemWim object is no longer present. 
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemWimStartSync
+
+This event indicates that a new set of SystemWimAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusAdd
+
+This event sends data indicating whether the current operating system is activated, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+- **WindowsIsLicensedApiValue**  The result from the API that's used to indicate if operating system is activated.
+- **WindowsNotActivatedDecision**  Is the current operating system activated?
+
+
+### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusRemove
+
+This event indicates that the SystemWindowsActivationStatus object is no longer present.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusStartSync
+
+This event indicates that a new set of SystemWindowsActivationStatusAdd events will be sent.
+
+The following fields are available:
+
+- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+
+
+### Microsoft.Windows.Appraiser.General.SystemWlanRemove
+
+This event indicates that the SystemWlan object is no longer present. 
 
 The following fields are available:
 
@@ -876,171 +1250,38 @@ The following fields are available:
 
 - **AppraiserVersion**  The version of the Appraiser file that is generating the events.
 
-### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusStartSync
 
-This event indicates that a new set of SystemWindowsActivationStatusAdd events will be sent.
+### Microsoft.Windows.Appraiser.General.TelemetryRunHealth
+
+A summary event indicating the parameters and result of a telemetry run. This allows the rest of the data sent over the course of the run to be properly contextualized and understood, which is then used to keep Windows up-to-date.
 
 The following fields are available:
 
-- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
-
-
-### Microsoft.Windows.Appraiser.General.DecisionMediaCenterStartSync
-
-This event indicates that a new set of DecisionMediaCenterAdd events will be sent.
-
-The following fields are available:
-
-- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
-
-
-### Microsoft.Windows.Appraiser.General.InventoryMediaCenterStartSync
-
-This event indicates that a new set of InventoryMediaCenterAdd events will be sent.
-
-The following fields are available:
-
-- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
-
-### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveStartSync
-
-This event indicates that a new set of DecisionMatchingInfoPassiveAdd events will be sent.
-
-The following fields are available:
-
-- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
-
-
-### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveStartSync
-
-This event indicates that a new set of DataSourceMatchingInfoPassiveAdd events will be sent.
-
-The following fields are available:
-
-- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
-
-
-### Microsoft.Windows.Appraiser.General.InventoryApplicationFileStartSync
-
-This event indicates indicates that a new set of InventoryApplicationFileAdd events will be sent.
-
-The following fields are available:
-
-- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
-
-
-### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeStartSync
-
-This event indicates that a new set of DecisionMatchingInfoPostUpgradeAdd events will be sent.
-
-The following fields are available:
-
-- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
-
-
-### Microsoft.Windows.Appraiser.General.WmdrmStartSync
-
-This event indicates that a new set of WmdrmAdd events will be sent.
-
-The following fields are available:
-
-- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
-
-### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveEndSync
-
-This event indicates that a full set of DataSourceMatchingInfoPassiveAdd events have been sent.
-
-The following fields are available:
-
-- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
-
-
-### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockStartSync
-
-This event indicates that a new set of DecisionMatchingInfoBlockAdd events will be sent.
-
-The following fields are available:
-
-- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
-
-
-### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileStartSync
-
-This event indicates that a new set of DatasourceApplicationFileAdd events will be sent.
-
-The following fields are available:
-
-- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
-
-### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpStartSync
-
-This event indicates that a new set of DatasourceDevicePnpAdd events will be sent.
-
-The following fields are available:
-
-- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
-
-
-### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockStartSync
-
-This event indicates that a full set of DataSourceMatchingInfoBlockStAdd events have been sent.
-
-The following fields are available:
-
-- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
-
-
-### Microsoft.Windows.Appraiser.General.DecisionApplicationFileStartSync
-
-This event indicates that a new set of DecisionApplicationFileAdd events will be sent.
-
-The following fields are available:
-
-- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
-
-
-### Microsoft.Windows.Appraiser.General.InventoryLanguagePackStartSync
-
-This event indicates that a new set of InventoryLanguagePackAdd events will be sent.
-
-The following fields are available:
-
-- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
-
-
-### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeStartSync
-
-This event indicates that a new set of DataSourceMatchingInfoPostUpgradeAdd events will be sent.
-
-The following fields are available:
-
-- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
-
-### Microsoft.Windows.Appraiser.General.DecisionDevicePnpStartSync
-
-This event indicates that the DecisionDevicePnp object is no longer present.
-
-The following fields are available:
-
-- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
-
-
-### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageStartSync
-
-This event indicates that a new set of DatasourceDriverPackageAdd events will be sent.
-
-The following fields are available:
-
-- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
-
-
-### Microsoft.Windows.Appraiser.General.DecisionDriverPackageStartSync
-
-This event indicates that a new set of DecisionDriverPackageAdd events will be sent.
-
-The following fields are available:
-
-- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
+- **AppraiserBranch**  The source branch in which the version of Appraiser that is running was built.
+- **AppraiserDataVersion**  The version of the data files being used by the Appraiser telemetry run.
+- **AppraiserProcess**  The name of the process that launched Appraiser.
+- **AppraiserVersion**  The file version (major, minor and build) of the Appraiser DLL, concatenated without dots.
+- **AuxFinal**  Obsolete, always set to false
+- **AuxInitial**  Obsolete, indicates if Appraiser is writing data files to be read by the Get Windows 10 app.
+- **DeadlineDate**  A timestamp representing the deadline date, which is the time until which appraiser will wait to do a full scan.
+- **EnterpriseRun**  Indicates if the telemetry run is an enterprise run, which means appraiser was run from the command line with an extra enterprise parameter.
+- **FullSync**  Indicates if Appraiser is performing a full sync, which means that full set of events representing the state of the machine are sent. Otherwise, only the changes from the previous run are sent.
+- **InventoryFullSync**  Indicates if inventory is performing a full sync, which means that the full set of events representing the inventory of machine are sent.
+- **PCFP**  An ID for the system calculated by hashing hardware identifiers.
+- **PerfBackoff**  Indicates if the run was invoked with logic to stop running when a user is present. Helps to understand why a run may have a longer elapsed time than normal.
+- **PerfBackoffInsurance**  Indicates if appraiser is running without performance backoff because it has run with perf backoff and failed to complete several times in a row.
+- **RunAppraiser**  Indicates if Appraiser was set to run at all. If this if false, it is understood that data events will not be received from this device.
+- **RunDate**  The date that the telemetry run was stated, expressed as a filetime.
+- **RunGeneralTel**  Indicates if the generaltel.dll component was run. Generaltel collects additional telemetry on an infrequent schedule and only from machines at telemetry levels higher than Basic.
+- **RunOnline**  Indicates if appraiser was able to connect to Windows Update and theefore is making decisions using up-to-date driver coverage information.
+- **RunResult**  The hresult of the Appraiser telemetry run.
+- **SendingUtc**  Indicates if the Appraiser client is sending events during the current telemetry run.
+- **StoreHandleIsNotNull**  Obsolete, always set to false
+- **TelementrySent**  Indicates if telemetry was successfully sent.
+- **ThrottlingUtc**  Indicates if the Appraiser client is throttling its output of CUET events to avoid being disabled. This increases runtime but also telemetry reliability.
+- **Time**  The client time of the event.
+- **VerboseMode**  Indicates if appraiser ran in Verbose mode, which is a test-only mode with extra logging.
+- **WhyFullSyncWithoutTablePrefix**  Indicates the reason or reasons that a full sync was generated.
 
 
 ### Microsoft.Windows.Appraiser.General.WmdrmAdd
@@ -1059,257 +1300,6 @@ The following fields are available:
 - **WmdrmNonPermanent**  Indicates if the system has any files with non-permanent licenses.
 - **WmdrmPurchased**  Indicates if the system has any files with permanent licenses.
 
-### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageAdd
-
-This event is only runs during setup. It provides a listing of the uplevel driver packages that were downloaded before the upgrade. Is critical to understanding if failures in setup can be traced to not having sufficient uplevel drivers before the upgrade.
-
-The following fields are available:
-
-- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
-- **BootCritical**  Is the driver package marked as boot critical?
-- **Build**  The build value from the driver package.
-- **CatalogFile**  The name of the catalog file within the driver package.
-- **Class**  The device class from the driver package.
-- **ClassGuid**  The device class GUID from the driver package.
-- **Date**  The date from the driver package.
-- **Inbox**  Is the driver package of a driver that is included with Windows?
-- **OriginalName**  The original name of the INF file before it was renamed. Generally a path under $WINDOWS.~BT\Drivers\DU
-- **Provider**  The provider of the driver package.
-- **PublishedName**  The name of the INF file, post-rename.
-- **Revision**  The revision of the driver package.
-- **SignatureStatus**  Indicates if the driver package is signed. Unknown:0, Unsigned:1, Signed: 2
-- **VersionMajor**  The major version of the driver package.
-- **VersionMinor**  The minor version of the driver package.
-
-### Microsoft.Windows.Appraiser.General.GatedRegChange
-
-This event sends data about the results of running a set of quick-blocking instructions, to help keep Windows up to date.
-
-The following fields are available:
-
-- **NewData**  The data in the registry value after the scan completed.
-- **OldData**  The previous data in the registry value before the scan ran.
-- **PCFP**  An ID for the system calculated by hashing hardware identifiers.
-- **RegKey**  The registry key name for which a result is being sent.
-- **RegValue**  The registry value for which a result is being sent.
-- **Time**  The client time of the event.
-
-
-### Microsoft.Windows.Appraiser.General.DatasourceApplicationFileRemove
-
-This event indicates that the DatasourceApplicationFile object is no longer present.
-
-The following fields are available:
-
-- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
-
-
-### Microsoft.Windows.Appraiser.General.DatasourceDevicePnpRemove
-
-This event indicates that the DatasourceDevicePnp object is no longer present.
-
-The following fields are available:
-
-- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
-
-
-### Microsoft.Windows.Appraiser.General.DatasourceDriverPackageRemove
-
-This event indicates that the DatasourceDriverPackage object is no longer present.
-
-The following fields are available:
-
-- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
-
-
-### Microsoft.Windows.Appraiser.General.SystemProcessorSse2Remove
-
-This event indicates that the SystemProcessorSse2 object is no longer present.
-
-The following fields are available:
-
-- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
-
-
-### Microsoft.Windows.Appraiser.General.InventoryUplevelDriverPackageRemove
-
-This event indicates that the InventoryUplevelDriverPackage object is no longer present.
-
-The following fields are available:
-
-- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
-
-
-### Microsoft.Windows.Appraiser.General.DecisionMediaCenterRemove
-
-This event indicates that the DecisionMediaCenter object is no longer present.
-
-The following fields are available:
-
-- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
-
-
-### Microsoft.Windows.Appraiser.General.InventoryMediaCenterRemove
-
-This event indicates that the InventoryMediaCenter object is no longer present.
-
-The following fields are available:
-
-- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
-
-
-### Microsoft.Windows.Appraiser.General.DatasourceSystemBiosRemove
-
-This event indicates that the DatasourceSystemBios object is no longer present.
-
-The following fields are available:
-
-- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
-
-
-### Microsoft.Windows.Appraiser.General.DecisionApplicationFileRemove
-
-This event indicates Indicates that the DecisionApplicationFile object is no longer present.
-
-The following fields are available:
-
-- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
-
-
-### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPostUpgradeRemove
-
-This event indicates that the DecisionMatchingInfoPostUpgrade object is no longer present.
-
-The following fields are available:
-
-- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
-
-
-### Microsoft.Windows.Appraiser.General.SystemTouchRemove
-
-"This event indicates that the SystemTouch object is no longer present. "
-
-The following fields are available:
-
-- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
-
-
-### Microsoft.Windows.Appraiser.General.SystemWindowsActivationStatusRemove
-
-This event indicates that the SystemWindowsActivationStatus object is no longer present.
-
-The following fields are available:
-
-- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
-
-
-### Microsoft.Windows.Appraiser.General.SystemWlanRemove
-
-"This event indicates that the SystemWlan object is no longer present. "
-
-The following fields are available:
-
-- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
-
-
-### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPostUpgradeRemove
-
-This event indicates that the DataSourceMatchingInfoPostUpgrade object is no longer present.
-
-The following fields are available:
-
-- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
-
-
-### Microsoft.Windows.Appraiser.General.SystemProcessorNxRemove
-
-This event indicates that the SystemProcessorNx object is no longer present.
-
-The following fields are available:
-
-- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
-
-
-### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoBlockRemove
-
-This event indicates that the DataSourceMatchingInfoBlock object is no longer present.
-
-The following fields are available:
-
-- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
-
-
-### Microsoft.Windows.Appraiser.General.DecisionDevicePnpRemove
-
-This event indicates that the DecisionDevicePnp object is no longer present.
-
-The following fields are available:
-
-- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
-
-
-### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoPassiveRemove
-
-This event Indicates that the DecisionMatchingInfoPassive object is no longer present.
-
-The following fields are available:
-
-- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
-
-
-### Microsoft.Windows.Appraiser.General.SystemMemoryRemove
-
-This event that the SystemMemory object is no longer present.
-
-The following fields are available:
-
-- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
-
-
-### Microsoft.Windows.Appraiser.General.DecisionMatchingInfoBlockRemove
-
-This event indicates that the DecisionMatchingInfoBlock object is no longer present.
-
-The following fields are available:
-
-- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
-
-
-### Microsoft.Windows.Appraiser.General.DataSourceMatchingInfoPassiveRemove
-
-This event indicates that the DataSourceMatchingInfoPassive object is no longer present.
-
-The following fields are available:
-
-- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
-
-
-### Microsoft.Windows.Appraiser.General.InventoryApplicationFileRemove
-
-This event indicates that the InventoryApplicationFile object is no longer present.
-
-The following fields are available:
-
-- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
-
-
-### Microsoft.Windows.Appraiser.General.SystemWimRemove
-
-"This event indicates that the SystemWim object is no longer present. "
-
-The following fields are available:
-
-- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
-
-
-### Microsoft.Windows.Appraiser.General.InventorySystemBiosRemove
-
-"This event indicates that the InventorySystemBios object is no longer present. "
-
-The following fields are available:
-
-- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
-
 
 ### Microsoft.Windows.Appraiser.General.WmdrmRemove
 
@@ -1320,70 +1310,27 @@ The following fields are available:
 - **AppraiserVersion**  The version of the Appraiser file that is generating the events.
 
 
-### Microsoft.Windows.Appraiser.General.SystemProcessorLahfSahfRemove
+### Microsoft.Windows.Appraiser.General.WmdrmStartSync
 
-"This event indicates that the SystemProcessorLahfSahf object is no longer present. "
+This event indicates that a new set of WmdrmAdd events will be sent.
 
 The following fields are available:
 
 - **AppraiserVersion**  The version of the Appraiser file that is generating the events.
 
 
-### Microsoft.Windows.Appraiser.General.InventoryLanguagePackRemove
-
-This event indicates that the InventoryLanguagePack object is no longer present.
-
-The following fields are available:
-
-- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
-
-
-### Microsoft.Windows.Appraiser.General.DecisionDriverPackageRemove
-
-This event indicates that the DecisionDriverPackage object is no longer present.
-
-The following fields are available:
-
-- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
-
-
-### Microsoft.Windows.Appraiser.General.DecisionSystemBiosRemove
-
-This event indicates that the DecisionSystemBios object is no longer present.
-
-The following fields are available:
-
-- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
-
-
-### Microsoft.Windows.Appraiser.General.SystemProcessorCompareExchangeRemove
-
-"This event indicates that the SystemProcessorCompareExchange object is no longer present. "
-
-The following fields are available:
-
-- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
-
-
-### Microsoft.Windows.Appraiser.General.SystemProcessorPrefetchWRemove
-
-This event indicates that the SystemProcessorPrefetchW object is no longer present.
-
-The following fields are available:
-
-- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
-
-
-### Microsoft.Windows.Appraiser.General.InventoryDriverBinaryEndSync
-
-This event indicates that a full set of InventoryDriverBinaryAdd events has been sent.
-
-The following fields are available:
-
-- **AppraiserVersion**  The version of the Appraiser file that is generating the events.
-
 ## Census events
 
+### Census.App
+
+This event sends version data about the Apps running on this device, to help keep Windows up to date.
+
+The following fields are available:
+
+- **CensusVersion**  The version of Census that generated the current data for this device.
+- **IEVersion**  Retrieves which version of Internet Explorer is running on this device.
+
+
 ### Census.Battery
 
 This event sends type and capacity data about the battery on the device, as well as the number of connected standby devices in use, type to help keep Windows up to date.
@@ -1397,6 +1344,16 @@ The following fields are available:
 - **IsAlwaysOnAlwaysConnectedCapable**  Represents whether the battery enables the device to be AlwaysOnAlwaysConnected . Boolean value.
 
 
+### Census.Camera
+
+This event sends data about the resolution of cameras on the device, to help keep Windows up to date.
+
+The following fields are available:
+
+- **FrontFacingCameraResolution**  Represents the resolution of the front facing camera in megapixels. If a front facing camera does not exist, then the value is 0.
+- **RearFacingCameraResolution**  Represents the resolution of the rear facing camera in megapixels. If a rear facing camera does not exist, then the value is 0.
+
+
 ### Census.Enterprise
 
 This event sends data about Azure presence, type, and cloud domain use in order to provide an understanding of the use and integration of devices in an enterprise, cloud, and server environment.
@@ -1408,7 +1365,7 @@ The following fields are available:
 - **CDJType**  Represents the type of cloud domain joined for the machine.
 - **CommercialId**  Represents the GUID for the commercial entity which the device is a member of.  Will be used to reflect insights back to customers.
 - **ContainerType**  The type of container, such as process or virtual machine hosted.
-- **EnrollmentType** Represents the type of enrollment, such as MDM or Intune, for a particular device.
+- **EnrollmentType**  Defines the type of MDM enrollment on the device.
 - **HashedDomain**  The hashed representation of the user domain used for login.
 - **IsCloudDomainJoined**  Is this device joined to an Azure Active Directory (AAD) tenant? true/false
 - **IsDERequirementMet**  Represents if the device can do device encryption.
@@ -1422,48 +1379,6 @@ The following fields are available:
 - **SystemCenterID**  The SCCM ID is an anonymized one-way hash of the Active Directory Organization identifier
 
 
-### Census.App
-
-This event sends version data about the Apps running on this device, to help keep Windows up to date.
-
-The following fields are available:
-
-- **CensusVersion**  The version of Census that generated the current data for this device.
-- **IEVersion**  Retrieves which version of Internet Explorer is running on this device.
-
-
-### Census.Camera
-
-This event sends data about the resolution of cameras on the device, to help keep Windows up to date.
-
-The following fields are available:
-
-- **FrontFacingCameraResolution**  Represents the resolution of the front facing camera in megapixels. If a front facing camera does not exist, then the value is 0.
-- **RearFacingCameraResolution**  Represents the resolution of the rear facing camera in megapixels. If a rear facing camera does not exist, then the value is 0.
-
-
-### Census.UserDisplay
-
-This event sends data about the logical/physical display size, resolution and number of internal/external displays, and VRAM on the system, to help keep Windows up to date.
-
-The following fields are available:
-
-- **InternalPrimaryDisplayLogicalDPIX**  Retrieves the logical DPI in the x-direction of the internal display.
-- **InternalPrimaryDisplayLogicalDPIY**  Retrieves the logical DPI in the y-direction of the internal display.
-- **InternalPrimaryDisplayPhysicalDPIX**  Retrieves the physical DPI in the x-direction of the internal display.
-- **InternalPrimaryDisplayPhysicalDPIY**  Retrieves the physical DPI in the y-direction of the internal display.
-- **InternalPrimaryDisplayResolutionHorizontal**  Retrieves the number of pixels in the horizontal direction of the internal display.
-- **InternalPrimaryDisplayResolutionVertical**  Retrieves the number of pixels in the vertical direction of the internal display.
-- **InternalPrimaryDisplaySizePhysicalH**  Retrieves the physical horizontal length of the display in mm. Used for calculating the diagonal length in inches .
-- **InternalPrimaryDisplaySizePhysicalY**  Retrieves the physical vertical length of the display in mm. Used for calculating the diagonal length in inches
-- **InternalPrimaryDisplayType**  Represents the type of technology used in the monitor, such as Plasma, LED, LCOS, etc.
-- **NumberofExternalDisplays**  Retrieves the number of external displays connected to the machine
-- **NumberofInternalDisplays**  Retrieves the number of internal displays in a machine.
-- **VRAMDedicated**  Retrieves the video RAM in MB.
-- **VRAMDedicatedSystem**  Retrieves the amount of memory on the dedicated video card.
-- **VRAMSharedSystem**  Retrieves the amount of RAM memory that the video card can use.
-
-
 ### Census.Firmware
 
 This event sends data about the BIOS and startup embedded in the device, to help keep Windows up to date.
@@ -1482,7 +1397,7 @@ This event sends Windows Insider data from customers participating in improvemen
 
 The following fields are available:
 
-- **DeviceSampleRate**  The diagnostic data sample rate assigned to the device.
+- **DeviceSampleRate**  The telemetry sample rate assigned to the device.
 - **EnablePreviewBuilds**  Used to enable Windows Insider builds on a device.
 - **FlightIds**  A list of the different Windows Insider builds on this device.
 - **FlightingBranchName**  The name of the Windows Insider branch currently used by the device.
@@ -1493,23 +1408,22 @@ The following fields are available:
 
 ### Census.Hardware
 
-This event sends data about the device, including hardware type, OEM brand, model line, model, diagnostic data level setting, and TPM support, to help keep Windows up-to-date.
+This event sends data about the device, including hardware type, OEM brand, model line, model, telemetry level setting, and TPM support, to help keep Windows up-to-date.
 
 The following fields are available:
 
 - **ActiveMicCount**  The number of active microphones attached to the device.
 - **ChassisType**  Represents the type of device chassis, such as desktop or low profile desktop. The possible values can range between 1 - 36.
 - **ComputerHardwareID**  Identifies a device class that is represented by a hash of different SMBIOS fields.
-- **D3DMaxFeatureLevel** The supported Direct3D version.
-- **DeviceColor**  Indicates a color of the device.
+- **D3DMaxFeatureLevel**  Supported Direct3D version.
 - **DeviceForm**  Indicates the form as per the device classification.
 - **DeviceName**  The device name that is set by the user.
 - **DigitizerSupport**  Is a digitizer supported?
 - **DUID**  The device unique ID.
-- **Gyroscope** Indicates whether the device has a gyroscope.
+- **Gyroscope**  Indicates whether the device has a gyroscope (a mechanical component that measures and maintains orientation).
 - **InventoryId**  The device ID used for compatibility testing.
-- **Magnetometer** Indicates whether the device has a magnetometer.
-- **NFCProximity** Indicates whether the device supports NFC.
+- **Magnetometer**  Indicates whether the device has a magnetometer (a mechanical component that works like a compass).
+- **NFCProximity**  Indicates whether the device supports NFC (a set of communication protocols that helps establish communication when applicable devices are brought close together.)
 - **OEMDigitalMarkerFileName**  The name of the file placed in the \Windows\system32\drivers directory that specifies the OEM and model name of the device.
 - **OEMManufacturerName**  The device manufacturer name.  The OEMName for an inactive device is not reprocessed even if the clean OEM name is changed at a later date.
 - **OEMModelBaseBoard**  The baseboard model used by the OEM.
@@ -1525,11 +1439,12 @@ The following fields are available:
 - **PowerPlatformRole**  The OEM preferred power management profile. It's used to help to identify the basic form factor of the device.
 - **SoCName**  The firmware manufacturer of the device.
 - **StudyID**  Used to identify retail and non-retail device.
-- **TelemetryLevel**  The diagnostic data level the user has opted into, such as Basic or Enhanced.
-- **TelemetryLevelLimitEnhanced** The diagnostic data level for Windows Analytics-based solutions.
-- **TelemetrySettingAuthority**  Determines who set the diagnostic data level, such as GP, MDM, or the user.
+- **TelemetryLevel**  The telemetry level the user has opted into, such as Basic or Enhanced.
+- **TelemetryLevelLimitEnhanced**  The telemetry level for Windows Analytics-based solutions.
+- **TelemetrySettingAuthority**  Determines who set the telemetry level, such as GP, MDM, or the user.
 - **TPMVersion**  The supported Trusted Platform Module (TPM) on the device. If no TPM is present, the value is 0.
 - **VoiceSupported**  Does the device have a cellular radio capable of making voice calls?
+- **DeviceColor**  Indicates a color of the device.
 
 
 ### Census.Memory
@@ -1572,9 +1487,9 @@ This event sends data about the operating system such as the version, locale, up
 The following fields are available:
 
 - **ActivationChannel**  Retrieves the retail license key or Volume license key for a machine.
-- **AssignedAccessStatus** The kiosk configuration mode.
+- **AssignedAccessStatus**  Kiosk configuration mode.
 - **CompactOS**  Indicates if the Compact OS feature from Win10 is enabled.
-- **DeveloperUnlockStatus**  "Represents if a device has been developer unlocked by the user or Group Policy. "
+- **DeveloperUnlockStatus**  Represents if a device has been developer unlocked by the user or Group Policy. 
 - **DeviceTimeZone**  The time zone that is set on the device. Example: Pacific Standard Time
 - **GenuineState**  Retrieves the ID Value specifying the OS Genuine check.
 - **InstallationType**  Retrieves the type of OS installation. (Clean, Upgrade, Reset, Refresh, Update).
@@ -1584,10 +1499,9 @@ The following fields are available:
 - **IsPortableOperatingSystem**  Retrieves whether OS is running Windows-To-Go
 - **IsSecureBootEnabled**  Retrieves whether Boot chain is signed under UEFI.
 - **LanguagePacks**  The list of language packages installed on the device.
-- **LicenseStateReason**  Retrieves why (or how) a system is licensed or unlicensed.  The HRESULT may indicate an error code that indicates a key blocked error, or it may indicate that we are running an OS License granted by the Microsoft Store.
+- **LicenseStateReason**  Retrieves why (or how) a system is licensed or unlicensed.  The HRESULT may indicate an error code that indicates a key blocked error, or it may indicate that we are running an OS License granted by the MS store.
 - **OA3xOriginalProductKey**  Retrieves the License key stamped by the OEM to the machine.
 - **OSEdition**  Retrieves the version of the current OS.
-- **OSInstallDateTime**  Retrieves the date the OS was installed using ISO 8601 (Date part) == yyyy-mm-dd
 - **OSInstallType**  Retrieves a numeric description of what install was used on the device i.e. clean, upgrade, refresh, reset, etc
 - **OSOOBEDateTime**  Retrieves Out of Box Experience (OOBE) Date in Coordinated Universal Time (UTC).
 - **OSSKU**  Retrieves the Friendly Name of OS Edition.
@@ -1614,34 +1528,30 @@ This event sends data about the processor (architecture, speed, number of cores,
 
 The following fields are available:
 
-- **KvaShadow** Microcode info of the processor.
-- **MMSettingOverride** Microcode setting of the processor.
-- **MMSettingOverrideMask** Microcode setting override of the processor.
-- **ProcessorArchitecture**  Retrieves the processor architecture of the installed operating system. 
-- **ProcessorClockSpeed**  Retrieves the clock speed of the processor in MHz.
-- **ProcessorCores**  Retrieves the number of cores in the processor.
-- **ProcessorIdentifier**  The processor identifier of a manufacturer.
-- **ProcessorManufacturer**  Retrieves the name of the processor's manufacturer.
-- **ProcessorModel**  Retrieves the name of the processor model.
+- **ProcessorArchitecture**  Retrieves the processor architecture of the installed operating system.
+- **ProcessorClockSpeed**  Clock speed of the processor in MHz.
+- **ProcessorCores**  Number of logical cores in the processor.
+- **ProcessorIdentifier**  Processor Identifier of a manufacturer.
+- **ProcessorManufacturer**  Name of the processor manufacturer.
+- **ProcessorModel**  Name of the processor model.
 - **ProcessorPhysicalCores**  Number of physical cores in the processor.
-- **ProcessorUpdateRevision** The microcode version.
-- **SocketCount**  Number of physical CPU sockets of the machine.
-- **SpeculationControl** If the system has enabled protections needed to validate the speculation control vulnerability.
+- **ProcessorUpdateRevision**  Microcode revision
+- **SocketCount**  Count of CPU sockets.
 
 
 ### Census.Security
 
 This event provides information on about security settings used to help keep Windows up-to-date and secure.
 
-- **AvailableSecurityProperties** Enumerates and reports state on the relevant security properties for Device Guard.
-- **CGRunning** Is Credential Guard running?
-- **DGState** A summary of the Device Guard state.
-- **HVCIRunning** Is HVCI running?
-- **IsSawGuest** Describes whether the device is running as a Secure Admin Workstation Guest.
-- **IsSawHost** Describes whether the device is running as a Secure Admin Workstation Host.
-- **RequiredSecurityProperties** Describes the required security properties to enable virtualization-based security.
-- **SecureBootCapable** Is this device capable of running Secure Boot?
-- **VBSState** Is virtualization-based security enabled, disabled, or running?
+The following fields are available:
+
+- **AvailableSecurityProperties**  This field helps to enumerate and report state on the relevant security properties for Device Guard
+- **CGRunning**  Credential Guard isolates and hardens key system and user secrets against compromise, helping to minimize the impact and breadth of a Pass the Hash style attack in the event that malicious code is already running via a local or network based vector. This field tells if Credential Guard is running.
+- **DGState**  This field summarizes Device Guard state
+- **HVCIRunning**  Hypervisor Code Integrity (HVCI) enables Device Guard to help protect kernel mode processes and drivers from vulnerability exploits and zero days. HVCI uses the processor’s functionality to force all software running in kernel mode to safely allocate memory. This field tells if HVCI is running
+- **RequiredSecurityProperties**  This field describes the required security properties to enable virtualization-based security
+- **SecureBootCapable**  Systems that support Secure Boot can have the feature turned off via BIOS. This field tells if the system is capable of running Secure Boot, regardless of the BIOS setting.
+- **VBSState**  Virtualization-based security (VBS) uses the hypervisor to help protect the kernel and other parts of the operating system. Credential Guard and Hypervisor Code Integrity (HVCI) both depend on VBS to isolate/protect secrets, and kernel-mode code integrity validation.  VBS has a tri-state that can be Disabled, Enabled, or Running.
 
 
 ### Census.Speech
@@ -1654,14 +1564,13 @@ The following fields are available:
 - **GPAllowInputPersonalization**  Indicates if a Group Policy setting has enabled speech functionalities.
 - **HolographicSpeechInputDisabled**  Holographic setting that represents if the attached HMD devices have speech functionality disabled by the user.
 - **HolographicSpeechInputDisabledRemote**  Indicates if a remote policy has disabled speech functionalities for the HMD devices.
-- **KWSEnabled**  "Cortana setting that represents if a user has enabled the ""Hey Cortana"" keyword spotter (KWS)."
+- **KWSEnabled**  Cortana setting that represents if a user has enabled the "Hey Cortana" keyword spotter (KWS).
 - **MDMAllowInputPersonalization**  Indicates if an MDM policy has enabled speech functionalities.
-- **RemotelyManaged**  Indicates if the device is being controlled by a remote admininistrator (MDM or Group Policy) in the context of speech functionalities.
+- **RemotelyManaged**  Indicates if the device is being controlled by a remote administrator (MDM or Group Policy) in the context of speech functionalities.
 - **SpeakerIdEnabled**  Cortana setting that represents if keyword detection has been trained to try to respond to a single user's voice.
 - **SpeechServicesEnabled**  Windows setting that represents whether a user is opted-in for speech services on the device.
 
 
-
 ### Census.Storage
 
 This event sends data about the total capacity of the system volume and primary disk, to help keep Windows up to date.
@@ -1672,14 +1581,26 @@ The following fields are available:
 - **PrimaryDiskType**  Retrieves an enumerator value of type STORAGE_BUS_TYPE that indicates the type of bus to which the device is connected. This should be used to interpret the raw device properties at the end of this structure (if any).
 - **SystemVolumeTotalCapacity**  Retrieves the size of the partition that the System volume is installed on in MB.
 
-### Census.Userdefault
 
-This event sends data about the current user's default preferences for browser and several of the most popular extensions and protocols, to help keep Windows up to date.
+### Census.UserDisplay
+
+This event sends data about the logical/physical display size, resolution and number of internal/external displays, and VRAM on the system, to help keep Windows up to date.
 
 The following fields are available:
 
-- **DefaultApp**  The current uer's default program selected for the following extension or protocol: .html,.htm,.jpg,.jpeg,.png,.mp3,.mp4, .mov,.pdf
-- **DefaultBrowserProgId**  The ProgramId of the current user's default browser
+- **InternalPrimaryDisplayLogicalDPIX**  Retrieves the logical DPI in the x-direction of the internal display.
+- **InternalPrimaryDisplayLogicalDPIY**  Retrieves the logical DPI in the y-direction of the internal display.
+- **InternalPrimaryDisplayPhysicalDPIX**  Retrieves the physical DPI in the x-direction of the internal display.
+- **InternalPrimaryDisplayPhysicalDPIY**  Retrieves the physical DPI in the y-direction of the internal display.
+- **InternalPrimaryDisplayResolutionHorizontal**  Retrieves the number of pixels in the horizontal direction of the internal display.
+- **InternalPrimaryDisplayResolutionVertical**  Retrieves the number of pixels in the vertical direction of the internal display.
+- **InternalPrimaryDisplaySizePhysicalH**  Retrieves the physical horizontal length of the display in mm. Used for calculating the diagonal length in inches .
+- **InternalPrimaryDisplaySizePhysicalY**  Retrieves the physical vertical length of the display in mm. Used for calculating the diagonal length in inches
+- **NumberofExternalDisplays**  Retrieves the number of external displays connected to the machine
+- **NumberofInternalDisplays**  Retrieves the number of internal displays in a machine.
+- **VRAMDedicated**  Retrieves the video RAM in MB.
+- **VRAMDedicatedSystem**  Retrieves the amount of memory on the dedicated video card.
+- **VRAMSharedSystem**  Retrieves the amount of RAM memory that the video card can use.
 
 
 ### Census.UserNLS
@@ -1694,26 +1615,32 @@ The following fields are available:
 - **KeyboardInputLanguages**  The Keyboard input languages installed on the device.
 - **SpeechInputLanguages**  The Speech Input languages installed on the device.
 
+
+### Census.Userdefault
+
+This event sends data about the current user's default preferences for browser and several of the most popular extensions and protocols, to help keep Windows up to date.
+
+The following fields are available:
+
+- **DefaultApp**  The current uer's default program selected for the following extension or protocol: .html,.htm,.jpg,.jpeg,.png,.mp3,.mp4, .mov,.pdf
+- **DefaultBrowserProgId**  The ProgramId of the current user's default browser
+
+
 ### Census.VM
 
 This event sends data indicating whether virtualization is enabled on the device, and its various characteristics, to help keep Windows up to date.
 
 The following fields are available:
 
-- **CloudService** Indicates which cloud service, if any, that this virtual machine is running within.
+- **CloudService**  Indicates which cloud service, if any, that this virtual machine is running within.
 - **HyperVisor**  Retrieves whether the current OS is running on top of a Hypervisor.
 - **IOMMUPresent**  Represents if an input/output memory management unit (IOMMU) is present.
-- **isVDI** Is the device using Virtual Desktop Infrastructure?
-- **IsVirtualDevice**  Retrieves that when the Hypervisor is Microsoft's Hyper-V Hypervisor or other Hv#HASH#1 Hypervisor, this field will be set to FALSE for the Hyper-V host OS and TRUE for any guest OS's. This field should not be relied upon for non-Hv#HASH#1 Hypervisors.
+- **IsVDI**  Is the device using Virtual Desktop Infrastructure?
+- **IsVirtualDevice**  Retrieves that when the Hypervisor is Microsoft's Hyper-V Hypervisor or other Hv#1 Hypervisor, this field will be set to FALSE for the Hyper-V host OS and TRUE for any guest OS's. This field should not be relied upon for non-Hv#1 Hypervisors.
 - **SLATSupported**  Represents whether Second Level Address Translation (SLAT) is supported by the hardware.
 - **VirtualizationFirmwareEnabled**  Represents whether virtualization is enabled in the firmware.
 
 
-
-
-
-
-
 ### Census.WU
 
 This event sends data about the Windows update server and other App store policies, to help keep Windows up to date.
@@ -1725,12 +1652,12 @@ The following fields are available:
 - **AppStoreAutoUpdateMDM**  Retrieves the App Auto Update value for MDM: 0 - Disallowed. 1 - Allowed. 2 - Not configured. Default: [2] Not configured
 - **AppStoreAutoUpdatePolicy**  Retrieves the Microsoft Store App Auto Update group policy setting
 - **DelayUpgrade**  Retrieves the Windows upgrade flag for delaying upgrades.
-- **OSAssessmentFeatureOutOfDate** How many days has it been since a the last feature update was released but the device did not install it?
-- **OSAssessmentForFeatureUpdate** Is the device is on the latest feature update?
-- **OSAssessmentForQualityUpdate** Is the device on the latest quality update?
-- **OSAssessmentForSecurityUpdate** Is the device  on the latest security update?
-- **OSAssessmentQualityOutOfDate** How many days has it been since a the last quality update was released but the device did not install it?
-- **OSAssessmentReleaseInfoTime** The freshness of release information used to perform an assessment.
+- **OSAssessmentFeatureOutOfDate**  How many days has it been since a the last feature update was released but the device did not install it?
+- **OSAssessmentForFeatureUpdate**  Is the device is on the latest feature update?
+- **OSAssessmentForQualityUpdate**  Is the device on the latest quality update?
+- **OSAssessmentForSecurityUpdate**  Is the device  on the latest security update?
+- **OSAssessmentQualityOutOfDate**  How many days has it been since a the last quality update was released but the device did not install it?
+- **OSAssessmentReleaseInfoTime**  The freshness of release information used to perform an assessment.
 - **OSRollbackCount**  The number of times feature updates have rolled back on the device.
 - **OSRolledBack**  A flag that represents when a feature update has rolled back during setup.
 - **OSUninstalled**  A flag that represents when a feature update is uninstalled on a device .
@@ -1744,6 +1671,7 @@ The following fields are available:
 - **WUPauseState**  Retrieves WU setting to determine if updates are paused
 - **WUServer**  Retrieves the HTTP(S) URL of the WSUS server that is used by Automatic Updates and API callers (by default).
 
+
 ### Census.Xbox
 
 This event sends data about the Xbox Console, such as Serial Number and DeviceId, to help keep Windows up to date.
@@ -1756,105 +1684,198 @@ The following fields are available:
 - **XboxLiveSandboxId**  Retrieves the developer sandbox id if the device is internal to MS.
 
 
+## Deployment events
+
+### DeploymentTelemetry.Deployment_End
+
+Event to indicate that a Deployment 360 API has completed. 
+
+The following fields are available:
+
+- **ClientId**  Client ID of user utilizing the D360 API
+- **ErrorCode**  Error code of action
+- **FlightId**  Flight being used
+- **Mode**  Phase in upgrade 
+- **RelatedCV**  CV of any other related events
+- **Result**  End result of action
+
+
+### DeploymentTelemetry.Deployment_Initialize
+
+Event to indicate that the Deployment 360 APIs have been initialized for use.
+
+The following fields are available:
+
+- **ClientId**  Client ID of user utilizing the D360 API
+- **ErrorCode**  Error code of action
+- **FlightId**  Flight being used
+- **RelatedCV**  CV of any other related events
+- **Result**  Phase Setup is in
+
+
+### DeploymentTelemetry.Deployment_SetupBoxLaunch
+
+Event to indicate that the Deployment 360 APIs have launched Setup Box.
+
+The following fields are available:
+
+- **ClientId**  Client ID of user utilizing the D360 API
+- **FlightId**  Flight being used
+- **Quiet**  Whether Setup will run in quiet mode or in full
+- **RelatedCV**  CV of any other related events
+- **SetupMode**  Phase Setup is in 
+
+
+### DeploymentTelemetry.Deployment_SetupBoxResult
+
+Event to indicate that the Deployment 360 APIs have received a return from Setup Box.
+
+The following fields are available:
+
+- **ClientId**  Client ID of user utilizing the D360 API
+- **ErrorCode**  Error code of action
+- **FlightId**  Flight being used
+- **Quiet**  Whether Setup will run in quiet mode or in full
+- **RelatedCV**  Correlation vector of any other related events
+- **SetupMode**  Phase that Setup is in
+
+
+### DeploymentTelemetry.Deployment_Start
+
+Event to indicate that a Deployment 360 API has been called.
+
+The following fields are available:
+
+- **ClientId**  Client ID of user utilizing the D360 API
+- **FlightId**  Flight being used
+- **Mode**  Phase in upgrade 
+- **RelatedCV**  CV of any other related events
 
 
 ## Diagnostic data events
 
-### TelClientSynthetic.AuthorizationInfo_Startup
-
-This event sends data indicating that a device has undergone a change of diagnostic data opt-in level detected at UTC startup, to help keep Windows up to date.
-
-The following fields are available:
-
-- **CanAddMsaToMsTelemetry**  True if UTC is allowed to add MSA user identity onto diagnostic data from the OS provider groups.
-- **CanCollectAnyTelemetry**  True if UTC is allowed to collect non-OS diagnostic data. Non-OS diagnostic data is responsible for providing its own opt-in mechanism.
-- **CanCollectCoreTelemetry**  True if UTC is allowed to collect data which is tagged with both MICROSOFT_KEYWORD_CRITICAL_DATA and MICROSOFT_EVENTTAG_CORE_DATA.
-- **CanCollectHeartbeats**  True if UTC is allowed to collect heartbeats.
-- **CanCollectOsTelemetry**  True if UTC is allowed to collect diagnostic data from the OS provider groups.
-- **CanPerformDiagnosticEscalations**  True if UTC is allowed to perform all scenario escalations.
-- **CanPerformScripting**  True if UTC is allowed to perform scripting.
-- **CanPerformTraceEscalations**  True if UTC is allowed to perform scenario escalations with tracing actions.
-- **CanReportScenarios**  True if UTC is allowed to load and report scenario completion, failure, and cancellation events.
-- **PreviousPermissions**  Bitmask representing the previously configured permissions since the diagnostic data client was last started.
-- **TransitionFromEverythingOff**  True if this transition is moving from not allowing core diagnostic data to allowing core diagnostic data.
-
-
 ### TelClientSynthetic.AuthorizationInfo_RuntimeTransition
 
-This event sends data indicating that a device has undergone a change of diagnostic data opt-in level during the runtime of the device (not at UTC boot or offline), to help keep Windows up to date.
+Fired by UTC at state transitions to signal what data we are allowed to collect.
 
 The following fields are available:
 
-- **CanAddMsaToMsTelemetry**  True if UTC is allowed to add MSA user identity onto diagnostic data from the OS provider groups.
-- **CanCollectAnyTelemetry**  True if UTC is allowed to collect non-OS diagnostic data. Non-OS diagnostic data is responsible for providing its own opt-in mechanism.
-- **CanCollectCoreTelemetry**  True if UTC is allowed to collect data which is tagged with both MICROSOFT_KEYWORD_CRITICAL_DATA and MICROSOFT_EVENTTAG_CORE_DATA.
-- **CanCollectHeartbeats**  True if UTC is allowed to collect heartbeats.
-- **CanCollectOsTelemetry**  True if UTC is allowed to collect diagnostic data from the OS provider groups.
-- **CanPerformDiagnosticEscalations**  True if UTC is allowed to perform all scenario escalations.
-- **CanPerformScripting**  True if UTC is allowed to perform scripting.
-- **CanPerformTraceEscalations**  True if UTC is allowed to perform scenario escalations with tracing actions.
-- **CanReportScenarios**  True if UTC is allowed to load and report scenario completion, failure, and cancellation events.
-- **PreviousPermissions**  Bitmask representing the previously configured permissions since the diagnostic data opt-in level was last changed.
-- **TransitionFromEverythingOff**  True if this transition is moving from not allowing core diagnostic data to allowing core diagnostic data.
+- **CanAddMsaToMsTelemetry**  True if we can add MSA PUID and CID to telemetry, false otherwise.
+- **CanCollectAnyTelemetry**  True if we are allowed to collect partner telemetry, false otherwise.
+- **CanCollectCoreTelemetry**  True if we can collect CORE/Basic telemetry, false otherwise.
+- **CanCollectHeartbeats**  True if we can collect heartbeat telemetry, false otherwise.
+- **CanCollectOsTelemetry**  True if we can collect diagnostic data telemetry, false otherwise.
+- **CanCollectWindowsAnalyticsEvents**  True if we can collect Windows Analytics data, false otherwise.
+- **CanPerformDiagnosticEscalations**  True if we can perform diagnostic escalation collection, false otherwise.
+- **CanPerformTraceEscalations**  True if we can perform trace escalation collection, false otherwise.
+- **CanReportScenarios**  True if we can report scenario completions, false otherwise.
+- **PreviousPermissions**  Bitmask of previous telemetry state.
+- **TransitionFromEverythingOff**  True if we are transitioning from all telemetry being disabled, false otherwise.
 
 
-### TelClientSynthetic.ConnectivityHeartBeat_0
+### TelClientSynthetic.AuthorizationInfo_Startup
 
-This event sends data about the connectivity status of the Connected User Experience and Telemetry component that uploads diagnostic data events. If an unrestricted free network (such as Wi-Fi) is available, this event updates the last successful upload time. Otherwise, it checks whether a Connectivity Heartbeat event was fired in the past 24 hours, and if not, it fires an event. A Connectivity Heartbeat event also fires when a device recovers from costed network to free network.
+Fired by UTC at startup to signal what data we are allowed to collect.
 
 The following fields are available:
 
-- **CensusExitCode**  Returns last execution codes from census client run.
-- **CensusStartTime**  Returns timestamp corresponding to last successful census run.
-- **CensusTaskEnabled**  Returns Boolean value for the census task (Enable/Disable) on client machine.
-- **LastConnectivityLossTime**  Retrieves the last time the device lost free network.
-- **LastConntectivityLossTime**  Retrieves the last time the device lost free network.
-- **NetworkState**  Retrieves the network state: 0 = No network. 1 = Restricted network. 2 = Free network.
-- **NoNetworkTime**  Retrieves the time spent with no network (since the last time) in seconds.
-- **RestrictedNetworkTime**  Retrieves the time spent on a metered (cost restricted) network in seconds.
+- **CanAddMsaToMsTelemetry**  True if we can add MSA PUID and CID to telemetry, false otherwise.
+- **CanCollectAnyTelemetry**  True if we are allowed to collect partner telemetry, false otherwise.
+- **CanCollectCoreTelemetry**  True if we can collect CORE/Basic telemetry, false otherwise.
+- **CanCollectHeartbeats**  True if we can collect heartbeat telemetry, false otherwise.
+- **CanCollectOsTelemetry**  True if we can collect diagnostic data telemetry, false otherwise.
+- **CanCollectWindowsAnalyticsEvents**  True if we can collect Windows Analytics data, false otherwise.
+- **CanPerformDiagnosticEscalations**  True if we can perform diagnostic escalation collection, false otherwise.
+- **CanPerformTraceEscalations**  True if we can perform trace escalation collection, false otherwise.
+- **CanReportScenarios**  True if we can report scenario completions, false otherwise.
+- **PreviousPermissions**  Bitmask of previous telemetry state.
+- **TransitionFromEverythingOff**  True if we are transitioning from all telemetry being disabled, false otherwise.
 
 
 ### TelClientSynthetic.HeartBeat_5
 
-This event sends data about the health and quality of the diagnostic data data from the given device, to help keep Windows up to date. It also enables data analysts to determine how 'trusted' the data is from a given device.
+Fired by UTC as a heartbeat signal.
 
 The following fields are available:
 
-- **AgentConnectionErrorsCount**  The number of non-timeout errors associated with the host/agent channel.
-- **CensusExitCode**  The last exit code of the Census task.
-- **CensusStartTime**  The time of the last Census run.
-- **CensusTaskEnabled**  Indicates whether Census is enabled.
-- **ConsumerDroppedCount**  The number of events dropped by the consumer layer of the diagnostic data client.
-- **CriticalDataDbDroppedCount**  The number of critical data sampled events that were dropped at the database layer.
-- **CriticalDataThrottleDroppedCount**  The number of critical data sampled events that were dropped because of throttling.
-- **CriticalOverflowEntersCounter**  The number of times a critical overflow mode was entered into the event database.
-- **DbCriticalDroppedCount**  The total number of dropped critical events in the event database.
-- **DbDroppedCount**  The number of events that were dropped because the database was full.
-- **DecodingDroppedCount**  The number of events dropped because of decoding failures.
-- **EnteringCriticalOverflowDroppedCounter**  The number of events that was dropped because a critical overflow mode was initiated.
-- **EtwDroppedBufferCount**  The number of buffers dropped in the CUET ETW session.
-- **EtwDroppedCount**  The number of events dropped by the ETW layer of the diagnostic data client.
-- **EventSubStoreResetCounter**  The number of times the event database was reset.
-- **EventSubStoreResetSizeSum**  The total size of the event database across all resets reports in this instance.
-- **EventsUploaded**  The number of events that have been uploaded.
-- **Flags**  Flags that indicate device state, such as network, battery, and opt-in state.
-- **FullTriggerBufferDroppedCount**  The number of events that were dropped because the trigger buffer was full.
-- **HeartBeatSequenceNumber**  A monotonically increasing heartbeat counter.
-- **InvalidHttpCodeCount**  The number of invalid HTTP codes received from Vortex.
-- **LastAgentConnectionError**  The last non-timeout error that happened in the host/agent channel.
-- **LastEventSizeOffender**  The name of the last event that exceeded the maximum event size.
-- **LastInvalidHttpCode**  The last invalid HTTP code received from Vortex.
-- **MaxActiveAgentConnectionCount**  The maximum number of active agents during this heartbeat timeframe.
-- **MaxInUseScenarioCounter**  The soft maximum number of scenarios loaded by the Connected User Experiences and Telemetry component.
-- **PreviousHeartBeatTime**  The time of last heartbeat event. This allows chaining of events.
-- **SettingsHttpAttempts**  The number of attempts to contact the OneSettings service.
-- **SettingsHttpFailures**  The number of failures from contacting the OneSettings service.
-- **ThrottledDroppedCount**  The number of events dropped due to throttling of noisy providers.
-- **UploaderDroppedCount**  The number of events dropped by the uploader layer of the diagnostic data client.
-- **VortexFailuresTimeout**  The number of timeout failures received from Vortex.
-- **VortexHttpAttempts**  The number of attempts to contact the Vortex service.
-- **VortexHttpFailures4xx**  The number of 400-499 error codes received from Vortex.
-- **VortexHttpFailures5xx**  The number of 500-599 error codes received from Vortex.
+- **AgentConnectionErrorsCount**  Number of non-timeout errors associated with the host/agent channel.
+- **CensusExitCode**  Last exit code of�Census task.
+- **CensusStartTime**  Time of last Census run.
+- **CensusTaskEnabled**  True if Census is enabled, false otherwise.
+- **CompressedBytesUploaded**  Number of compressed bytes uploaded.
+- **ConsumerDroppedCount**  Number of events dropped at consumer layer of telemetry client.
+- **CriticalDataDbDroppedCount**  Number of critical data sampled events dropped at the database layer.
+- **CriticalDataThrottleDroppedCount**  Number of critical data sampled events dropped due to�throttling.
+- **CriticalOverflowEntersCounter**  Number of times critical overflow mode was entered in event DB.
+- **DbCriticalDroppedCount**  Total number of dropped critical events in event DB.
+- **DbDroppedCount**  Number of events dropped due to DB fullness.
+- **DbDroppedFailureCount**  Number of events dropped due to DB failures.
+- **DbDroppedFullCount**  Number of events dropped due to DB fullness.
+- **DecodingDroppedCount**  Number of events dropped due to decoding failures.
+- **EnteringCriticalOverflowDroppedCounter**  Number of events dropped due to critical overflow mode being initiated.
+- **EtwDroppedBufferCount**  Number of buffers dropped in the UTC ETW session.
+- **EtwDroppedCount**  Number of events dropped at ETW layer of telemetry client.
+- **EventsPersistedCount**  Number of events that reached the PersistEvent stage.
+- **EventSubStoreResetCounter**  Number of times event DB was reset.
+- **EventSubStoreResetSizeSum**  Total size of event DB across all resets reports in this instance.
+- **EventsUploaded**  Number of events uploaded.
+- **Flags**  Flags indicating device state such as network state, battery state, and opt-in state.
+- **FullTriggerBufferDroppedCount**  Number of events dropped due to trigger buffer being full.
+- **HeartBeatSequenceNumber**  The sequence number of this heartbeat.
+- **InvalidHttpCodeCount**  Number of invalid HTTP codes received from contacting Vortex.
+- **LastAgentConnectionError**  Last non-timeout error encountered in the host/agent channel.
+- **LastEventSizeOffender**  Event name of last event which exceeded max event size.
+- **LastInvalidHttpCode**  Last invalid HTTP code received from Vortex.
+- **MaxActiveAgentConnectionCount**  Maximum number of active agents during this�heartbeat timeframe.
+- **MaxInUseScenarioCounter**  Soft maximum number of scenarios loaded by UTC.
+- **PreviousHeartBeatTime**  Time of last heartbeat event (allows chaining of events).
+- **SettingsHttpAttempts**  Number of attempts to contact OneSettings service.
+- **SettingsHttpFailures**  Number of failures from contacting�OneSettings service.
+- **ThrottledDroppedCount**  Number of events dropped due to throttling of noisy providers.
+- **UploaderDroppedCount**  Number of events dropped at the uploader layer of telemetry client.
+- **VortexFailuresTimeout**  Number of time out failures�received from Vortex.
+- **VortexHttpAttempts**  Number of attempts to contact Vortex.
+- **VortexHttpFailures4xx**  Number of 400-499 error codes received from Vortex.
+- **VortexHttpFailures5xx**  Number of 500-599 error codes received from Vortex.
+- **VortexHttpResponseFailures**  Number of Vortex responses that are not 2XX or 400.
+- **VortexHttpResponsesWithDroppedEvents**  Number of Vortex responses containing at least 1 dropped event.
+- **EventStoreLifetimeResetCounter**  Number of times event DB was reset for the lifetime of UTC.
+- **EventStoreResetCounter**  Number of times event DB was reset.
+- **EventStoreResetSizeSum**  Total size of event DB across all resets reports in this instance.
+
+
+### TelClientSynthetic.HeartBeat_Aria_5
+
+Telemetry client ARIA heartbeat event.
+
+The following fields are available:
+
+- **CompressedBytesUploaded**  Number of compressed bytes uploaded.
+- **CriticalDataDbDroppedCount**  Number of critical data sampled events dropped at the database layer.
+- **CriticalOverflowEntersCounter**  Number of times critical overflow mode was entered in event DB.
+- **DbCriticalDroppedCount**  Total number of dropped critical events in event DB.
+- **DbDroppedCount**  Number of events dropped at the DB layer.
+- **DbDroppedFailureCount**  Number of events dropped due to DB failures.
+- **DbDroppedFullCount**  Number of events dropped due to DB fullness.
+- **EnteringCriticalOverflowDroppedCounter**  Number of events dropped due to critical overflow mode being initiated.
+- **EventsPersistedCount**  Number of events that reached the PersistEvent stage.
+- **EventSubStoreResetCounter**  Number of times event DB was reset.
+- **EventSubStoreResetSizeSum**  Total size of event DB across all resets reports in this instance.
+- **EventsUploaded**  Number of events uploaded.
+- **HeartBeatSequenceNumber**  The sequence number of this heartbeat.
+- **InvalidHttpCodeCount**  Number of invalid HTTP codes received from contacting Vortex.
+- **LastEventSizeOffender**  Event name of last event which exceeded max event size.
+- **LastInvalidHttpCode**  Last invalid HTTP code received from Vortex.
+- **PreviousHeartBeatTime**  The FILETIME of the previous heartbeat fire.
+- **SettingsHttpAttempts**  Number of attempts to contact OneSettings service.
+- **SettingsHttpFailures**  Number of failures from contacting OneSettings service. 
+- **UploaderDroppedCount**  Number of events dropped at the uploader layer of telemetry client.
+- **VortexFailuresTimeout**  Number of time out failures received from Vortex.
+- **VortexHttpAttempts**  Number of attempts to contact Vortex.
+- **VortexHttpFailures4xx**  Number of 400-499 error codes received from Vortex.
+- **VortexHttpFailures5xx**  Number of 500-599 error codes received from Vortex.
+- **VortexHttpResponseFailures**  Number of Vortex responses that are not 2XX or 400.
+- **VortexHttpResponsesWithDroppedEvents**  Number of Vortex responses containing at least 1 dropped event.
 
 
 ### TelClientSynthetic.PrivacySettingsAfterCreatorsUpdate
@@ -1867,80 +1888,551 @@ The following fields are available:
 - **PreUpgradeSettings**  The privacy settings before a feature update.
 
 
+## Direct to update events
+
+### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCheckApplicability
+
+Event to indicate that the Coordinator CheckApplicability call succeeded.
+
+The following fields are available:
+
+- **ApplicabilityResult**  Result of CheckApplicability function.
+- **CampaignID**  Campaign ID being run.
+- **ClientID**  Client ID being run.
+- **CoordinatorVersion**  Coordinator version of DTU.
+- **CV**  Correlation vector.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCheckApplicabilityGenericFailure
+
+Event to indicate that we have received an unexpected error in the DTU Coordinators CheckApplicability call.
+
+The following fields are available:
+
+- **hResult**  HRESULT of the failure.
+- **CampaignID**  Campaign ID being run.
+- **ClientID**  Client ID being run.
+- **CoordinatorVersion**  Coordinator version of DTU.
+- **CV**  Correlation vector.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCommitGenericFailure
+
+Commit call.
+
+The following fields are available:
+
+- **hResult**  HRESULT of the failure.
+- **CampaignID**  Campaign ID being run.
+- **ClientID**  Client ID being run.
+- **CoordinatorVersion**  Coordinator version of DTU.
+- **CV**  Correlation vector.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUCoordinatorCommitSuccess
+
+Event to indicate that the Coordinator Commit call succeeded.
+
+The following fields are available:
+
+- **CampaignID**  Campaign ID being run.
+- **ClientID**  Client ID being run.
+- **CoordinatorVersion**  Coordinator version of DTU.
+- **CV**  Correlation vector.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUCoordinatorDownloadGenericFailure
+
+Event to indicate that we have received an unexpected error in the DTU Coordinator Download call.
+
+The following fields are available:
+
+- **CampaignID**  Campaign ID being run.
+- **ClientID**  Client ID being run.
+- **CoordinatorVersion**  Coordinator version of DTU.
+- **CV**  Correlation vector.
+- **hResult**  HRESULT of the failure.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUCoordinatorDownloadIgnoredFailure
+
+Event to indicate that we have received an error in the DTU Coordinator Download call that will be ignored.
+
+The following fields are available:
+
+- **CampaignID**  Campaign ID being run.
+- **ClientID**  Client ID being run.
+- **CoordinatorVersion**  Coordinator version of DTU.
+- **CV**  Correlation vector.
+- **hResult**  HRESULT of the failure.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUCoordinatorDownloadSuccess
+
+Event to indicate that the Coordinator Download call succeeded.
+
+The following fields are available:
+
+- **CampaignID**  Campaign ID being run.
+- **ClientID**  Client ID being run.
+- **CoordinatorVersion**  Coordinator version of DTU.
+- **CV**  Correlation vector.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUCoordinatorHandleShutdownGenericFailure
+
+Event to indicate that we have received an unexpected error in the DTU Coordinator HandleShutdown call.
+
+The following fields are available:
+
+- **CampaignID**  Campaign ID being run.
+- **ClientID**  Client ID being run.
+- **CoordinatorVersion**  Coordinate version of DTU.
+- **CV**  Correlation vector.
+- **hResult**  HRESULT of the failure.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUCoordinatorHandleShutdownSuccess
+
+Event to indicate that the Coordinator HandleShutdown call succeeded.
+
+The following fields are available:
+
+- **CampaignID**  Campaign ID being run.
+- **ClientID**  Client ID being run.
+- **CoordinatorVersion**  Coordinator version of DTU.
+- **CV**  Correlation vector.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInitializeGenericFailure
+
+Event to indicate that we have received an unexpected error in the DTU Coordinator Initialize call.
+
+The following fields are available:
+
+- **hResult**  HRESULT of the failure.
+- **CampaignID**  Campaign ID being run.
+- **ClientID**  Client ID being run.
+- **CoordinatorVersion**  Coordinator version of DTU.
+- **CV**  Correlation vector.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInitializeSuccess
+
+Event to indicate that the Coordinator Initialize call succeeded.
+
+The following fields are available:
+
+- **CampaignID**  Campaign ID being run.
+- **ClientID**  Client ID being run.
+- **CoordinatorVersion**  Coordinator version of DTU.
+- **CV**  Correlation vector.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInstallGenericFailure
+
+Event to indicate that we have received an unexpected error in the DTU Coordinator Install call.
+
+The following fields are available:
+
+- **CampaignID**  Campaign ID being run.
+- **ClientID**  Client ID being run.
+- **CoordinatorVersion**  Coordinator version of DTU.
+- **CV**  Correlation vector.
+- **hResult**  HRESULT of the failure.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInstallIgnoredFailure
+
+Event to indicate that we have received an error in the DTU Coordinator Install call that will be ignored. 
+
+The following fields are available:
+
+- **CampaignID**  Campaign ID being run.
+- **ClientID**  Client ID being run.
+- **CoordinatorVersion**  Coordinator version of DTU.
+- **CV**  Correlation vector.
+- **hResult**  HRESULT of the failure.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUCoordinatorInstallSuccess
+
+Event to indicate that the Coordinator Install call succeeded. 
+
+The following fields are available:
+
+- **CampaignID**  Campaign ID being run.
+- **ClientID**  Client ID being run.
+- **CoordinatorVersion**  Coordinator version of DTU.
+- **CV**  Correlation vector.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUCoordinatorProgressCallBack
+
+Event to indicate Coordinator's progress callback has been called. 
+
+The following fields are available:
+
+- **Current Deploy Phase's percentage completed**  Trigger which fired UXLauncher.
+- **DeployPhase**  Current Deploy Phase.
+- **CampaignID**  Campaign ID being run.
+- **ClientID**  Client ID being run.
+- **CoordinatorVersion**  Coordinator version of DTU.
+- **CV**  Correlation vector.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUCoordinatorSetCommitReadyGenericFailure
+
+Event to indicate that we have received an unexpected error in the DTU Coordinator SetCommitReady call. 
+
+The following fields are available:
+
+- **CampaignID**  Campaign ID being run.
+- **ClientID**  Client ID being run.
+- **CoordinatorVersion**  Coordinator version of DTU.
+- **CV**  Correlation vector.
+- **hResult**  HRESULT of the failure.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUCoordinatorSetCommitReadySuccess
+
+Event to indicate that the Coordinator SetCommitReady call succeeded. 
+
+The following fields are available:
+
+- **CampaignID**  Campaign ID being run.
+- **ClientID**  Client ID being run.
+- **CoordinatorVersion**  Coordinator version of DTU.
+- **CV**  Correlation vector.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiGenericFailure
+
+Event to indicate that we have received an unexpected error in the DTU Coordinator WaitForRebootUi call.
+
+The following fields are available:
+
+- **CampaignID**  Campaign ID being run.
+- **ClientID**  Client ID being run.
+- **CoordinatorVersion**  Coordinator version of DTU.
+- **CV**  Correlation vector.
+- **hResult**  HRESULT of the failure.
+
+
+### Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiNotShown
+
+Event to indicate that the Coordinator WaitForRebootUi call succeeded.
+
+The following fields are available:
+
+- **CampaignID**  Campaign ID being run
+- **ClientID**  Client ID being run
+- **CoordinatorVersion**  Coordinator version of DTU
+- **CV**  Correlation vector
+- **hResult**  HRESULT of the failure
+
+
+### Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiSelection
+
+Event to indicate the user selected an option on the Reboot UI.
+
+The following fields are available:
+
+- **CampaignID**  Campaign ID being run
+- **ClientID**  Client ID being run
+- **CoordinatorVersion**  Coordinator version of DTU
+- **CV**  Correlation vector
+- **rebootUiSelection**  Selection on the Reboot UI
+
+
+### Microsoft.Windows.DirectToUpdate.DTUCoordinatorWaitForRebootUiSuccess
+
+Event to indicate that the Coordinator WaitForRebootUi call succeeded.
+
+The following fields are available:
+
+- **CampaignID**  Campaign ID being run
+- **ClientID**  Client ID being run
+- **CoordinatorVersion**  Coordinator version of DTU
+- **CV**  Correlation vector
+
+
+### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilityGenericFailure
+
+Event to indicate that we have received an unexpected error in the DTU Handler CheckApplicability call.
+
+The following fields are available:
+
+- **hResult**  HRESULT of the failure
+- **CampaignID**  Campaign ID being run
+- **ClientID**  Client ID being run
+- **CoordinatorVersion**  Coordinator version of DTU
+- **CV**  Correlation vector
+- **CV_new**  New correlation vector
+
+
+### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilityInternalGenericFailure
+
+Event to indicate that we have received an unexpected error in the DTU Handler CheckApplicabilityInternal call.
+
+The following fields are available:
+
+- **CampaignID**  Campaign ID being run
+- **ClientID**  Client ID being run
+- **CoordinatorVersion**  Coordinator version of DTU
+- **CV**  Correlation vector
+- **hResult**  HRESULT of the failure
+
+
+### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilityInternalSuccess
+
+Event to indicate that the Handler CheckApplicabilityInternal call succeeded.
+
+The following fields are available:
+
+- **ApplicabilityResult**  Result of CheckApplicability function
+- **CampaignID**  Campaign ID being run
+- **ClientID**  Client ID being run
+- **CoordinatorVersion**  Coordinator version of DTU
+- **CV**  Correlation vector
+
+
+### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckApplicabilitySuccess
+
+Event to indicate that the Handler CheckApplicability call succeeded.
+
+The following fields are available:
+
+- **ApplicabilityResult**  Result of CheckApplicability function
+- **CampaignID**  Campaign ID being run
+- **ClientID**  Client ID being run
+- **CoordinatorVersion**  Coordinator version of DTU
+- **CV**  Correlation vector
+- **CV_new**  New correlation vector
+
+
+### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckIfCoordinatorMinApplicableVersionGenericFailure
+
+Event to indicate that we have received an unexpected error in the DTU Handler CheckIfCoordinatorMinApplicableVersion call.
+
+The following fields are available:
+
+- **CampaignID**  Campaign ID being run
+- **ClientID**  Client ID being run
+- **CoordinatorVersion**  Coordinator version of DTU
+- **CV**  Correlation vector
+- **hResult**  HRESULT of the failure
+
+
+### Microsoft.Windows.DirectToUpdate.DTUHandlerCheckIfCoordinatorMinApplicableVersionSuccess
+
+Event to indicate that the Handler CheckIfCoordinatorMinApplicableVersion call succeeded.
+
+The following fields are available:
+
+- **CampaignID**  Campaign ID being run
+- **CheckIfCoordinatorMinApplicableVersionResult**  Result of CheckIfCoordinatorMinApplicableVersion function
+- **ClientID**  Client ID being run
+- **CoordinatorVersion**  Coordinator version of DTU
+- **CV**  Correlation vector
+
+
+### Microsoft.Windows.DirectToUpdate.DTUHandlerCommitGenericFailure
+
+Event to indicate that we have received an unexpected error in the DTU Handler Commit call.
+
+The following fields are available:
+
+- **CampaignID**  Campaign ID being run
+- **ClientID**  Client ID being run
+- **CoordinatorVersion**  Coordinator version of DTU
+- **CV**  Correlation vector
+- **CV_new**  New correlation vector
+- **hResult**  HRESULT of the failure
+
+
+### Microsoft.Windows.DirectToUpdate.DTUHandlerCommitSuccess
+
+Event to indicate that the Handler Commit call succeeded.
+
+The following fields are available:
+
+- **CampaignID**  Campaign ID being run
+- **ClientID**  Client ID being run
+- **CoordinatorVersion**  Coordinator version of DTU
+- **CV**  Correlation vector
+- **CV_new**  New correlation vector
+
+
+### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadAndExtractCabAlreadyDownloaded
+
+Event to indicate that the Handler Download and Extract cab returned a value indicating that the cab trying to be downloaded has already been downloaded.
+
+The following fields are available:
+
+- **CampaignID**  Campaign ID being run
+- **ClientID**  Client ID being run
+- **CoordinatorVersion**  Coordinator version of DTU
+- **CV**  Correlation vector
+
+
+### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadAndExtractCabFailure
+
+Event to indicate that the Handler Download and Extract cab call failed.
+
+The following fields are available:
+
+- **CampaignID**  Campaign ID being run
+- **ClientID**  Client ID being run
+- **CoordinatorVersion**  Coordinator version of DTU
+- **CV**  Correlation vector
+- **DownloadAndExtractCabFunction_failureReason**  Reason why the DownloadAndExtractCab function failed
+- **hResult**  HRESULT of the failure
+
+
+### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadAndExtractCabSuccess
+
+Event to indicate that the Handler Download and Extract cab call succeeded.
+
+The following fields are available:
+
+- **CampaignID**  Campaign ID being run
+- **ClientID**  Client ID being run
+- **CoordinatorVersion**  Coordinator version of DTU
+- **CV**  Correlation vector
+
+
+### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadGenericFailure
+
+Event to indicate that we have received an unexpected error in the DTU Handler Download call.
+
+The following fields are available:
+
+- **CampaignID**  Campaign ID being run
+- **ClientID**  Client ID being run
+- **CoordinatorVersion**  Coordinator version of DTU
+- **CV**  Correlation vector
+- **hResult**  HRESULT of the failure
+
+
+### Microsoft.Windows.DirectToUpdate.DTUHandlerDownloadSuccess
+
+Event to indicate that the Handler Download call succeeded.
+
+The following fields are available:
+
+- **CampaignID**  Campaign ID being run
+- **ClientID**  Client ID being run
+- **CoordinatorVersion**  Coordinator version of DTU
+- **CV**  Correlation vector
+
+
+### Microsoft.Windows.DirectToUpdate.DTUHandlerInitializeGenericFailure
+
+Event to indicate that we have received an unexpected error in the DTU Handler Initialize call.
+
+The following fields are available:
+
+- **CampaignID**  Campaign ID being run
+- **ClientID**  Client ID being run
+- **CoordinatorVersion**  Coordinator version of DTU
+- **CV**  Correlation vector
+- **DownloadAndExtractCabFunction_hResult**  HRESULT of the DownloadAndExtractCab function
+- **hResult**  HRESULT of the failure
+
+
+### Microsoft.Windows.DirectToUpdate.DTUHandlerInitializeSuccess
+
+Event to indicate that the Handler Initialize call succeeded.
+
+The following fields are available:
+
+- **CampaignID**  Campaign ID being run
+- **ClientID**  Client ID being run
+- **CoordinatorVersion**  Coordinator version of DTU
+- **CV**  Correlation vector
+- **DownloadAndExtractCabFunction_hResult**  HRESULT of the DownloadAndExtractCab function
+
+
+### Microsoft.Windows.DirectToUpdate.DTUHandlerInstallGenericFailure
+
+Event to indicate that we have received an unexpected error in the DTU Handler Install call.
+
+The following fields are available:
+
+- **CampaignID**  Campaign ID being run
+- **ClientID**  Client ID being run
+- **CoordinatorVersion**  Coordinator version of DTU
+- **CV**  Correlation vector
+- **hResult**  HRESULT of the failure
+
+
+### Microsoft.Windows.DirectToUpdate.DTUHandlerInstallSuccess
+
+Event to indicate that the Coordinator Install call succeeded.
+
+The following fields are available:
+
+- **CampaignID**  Campaign ID being run
+- **ClientID**  Client ID being run
+- **CoordinatorVersion**  Coordinator version of DTU
+- **CV**  Correlation vector
+
+
+### Microsoft.Windows.DirectToUpdate.DTUHandlerSetCommitReadyGenericFailure
+
+Event to indicate that we have received an unexpected error in the DTU Handler SetCommitReady call.
+
+The following fields are available:
+
+- **hResult**  HRESULT of the failure
+- **CampaignID**  Campaign ID being run
+- **ClientID**  Client ID being run
+- **CoordinatorVersion**  Coordinator version of DTU
+- **CV**  Correlation vector
+
+
+### Microsoft.Windows.DirectToUpdate.DTUHandlerSetCommitReadySuccess
+
+Event to indicate that the Handler SetCommitReady call succeeded.
+
+The following fields are available:
+
+- **CampaignID**  Campaign ID being run
+- **ClientID**  Client ID being run
+- **CoordinatorVersion**  Coordinator version of DTU
+- **CV**  Correlation vector
+
+
+### Microsoft.Windows.DirectToUpdate.DTUHandlerWaitForRebootUiGenericFailure
+
+Event to indicate that we have received an unexpected error in the DTU Handler WaitForRebootUi call.
+
+The following fields are available:
+
+- **hResult**  HRESULT of the failure
+- **CampaignID**  Campaign ID being run
+- **ClientID**  Client ID being run
+- **CoordinatorVersion**  Coordinator version of DTU
+- **CV**  Correlation vector
+
+
+### Microsoft.Windows.DirectToUpdate.DTUHandlerWaitForRebootUiSuccess
+
+Event to indicate that the Handler WaitForRebootUi call succeeded.
+
+The following fields are available:
+
+- **CampaignID**  Campaign ID being run
+- **ClientID**  Client ID being run
+- **CoordinatorVersion**  Coordinator version of DTU
+- **CV**  Correlation vector
+
+
 ## DxgKernelTelemetry events
 
-### DxgKrnlTelemetry.GPUAdapterInventoryV2
-
-This event sends basic GPU and display driver information to keep Windows and display drivers up-to-date.
-
-The following fields are available:
-
-- **aiSeqId**  The event sequence ID.
-- **bootId**  The system boot ID.
-- **ComputePreemptionLevel**  The maximum preemption level supported by GPU for compute payload.
-- **DedicatedSystemMemoryB**  The amount of system memory dedicated for GPU use (in bytes).
-- **DedicatedVideoMemoryB**  The amount of dedicated VRAM of the GPU (in bytes).
-- **DisplayAdapterLuid**  The display adapter LUID.
-- **DriverDate**  The date of the display driver.
-- **DriverRank**  The rank of the display driver.
-- **DriverVersion**  The display driver version.
-- **GPUDeviceID**  The GPU device ID.
-- **GPUPreemptionLevel**  The maximum preemption level supported by GPU for graphics payload.
-- **GPURevisionID**  The GPU revision ID.
-- **GPUVendorID**  The GPU vendor ID.
-- **InterfaceId**  The GPU interface ID.
-- **IsDisplayDevice**  Does the GPU have displaying capabilities?
-- **IsHybridDiscrete**  Does the GPU have discrete GPU capabilities in a hybrid device?
-- **IsHybridIntegrated**  Does the GPU have integrated GPU capabilities in a hybrid device?
-- **IsLDA**  Is the GPU comprised of Linked Display Adapters?
-- **IsMiracastSupported**  Does the GPU support Miracast?
-- **IsMismatchLDA**  Is at least one device in the Linked Display Adapters chain from a different vendor?
-- **IsMPOSupported**  Does the GPU support Multi-Plane Overlays?
-- **IsMsMiracastSupported**  Are the GPU Miracast capabilities driven by a Microsoft solution?
-- **IsPostAdapter**  Is this GPU the POST GPU in the device?
-- **IsRenderDevice**  Does the GPU have rendering capabilities?
-- **IsSoftwareDevice**  Is this a software implementation of the GPU?
-- **MeasureEnabled**  Is the device listening to MICROSOFT_KEYWORD_MEASURES?
-- **SharedSystemMemoryB**  The amount of system memory shared by GPU and CPU (in bytes).
-- **SubSystemID**  The subsystem ID.
-- **SubVendorID**  The GPU sub vendor ID.
-- **TelemetryEnabled**  Is the device listening to MICROSOFT_KEYWORD_TELEMETRY?
-- **TelInvEvntTrigger**  What triggered this event to be logged?  Example: 0 (GPU enumeration) or 1 (DxgKrnlTelemetry provider toggling)
-- **version**  The event version.
-- **WDDMVersion**  The Windows Display Driver Model version.
-- **NumVidPnSources**  The number of supported display output sources.
-- **NumVidPnTargets**  The number of supported display output targets.
-
-
 ## Fault Reporting events
 
-### Microsoft.Windows.FaultReporting.AppCrashEvent
-
-"This event sends data about crashes for both native and managed applications, to help keep Windows up to date. The data includes information about the crashing process and a summary of its exception record. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the crash to the Watson service, and the WER event will contain the same ReportID (see field 14 of crash event, field 19 of WER event) as the crash event for the crash being reported. AppCrash is emitted once for each crash handled by WER (e.g. from an unhandled exception or FailFast or ReportException). Note that Generic Watson event types (e.g. from PLM) that may be considered crashes"" by a user DO NOT emit this event."
-
-The following fields are available:
-
-- **AppName**  The name of the app that has crashed.
-- **AppSessionGuid**  GUID made up of process ID and is used as a correlation vector for process instances in the diagnostic data backend.
-- **AppTimeStamp**  The date/time stamp of the app.
-- **AppVersion**  The version of the app that has crashed.
-- **ExceptionCode**  The exception code returned by the process that has crashed.
-- **ExceptionOffset**  The address where the exception had occurred.
-- **Flags**  "Flags indicating how reporting is done. For example, queue the report, do not offer JIT debugging, or do not terminate the process after reporting. "
-- **ModName**  Exception module name (e.g. bar.dll).
-- **ModTimeStamp**  The date/time stamp of the module.
-- **ModVersion**  The version of the module that has crashed.
-- **PackageFullName**  Store application identity.
-- **PackageRelativeAppId**  Store application identity.
-- **ProcessArchitecture**  Architecture of the crashing process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64.
-- **ProcessCreateTime**  The time of creation of the process that has crashed.
-- **ProcessId**  The ID of the process that has crashed.
-- **ReportId**  A GUID used to identify the report. This can used to track the report across Watson.
-- **TargetAppId**  The kernel reported AppId of the application being reported.
-- **TargetAppVer**  The specific version of the application being reported
-- **TargetAsId**  The sequence number for the hanging process.
-
-
 ## Feature update events
 
 ### Microsoft.Windows.Upgrade.Uninstall.UninstallFailed
@@ -1957,49 +2449,264 @@ The following fields are available:
 
 Indicates that the uninstall was properly configured and that a system reboot was initiated
 
-The following fields are available:
 
-- **name**  Name of the event
+
+### Microsoft.Windows.Upgrade.Uninstall.UninstallGoBackButtonClicked
+
+This event sends basic metadata about the starting point of uninstalling a feature update which helps us ensure customers can safely revert to a well-known state if the update caused any problems. 
+
 
 
 ## Hang Reporting events
 
-### Microsoft.Windows.HangReporting.AppHangEvent
+## Inventory events
 
-This event sends data about hangs for both native and managed applications, to help keep Windows up to date. It does not contain any Watson bucketing information. The bucketing information is recorded in a Windows Error Reporting (WER) event that is generated when the WER client reports the hang to the Watson service, and the WER event will contain the same ReportID (see field 13 of hang event, field 19 of WER event) as the hang event for the hang being reported. AppHang is reported only on PC devices. It handles classic Win32 hangs and is emitted only once per report. Some behaviors that may be perceived by a user as a hang are reported by app managers (e.g. PLM/RM/EM) as Watson Generics and will not produce AppHang events.
+### Microsoft.Windows.Inventory.Core.AmiTelCacheChecksum
+
+This event captures basic checksum data about the device inventory items stored in the cache for use in validating data completeness for Microsoft.Windows.Inventory.Core events. The fields in this event may change over time, but they will always represent a count of a given object. 
 
 The following fields are available:
 
-- **AppName**  The name of the app that has hung.
-- **AppSessionGuid**  GUID made up of process id used as a correlation vector for process instances in the diagnostic data backend.
-- **AppVersion**  The version of the app that has hung.
-- **PackageFullName**  Store application identity.
-- **PackageRelativeAppId**  Store application identity.
-- **ProcessArchitecture**  Architecture of the hung process, as one of the PROCESSOR_ARCHITECTURE_* constants: 0: PROCESSOR_ARCHITECTURE_INTEL. 5: PROCESSOR_ARCHITECTURE_ARM. 9: PROCESSOR_ARCHITECTURE_AMD64. 12: PROCESSOR_ARCHITECTURE_ARM64.
-- **ProcessCreateTime**  The time of creation of the process that has hung.
-- **ProcessId**  The ID of the process that has hung.
-- **ReportId**  A GUID used to identify the report. This can used to track the report across Watson.
-- **TargetAppId**  The kernel reported AppId of the application being reported.
-- **TargetAppVer**  The specific version of the application being reported.
-- **TargetAsId**  The sequence number for the hanging process.
-- **TypeCode**  Bitmap describing the hang type.
-- **WaitingOnAppName**  If this is a cross process hang waiting for an application, this has the name of the application.
-- **WaitingOnAppVersion**  If this is a cross process hang, this has the version of the application for which it is waiting.
-- **WaitingOnPackageFullName**  If this is a cross process hang waiting for a package, this has the full name of the package for which it is waiting.
-- **WaitingOnPackageRelativeAppId**  If this is a cross process hang waiting for a package, this has the relative application id of the package.
+- **DriverPackageExtended**  A count of driverpackageextended objects in cache
+- **FileSigningInfo**  A count of file signing objects in cache
+- **InventoryApplication**  A count of application objects in cache
+- **InventoryApplicationFile**  A count of application file objects in cache
+- **InventoryDeviceContainer**  A count of device container objects in cache
+- **InventoryDeviceInterface**  A count of PNP device interface objects in cache
+- **InventoryDeviceMediaClass**  A count of device media objects in cache
+- **InventoryDevicePnp**  A count of devicepnp objects in cache
+- **InventoryDeviceUsbHubClass**  A count of device usb objects in cache
+- **InventoryDriverBinary**  A count of driver binary objects in cache
+- **InventoryDriverPackage**  A count of device objects in cache
 
 
-## Inventory events
+### Microsoft.Windows.Inventory.Core.AmiTelCacheVersions
 
-### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassStartSync
+This event sends inventory component versions for the Device Inventory data.
 
-This event indicates that a new set of InventoryDeviceUsbHubClassAdd events will be sent
+The following fields are available:
+
+- **aeinv**  The version of the App inventory component.
+- **devinv**  The file version of the Device inventory component.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryApplicationAdd
+
+This event sends basic metadata about an application on the system to help keep Windows up to date.
+
+The following fields are available:
+
+- **HiddenArp**  Indicates whether a program hides itself from showing up in ARP.
+- **InstallDate**  The date the application was installed (a best guess based on folder creation date heuristics).
+- **InstallDateArpLastModified**  The date of the registry ARP key for a given application. Hints at install date but not always accurate. Passed as an array. Example: 4/11/2015  00:00:00
+- **InstallDateFromLinkFile**  The estimated date of install based on the links to the files.  Passed as an array.
+- **InstallDateMsi**  The install date if the application was installed via MSI. Passed as an array.
+- **InventoryVersion**  The version of the inventory file generating the events.
+- **Language**  The language code of the program.
+- **MsiPackageCode**  A GUID that describes the MSI Package. Multiple 'Products' (apps) can make up an MsiPackage.
+- **MsiProductCode**  A GUID that describe the MSI Product.
+- **Name**  The name of the application
+- **OSVersionAtInstallTime**  The four octets from the OS version at the time of the application's install.
+- **PackageFullName**  The package full name for a Store application.
+- **ProgramInstanceId**  A hash of the file IDs in an app.
+- **Publisher**  The Publisher of the application. Location pulled from depends on the 'Source' field.
+- **RootDirPath**  The path to the root directory where the program was installed.
+- **Source**  How the program was installed (ARP, MSI, Appx, etc...)
+- **StoreAppType**  A sub-classification for the type of Microsoft Store app, such as UWP or Win8StoreApp.
+- **Type**  One of ("Application", "Hotfix", "BOE", "Service", "Unknown"). Application indicates Win32 or Appx app, Hotfix indicates app updates (KBs), BOE indicates it's an app with no ARP or MSI entry, Service indicates that it is a service. Application and BOE are the ones most likely seen.
+- **Version**  The version number of the program.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkAdd
+
+This event provides the basic metadata about the frameworks an application may depend on
+
+The following fields are available:
+
+- **FileId**  A hash that uniquely identifies a file
+- **Frameworks**  The list of frameworks this file depends on
+- **InventoryVersion**  The version of the inventory file generating the events
+
+
+### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkStartSync
+
+This event indicates that a new set of InventoryApplicationFrameworkAdd events will be sent
 
 The following fields are available:
 
 - **InventoryVersion**  The version of the inventory file generating the events
 
 
+### Microsoft.Windows.Inventory.Core.InventoryApplicationRemove
+
+This event indicates that a new set of InventoryDevicePnpAdd events will be sent.
+
+The following fields are available:
+
+- **InventoryVersion**  The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryApplicationStartSync
+
+This event indicates that a new set of InventoryApplicationAdd events will be sent.
+
+The following fields are available:
+
+- **InventoryVersion**  The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerAdd
+
+This event sends basic metadata about a device container (such as a monitor or printer as opposed to a PNP device) to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **Categories**  A comma separated list of functional categories in which the container belongs.
+- **DiscoveryMethod**  The discovery method for the device container.
+- **FriendlyName**  The name of the device container.
+- **InventoryVersion**  The version of the inventory file generating the events.
+- **IsActive**  Is the device connected, or has it been seen in the last 14 days?
+- **IsConnected**  For a physically attached device, this value is the same as IsPresent. For wireless a device, this value represents a communication link.
+- **IsMachineContainer**  Is the container the root device itself?
+- **IsNetworked**  Is this a networked device?
+- **IsPaired**  Does the device container require pairing?
+- **Manufacturer**  The manufacturer name for the device container.
+- **ModelId**  A model GUID.
+- **ModelName**  The model name.
+- **ModelNumber**  The model number for the device container.
+- **PrimaryCategory**  The primary category for the device container.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerRemove
+
+This event indicates that the InventoryDeviceContainer object is no longer present.
+
+The following fields are available:
+
+- **InventoryVersion**  The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerStartSync
+
+This event indicates that a new set of InventoryDeviceContainerAdd events will be sent.
+
+The following fields are available:
+
+- **InventoryVersion**  The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceAdd
+
+This event retrieves information about what sensor interfaces are available on the device.
+
+The following fields are available:
+
+- **Accelerometer3D**  Indicates if an Accelerator3D sensor is found.
+- **ActivityDetection**  Indicates if an Activity Detection sensor is found.
+- **AmbientLight**  Indicates if an Ambient Light sensor is found.
+- **Barometer**  Indicates if a Barometer sensor is found.
+- **Custom**  Indicates if a Custom sensor is found.
+- **EnergyMeter**  Indicates if an Energy sensor is found.
+- **FloorElevation**  Indicates if a Floor Elevation sensor is found.
+- **GeomagneticOrientation**  Indicates if a Geo Magnetic Orientation sensor is found.
+- **GravityVector**  Indicates if a Gravity Detector sensor is found.
+- **Gyrometer3D**  Indicates if a Gyrometer3D sensor is found.
+- **Humidity**  Indicates if a Humidity sensor is found.
+- **InventoryVersion**  The version of the inventory file generating the events.
+- **LinearAccelerometer**  Indicates if a Linear Accelerometer sensor is found.
+- **Magnetometer3D**  Indicates if a Magnetometer3D sensor is found.
+- **Orientation**  Indicates if an Orientation sensor is found.
+- **Pedometer**  Indicates if a Pedometer sensor is found.
+- **Proximity**  Indicates if a Proximity sensor is found.
+- **RelativeOrientation**  Indicates if a Relative Orientation sensor is found.
+- **SimpleDeviceOrientation**  Indicates if a Simple Device Orientation sensor is found.
+- **Temperature**  Indicates if a Temperature sensor is found.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceStartSync
+
+This event indicates that a new set of InventoryDeviceInterfaceAdd events will be sent.
+
+The following fields are available:
+
+- **InventoryVersion**  The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassAdd
+
+This event sends additional metadata about a PNP device that is specific to a particular class of devices to help keep Windows up to date while reducing overall size of data payload.
+
+The following fields are available:
+
+- **Audio_CaptureDriver**  The Audio device capture driver endpoint.
+- **Audio_RenderDriver**  The Audio device render driver endpoint.
+- **InventoryVersion**  The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassStartSync
+
+This event indicates that a new set of InventoryDeviceMediaClassSAdd events will be sent.
+
+The following fields are available:
+
+- **InventoryVersion**  The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDevicePnpAdd
+
+This event represents the basic metadata about a PNP device and its associated driver
+
+The following fields are available:
+
+- **BusReportedDescription**  System-supplied GUID that uniquely groups the functional devices associated with a single-function or multifunction device installed in the computer.
+- **Class**  A unique identifier for the driver installed.
+- **ClassGuid**  Name of the .sys image file (or wudfrd.sys if using user mode driver framework).
+- **COMPID**  INF file name (the name could be renamed by OS, such as oemXX.inf)
+- **ContainerId**  The version of the inventory binary generating the events.
+- **Description**  The current error code for the device.
+- **DeviceState**  The device description.
+- **DriverId**  DeviceState is a bitmask of the following: DEVICE_IS_CONNECTED 0x0001 (currently only for container). DEVICE_IS_NETWORK_DEVICE 0x0002 (currently only for container). DEVICE_IS_PAIRED 0x0004 (currently only for container). DEVICE_IS_ACTIVE 0x0008 (currently never set). DEVICE_IS_MACHINE 0x0010 (currently only for container). DEVICE_IS_PRESENT 0x0020 (currently always set). DEVICE_IS_HIDDEN 0x0040. DEVICE_IS_PRINTER 0x0080 (currently only for container). DEVICE_IS_WIRELESS 0x0100. DEVICE_IS_WIRELESS_FAT 0x0200. The most common values are therefore: 32 (0x20)= device is present. 96 (0x60)= device is present but hidden. 288 (0x120)= device is a wireless device that is present
+- **DriverName**  A unique identifier for the driver installed.
+- **DriverPackageStrongName**  The immediate parent directory name in the Directory field of InventoryDriverPackage
+- **DriverVerDate**  Name of the .sys image file (or wudfrd.sys if using user mode driver framework).
+- **DriverVerVersion**  The immediate parent directory name in the Directory field of InventoryDriverPackage.
+- **Enumerator**  The date of the driver loaded for the device.
+- **HWID**  The version of the driver loaded for the device. 
+- **Inf**  The bus that enumerated the device.
+- **InstallState**  The device installation state.  One of these values: https://msdn.microsoft.com/en-us/library/windows/hardware/ff543130.aspx
+- **InventoryVersion**  List of hardware ids for the device.
+- **LowerClassFilters**  Lower filter class drivers IDs installed for the device
+- **LowerFilters**  Lower filter drivers IDs installed for the device
+- **Manufacturer**  INF file name (the name could be renamed by OS, such as oemXX.inf)
+- **MatchingID**  Device installation state.
+- **Model**  The version of the inventory binary generating the events.
+- **ParentId**  Lower filter class drivers IDs installed for the device.
+- **ProblemCode**  Lower filter drivers IDs installed for the device.
+- **Provider**  The device manufacturer.
+- **Service**  The device service name
+- **STACKID**  Represents the hardware ID or compatible ID that Windows uses to install a device instance.
+- **UpperClassFilters**  Upper filter drivers IDs installed for the device
+- **UpperFilters**  The device model.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDevicePnpRemove
+
+This event indicates that the InventoryDevicePnpRemove object is no longer present.
+
+The following fields are available:
+
+- **InventoryVersion**  The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDevicePnpStartSync
+
+This event indicates that a new set of InventoryDevicePnpAdd events will be sent.
+
+The following fields are available:
+
+- **InventoryVersion**  The version of the inventory file generating the events.
+
+
 ### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassAdd
 
 This event sends basic metadata about the USB hubs on the device
@@ -2011,85 +2718,237 @@ The following fields are available:
 - **TotalUserConnectableTypeCPorts**  Total number of connectable USB Type C ports
 
 
-### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsAdd
+### Microsoft.Windows.Inventory.Core.InventoryDeviceUsbHubClassStartSync
 
-This event provides data on Microsoft Office VBA rule violations, including a rollup count per violation type, giving an indication of remediation requirements for an organization. The event identifier is a unique GUID, associated with the validation rule
+This event indicates that a new set of InventoryDeviceUsbHubClassAdd events will be sent
 
 The following fields are available:
 
-- **Count**  Count of total Microsoft Office VBA rule violations
+- **InventoryVersion**  The version of the inventory file generating the events
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryAdd
+
+This event provides the basic metadata about driver binaries running on the system
+
+The following fields are available:
+
+- **DriverCheckSum**  The checksum of the driver file.
+- **DriverCompany**  The company name that developed the driver.
+- **DriverInBox**  Is the driver included with the operating system?
+- **DriverIsKernelMode**  Is it a kernel mode driver?
+- **DriverName**  The file name of the driver.
+- **DriverPackageStrongName**  The strong name of the driver package
+- **DriverSigned**  The strong name of the driver package
+- **DriverTimeStamp**  The low 32 bits of the time stamp of the driver file.
+- **DriverType**  A bitfield of driver attributes: 1. define DRIVER_MAP_DRIVER_TYPE_PRINTER 0x0001. 2. define DRIVER_MAP_DRIVER_TYPE_KERNEL 0x0002. 3. define DRIVER_MAP_DRIVER_TYPE_USER 0x0004. 4. define DRIVER_MAP_DRIVER_IS_SIGNED 0x0008. 5. define DRIVER_MAP_DRIVER_IS_INBOX 0x0010. 6. define DRIVER_MAP_DRIVER_IS_WINQUAL 0x0040. 7. define DRIVER_MAP_DRIVER_IS_SELF_SIGNED 0x0020. 8. define DRIVER_MAP_DRIVER_IS_CI_SIGNED 0x0080. 9. define DRIVER_MAP_DRIVER_HAS_BOOT_SERVICE 0x0100. 10. define DRIVER_MAP_DRIVER_TYPE_I386 0x10000. 11. define DRIVER_MAP_DRIVER_TYPE_IA64 0x20000. 12. define DRIVER_MAP_DRIVER_TYPE_AMD64 0x40000. 13. define DRIVER_MAP_DRIVER_TYPE_ARM 0x100000. 14. define DRIVER_MAP_DRIVER_TYPE_THUMB 0x200000. 15. define DRIVER_MAP_DRIVER_TYPE_ARMNT 0x400000. 16. define DRIVER_MAP_DRIVER_IS_TIME_STAMPED 0x800000.
+- **DriverVersion**  The version of the driver file.
+- **ImageSize**  The size of the driver file.
+- **Inf**  The name of the INF file.
+- **InventoryVersion**  The version of the inventory file generating the events.
+- **Product**  The product name that is included in the driver file.
+- **ProductVersion**  The product version that is included in the driver file.
+- **Service**  The device service name
+- **WdfVersion**  The Windows Driver Framework version.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryRemove
+
+This event indicates that the InventoryDriverBinary object is no longer present.
+
+The following fields are available:
+
+- **InventoryVersion**  The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryStartSync
+
+This event indicates that a new set of InventoryDriverBinaryAdd events will be sent.
+
+The following fields are available:
+
+- **InventoryVersion**  The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDriverPackageAdd
+
+This event sends basic metadata about drive packages installed on the system  to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **Class**  The class name for the device driver.
+- **ClassGuid**  The class GUID for the device driver.
+- **Date**  The driver package date.
+- **Directory**  The path to the driver package.
+- **DriverInBox**  Is the driver included with the operating system?
+- **Inf**  The INF name of the driver package.
+- **InventoryVersion**  The version of the inventory file generating the events.
+- **Provider**  The provider for the driver package.
+- **SubmissionId**  The HLK submission ID for the driver package.
+- **Version**  The version of the driver package.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDriverPackageRemove
+
+This event indicates that the InventoryDriverPackageRemove object is no longer present.
+
+The following fields are available:
+
+- **InventoryVersion**  The version of the inventory file generating the events.
+
+
+### Microsoft.Windows.Inventory.Core.InventoryDriverPackageStartSync
+
+This event indicates that a new set of InventoryDriverPackageAdd events will be sent.
+
+The following fields are available:
+
+- **InventoryVersion**  The version of the inventory file generating the events.
+
 
 ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInAdd
 
-This event provides data on the installed Office Add-ins.
+Provides data on the installed Office Add-ins
+
+The following fields are available:
+
+- **AddInCLSID**  CLSID key for the office addin
+- **AddInId**  Office addin ID
+- **BinFileTimestamp**  Timestamp of the Office addin
+- **BinFileVersion**  Version of the Office addin
+- **Description**  Office addin description
+- **FileId**  FileId of the Office addin
+- **FriendlyName**  Friendly name for office addin
+- **FullPath**  Unexpanded path to the office addin
+- **LoadBehavior**  Uint32 that describes the load behavior
+- **LoadTime**  Load time for the office addin
+- **OfficeApplication**  The office application for this addin
+- **OfficeArchitecture**  Architecture of the addin
+- **OfficeVersion**  The office version for this addin
+- **OutlookCrashingAddin**  Boolean that indicates if crashes have been found for this addin
+- **Provider**  Name of the provider for this addin
 
-- **AddInCLSID** The CLSID key office for the Office addin.
-- **AddInId** The identifier of the Office addin.
-- **AddinType** The type of the Office addin.
-- **BinFileTimestamp** The timestamp of the Office addin.
-- **BinFileVersion** The version of the Office addin.
-- **Description** The description of the Office addin.
-- **FileId** The file ID of the Office addin.
-- **FriendlyName** The friendly name of the Office addin.
-- **FullPath** The full path to the Office addin.
-- **LoadBehavior** A Uint32 that describes the load behavior.
-- **LoadTime** The load time for the Office addin.
-- **OfficeApplication** The OIffice application for this addin.
-- **OfficeArchitecture** The architecture of the addin.
-- **OfficeVersion** The Office version for this addin.
-- **OutlookCrashingAddin** A boolean value that indicates if crashes have been found for this addin.
-- **ProductCompany** The name of the company associated with the Office addin.
-- **ProductName** The product name associated with the Office addin.
-- **ProductVersion** The version associated with the Office addin.
-- **ProgramId** The unique program identifier of the Office addin.
-- **Provider** The provider name for this addin.
 
 ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInRemove
 
-This event indicates that the particular data object represented by the objectInstanceId is no longer present.
+Indicates that this particular data object represented by the objectInstanceId is no longer present.
+
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInStartSync
+
+This event indicates that a new sync is being generated for this object type.
+
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsAdd
+
+This event includes the Office-related Internet Explorer features
+
+The following fields are available:
+
+- **OIeFeatureAddon**  Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_ADDON_MANAGEMENT feature lets applications hosting the WebBrowser Control to respect add-on management selections made using the Add-on Manager feature of Internet Explorer. Add-ons disabled by the user or by administrative group policy will also be disabled in applications that enable this feature.
+- **OIeMachineLockdown**  Flag indicating which Microsoft Office products have this setting enabled. When the FEATURE_LOCALMACHINE_LOCKDOWN feature is enabled, Internet Explorer applies security restrictions on content loaded from the user's local machine, which helps prevent malicious behavior involving local files.
+- **OIeMimeHandling**  Flag indicating which Microsoft Office products have this setting enabled. When the FEATURE_MIME_HANDLING feature control is enabled, Internet Explorer handles MIME types more securely. Only applies to Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2)
+- **OIeMimeSniffing**  Flag indicating which Microsoft Office products have this setting enabled. Determines a file's type by examining its bit signature. Windows Internet Explorer uses this information to determine how to render the file. The FEATURE_MIME_SNIFFING feature, when enabled, allows to be set differently for each security zone by using the URLACTION_FEATURE_MIME_SNIFFING URL action flag
+- **OIeNoAxInstall**  Flag indicating which Microsoft Office products have this setting enabled. When a webpage attempts to load or install an ActiveX control that isn't already installed, the FEATURE_RESTRICT_ACTIVEXINSTALL feature blocks the request. When a webpage tries to load or install an ActiveX control that isn't already installed, the FEATURE_RESTRICT_ACTIVEXINSTALL feature blocks the request
+- **OIeNoDownload**  Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_RESTRICT_FILEDOWNLOAD feature blocks file download requests that navigate to a resource, that display a file download dialog box, or that are not initiated explicitly by a user action (for example, a mouse click or key press). Only applies to Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2)
+- **OIeObjectCaching**  Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_OBJECT_CACHING feature prevents webpages from accessing or instantiating ActiveX controls cached from different domains or security contexts
+- **OIePasswordDisable**  Flag indicating which Microsoft Office products have this setting enabled. After Windows Internet Explorer 6 for Windows XP Service Pack 2 (SP2), Internet Explorer no longer allows usernames and passwords to be specified in URLs that use the HTTP or HTTP protocols. URLs using other protocols, such as FTP, still allow usernames and passwords
+- **OIeSafeBind**  Flag indicating which Microsoft Office products have this setting enabled.  The FEATURE_SAFE_BINDTOOBJECT feature performs additional safety checks when calling MonikerBindToObject to create and initialize Microsoft ActiveX controls. Specifically, prevent the control from being created if COMPAT_EVIL_DONT_LOAD is in the registry for the control
+- **OIeSecurityBand**  Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_SECURITYBAND feature controls the display of the Internet Explorer Information bar. When enabled, the Information bar appears when file download or code installation is restricted
+- **OIeUncSaveCheck**  Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_UNC_SAVEDFILECHECK feature enables the Mark of the Web (MOTW) for local files loaded from network locations that have been shared by using the Universal Naming Convention (UNC)
+- **OIeValidateUrl**  Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_VALIDATE_NAVIGATE_URL feature control prevents Windows Internet Explorer from navigating to a badly formed URL
+- **OIeWebOcPopup**  Flag indicating which Microsoft Office products have this setting enabled. The FEATURE_WEBOC_POPUPMANAGEMENT feature allows applications hosting the WebBrowser Control to receive the default Internet Explorer pop-up window management behavior
+- **OIeWinRestrict**  Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_WINDOW_RESTRICTIONS feature adds several restrictions to the size and behavior of popup windows
+- **OIeZoneElevate**  Flag indicating which Microsoft Office products have this setting enabled. When enabled, the FEATURE_ZONE_ELEVATION feature prevents pages in one zone from navigating to pages in a higher security zone unless the navigation is generated by the user
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsStartSync
+
+Diagnostic event to indicate a new sync is being generated for this object type.
+
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersAdd
+
+This event provides data on the Office identifiers
+
+The following fields are available:
+
+- **OAudienceData**  Sub-identifier for Microsoft Office release management, identifying the pilot group for a device  
+- **OAudienceId**  Microsoft Office identifier for Microsoft Office release management, identifying the pilot group for a device
+- **OMID**  Identifier for the Office SQM Machine
+- **OPlatform**  Whether the installed Microsoft Office product is 32-bit or 64-bit
+- **OTenantId**  Unique GUID representing the Microsoft O365 Tenant 
+- **OVersion**  Installed version of Microsoft Office. For example, 16.0.8602.1000
+- **OWowMID**  Legacy Microsoft Office telemetry identifier (SQM Machine ID) for WoW systems (32-bit Microsoft Office on 64-bit Windows)
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersStartSync
+
+Diagnostic event to indicate a new sync is being generated for this object type.
 
-There are no fields in this event.
 
 
 ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsAdd
 
-This event provides insight data on the installed Office products.
+This event provides insight data on the installed Office products
 
 The following fields are available:
 
-- **OfficeApplication** The name of the Office application.
-- **OfficeArchitecture** The bitness of the Office application.
-- **OfficeVersion** The version of the Office application.
-- **Value** The insights collected about this entity.
+- **OfficeApplication**  The name of the Office application.
+- **OfficeArchitecture**  The bitness of the Office application.
+- **OfficeVersion**  The version of the Office application.
+- **Value**  The insights collected about this entity. 
+
 
 ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsRemove
 
-This event indicates that the particular data object represented by the objectInstanceId is no longer present.
+Indicates that this particular data object represented by the objectInstanceId is no longer present.
+
 
-There are no fields in this event.
 
 ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeInsightsStartSync
 
 This diagnostic event indicates that a new sync is being generated for this object type.
 
-There are no fields in this event.
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsAdd
+
+This event list all installed Office products
+
+The following fields are available:
+
+- **OC2rApps**  A GUID the describes the Office Click-To-Run apps
+- **OC2rSkus**  Comma-delimited list (CSV) of Office Click-To-Run products installed on the device. For example, Office 2016 ProPlus 
+- **OMsiApps**  Comma-delimited list (CSV) of Office MSI products installed on the device. For example, Microsoft Word 
+- **OProductCodes**  A GUID that describes the Office MSI products
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsStartSync
+
+Diagnostic event to indicate a new sync is being generated for this object type.
+
 
 
 ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsAdd
 
-This event describes various Office settings.
+This event describes various Office settings
 
 The following fields are available:
 
-- **BrowserFlags** Browser flags for Office-related products.
-- **ExchangeProviderFlags** Provider policies for Office Exchange.
-- **SharedComputerLicensing** Office shared computer licensing policies.
+- **BrowserFlags**  Browser flags for Office-related products
+- **ExchangeProviderFlags**  Provider policies for Office Exchange
+- **SharedComputerLicensing**  Office shared computer licensing policies
+
 
 ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeSettingsStartSync
 
-Diagnostic event to indicate a new sync is being generated for this object type. 
+Diagnostic event to indicate a new sync is being generated for this object type.
+
 
-There are no fields in this event.
 
 ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAAdd
 
@@ -2122,45 +2981,60 @@ The following fields are available:
 
 ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARemove
 
-This event indicates that the particular data object represented by the objectInstanceId is no longer present.
+Indicates that this particular data object represented by the objectInstanceId is no longer present.
+
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsAdd
+
+This event provides data on Microsoft Office VBA rule violations, including a rollup count per violation type, giving an indication of remediation requirements for an organization. The event identifier is a unique GUID, associated with the validation rule
+
+The following fields are available:
+
+- **Count**  Count of total Microsoft Office VBA rule violations
 
-There are no fields in this event.
 
 ### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsRemove
 
-This event indicates that the particular data object represented by the objectInstanceId is no longer present.
+Indicates that this particular data object represented by the objectInstanceId is no longer present.
 
-There are no fields in this event.
 
-### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkStartSync
 
-This event indicates that a new set of InventoryApplicationFrameworkAdd events will be sent
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsStartSync
+
+This event indicates that a new sync is being generated for this object type.
+
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAStartSync
+
+Diagnostic event to indicate a new sync is being generated for this object type.
+
+
+
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoAdd
+
+Provides data on Unified Update Platform (UUP) products and what version they are at.
 
 The following fields are available:
 
-- **InventoryVersion**  The version of the inventory file generating the events
+- **Identifier**  UUP identifier
+- **LastActivatedVersion**  Last activated version
+- **PreviousVersion**  Previous version
+- **Source**  UUP source
+- **Version**  UUP version
 
 
-### Microsoft.Windows.Inventory.Core.InventoryApplicationFrameworkAdd
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoRemove
 
-This event provides the basic metadata about the frameworks an application may depend on
-
-The following fields are available:
-
-- **FileId**  A hash that uniquely identifies a file
-- **Frameworks**  The list of frameworks this file depends on
-- **InventoryVersion**  The version of the inventory file generating the events
-- **ProgramId**  A hash of the Name, Version, Publisher, and Language of an application used to identify it
+Indicates that this particular data object represented by the objectInstanceId is no longer present.
 
 
-### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorAdd
 
-These events represent the basic metadata about the OS indicators installed on the system which are used for keeping the device up-to-date.
+### Microsoft.Windows.Inventory.General.InventoryMiscellaneousUUPInfoStartSync
 
-The following fields are available:
+Diagnostic event to indicate a new sync is being generated for this object type.
 
-- **IndicatorValue**  The indicator value
-- **Value**  Describes an operating system indicator that may be relevant for the device upgrade.
 
 
 ### Microsoft.Windows.Inventory.Indicators.Checksum
@@ -2173,1566 +3047,25 @@ The following fields are available:
 - **PCFP**  Equivalent to the InventoryId field that is found in other core events.
 
 
-### Microsoft.Windows.Inventory.Core.InventoryApplicationAdd
+### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorAdd
 
-This event sends basic metadata about an application on the system to help keep Windows up to date.
+These events represent the basic metadata about the OS indicators installed on the system which are used for keeping the device up-to-date.
 
 The following fields are available:
 
-- **HiddenArp**  Indicates whether a program hides itself from showing up in ARP.
-- **InstallDate**  The date the application was installed (a best guess based on folder creation date heuristics).
-- **InstallDateArpLastModified**  The date of the registry ARP key for a given application. Hints at install date but not always accurate. Passed as an array. Example: 4/11/2015  00:00:00
-- **InstallDateFromLinkFile**  The estimated date of install based on the links to the files.  Passed as an array.
-- **InstallDateMsi**  The install date if the application was installed via MSI. Passed as an array.
-- **InventoryVersion**  The version of the inventory file generating the events.
-- **Language**  The language code of the program.
-- **MsiPackageCode**  A GUID that describes the MSI Package. Multiple 'Products' (apps) can make up an MsiPackage.
-- **MsiProductCode**  A GUID that describe the MSI Product.
-- **Name**  The name of the application
-- **OSVersionAtInstallTime**  The four octets from the OS version at the time of the application's install.
-- **PackageFullName**  The package full name for a Store application.
-- **ProgramInstanceId**  A hash of the file IDs in an app.
-- **Publisher**  The Publisher of the application. Location pulled from depends on the 'Source' field.
-- **RootDirPath**  The path to the root directory where the program was installed.
-- **Source**  How the program was installed (ARP, MSI, Appx, etc...)
-- **StoreAppType**  A sub-classification for the type of Microsoft Store app, such as UWP or Win8StoreApp.
-- **Type**  "One of (""Application"", ""Hotfix"", ""BOE"", ""Service"", ""Unknown""). Application indicates Win32 or Appx app, Hotfix indicates app updates (KBs), BOE indicates it's an app with no ARP or MSI entry, Service indicates that it is a service. Application and BOE are the ones most likely seen."
-- **Version**  The version number of the program.
+- **IndicatorValue**  The indicator value
 
 
-### Microsoft.Windows.Inventory.Core.InventoryApplicationRemove
-
-This event indicates that a new set of InventoryDevicePnpAdd events will be sent.
-
-The following fields are available:
-
-- **InventoryVersion**  The version of the inventory file generating the events.
-
-
-### Microsoft.Windows.Inventory.Core.InventoryApplicationStartSync
-
-This event indicates that a new set of InventoryApplicationAdd events will be sent.
-
-The following fields are available:
-
-- **InventoryVersion**  The version of the inventory file generating the events.
-
-
-### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerRemove
-
-This event indicates that the InventoryDeviceContainer object is no longer present.
-
-The following fields are available:
-
-- **InventoryVersion**  The version of the inventory file generating the events.
-
-
-### Microsoft.Windows.Inventory.Core.InventoryDriverPackageAdd
-
-This event sends basic metadata about drive packages installed on the system  to help keep Windows up-to-date.
-
-The following fields are available:
-
-- **Class**  The class name for the device driver.
-- **ClassGuid**  The class GUID for the device driver.
-- **Date**  The driver package date.
-- **Directory**  The path to the driver package.
-- **DriverInBox** Is the driver included with the operating system?
-- **Inf**  The INF name of the driver package.
-- **InventoryVersion**  The version of the inventory file generating the events.
-- **Provider**  The provider for the driver package.
-- **SubmissionId**  The HLK submission ID for the driver package.
-- **Version**  The version of the driver package.
-
-
-### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryStartSync
-
-This event indicates that a new set of InventoryDriverBinaryAdd events will be sent.
-
-The following fields are available:
-
-- **InventoryVersion**  The version of the inventory file generating the events.
-
-
-### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryRemove
-
-This event indicates that the InventoryDriverBinary object is no longer present.
-
-The following fields are available:
-
-- **InventoryVersion**  The version of the inventory file generating the events.
-
-
-### Microsoft.Windows.Inventory.Core.InventoryDriverPackageRemove
-
-This event indicates that the InventoryDriverPackageRemove object is no longer present.
-
-The following fields are available:
-
-- **InventoryVersion**  The version of the inventory file generating the events.
-
-
-### Microsoft.Windows.Inventory.Core.InventoryDevicePnpRemove
-
-This event indicates that the InventoryDevicePnpRemove object is no longer present.
-
-The following fields are available:
-
-- **InventoryVersion**  The version of the inventory file generating the events.
-
-
-### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerAdd
-
-This event sends basic metadata about a device container (such as a monitor or printer as opposed to a PNP device) to help keep Windows up-to-date.
-
-The following fields are available:
-
-- **Categories**  A comma separated list of functional categories in which the container belongs.
-- **DiscoveryMethod**  The discovery method for the device container.
-- **FriendlyName**  The name of the device container.
-- **InventoryVersion**  The version of the inventory file generating the events.
-- **IsActive**  Is the device connected, or has it been seen in the last 14 days?
-- **IsConnected**  For a physically attached device, this value is the same as IsPresent. For wireless a device, this value represents a communication link.
-- **IsMachineContainer**  Is the container the root device itself?
-- **IsNetworked**  Is this a networked device?
-- **IsPaired**  Does the device container require pairing?
-- **Manufacturer**  The manufacturer name for the device container.
-- **ModelId**  A model GUID.
-- **ModelName**  The model name.
-- **ModelNumber**  The model number for the device container.
-- **PrimaryCategory**  The primary category for the device container.
-
-
-### Microsoft.Windows.Inventory.Core.InventoryDeviceContainerStartSync
-
-This event indicates that a new set of InventoryDeviceContainerAdd events will be sent.
-
-The following fields are available:
-
-- **InventoryVersion**  The version of the inventory file generating the events.
-
-
-### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassStartSync
-
-This event indicates that a new set of InventoryDeviceMediaClassSAdd events will be sent.
-
-The following fields are available:
-
-- **InventoryVersion**  The version of the inventory file generating the events.
-
-
-### Microsoft.Windows.Inventory.Core.InventoryDriverPackageStartSync
-
-This event indicates that a new set of InventoryDriverPackageAdd events will be sent.
-
-The following fields are available:
-
-- **InventoryVersion**  The version of the inventory file generating the events.
-
-
-### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassRemove
-
-This event indicates that the InventoryDeviceMediaClassRemove object is no longer present.
-
-The following fields are available:
-
-- **InventoryVersion**  The version of the inventory file generating the events.
-
-
-### Microsoft.Windows.Inventory.Core.InventoryDevicePnpStartSync
-
-This event indicates that a new set of InventoryDevicePnpAdd events will be sent.
-
-The following fields are available:
-
-- **InventoryVersion**  The version of the inventory file generating the events.
-
-
-### Microsoft.Windows.Inventory.Core.InventoryDeviceMediaClassAdd
-
-This event sends additional metadata about a PNP device that is specific to a particular class of devices to help keep Windows up to date while reducing overall size of data payload.
-
-The following fields are available:
-
-- **Audio_CaptureDriver**  The Audio device capture driver endpoint.
-- **Audio_RenderDriver**  The Audio device render driver endpoint.
-- **InventoryVersion**  The version of the inventory file generating the events.
-
-
-### Microsoft.Windows.Inventory.Core.InventoryDevicePnpAdd
-
-This event represents the basic metadata about a PNP device and its associated driver
-
-The following fields are available:
-
-- **class**  The device setup class of the driver loaded for the device
-- **classGuid**  The device class GUID from the driver package
-- **COMPID**  A JSON array the provides the value and order of the compatible ID tree for the device.
-- **ContainerId**  A system-supplied GUID that uniquely groups the functional devices associated with a single-function or multifunction device installed in the device.
-- **description**  The device description
-- **deviceState**  DeviceState is a bitmask of the following: DEVICE_IS_CONNECTED 0x0001 (currently only for container). DEVICE_IS_NETWORK_DEVICE 0x0002 (currently only for container). DEVICE_IS_PAIRED 0x0004 (currently only for container). DEVICE_IS_ACTIVE 0x0008 (currently never set). DEVICE_IS_MACHINE 0x0010 (currently only for container). DEVICE_IS_PRESENT 0x0020 (currently always set). DEVICE_IS_HIDDEN 0x0040. DEVICE_IS_PRINTER 0x0080 (currently only for container). DEVICE_IS_WIRELESS 0x0100. DEVICE_IS_WIRELESS_FAT 0x0200. The most common values are therefore: 32 (0x20)= device is present. 96 (0x60)= device is present but hidden. 288 (0x120)= device is a wireless device that is present
-- **DriverId**  A unique identifier for the installed device.
-- **DriverName**  The name of the driver image file.
-- **driverPackageStrongName**  The immediate parent directory name in the Directory field of InventoryDriverPackage.
-- **driverVerDate**  The date of the driver loaded for the device
-- **driverVerVersion**  The version of the driver loaded for the device
-- **enumerator**  The bus that enumerated the device
-- **HWID**  A JSON array that provides the value and order of the HWID tree for the device.
-- **Inf**  The INF file name.
-- **installState**  The device installation state.  One of these values: https://msdn.microsoft.com/library/windows/hardware/ff543130.aspx
-- **InventoryVersion**  The version of the inventory file generating the events.
-- **lowerClassFilters**  Lower filter class drivers IDs installed for the device.
-- **lowerFilters**  Lower filter drivers IDs installed for the device
-- **manufacturer**  The device manufacturer
-- **matchingID**  Represents the hardware ID or compatible ID that Windows uses to install a device instance
-- **model**  The device model
-- **parentId**  Device instance id of the parent of the device
-- **ProblemCode**  The current error code for the device.
-- **provider**  The device provider
-- **service**  The device service name#N##N##N##N##N#
-- **STACKID**  A JSON array that provides the value and order of the STACKID tree for the device.
-- **upperClassFilters**  Upper filter class drivers IDs installed for the device
-- **upperFilters**  Upper filter drivers IDs installed for the device
-
-
-### Microsoft.Windows.Inventory.Core.InventoryDriverBinaryAdd
-
-This event provides the basic metadata about driver binaries running on the system
-
-The following fields are available:
-
-- **DriverCheckSum**  The checksum of the driver file.
-- **DriverCompany**  The company name that developed the driver.
-- **driverInBox**  Is the driver included with the operating system?
-- **driverIsKernelMode**  Is it a kernel mode driver?
-- **DriverName**  The file name of the driver.
-- **driverPackageStrongName**  The strong name of the driver package
-- **driverSigned**  The strong name of the driver package
-- **DriverTimeStamp**  The low 32 bits of the time stamp of the driver file.
-- **DriverType**  A bitfield of driver attributes: 1. define DRIVER_MAP_DRIVER_TYPE_PRINTER 0x0001. 2. define DRIVER_MAP_DRIVER_TYPE_KERNEL 0x0002. 3. define DRIVER_MAP_DRIVER_TYPE_USER 0x0004. 4. define DRIVER_MAP_DRIVER_IS_SIGNED 0x0008. 5. define DRIVER_MAP_DRIVER_IS_INBOX 0x0010. 6. define DRIVER_MAP_DRIVER_IS_WINQUAL 0x0040. 7. define DRIVER_MAP_DRIVER_IS_SELF_SIGNED 0x0020. 8. define DRIVER_MAP_DRIVER_IS_CI_SIGNED 0x0080. 9. define DRIVER_MAP_DRIVER_HAS_BOOT_SERVICE 0x0100. 10. define DRIVER_MAP_DRIVER_TYPE_I386 0x10000. 11. define DRIVER_MAP_DRIVER_TYPE_IA64 0x20000. 12. define DRIVER_MAP_DRIVER_TYPE_AMD64 0x40000. 13. define DRIVER_MAP_DRIVER_TYPE_ARM 0x100000. 14. define DRIVER_MAP_DRIVER_TYPE_THUMB 0x200000. 15. define DRIVER_MAP_DRIVER_TYPE_ARMNT 0x400000. 16. define DRIVER_MAP_DRIVER_IS_TIME_STAMPED 0x800000.
-- **DriverVersion**  The version of the driver file.
-- **ImageSize**  The size of the driver file.
-- **Inf**  The name of the INF file.
-- **InventoryVersion**  The version of the inventory file generating the events.
-- **Product**  The product name that is included in the driver file.
-- **ProductVersion**  The product version that is included in the driver file.
-- **service**  The device service name
-- **WdfVersion**  The Windows Driver Framework version.
-
-
-### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicator
-
-This event sends value data about the markers on custom devices, to help keep Windows up to date. The formal name for markers is UEX Indicators. See marker list for definitions.
-
-The following fields are available:
-
-- **IndicatorValue**  Value of the marker/indicator
-- **Key**  Name of the marker/indicator
-
-
-### Microsoft.Windows.Inventory.Core.AmiTelCacheVersions
-
-This event sends inventory component versions for the Device Inventory data.
-
-The following fields are available:
-
-- **aeinv**  The version of the App inventory component.
-- **devinv**  The file version of the Device inventory component.
-
-
-### Microsoft.Windows.Inventory.Core.AmiTelCacheChecksum
-
-This event captures basic checksum data about the device inventory items stored in the cache for use in validating data completeness for Microsoft.Windows.Inventory.Core events. The fields in this event may change over time, but they will always represent a count of a given object.
-
-The following fields are available:
-
-- **Device**  A count of device objects in cache
-- **DeviceCensus**  A count of devicecensus objects in cache
-- **DriverPackageExtended**  A count of driverpackageextended objects in cache
-- **File**  A count of file objects in cache
-- **FileSigningInfo**  A count of file signing info objects in cache.
-- **Generic**  A count of generic objects in cache
-- **HwItem**  A count of hwitem objects in cache
-- **InventoryApplication**  A count of application objects in cache
-- **InventoryApplicationFile**  A count of application file objects in cache
-- **InventoryDeviceContainer**  A count of device container objects in cache
-- **InventoryDeviceInterface**  A count of inventory device interface objects in cache.
-- **InventoryDeviceMediaClass**  A count of device media objects in cache
-- **InventoryDevicePnp**  A count of devicepnp objects in cache
-- **InventoryDriverBinary**  A count of driver binary objects in cache
-- **InventoryDriverPackage**  A count of device objects in cache
-- **Metadata**  A count of metadata objects in cache
-- **Orphan**  A count of orphan file objects in cache
-- **Programs**  A count of program objects in cache
-
-
-### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceStartSync
-
-This event indicates that a new set of InventoryDeviceInterfaceAdd events will be sent.
-
-The following fields are available:
-
-- **InventoryVersion**  The version of the inventory file generating the events.
-
-
-### Microsoft.Windows.Inventory.Core.InventoryDeviceInterfaceAdd
-
-This event retrieves information about what sensor interfaces are available on the device.
-
-The following fields are available:
-
-- **Accelerometer3D**  Indicates if an Accelerator3D sensor is found.
-- **ActivityDetection**  Indicates if an Activity Detection sensor is found.
-- **AmbientLight**  Indicates if an Ambient Light sensor is found.
-- **Barometer**  Indicates if a Barometer sensor is found.
-- **Custom**  Indicates if a Custom sensor is found.
-- **EnergyMeter** Indicates if an Energy sensor is found.
-- **FloorElevation**  Indicates if a Floor Elevation sensor is found.
-- **GeomagneticOrientation**  Indicates if a Geo Magnetic Orientation sensor is found.
-- **GravityVector**  Indicates if a Gravity Detector sensor is found.
-- **Gyrometer3D**  Indicates if a Gyrometer3D sensor is found.
-- **Humidity**  Indicates if a Humidity sensor is found.
-- **InventoryVersion**  The version of the inventory file generating the events.
-- **LinearAccelerometer**  Indicates if a Linear Accelerometer sensor is found.
-- **Magnetometer3D**  Indicates if a Magnetometer3D sensor is found.
-- **Orientation**  Indicates if an Orientation sensor is found.
-- **Pedometer**  Indicates if a Pedometer sensor is found.
-- **Proximity**  Indicates if a Proximity sensor is found.
-- **RelativeOrientation**  Indicates if a Relative Orientation sensor is found.
-- **SimpleDeviceOrientation**  Indicates if a Simple Device Orientation sensor is found.
-- **Temperature**  Indicates if a Temperature sensor is found.
-
-### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeAddInStartSync
-
-This event indicates that a new sync is being generated for this object type.
-
-There are no fields in this event.
-
-### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersAdd
-
-This event provides data on the installed Office identifiers.
-
-- **OAudienceData** The Office Audience descriptor.
-- **OAudienceId** The Office Audience ID.
-- **OMID** The Office machine ID.
-- **OPlatform** The Office architecture.
-- **OVersion** The Office version
-- **OTenantId** The Office 365 Tenant GUID.
-- **OWowMID** The Office machine ID.
-
-### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIdentifiersStartSync
-
-This event indicates that a new sync is being generated for this object type.
-
-There are no fields in this event.
-
-
-### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsAdd
-
-This event provides data on the installed Office-related Internet Explorer features.
-
-- **OIeFeatureAddon** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/library/ee330720.aspx).
-- **OIeMachineLockdown** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/library/ee330720.aspx).
-- **OIeMimeHandling** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/library/ee330720.aspx).
-- **OIeMimeSniffing** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/library/ee330720.aspx).
-- **OIeNoAxInstall** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/library/ee330720.aspx).
-- **OIeNoDownload** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/library/ee330720.aspx).
-- **OIeObjectCaching** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/library/ee330720.aspx).
-- **OIePasswordDisable** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/library/ee330720.aspx).
-- **OIeSafeBind** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/library/ee330720.aspx).
-- **OIeSecurityBand** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/library/ee330720.aspx).
-- **OIeUncSaveCheck** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/library/ee330720.aspx).
-- **OIeValidateUrl** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/library/ee330720.aspx).
-- **OIeWebOcPopup** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/library/ee330720.aspx).
-- **OIeWinRestrict** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/library/ee330720.aspx).
-- **OIeZoneElevate** For more information, see the Office-related [Internet Feature Control Keys](https://msdn.microsoft.com/library/ee330720.aspx).
-
-### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeIESettingsStartSync
-
-This event indicates that a new sync is being generated for this object type.
-
-There are no fields in this event.
-
-### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsAdd
-
-This event describes the Office products that are installed.
-
-- **OC2rApps** The Office Click-to-Run apps.
-- **OC2rSkus** The Office Click-to-Run products.
-- **OMsiApps** The Office MSI apps.
-- **OProductCodes** The Office MSI product code.
-
-### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeProductsStartSync
-
-This event indicates that a new sync is being generated for this object type.
-
-There are no fields in this event.
-
-### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBARuleViolationsStartSync
-
-This event indicates that a new sync is being generated for this object type.
-
-There are no fields in this event.
-
-### Microsoft.Windows.Inventory.General.InventoryMiscellaneousOfficeVBAStartSync
-
-This event indicates that a new sync is being generated for this object type.
-
-There are no fields in this event.
-
 ### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorRemove
 
 This event is a counterpart to InventoryMiscellaneousUexIndicatorAdd that indicates that the item has been removed.
 
-There are no fields in this event.
+
 
 ### Microsoft.Windows.Inventory.Indicators.InventoryMiscellaneousUexIndicatorStartSync
 
 This event indicates that a new set of InventoryMiscellaneousUexIndicatorAdd events will be sent.
 
-There are no fields in this event.
-
-## OneDrive events
-
-### Microsoft.OneDrive.Sync.Updater.OfficeRegistration
-
-This event determines the status of the OneDrive integration with Microsoft Office.
-
-The following fields are available:
-
-- **isValid**  Is the Microsoft Office registration valid?
-
-
-### Microsoft.OneDrive.Sync.Updater.UpdateTierReg
-
-This event determines status of the update tier registry values.
-
-The following fields are available:
-
-- **regReadEnterpriseHr**  The HResult of the enterprise reg read value.
-- **regReadTeamHr**  The HResult of the team reg read value.
-
-
-### Microsoft.OneDrive.Sync.Updater.RepairResult
-
-The event determines the result of the installation repair.
-
-The following fields are available:
-
-- **hr**  The HResult of the operation.
-
-
-### Microsoft.OneDrive.Sync.Updater.UpdateXmlDownloadHResult
-
-This event determines the status when downloading the OneDrive update configuration file.
-
-The following fields are available:
-
-- **hr**  The HResult of the operation.
-
-
-### Microsoft.OneDrive.Sync.Updater.SetupBinaryDownloadHResult
-
-This event indicates the status when downloading the OneDrive setup file.
-
-The following fields are available:
-
-- **hr**  The HResult of the operation.
-
-
-### Microsoft.OneDrive.Sync.Updater.UpdateOverallResult
-
-This event determines the outcome of the operation.
-
-The following fields are available:
-
-- **hr**  The HResult of the operation.
-- **IsLoggingEnabled**  Is logging enabled?
-- **UpdaterVersion**  The version of the updater.
-
-
-### Microsoft.OneDrive.Sync.Updater.WebConnectionStatus
-
-This event determines the error code that was returned when verifying Internet connectivity.
-
-The following fields are available:
-
-- **winInetError**  The HResult of the operation.
-
-
-### Microsoft.OneDrive.Sync.Updater.OverlayIconStatus
-
-This event indicates if the OneDrive overlay icon is working correctly. 0 = healthy; 1 = can be fixed; 2 = broken
-
-The following fields are available:
-
-- **32bit**  The status of the OneDrive overlay icon on a 32-bit operating system.
-- **64bit**  The status of the OneDrive overlay icon on a 64-bit operating system.
-- **SixtyFourBit**  The status of the OneDrive overlay icon on a 32-bit operating system.
-- **ThirtyTwoBit**  The status of the OneDrive overlay icon on a 64-bit operating system.
-
-
-### Microsoft.OneDrive.Sync.Updater.ComponentInstallState
-
-This event determines the installation state of dependent OneDrive components.
-
-The following fields are available:
-
-- **ComponentName**  The name of the dependent component.
-- **isInstalled**  Is the dependent component installed?
-
-
-### Microsoft.OneDrive.Sync.Updater.CommonData
-
-This event contains basic OneDrive configuration data that helps to diagnose failures.
-
-The following fields are available:
-
-- **AppVersion**  The version of the app.
-- **BuildArch**  Is the architecture x86 or x64?
-- **Environment**  Is the device on the production or int service?
-- **IsMSFTInternal**  Is this an internal Microsoft device?
-- **MachineGuid**  The CEIP machine ID.
-- **Market**  Which market is this in?
-- **OfficeVersion**  The version of Office that is installed.
-- **OneDriveDeviceId**  The OneDrive device ID.
-- **OSDeviceName**  Only if the device is internal to Microsoft, the device name.
-- **OSUserName**  Only if the device is internal to Microsoft, the user name.
-- **UserGuid**  A unique global user identifier.
-
-
-### Microsoft.OneDrive.Sync.Setup.APIOperation
-
-This event includes basic data about install and uninstall OneDrive API operations.
-
-The following fields are available:
-
-- **APIName**  The name of the API.
-- **Duration**  How long the operation took.
-- **IsSuccess**  Was the operation successful?
-- **ResultCode**  The result code.
-- **ScenarioName**  The name of the scenario.
-
-
-### Microsoft.OneDrive.Sync.Setup.RegisterStandaloneUpdaterAPIOperation
-
-This event is related to registering or unregistering the OneDrive update task.
-
-The following fields are available:
-
-- **APIName**  The name of the API.
-- **IsSuccess**  Was the operation successful?
-- **RegisterNewTaskResult**  The HResult of the RegisterNewTask operation.
-- **ScenarioName**  The name of the scenario.
-- **UnregisterOldTaskResult**  The HResult of the UnregisterOldTask operation.
-
-
-### Microsoft.OneDrive.Sync.Setup.EndExperience
-
-This event includes a success or failure summary of the installation.
-
-The following fields are available:
-
-- **APIName**  The name of the API.
-- **HResult**  Indicates the result code of the event
-- **IsSuccess**  Was the operation successful?
-- **ScenarioName**  The name of the scenario.
-
-
-### Microsoft.OneDrive.Sync.Setup.OSUpgradeInstallationOperation
-
-This event is related to the OS version when the OS is upgraded with OneDrive installed.
-
-The following fields are available:
-
-- **CurrentOneDriveVersion**  The current version of OneDrive.
-- **CurrentOSBuildBranch**  The current branch of the operating system.
-- **CurrentOSBuildNumber**  The current build number of the operating system.
-- **CurrentOSVersion**  The current version of the operating system.
-- **HResult**  The HResult of the operation.
-- **SourceOSBuildBranch**  The source branch of the operating system.
-- **SourceOSBuildNumber**  The source build number of the operating system.
-- **SourceOSVersion**  The source version of the operating system.
-
-
-### Microsoft.OneDrive.Sync.Setup.SetupCommonData
-
-This event contains basic OneDrive configuration data that helps to diagnose failures.
-
-The following fields are available:
-
-- **AppVersion**  The version of the app.
-- **BuildArchitecture**  Is the architecture x86 or x64?
-- **Environment**  Is the device on the production or int service?
-- **MachineGuid**  The CEIP machine ID.
-- **Market**  Which market is this in?
-- **MSFTInternal**  Is this an internal Microsoft device?
-- **OfficeVersionString**  The version of Office that is installed.
-- **OSDeviceName**  Only if the device is internal to Microsoft, the device name.
-- **OSUserName**  Only if the device is internal to Microsoft, the user name.
-- **UserGuid**  The CEIP user ID.
-
-
-## Setup events
-
-### SetupPlatformTel.SetupPlatformTelActivityStarted
-
-"This event sends basic metadata about the update installation process generated by SetupPlatform to help keep Windows up to date. "
-
-The following fields are available:
-
-- **Name**  The name of the dynamic update type. Example: GDR driver
-
-
-### SetupPlatformTel.SetupPlatformTelActivityEvent
-
-This event sends basic metadata about the SetupPlatform update installation process, to help keep Windows up-to-date
-
-The following fields are available:
-
-- **ActivityId**  Provides a unique Id to correlate events that occur between a activity start event, and a stop event
-- **ActivityName**  Provides a friendly name of the package type that belongs to the ActivityId (Setup, LanguagePack, GDR, Driver, etc.)
-- **FieldName**  Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc.
-- **GroupName**  Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc.
-- **value**  Value associated with the corresponding event name. For example, time-related events will include the system time
-
-
-### SetupPlatformTel.SetupPlatformTelEvent
-
-This service retrieves events generated by SetupPlatform, the engine that drives the various deployment scenarios.
-
-The following fields are available:
-
-- **FieldName**  Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc.
-- **Value**  Retrieves the value associated with the corresponding event name (Field Name). For example: For time related events this will include the system time.
-- **GroupName**  Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc.
-
-
-## Shared PC events
-
-### Microsoft.Windows.SharedPC.AccountManager.DeleteUserAccount
-
-Activity for deletion of a user account for devices set up for Shared PC mode as part of the Transient Account Manager to help keep Windows up to date. Deleting unused user accounts on shared devices frees up disk space to improve Windows Update success rates.
-
-The following fields are available:
-
-- **accountType**  The type of account that was deleted. Example: AD, AAD, or Local
-- **userSid**  The security identifier of the account.
-- **wilActivity**  Windows Error Reporting data collected when there is a failure in deleting a user account with the Transient Account Manager.
-
-
-### Microsoft.Windows.SharedPC.AccountManager.SinglePolicyEvaluation
-
-Activity for run of the Transient Account Manager that determines if any user accounts should be deleted for devices set up for Shared PC mode to help keep Windows up to date. Deleting unused user accounts on shared devices frees up disk space to improve Windows Update success rates
-
-The following fields are available:
-
-- **wilActivity**  Windows Error Reporting data collected when there is a failure in evaluating accounts to be deleted with the Transient Account Manager.
-- **totalAccountCount**  The number of accounts on a device after running the Transient Account Manager policies.
-- **evaluationTrigger**  When was the Transient Account Manager policies ran? Example: At log off or during maintenance hours
-
-
-## Software update events
-
-### SoftwareUpdateClientTelemetry.UpdateDetected
-
-This event sends data about an AppX app that has been updated from the Microsoft Store, including what app needs an update and what version/architecture is required, in order to understand and address problems with apps getting required updates.
-
-The following fields are available:
-
-- **ApplicableUpdateInfo**  Metadata for the updates which were detected as applicable
-- **CallerApplicationName**  The name provided by the caller who initiated API calls into the software distribution client
-- **NumberOfApplicableUpdates**  The number of updates which were ultimately deemed applicable to the system after the detection process is complete
-- **RelatedCV**  The previous Correlation Vector that was used before swapping with a new one
-- **WUDeviceID**  The unique device ID controlled by the software distribution client
-- **IntentPFNs**  Intended application-set metadata for atomic update scenarios.
-- **ServiceGuid**  An ID which represents which service the software distribution client is connecting to (Windows Update, Microsoft Store, etc.)
-
-
-### SoftwareUpdateClientTelemetry.SLSDiscovery
-
-This event sends data about the ability of Windows to discover the location of a backend server with which it must connect to perform updates or content acquisition, in order to determine disruptions in availability of update services and provide context for Windows Update errors.
-
-The following fields are available:
-
-- **EventScenario**  Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed
-- **HResult**  Indicates the result code of the event (success, cancellation, failure code HResult)
-- **IsBackground**  Indicates whether the SLS discovery event took place in the foreground or background
-- **NextExpirationTime**  Indicates when the SLS cab expires
-- **ServiceID**  An ID which represents which service the software distribution client is connecting to (Windows Update, Microsoft Store, etc.)
-- **SusClientId**  The unique device ID controlled by the software distribution client
-- **UrlPath**  Path to the SLS cab that was downloaded
-- **WUAVersion**  The version number of the software distribution client
-
-
-### SoftwareUpdateClientTelemetry.Commit
-
-This event sends data on whether the Update Service has been called to execute an upgrade, to help keep Windows up to date.
-
-The following fields are available:
-
-- **BiosFamily**  The family of the BIOS (Basic Input Output System).
-- **BiosName**  The name of the device BIOS.
-- **BiosReleaseDate**  The release date of the device BIOS.
-- **BiosSKUNumber**  The sku number of the device BIOS.
-- **BIOSVendor**  The vendor of the BIOS.
-- **BiosVersion**  The version of the BIOS.
-- **BundleId**  Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found.
-- **ClientVersion**  The version number of the software distribution client.
-- **DeviceModel**  What is the device model.
-- **EventInstanceID**  A globally unique identifier for event instance.
-- **EventScenario**  State of call
-- **EventType**  "Possible values are ""Child"", ""Bundle"", or ""Driver""."
-- **HandlerType**  Indicates the kind of content (app, driver, windows patch, etc.)
-- **RevisionNumber**  Unique revision number of Update
-- **ServerId**  Identifier for the service to which the software distribution client is connecting, such as Windows Update and Microsoft Store.
-- **SystemBIOSMajorRelease**  Major version of the BIOS.
-- **SystemBIOSMinorRelease**  Minor version of the BIOS.
-- **UpdateId**  Unique Update ID
-- **WUDeviceID**  UniqueDeviceID
-- **BundleRevisionNumber**  Identifies the revision number of the content bundle
-- **FlightId**  The specific id of the flight the device is getting
-- **CallerApplicationName**  The name provided by the caller who initiated API calls into the software distribution client
-
-
-### SoftwareUpdateClientTelemetry.DownloadCheckpoint
-
-This event provides a checkpoint between each of the Windows Update download phases for UUP content
-
-The following fields are available:
-
-- **EventScenario**  Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed
-- **ExtendedStatusCode**  Secondary error code for certain scenarios where StatusCode wasn't specific enough
-- **FileId**  A hash that uniquely identifies a file
-- **FileName**  Name of the downloaded file
-- **RelatedCV**  The previous Correlation Vector that was used before swapping with a new one
-- **StatusCode**  Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult)
-- **EventType**  "Possible values are ""Child"", ""Bundle"", ""Relase"" or ""Driver"""
-- **CallerApplicationName**  The name provided by the caller who initiated API calls into the software distribution client
-- **ClientVersion**  The version number of the software distribution client
-- **FlightId**  The unique identifier for each flight
-- **RevisionNumber**  Unique revision number of Update
-- **ServiceGuid**  An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.)
-- **UpdateId**  Unique Update ID
-- **WUDeviceID**  The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue
-
-
-### SoftwareUpdateClientTelemetry.UpdateMetadataIntegrity
-
-This event identifies whether updates have been tampered with and protects against man-in-the-middle attacks.
-
-The following fields are available:
-
-- **EventScenario**  The purpose of this event, such as scan started, scan succeeded, or scan failed.
-- **ExtendedStatusCode**  The secondary status code of the event.
-- **LeafCertId**  Integral ID from the FragmentSigning data for certificate that failed.
-- **MetadataIntegrityMode**  The mode of the transport metadata integrity check. 0 = unknown; 1 = ignore; 2 = audit; 3 = enforce
-- **MetadataSignature**  A base64-encoded string of the signature associated with the update metadata (specified by revision ID).
-- **RevisionId**  The revision ID for a specific piece of content.
-- **RevisionNumber**  The revision number for a specific piece of content.
-- **ServiceGuid**  Identifies the service to which the software distribution client is connected, Example: Windows Update or Microsoft Store
-- **SHA256OfLeafCertPublicKey**  A base64 encoding of the hash of the Base64CertData in the FragmentSigning data of the leaf certificate.
-- **SHA256OfTimestampToken**  A base64-encoded string of hash of the timestamp token blob.
-- **SignatureAlgorithm**  The hash algorithm for the metadata signature.
-- **StatusCode**  The status code of the event.
-- **TimestampTokenId**  The time this was created. It is encoded in a timestamp blob and will be zero if the token is malformed.
-- **UpdateId**  The update ID for a specific piece of content.
-- **TimestampTokenCertThumbprint**  "The thumbprint of the encoded timestamp token. "
-- **ValidityWindowInDays**  The validity window that's in effect when verifying the timestamp.
-- **ListOfSHA256OfIntermediateCerData**  A semicolon delimited list of base64 encoding of hashes for the Base64CerData in the FragmentSigning data of an intermediate certificate.
-- **RawMode**  The raw unparsed mode string from the SLS response. This field is null if not applicable.
-- **RawValidityWindowInDays**  The raw unparsed validity window string in days of the timestamp token. This field is null if not applicable.
-- **SHA256OfLeafCerData**  A base64 encoding of the hash for the Base64CerData in the FragmentSigning data of the leaf certificate.
-- **EndpointUrl**  The endpoint URL where the device obtains update metadata. This is used to distinguish between test, staging, and production environments.
-- **SLSPrograms**  A test program to which a device may have opted in. Example: Insider Fast
-
-
-### SoftwareUpdateClientTelemetry.Download
-
-This event sends tracking data about the software distribution client download of the content for that update, to help keep Windows up to date.
-
-The following fields are available:
-
-- **ActiveDownloadTime**  How long the download took, in seconds, excluding time where the update wasn't actively being downloaded.
-- **AppXBlockHashValidationFailureCount**  A count of the number of blocks that have failed validation after being downloaded.
-- **AppXDownloadScope**  Indicates the scope of the download for application content. For streaming install scenarios, AllContent - non-streaming download, RequiredOnly - streaming download requested content required for launch, AutomaticOnly - streaming download requested automatic streams for the app, and Unknown - for events sent before download scope is determined by the Windows Update client.
-- **BiosFamily**  The family of the BIOS (Basic Input Output System).
-- **BiosName**  The name of the device BIOS.
-- **BiosReleaseDate**  The release date of the device BIOS.
-- **BiosSKUNumber**  The sku number of the device BIOS.
-- **BIOSVendor**  The vendor of the BIOS.
-- **BiosVersion**  The version of the BIOS.
-- **BundleBytesDownloaded**  How many bytes were downloaded for the specific content bundle.
-- **BundleId**  Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found.
-- **BundleRepeatFailFlag**  Indicates whether this particular update bundle had previously failed to download.
-- **BundleRevisionNumber**  Identifies the revision number of the content bundle.
-- **BytesDownloaded**  How many bytes were downloaded for an individual piece of content (not the entire bundle).
-- **CachedEngineVersion**  For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null.
-- **CallerApplicationName**  The name provided by the caller who initiated API calls into the software distribution client.
-- **CbsDownloadMethod**  Indicates whether the download was a full-file download or a partial/delta download.
-- **CDNCountryCode**  Two letter country abbreviation for the CDN's location.
-- **CDNId**  ID which defines which CDN the software distribution client downloaded the content from.
-- **ClientManagedByWSUSServer**  Indicates whether the client is managed by Windows Server Update Services (WSUS).
-- **ClientVersion**  The version number of the software distribution client.
-- **CurrentMobileOperator**  The mobile operator the device is currently connected to.
-- **DeviceModel**  What is the device model.
-- **DeviceOEM**  What OEM does this device belong to.
-- **DownloadPriority**  Indicates whether a download happened at background, normal, or foreground priority.
-- **DownloadScenarioId**  A unique ID for a given download used to tie together WU and DO events.
-- **DownloadType**  Differentiates the download type of SIH downloads between Metadata and Payload downloads.
-- **Edition**  Indicates the edition of Windows being used.
-- **EventInstanceID**  A globally unique identifier for event instance.
-- **EventNamespaceID**  Indicates whether the event succeeded or failed. Has the format EventType+Event where Event is Succeeded, Cancelled, Failed, etc.
-- **EventScenario**  Indicates the purpose of sending this event - whether because the software distribution just started downloading content, or whether it was cancelled, succeeded, or failed.
-- **EventType**  Possible values are Child, Bundle, or Driver.
-- **ExtendedStatusCode**  Secondary error code for certain scenarios where StatusCode wasn't specific enough.
-- **FeatureUpdatePause**  Indicates whether feature OS updates are paused on the device.
-- **FlightBranch**  The branch that a device is on if participating in flighting (pre-release builds).
-- **FlightBuildNumber**  If this download was for a flight (pre-release build), this indicates the build number of that flight.
-- **FlightId**  The specific id of the flight (pre-release build) the device is getting.
-- **FlightRing**  The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds).
-- **HandlerType**  Indicates what kind of content is being downloaded (app, driver, windows patch, etc.).
-- **HardwareId**  If this download was for a driver targeted to a particular device model, this ID indicates the model of the device.
-- **HomeMobileOperator**  The mobile operator that the device was originally intended to work with.
-- **HostName**  The hostname URL the content is downloading from.
-- **IPVersion**  Indicates whether the download took place over IPv4 or IPv6.
-- **IsAOACDevice**  Is it Always On, Always Connected?
-- **IsDependentSet**  Indicates whether a driver is a part of a larger System Hardware/Firmware Update
-- **IsWUfBDualScanEnabled**  Indicates if Windows Update for Business dual scan is enabled on the device.
-- **IsWUfBEnabled**  Indicates if Windows Update for Business is enabled on the device.
-- **NetworkCostBitMask**  Indicates what kind of network the device is connected to (roaming, metered, over data cap, etc.)
-- **NetworkRestrictionStatus**  "More general version of NetworkCostBitMask, specifying whether Windows considered the current network to be ""metered."""
-- **PackageFullName**  The package name of the content.
-- **PhonePreviewEnabled**  Indicates whether a phone was opted-in to getting preview builds, prior to flighting (pre-release builds) being introduced.
-- **PlatformRole**  The PowerPlatformRole as defined on MSDN
-- **ProcessName**  The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided.
-- **ProcessorArchitecture**  Processor architecture of the system (x86, AMD64, ARM).
-- **QualityUpdatePause**  Indicates whether quality OS updates are paused on the device.
-- **RelatedCV**  The previous Correlation Vector that was used before swapping with a new one
-- **RepeatFailFlag**  Indicates whether this specific piece of content had previously failed to download.
-- **RevisionNumber**  Identifies the revision number of this specific piece of content.
-- **ServiceGuid**  An ID which represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.).
-- **Setup360Phase**  If the download is for an operating system upgrade, this datapoint indicates which phase of the upgrade is underway.
-- **ShippingMobileOperator**  The mobile operator that a device shipped on.
-- **StatusCode**  Indicates the result of a Download event (success, cancellation, failure code HResult).
-- **SystemBIOSMajorRelease**  Major version of the BIOS.
-- **SystemBIOSMinorRelease**  Minor version of the BIOS.
-- **TargetGroupId**  For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver.
-- **TargetingVersion**  For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device.
-- **TargetMetadataVersion**  For self-initiated healing, this is the target version of the SIH engine to download (if needed). If not, the value is null.
-- **ThrottlingServiceHResult**  Result code (success/failure) while contacting a web service to determine whether this device should download content yet.
-- **TimeToEstablishConnection**  Time (in ms) it took to establish the connection prior to beginning downloaded.
-- **TotalExpectedBytes**  The total count of bytes that the download is expected to be.
-- **UpdateId**  An identifier associated with the specific piece of content.
-- **UpdateImportance**  Indicates whether a piece of content was marked as Important, Recommended, or Optional.
-- **UsedDO**  Whether the download used the delivery optimization service.
-- **UsedSystemVolume**  Indicates whether the content was downloaded to the device's main system storage drive, or an alternate storage drive.
-- **WUDeviceID**  The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
-- **WUSetting**  Indicates the users' current updating settings.
-
-
-### SoftwareUpdateClientTelemetry.CheckForUpdates
-
-This event sends tracking data about the software distribution client check for content that is applicable to a device, to help keep Windows up to date
-
-The following fields are available:
-
-- **ActivityMatchingId**  Contains a unique ID identifying a single CheckForUpdates session from initialization to completion.
-- **AllowCachedResults**  Indicates if the scan allowed using cached results.
-- **BiosFamily**  The family of the BIOS (Basic Input Output System).
-- **BiosName**  The name of the device BIOS.
-- **BiosReleaseDate**  The release date of the device BIOS.
-- **BiosSKUNumber**  The sku number of the device BIOS.
-- **BIOSVendor**  The vendor of the BIOS.
-- **BiosVersion**  The version of the BIOS.
-- **CallerApplicationName**  The name provided by the caller who initiated API calls into the software distribution client.
-- **CapabilityDetectoidGuid**  The GUID for a hardware applicability detectoid that could not be evaluated.
-- **CDNCountryCode**  Two letter country abbreviation for the CDN's location.
-- **CDNId**  The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
-- **ClientVersion**  The version number of the software distribution client.
-- **CurrentMobileOperator**  The mobile operator the device is currently connected to.
-- **DeviceModel**  What is the device model.
-- **DriverError**  The error code hit during a driver scan. This is 0 if no error was encountered.
-- **EventInstanceID**  A globally unique identifier for event instance.
-- **EventScenario**  Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed.
-- **ExtendedMetadataCabUrl**  Hostname that is used to download an update.
-- **ExtendedStatusCode**  Secondary error code for certain scenarios where StatusCode wasn't specific enough.
-- **FailedUpdateGuids**  The GUIDs for the updates that failed to be evaluated during the scan.
-- **FailedUpdatesCount**  The number of updates that failed to be evaluated during the scan.
-- **FlightBranch**  The branch that a device is on if participating in flighting (pre-release builds).
-- **FlightRing**  The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds).
-- **HomeMobileOperator**  The mobile operator that the device was originally intended to work with.
-- **IPVersion**  Indicates whether the download took place over IPv4 or IPv6
-- **IsWUfBDualScanEnabled**  Indicates if Windows Update for Business dual scan is enabled on the device.
-- **IsWUfBEnabled**  Indicates if Windows Update for Business is enabled on the device.
-- **MetadataIntegrityMode**  The mode of the update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce
-- **MSIError**  The last error that was encountered during a scan for updates.
-- **NetworkConnectivityDetected**  Indicates the type of network connectivity that was detected. 0 - IPv4, 1 - IPv6
-- **NumberOfApplicationsCategoryScanEvaluated**  The number of categories (apps) for which an app update scan checked
-- **NumberOfLoop**  The number of round trips the scan required
-- **NumberOfNewUpdatesFromServiceSync**  The number of updates which were seen for the first time in this scan
-- **NumberOfUpdatesEvaluated**  The total number of updates which were evaluated as a part of the scan
-- **NumFailedMetadataSignatures**  The number of metadata signatures checks which failed for new metadata synced down.
-- **Online**  Indicates if this was an online scan.
-- **PhonePreviewEnabled**  Indicates whether a phone was getting preview build, prior to flighting (pre-release builds) being introduced.
-- **ProcessName**  The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided.
-- **RelatedCV**  The previous Correlation Vector that was used before swapping with a new one
-- **ScanDurationInSeconds**  The number of seconds a scan took
-- **ScanEnqueueTime**  The number of seconds it took to initialize a scan
-- **ServiceGuid**  An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.).
-- **ServiceUrl**  The environment URL a device is configured to scan with
-- **ShippingMobileOperator**  The mobile operator that a device shipped on.
-- **StatusCode**  Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult).
-- **SyncType**  Describes the type of scan the event was
-- **SystemBIOSMajorRelease**  Major version of the BIOS.
-- **SystemBIOSMinorRelease**  Minor version of the BIOS.
-- **TotalNumMetadataSignatures**  The total number of metadata signatures checks done for new metadata that was synced down.
-- **WUDeviceID**  The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
-- **ApplicableUpdateInfo**  Metadata for the updates which were detected as applicable
-- **NumberOfApplicableUpdates**  The number of updates which were ultimately deemed applicable to the system after the detection process is complete
-- **WebServiceRetryMethods**  Web service method requests that needed to be retried to complete operation.
-- **BranchReadinessLevel**  The servicing branch configured on the device.
-- **DeferralPolicySources**  Sources for any update deferral policies defined (GPO = 0x10, MDM = 0x100, Flight = 0x1000, UX = 0x10000).
-- **DeferredUpdates**  Update IDs which are currently being deferred until a later time
-- **DriverExclusionPolicy**  Indicates if the policy for not including drivers with Windows Update is enabled.
-- **FeatureUpdateDeferral**  The deferral period configured for feature OS updates on the device (in days).
-- **FeatureUpdatePause**  Indicates whether feature OS updates are paused on the device.
-- **FeatureUpdatePausePeriod**  The pause duration configured for feature OS updates on the device (in days).
-- **QualityUpdateDeferral**  The deferral period configured for quality OS updates on the device (in days).
-- **QualityUpdatePause**  Indicates whether quality OS updates are paused on the device.
-- **QualityUpdatePausePeriod**  The pause duration configured for quality OS updates on the device (in days).
-- **IntentPFNs**  Intended application-set metadata for atomic update scenarios.
-- **PausedUpdates**  A list of UpdateIds which that currently being paused.
-- **PauseFeatureUpdatesEndTime**  If feature OS updates are paused on the device, this is the date and time for the end of the pause time window.
-- **PauseFeatureUpdatesStartTime**  If feature OS updates are paused on the device, this is the date and time for the beginning of the pause time window.
-- **PauseQualityUpdatesEndTime**  If quality OS updates are paused on the device, this is the date and time for the end of the pause time window.
-- **PauseQualityUpdatesStartTime**  If quality OS updates are paused on the device, this is the date and time for the beginning of the pause time window.
-- **CachedEngineVersion**  For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null.
-- **TargetMetadataVersion**  For self-initiated healing, this is the target version of the SIH engine to download (if needed). If not, the value is null.
-- **Context**  Gives context on where the error has occurred. Example: AutoEnable, GetSLSData, AddService, Misc, or Unknown
-- **DriverSyncPassPerformed**  Were drivers scanned this time?
-
-
-### SoftwareUpdateClientTelemetry.Install
-
-This event sends tracking data about the software distribution client installation of the content for that update, to help keep Windows up to date.
-
-The following fields are available:
-
-- **BiosFamily**  The family of the BIOS (Basic Input Output System).
-- **BiosName**  The name of the device BIOS.
-- **BiosReleaseDate**  The release date of the device BIOS.
-- **BiosSKUNumber**  The sku number of the device BIOS.
-- **BIOSVendor**  The vendor of the BIOS.
-- **BiosVersion**  The version of the BIOS.
-- **BundleBytesDownloaded**  How many bytes were downloaded for the specific content bundle?
-- **BundleId**  Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found.
-- **BundleRepeatFailFlag**  Has this particular update bundle previously failed to install?
-- **BundleRevisionNumber**  Identifies the revision number of the content bundle.
-- **CachedEngineVersion**  For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null.
-- **CallerApplicationName**  The name provided by the caller who initiated API calls into the software distribution client.
-- **CbsDownloadMethod**  Was the download a full download or a partial download?
-- **ClientManagedByWSUSServer**  Is the client managed by Windows Server Update Services (WSUS)?
-- **ClientVersion**  The version number of the software distribution client.
-- **CSIErrorType**  The stage of CBS installation where it failed.
-- **CurrentMobileOperator**  Mobile operator that device is currently connected to.
-- **DeviceModel**  What is the device model.
-- **DeviceOEM**  What OEM does this device belong to.
-- **DownloadPriority**  The priority of the download activity.
-- **DownloadScenarioId**  A unique ID for a given download used to tie together WU and DO events.
-- **DriverPingBack**  Contains information about the previous driver and system state.
-- **Edition**  Indicates the edition of Windows being used.
-- **EventInstanceID**  A globally unique identifier for event instance.
-- **EventNamespaceID**  Indicates whether the event succeeded or failed. Has the format EventType+Event where Event is Succeeded, Cancelled, Failed, etc.
-- **EventScenario**  Indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed.
-- **EventType**  Possible values are Child, Bundle, or Driver.
-- **ExtendedErrorCode**  The extended error code.
-- **ExtendedStatusCode**  Secondary error code for certain scenarios where StatusCode wasn't specific enough.
-- **FeatureUpdatePause**  Are feature OS updates paused on the device?
-- **FlightBranch**  The branch that a device is on if participating in the Windows Insider Program.
-- **FlightBuildNumber**  If this installation was for a Windows Insider build, this is the build number of that build.
-- **FlightId**  The specific ID of the Windows Insider build the device is getting.
-- **FlightRing**  The ring that a device is on if participating in the Windows Insider Program.
-- **HandlerType**  Indicates what kind of content is being installed. Example: app, driver, Windows update
-- **HardwareId**  If this install was for a driver targeted to a particular device model, this ID indicates the model of the device.
-- **HomeMobileOperator**  The mobile operator that the device was originally intended to work with.
-- **IntentPFNs**  Intended application-set metadata for atomic update scenarios.
-- **IsAOACDevice**  Is it Always On, Always Connected? (Mobile device usage model)
-- **IsDependentSet**  Is the driver part of a larger System Hardware/Firmware update?
-- **IsFinalOutcomeEvent**  Does this event signal the end of the update/upgrade process?
-- **IsFirmware**  Is this update a firmware update?
-- **IsSuccessFailurePostReboot**  Did it succeed and then fail after a restart?
-- **IsWUfBDualScanEnabled**  Is Windows Update for Business dual scan enabled on the device?
-- **IsWUfBEnabled**  Is Windows Update for Business enabled on the device?
-- **MergedUpdate**  Was the OS update and a BSP update merged for installation?
-- **MsiAction**  The stage of MSI installation where it failed.
-- **MsiProductCode**  The unique identifier of the MSI installer.
-- **PackageFullName**  The package name of the content being installed.
-- **PhonePreviewEnabled**  Indicates whether a phone was getting preview build, prior to flighting being introduced.
-- **PlatformRole**  The PowerPlatformRole as defined on MSDN.
-- **ProcessName**  The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided.
-- **ProcessorArchitecture**  Processor architecture of the system (x86, AMD64, ARM).
-- **QualityUpdatePause**  Are quality OS updates paused on the device?
-- **RelatedCV**  The previous Correlation Vector that was used before swapping with a new one
-- **RepeatFailFlag**  Indicates whether this specific piece of content had previously failed to install.
-- **RepeatSuccessInstallFlag**  Indicates whether this specific piece of content had previously installed successful, for example if another user had already installed it.
-- **RevisionNumber**  The revision number of this specific piece of content.
-- **ServiceGuid**  An ID which represents which service the software distribution client is installing content for (Windows Update, Microsoft Store, etc.).
-- **Setup360Phase**  If the install is for an operating system upgrade, indicates which phase of the upgrade is underway.
-- **ShippingMobileOperator**  The mobile operator that a device shipped on.
-- **StatusCode**  Indicates the result of an installation event (success, cancellation, failure code HResult).
-- **SystemBIOSMajorRelease**  Major version of the BIOS.
-- **SystemBIOSMinorRelease**  Minor version of the BIOS.
-- **TargetGroupId**  For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver.
-- **TargetingVersion**  For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device.
-- **TransactionCode**  The ID which represents a given MSI installation
-- **UpdateId**  Unique update ID
-- **UpdateImportance**  Indicates whether a piece of content was marked as Important, Recommended, or Optional.
-- **UsedSystemVolume**  Indicates whether the content was downloaded and then installed from the device's main system storage drive, or an alternate storage drive.
-- **WUDeviceID**  The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
-- **WUSetting**  Indicates the user's current updating settings.
-
-
-### SoftwareUpdateClientTelemetry.DownloadHeartbeat
-
-This event allows tracking of ongoing downloads and contains data to explain the current state of the download
-
-The following fields are available:
-
-- **BundleID**  Identifier associated with the specific content bundle. If this value is found, it shouldn't report as all zeros
-- **BytesTotal**  Total bytes to transfer for this content
-- **BytesTransferred**  Total bytes transferred for this content at the time of heartbeat
-- **ConnectionStatus**  Indicates the connectivity state of the device at the time of heartbeat
-- **CurrentError**  Last (transient) error encountered by the active download
-- **DownloadFlags**  Flags indicating if power state is ignored
-- **DownloadState**  Current state of the active download for this content (queued, suspended, or progressing)
-- **IsNetworkMetered**  "Indicates whether Windows considered the current network to be ?metered"""
-- **MOAppDownloadLimit**  Mobile operator cap on size of application downloads, if any
-- **MOUpdateDownloadLimit**  Mobile operator cap on size of operating system update downloads, if any
-- **PowerState**  Indicates the power state of the device at the time of heartbeart (DC, AC, Battery Saver, or Connected Standby)
-- **RelatedCV**  "The previous correlation vector that was used by the client, before swapping with a new one "
-- **ResumeCount**  Number of times this active download has resumed from a suspended state
-- **ServiceID**  "Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc) "
-- **SuspendCount**  Number of times this active download has entered a suspended state
-- **SuspendReason**  Last reason for why this active download entered a suspended state
-- **CallerApplicationName**  Name provided by the caller who initiated API calls into the software distribution client
-- **ClientVersion**  The version number of the software distribution client
-- **EventType**  "Possible values are ""Child"", ""Bundle"", or ""Driver"""
-- **FlightId**  The unique identifier for each flight
-- **RevisionNumber**  Identifies the revision number of this specific piece of content
-- **ServiceGuid**  Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc)
-- **UpdateId**  "Identifier associated with the specific piece of content "
-- **WUDeviceID**  "Unique device id controlled by the software distribution client "
-
-
-## Update events
-
-### Update360Telemetry.UpdateAgentPostRebootResult
-
-This event collects information for both Mobile and Desktop regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario
-
-The following fields are available:
-
-- **ErrorCode**  The error code returned for the current post reboot phase
-- **FlightId**  The unique identifier for each flight
-- **ObjectId**  Unique value for each Update Agent mode
-- **RelatedCV**  Correlation vector value generated from the latest USO scan
-- **Result**  Indicates the Hresult
-- **ScenarioId**  The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
-- **SessionId**  Unique value for each Update Agent mode attempt
-- **UpdateId**  Unique ID for each update
-- **PostRebootResult**  Indicates the Hresult
-
-
-### Update360Telemetry.UpdateAgent_Initialize
-
-This event sends data during the initialize phase of updating Windows.
-
-The following fields are available:
-
-- **ErrorCode**  The error code returned for the current initialize phase.
-- **FlightId**  Unique ID for each flight.
-- **FlightMetadata**  Contains the FlightId and the build being flighted.
-- **ObjectId**  Unique value for each Update Agent mode.
-- **RelatedCV**  Correlation vector value generated from the latest USO scan.
-- **ScenarioId**  The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
-- **SessionData**  Contains instructions to update agent for processing FODs and DUICs (Null for other scenarios).
-- **SessionId**  Unique value for each Update Agent mode attempt .
-- **UpdateId**  Unique ID for each update.
-- **Result**  Result of the initialize phase of update. 0 = Succeeded, 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled
-
-
-### Update360Telemetry.UpdateAgent_DownloadRequest
-
-This event sends data during the download request phase of updating Windows.
-
-The following fields are available:
-
-- **ErrorCode**  The error code returned for the current download request phase.
-- **ObjectId**  Unique value for each Update Agent mode.
-- **PackageCountOptional**  Number of optional packages requested.
-- **PackageCountRequired**  Number of required packages requested.
-- **PackageCountTotal**  Total number of packages needed.
-- **RelatedCV**  Correlation vector value generated from the latest USO scan.
-- **ScenarioId**  The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
-- **SessionId**  Unique value for each Update Agent mode attempt.
-- **PackageSizeCanonical**  Size of canonical packages in bytes
-- **PackageSizeDiff**  Size of diff packages in bytes
-- **PackageSizeExpress**  Size of express packages in bytes
-- **Result**  Result of the download request phase of update.
-- **FlightId**  Unique ID for each flight.
-- **UpdateId**  Unique ID for each update.
-- **PackageCountTotalCanonical**  Total number of canonical packages.
-- **PackageCountTotalDiff**  Total number of diff packages.
-- **PackageCountTotalExpress**  Total number of express packages.
-- **DeletedCorruptFiles**  Indicates if UpdateAgent found any corrupt payload files and whether the payload was deleted.
-- **RangeRequestState**  Represents the state of the download range request.
-
-
-### Update360Telemetry.UpdateAgent_Install
-
-This event sends data during the install phase of updating Windows.
-
-The following fields are available:
-
-- **ErrorCode**  The error code returned for the current install phase.
-- **ObjectId**  Unique value for each Update Agent mode.
-- **RelatedCV**  Correlation vector value generated from the latest scan.
-- **ScenarioId**  The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
-- **SessionId**  Unique value for each Update Agent mode attempt.
-- **Result**  "Result of the install phase of update. 0 = Succeeded 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled "
-- **FlightId**  Unique ID for each flight.
-- **UpdateId**  Unique ID for each update.
-
-
-### Update360Telemetry.UpdateAgent_ModeStart
-
-This event sends data for the start of each mode during the process of updating Windows.
-
-The following fields are available:
-
-- **Mode**  Indicates that the Update Agent mode that has started. 1 = Initialize, 2 = DownloadRequest, 3 = Install, 4 = Commit
-- **ObjectId**  Unique value for each Update Agent mode.
-- **RelatedCV**  The correlation vector value generated from the latest scan.
-- **ScenarioId**  The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
-- **SessionId**  Unique value for each Update Agent mode attempt.
-- **FlightId**  Unique ID for each flight.
-- **UpdateId**  Unique ID for each update.
-
-
-### Update360Telemetry.UpdateAgent_SetupBoxLaunch
-
-This event sends data during the launching of the setup box when updating Windows.
-
-The following fields are available:
-
-- **ObjectId**  Unique value for each Update Agent mode.
-- **Quiet**  Indicates whether setup is running in quiet mode. 0 = false 1 = true
-- **RelatedCV**  Correlation vector value generated from the latest scan.
-- **ScenarioId**  The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
-- **SessionId**  Unique value for each Update Agent mode attempt.
-- **FlightId**  Unique ID for each flight.
-- **UpdateId**  Unique ID for each update.
-- **SetupMode**  Setup mode 1 = predownload, 2 = install, 3 = finalize
-- **SandboxSize**  The size of the sandbox folder on the device.
-
-
-## Update notification events
-
-### Microsoft.Windows.UpdateNotificationPipeline.JavascriptJavascriptCriticalGenericMessage
-
-This event indicates that Javascript is reporting a schema and a set of values for critical diagnostic data.
-
-The following fields are available:
-
-- **CampaignConfigVersion**  Configuration version for the current campaign
-- **CampaignID**  Currently campaign that's running on UNP
-- **ConfigCatalogVersion**  Current catalog version of UNP
-- **ContentVersion**  Content version for the current campaign on UNP
-- **CV**  Correlation vector
-- **DetectorVersion**  Most recently run detector version for the current campaign on UNP
-- **GlobalEventCounter**  Client-side counter that indicates the event ordering sent by the user
-- **key1**  Interaction data for the UI
-- **key10**  Interaction data for the UI
-- **key11**  Interaction data for the UI
-- **key12**  Interaction data for the UI
-- **key13**  Interaction data for the UI
-- **key14**  Interaction data for the UI
-- **key15**  Interaction data for the UI
-- **key16**  Interaction data for the UI
-- **key17**  Interaction data for the UI
-- **key18**  Interaction data for the UI
-- **key19**  Interaction data for the UI
-- **key2**  Interaction data for the UI
-- **key20**  Interaction data for the UI
-- **key21**  Interaction data for the UI
-- **key22**  Interaction data for the UI
-- **key23**  Interaction data for the UI
-- **key24**  Interaction data for the UI
-- **key25**  Interaction data for the UI
-- **key26**  Interaction data for the UI
-- **key27**  Interaction data for the UI
-- **key28**  Interaction data for the UI
-- **key29**  Interaction data for the UI
-- **key3**  Interaction data for the UI
-- **key30**  Interaction data for the UI
-- **key4**  Interaction data for the UI
-- **key5**  Interaction data for the UI
-- **key6**  Interaction data for the UI
-- **key7**  Interaction data for the UI
-- **key8**  Interaction data for the UI
-- **key9**  Interaction data for the UI
-- **PackageVersion**  Current package version of UNP
-- **schema**  Type of UI interaction
-
-
-### Microsoft.Windows.UpdateNotificationPipeline.UNPCampaignHeartbeat
-
-This event is sent at the start of each campaign, to be used as a heartbeat
-
-The following fields are available:
-
-- **CampaignConfigVersion**  Configuration version for the current campaign
-- **CampaignID**  Currently campaign that's running on UNP
-- **ConfigCatalogVersion**  Current catalog version of UNP
-- **ContentVersion**  Content version for the current campaign on UNP
-- **CV**  Correlation vector
-- **DetectorVersion**  Most recently run detector version for the current campaign on UNP
-- **GlobalEventCounter**  Client-side counter that indicates the event ordering sent by the user
-- **PackageVersion**  Current UNP package version
-
-
-### Microsoft.Windows.UpdateNotificationPipeline.UNPCampaignManagerCleaningCampaign
-
-This event indicates that the Campaign Manager is cleaning up the campaign content
-
-The following fields are available:
-
-- **CampaignConfigVersion**  Configuration version for the current campaign
-- **CampaignID**  Current campaign that's running on UNP
-- **ConfigCatalogVersion**  Current catalog version of UNP
-- **ContentVersion**  Content version for the current campaign on UNP
-- **CV**  Correlation vector
-- **DetectorVersion**  Most recently run detector version for the current campaign on UNP
-- **GlobalEventCounter**  Client-side counter that indicates the event ordering sent by the user
-- **PackageVersion**  Current UNP package version
-
-
-### Microsoft.Windows.UpdateNotificationPipeline.UnpCampaignManagerGetIsCamppaignCompleteFailed
-
-This event is sent when a campaign completion status query fails
-
-The following fields are available:
-
-- **CampaignConfigVersion**  Configuration version for the current campaign
-- **CampaignID**  Current campaign that's running on UNP
-- **ConfigCatalogVersion**  Current catalog version of UNP
-- **ContentVersion**  Content version for the current campaign on UNP
-- **CV**  Correlation vector
-- **DetectorVersion**  Most recently run detector version for the current campaign on UNP
-- **GlobalEventCounter**  Client-side counter that indicates the event ordering sent by the user
-- **hresult**  HRESULT of the failure
-- **PackageVersion**  Current UNP package version
-
-
-### Microsoft.Windows.UpdateNotificationPipeline.UNPCampaignManagerHeartbeat
-
-This event is sent at the start of the CampaignManager event and is intended to be used as a heartbeat
-
-The following fields are available:
-
-- **CampaignConfigVersion**  Configuration version for the current campaign
-- **CampaignID**  Currently campaign that's running on UNP
-- **ConfigCatalogVersion**  Current catalog version of UNP
-- **ContentVersion**  Content version for the current campaign on UNP
-- **CV**  Correlation vector
-- **DetectorVersion**  Most recently run detector version for the current campaign on UNP
-- **GlobalEventCounter**  Client-side counter that indicates the event ordering sent by the user
-- **PackageVersion**  Current UNP package version
-
-
-### Microsoft.Windows.UpdateNotificationPipeline.UnpCampaignManagerRunCampaignFailed
-
-This event is sent when the Campaign Manager encounters an unexpected error while running the campaign
-
-The following fields are available:
-
-- **CampaignConfigVersion**  Configuration version for the current campaign
-- **CampaignID**  Currently campaign that's running on UNP
-- **ConfigCatalogVersion**  Current catalog version of UNP
-- **ContentVersion**  Content version for the current campaign on UNP
-- **CV**  Correlation vector
-- **DetectorVersion**  Most recently run detector version for the current campaign on UNP
-- **GlobalEventCounter**  Client-side counter that indicates the event ordering sent by the user
-- **hresult**  HRESULT of the failure#N#
-- **PackageVersion**  Current UNP package version
-
-
-## Upgrade events
-
-### Setup360Telemetry.PreDownloadUX
-
-The event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10. Specifically, the Setup360Telemetry.PredownloadUX indicates the outcome of the PredownloadUX portion of the update process.
-
-The following fields are available:
-
-- **ClientId**  For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
-- **HostOSBuildNumber**  The build number of the previous operating system.
-- **HostOsSkuName**  The OS edition which is running the Setup360 instance (previous operating system).
-- **InstanceId**  Unique GUID that identifies each instance of setuphost.exe.
-- **ReportId**  For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim.
-- **Setup360Extended**  Extension of result - more granular information about phase/action when the potential failure happened
-- **Setup360Mode**  The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
-- **Setup360Result**  The result of Setup360. This is an HRESULT error code that can be used to diagnose errors.
-- **Setup360Scenario**  The Setup360 flow type. Examplle: Boot, Media, Update, MCT
-- **SetupVersionBuildNumber**  The build number of Setup360 (build number of the target OS).
-- **State**  The exit state of the Setup360 run. Example: succeeded, failed, blocked, cancelled
-- **TestId**  A string to uniquely identify a group of events.
-- **WuId**  Windows Update client ID.
-
-
-### Setup360Telemetry.UnexpectedEvent
-
-This event sends data indicating that the device has invoked the unexpected event phase of the upgrade, to help keep Windows up to date.
-
-The following fields are available:
-
-- **ClientId**  With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
-- **HostOSBuildNumber**  The build number of the previous OS.
-- **HostOsSkuName**  The OS edition which is running Setup360 instance (previous OS).
-- **InstanceId**  A unique GUID that identifies each instance of setuphost.exe
-- **ReportId**  With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
-- **Setup360Extended**  Extension of result - more granular information about phase/action when the potential failure happened
-- **Setup360Mode**  The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
-- **Setup360Result**  The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors.
-- **Setup360Scenario**  The Setup360 flow type. Example: Boot, Media, Update, MCT
-- **SetupVersionBuildNumber**  The build number of Setup360 (build number of target OS).
-- **State**  The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled
-- **TestId**  A string to uniquely identify a group of events.
-- **WuId**  This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
-
-
-### Setup360Telemetry.PreInstallQuiet
-
-This event sends data indicating that the device has invoked the preinstall quiet phase of the upgrade, to help keep Windows up to date.
-
-The following fields are available:
-
-- **ClientId**  With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
-- **HostOSBuildNumber**  The build number of the previous OS.
-- **HostOsSkuName**  The OS edition which is running Setup360 instance (previous OS).
-- **InstanceId**  A unique GUID that identifies each instance of setuphost.exe
-- **ReportId**  With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
-- **Setup360Extended**  Extension of result - more granular information about phase/action when the potential failure happened
-- **Setup360Mode**  The phase of Setup360. Example: Predownload, Install, Finalize, Rollback etc.
-- **Setup360Result**  The result of Setup360. This is an HRESULT error code that can be used to diagnose errors.
-- **Setup360Scenario**  Setup360 flow type (Boot, Media, Update, MCT)
-- **SetupVersionBuildNumber**  The build number of Setup360 (build number of target OS).
-- **State**  The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled
-- **TestId**  A string to uniquely identify a group of events.
-- **WuId**  This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
-
-
-### Setup360Telemetry.Finalize
-
-This event sends data indicating that the device has invoked the finalize phase of the upgrade, to help keep Windows up-to-date.
-
-The following fields are available:
-
-- **ClientId**  With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
-- **HostOSBuildNumber**  The build number of the previous OS.
-- **HostOsSkuName**  The OS edition which is running Setup360 instance (previous OS).
-- **InstanceId**  A unique GUID that identifies each instance of setuphost.exe
-- **ReportId**  With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
-- **Setup360Extended**  Extension of result - more granular information about phase/action when the potential failure happened
-- **Setup360Mode**  The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
-- **Setup360Result**  The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
-- **Setup360Scenario**  The Setup360 flow type. Example: Boot, Media, Update, MCT
-- **SetupVersionBuildNumber**  The build number of Setup360 (build number of target OS).
-- **State**  The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled
-- **TestId**  A string to uniquely identify a group of events.
-- **WuId**  This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
-
-
-### Setup360Telemetry.PostRebootInstall
-
-This event sends data indicating that the device has invoked the postrebootinstall phase of the upgrade, to help keep Windows up-to-date.
-
-The following fields are available:
-
-- **ClientId**  With Windows Update, this is the Windows Update client ID that is passed to Setup. In Media setup, the default value is Media360, but can be overwritten by the caller to a unique value.
-- **HostOSBuildNumber**  The build number of the previous OS.
-- **HostOsSkuName**  The OS edition which is running Setup360 instance (previous OS).
-- **InstanceId**  A unique GUID that identifies each instance of setuphost.exe.
-- **ReportId**  With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
-- **Setup360Extended**  Extension of result - more granular information about phase/action when the potential failure happened
-- **Setup360Mode**  The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
-- **Setup360Result**  The result of Setup360. This is an HRESULT error code that's used to diagnose errors.
-- **Setup360Scenario**  The Setup360 flow type. Example: Boot, Media, Update, MCT
-- **SetupVersionBuildNumber**  The build number of Setup360 (build number of target OS).
-- **State**  The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled
-- **TestId**  A string to uniquely identify a group of events.
-- **WuId**  This is the Windows Update Client ID. With Windows Update, this is the same as ClientId.
-
-
-### Setup360Telemetry.PreDownloadQuiet
-
-This event sends data indicating that the device has invoked the predownload quiet phase of the upgrade, to help keep Windows up to date.
-
-The following fields are available:
-
-- **ClientId**  Using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
-- **HostOSBuildNumber**  The build number of the previous OS.
-- **HostOsSkuName**  The OS edition which is running Setup360 instance (previous operating system).
-- **InstanceId**  A unique GUID that identifies each instance of setuphost.exe
-- **ReportId**  Using Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
-- **Setup360Extended**  Extension of result - more granular information about phase/action when the potential failure happened
-- **Setup360Mode**  The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
-- **Setup360Result**  The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
-- **Setup360Scenario**  The Setup360 flow type. Example: Boot, Media, Update, MCT
-- **SetupVersionBuildNumber**  The build number of Setup360 (build number of target OS).
-- **State**  The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled
-- **TestId**  A string to uniquely identify a group of events.
-- **WuId**  This is the Windows Update Client ID. Using Windows Update, this is the same as the clientId.
-
-
-### Setup360Telemetry.OsUninstall
-
-The event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10. Specifically, the Setup360Telemetry.OSUninstall indicates the outcome of an OS uninstall.
-
-The following fields are available:
-
-- **ClientId**  For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
-- **HostOSBuildNumber**  The build number of the previous OS.
-- **HostOsSkuName**  The OS edition which is running the Setup360 instance (previous OS).
-- **InstanceId**  A unique GUID that identifies each instance of setuphost.exe.
-- **ReportId**  For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim.
-- **Setup360Extended**  Extension of result - more granular information about phase/action when the potential failure happened
-- **Setup360Mode**  The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
-- **Setup360Result**  The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
-- **Setup360Scenario**  The Setup360 flow type. Example: Boot, Media, Update, MCT
-- **SetupVersionBuildNumber**  The build number of Setup360 (build number of target OS).
-- **State**  Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled
-- **TestId**  A string to uniquely identify a group of events.
-- **WuId**  Windows Update client ID.
-
-
-### Setup360Telemetry.Downlevel
-
-This event sends data indicating that the device has invoked the downlevel phase of the upgrade. It's used to help keep Windows up-to-date and secure.
-
-The following fields are available:
-
-- **ClientId**  If using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, the default value is Media360, but it can be overwritten by the caller to a unique value.
-- **HostOSBuildNumber**  The build number of the downlevel OS.
-- **HostOsSkuName**  The operating system edition which is running Setup360 instance (downlevel OS).
-- **InstanceId**  A unique GUID that identifies each instance of setuphost.exe.
-- **ReportId**  In the Windows Update scenario, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
-- **Setup360Extended**  Extension of result - more granular information about phase/action when the potential failure happened
-- **Setup360Mode**  The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
-- **Setup360Result**  The result of Setup360. It's an HRESULT error code that can be used to diagnose errors.
-- **Setup360Scenario**  The Setup360 flow type. Example: Boot, Media, Update, MCT
-- **SetupVersionBuildNumber**  The build number of Setup360 (build number of the target OS).
-- **State**  Exit state of given Setup360 run. Example: succeeded, failed, blocked, cancelled
-- **TestId**  A string that uniquely identifies a group of events.
-- **WuId**  This is the Windows Update Client ID. In the Windows Update scenario, this is the same as the clientId.
-
-
-### Setup360Telemetry.PreInstallUX
-
-This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10.  Specifically, the Setup360Telemetry.PreinstallUX indicates the outcome of the PreinstallUX portion of the update process.
-
-The following fields are available:
-
-- **ClientId**  For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
-- **HostOSBuildNumber**  The build number of the previous OS.
-- **HostOsSkuName**  The OS edition which is running the Setup360 instance (previous OS).
-- **InstanceId**  A unique GUID that identifies each instance of setuphost.exe.
-- **ReportId**  For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim.
-- **Setup360Extended**  Extension of result - more granular information about phase/action when the potential failure happened
-- **Setup360Mode**  The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
-- **Setup360Result**  The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
-- **Setup360Scenario**  The Setup360 flow type, Example: Boot, Media, Update, MCT
-- **SetupVersionBuildNumber**  The build number of Setup360 (build number of target OS).
-- **State**  The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled
-- **TestId**  A string to uniquely identify a group of events.
-- **WuId**  Windows Update client ID.
-
-
-### Setup360Telemetry.Setup360
-
-This event sends data about OS deployment scenarios, to help keep Windows up-to-date.
-
-The following fields are available:
-
-- **FieldName**  Retrieves the data point.
-- **FlightData**  Specifies a unique identifier for each group of Windows Insider builds.
-- **InstanceId**  Retrieves a unique identifier for each instance of a setup session.
-- **ReportId**  Retrieves the report ID.
-- **ScenarioId**  Retrieves the deployment scenario.
-- **Value**  Retrieves the value associated with the corresponding FieldName.
-- **ClientId**  Retrieves the upgrade ID: Upgrades via Windows Update - specifies the WU clientID. All other deployment - static string.
-
-
-## Windows as a Service diagnostic events
-
-### Microsoft.Windows.WaaSMedic.SummaryEvent
-
-This event provides the results from the WaaSMedic engine
-
-The following fields are available:
-
-- **detectionSummary**  Result of each detection that ran
-- **featureAssessmentImpact**  Windows as a Service (WaaS) Assessment impact on feature updates
-- **insufficientSessions**  True, if the device has enough activity to be eligible for update diagnostics. False, if otherwise
-- **isManaged**  Indicates the device is managed for updates
-- **isWUConnected**  Indicates the device is connected to Windows Update
-- **noMoreActions**  All available WaaSMedic diagnostics have run. There are no pending diagnostics and corresponding actions
-- **qualityAssessmentImpact**  Windows as a Service (WaaS) Assessment impact for quality updates
-- **remediationSummary**  Result of each operation performed on a device to fix an invalid state or configuration that's preventing the device from getting updates. For example, if Windows Update service is turned off, the fix is to turn the it back on
-- **usingBackupFeatureAssessment**  The WaaSMedic engine contacts Windows as a Service (WaaS) Assessment to determine whether the device is up-to-date. If WaaS Assessment isn't available, the engine falls back to backup feature assessments, which are determined programmatically on the client#N#
-- **usingBackupQualityAssessment**  The WaaSMedic engine contacts Windows as a Service (WaaS) Assessment to determine whether the device is up-to-date. If WaaS Assessment isn't available, the engine falls back to backup quality assessments, which are determined programmatically on the client#N#
-- **versionString**  Installed version of the WaaSMedic engine
-- **hrEngineResult**  Indicates the WaaSMedic engine operation error codes
-
-
-### Microsoft.Windows.WaaSMedic.Summary
-
-This event provides the results of the WaaSMedic diagnostic run
-
-The following fields are available:
-
-- **detectionSummary**  Result of each detection that ran
-- **remediationSummary**  Result of each operation performed on a device to fix an invalid state or configuration that's preventing the device from getting updates. For example, if Windows Update service is turned off, the fix is to turn the it back on
-- **versionString**  Installed version of the WaaSMedic engine
-- **featureAssessmentImpact**  Windows as a Service (WaaS) Assessment impact on feature updates
-- **insufficientSessions**  True, if the device has enough activity to be eligible for update diagnostics. False, if otherwise
-- **isManaged**  Indicates the device is managed for updates
-- **isWUConnected**  Indicates the device is connected to Windows Update
-- **noMoreActions**  All available WaaSMedic diagnostics have run. There are no pending diagnostics and corresponding actions
-- **qualityAssessmentImpact**  Windows as a Service (WaaS) Assessment impact for quality updates
-- **usingBackupFeatureAssessment**  The WaaSMedic engine contacts Windows as a Service (WaaS) Assessment to determine whether the device is up-to-date. If WaaS Assessment isn't available, the engine falls back to backup feature assessments, which are determined programmatically on the client
-- **usingBackupQualityAssessment**  The WaaSMedic engine contacts Windows as a Service (WaaS) Assessment to determine whether the device is up-to-date. If WaaS Assessment isn't available, the engine falls back to backup quality assessments, which are determined programmatically on the client
-
-
-## Windows Error Reporting events
-
-### Microsoft.Windows.WERVertical.OSCrash
-
-This event sends binary data from the collected dump file wheneveer a bug check occurs, to help keep Windows up to date. The is the OneCore version of this event.
-
-The following fields are available:
-
-- **BootId**  Uint32 identifying the boot number for this device.
-- **BugCheckCode**  "Uint64 ""bugcheck code"" that identifies a proximate cause of the bug check."
-- **BugCheckParameter1**  Uint64 parameter providing additional information.
-- **BugCheckParameter2**  Uint64 parameter providing additional information.
-- **BugCheckParameter3**  Uint64 parameter providing additional information.
-- **BugCheckParameter4**  Uint64 parameter providing additional information.
-- **DumpFileAttributes**  Codes that identify the type of data contained in the dump file
-- **DumpFileSize**  Size of the dump file
-- **IsValidDumpFile**  True if the dump file is valid for the debugger, false otherwise
-- **ReportId**  WER Report Id associated with this bug check (used for finding the corresponding report archive in Watson).
 
 
 ## Microsoft Store events
@@ -3749,23 +3082,74 @@ The following fields are available:
 - **CategoryId**  The Item Category ID.
 - **ClientAppId**  The identity of the app that initiated this operation.
 - **HResult**  The result code of the last action performed before this operation.
-- **IntentPFNs**  Intent Product Family Name
 - **IsBundle**  Is this a bundle?
 - **IsInteractive**  Was this requested by a user?
 - **IsMandatory**  Was this a mandatory update?
 - **IsRemediation**  Was this a remediation install?
 - **IsRestore**  Is this automatically restoring a previously acquired product?
 - **IsUpdate**  Flag indicating if this is an update.
-- **IsWin32**  Flag indicating if this is a Win32 app (not used).
 - **ParentBundleId**  The product ID of the parent (if this product is part of a bundle).
 - **PFN**  The product family name of the product being installed.
 - **ProductId**  The identity of the package or packages being installed.
 - **SystemAttemptNumber**  The total number of automatic attempts at installation before it was canceled.
-- **UpdateId**  Update ID (if this is an update)
 - **UserAttemptNumber**  The total number of user attempts at installation before it was canceled.
 - **WUContentId**  The Windows Update content ID
 
 
+### Microsoft.Windows.StoreAgent.Telemetry.BeginGetInstalledContentIds
+
+This event is sent when an inventory of the apps installed is started to determine whether updates for those apps are available. It's used to help keep Windows up-to-date and secure.
+
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.BeginUpdateMetadataPrepare
+
+This event is sent when the Store Agent cache is refreshed with any available package updates. It's used to help keep Windows up-to-date and secure.
+
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.CancelInstallation
+
+This event is sent when an app update or installation is canceled while in interactive mode. This can be canceled by the user or the system. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **AggregatedPackageFullNames**  The names of all package or packages to be downloaded and installed.
+- **AttemptNumber**  Total number of installation attempts.
+- **BundleId**  The identity of the Windows Insider build that is associated with this product.
+- **CategoryId**  The identity of the package or packages being installed.
+- **ClientAppId**  The identity of the app that initiated this operation.
+- **IsBundle**  Is this a bundle?
+- **IsInteractive**  Was this requested by a user?
+- **IsMandatory**  Is this a mandatory update?
+- **IsRemediation**  Is this repairing a previous installation?
+- **IsRestore**  Is this an automatic restore of a previously acquired product?
+- **IsUpdate**  Is this a product update?
+- **ParentBundleId**  The product ID of the parent (if this product is part of a bundle).
+- **PFN**  The name of all packages to be downloaded and installed.
+- **PreviousHResult**  The previous HResult code.
+- **PreviousInstallState**  Previous installation state before it was canceled.
+- **ProductId**  The name of the package or packages requested for installation.
+- **RelatedCV**  Correlation Vector of a previous performed action on this product.
+- **SystemAttemptNumber**  Total number of automatic attempts to install before it was canceled.
+- **UserAttemptNumber**  Total number of user attempts to install before it was canceled.
+- **WUContentId**  The Windows Update content ID
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.CompleteInstallOperationRequest
+
+This event is sent after the app installations or updates. It's used to help keep Windows up-to-date and secure
+
+The following fields are available:
+
+- **CatalogId**  The Store Product ID of the app being installed.
+- **HResult**  HResult code of the action being performed.
+- **IsBundle**  Is this a bundle?
+- **PackageFamilyName**  The name of the package being installed.
+- **ProductId**  The Store Product ID of the product being installed.
+- **SkuId**  Specific edition of the item being installed.
+
+
 ### Microsoft.Windows.StoreAgent.Telemetry.EndAcquireLicense
 
 This event is sent after the license is acquired when a product is being installed. It's used to help keep Windows up-to-date and secure.
@@ -3778,20 +3162,16 @@ The following fields are available:
 - **CategoryId**  The identity of the package or packages being installed.
 - **ClientAppId**  The identity of the app that initiated this operation.
 - **HResult**  HResult code to show the result of the operation (success/failure).
-- **IntentPFNs**  Intent Product Family Name
 - **IsBundle**  Is this a bundle?
 - **IsInteractive**  Did the user initiate the installation?
 - **IsMandatory**  Is this a mandatory update?
 - **IsRemediation**  Is this repairing a previous installation?
 - **IsRestore**  Is this happening after a device restore?
 - **IsUpdate**  Is this an update?
-- **IsWin32**  Flag indicating if this is a Win32app.
-- **ParentBundledId**  The product's parent bundle ID.
 - **ParentBundleId**  The parent bundle ID (if it's part of a bundle).
 - **PFN**  Product Family Name of the product being installed.
 - **ProductId**  The Store Product ID for the product being installed.
 - **SystemAttemptNumber**  The number of attempts by the system to acquire this product.
-- **UpdateId**  The update ID (if this is an update)
 - **UserAttemptNumber**  The number of attempts by the user to acquire this product
 - **WUContentId**  The Windows Update content ID
 
@@ -3810,19 +3190,16 @@ The following fields are available:
 - **DownloadSize**  The total size of the download.
 - **ExtendedHResult**  Any extended HResult error codes.
 - **HResult**  The result code of the last action performed.
-- **IntentPFNs**  Intent Product Family Name
 - **IsBundle**  Is this a bundle?
 - **IsInteractive**  Is this initiated by the user?
 - **IsMandatory**  Is this a mandatory installation?
 - **IsRemediation**  Is this repairing a previous installation?
 - **IsRestore**  Is this a restore of a previously acquired product?
 - **IsUpdate**  Is this an update?
-- **IsWin32**  Flag indicating if this is a Win32 app (unused).
 - **ParentBundleId**  The parent bundle ID (if it's part of a bundle).
 - **PFN**  The Product Family Name of the app being download.
 - **ProductId**  The Store Product ID for the product being installed.
 - **SystemAttemptNumber**  The number of attempts by the system to download.
-- **UpdateId**  Update ID (if this is an update)
 - **UserAttemptNumber**  The number of attempts by the user to download.
 - **WUContentId**  The Windows Update content ID.
 
@@ -3858,19 +3235,16 @@ The following fields are available:
 - **ClientAppId**  The identity of the app that initiated this operation.
 - **ExtendedHResult**  The extended HResult error code.
 - **HResult**  The result code of the last action performed.
-- **IntentPFNs**  Intent Product Family Name
 - **IsBundle**  Is this a bundle?
 - **IsInteractive**  Is this an interactive installation?
 - **IsMandatory**  Is this a mandatory installation?
 - **IsRemediation**  Is this repairing a previous installation?
 - **IsRestore**  Is this automatically restoring a previously acquired product?
 - **IsUpdate**  Is this an update?
-- **IsWin32**  Flag indicating if this a Win32 app (unused).
 - **ParentBundleId**  The product ID of the parent (if this product is part of a bundle).
 - **PFN**  Product Family Name of the product being installed.
 - **ProductId**  The Store Product ID for the product being installed.
 - **SystemAttemptNumber**  The total number of system attempts.
-- **UpdateId**  Update ID (if this is an update)
 - **UserAttemptNumber**  The total number of user attempts.
 - **WUContentId**  The Windows Update content ID
 
@@ -3900,19 +3274,16 @@ The following fields are available:
 - **CategoryId**  The identity of the package or packages being installed.
 - **ClientAppId**  The identity of the app that initiated this operation.
 - **HResult**  The result code of the last action performed.
-- **IntentPFNs**  The licensing identity of this package.
 - **IsBundle**  Is this a bundle?
 - **IsInteractive**  Is this user requested?
 - **IsMandatory**  Is this a mandatory update?
 - **IsRemediation**  Is this repairing a previous installation?
 - **IsRestore**  Is this restoring previously acquired content?
 - **IsUpdate**  Is this an update?
-- **IsWin32**  Flag indicating if this a Win32 app (unused).
 - **ParentBundleId**  The product ID of the parent (if this product is part of a bundle).
 - **PFN**  The name of the package or packages requested for install.
 - **ProductId**  The Store Product ID for the product being installed.
 - **SystemAttemptNumber**  The total number of system attempts.
-- **UpdateId**  Update ID (if this is an update)
 - **UserAttemptNumber**  The total number of user attempts.
 - **WUContentId**  The Windows Update content ID
 
@@ -3923,6 +3294,7 @@ This event is sent between download and installation to see if there is app data
 
 The following fields are available:
 
+- **AggregatedPackageFullNames**  The name of all packages to be downloaded and installed.
 - **AttemptNumber**  The total number of retry attempts before it was canceled.
 - **BundleId**  The identity of the build associated with this product.
 - **CategoryId**  The identity of the package or packages being installed.
@@ -3940,8 +3312,39 @@ The following fields are available:
 - **SystemAttemptNumber**  The total number of system attempts.
 - **UserAttemptNumber**  The total number of system attempts.
 - **WUContentId**  The Windows Update content ID
-- **IntentPFNs**  The licensing identity of this package.
-- **AggregatedPackageFullNames**  The name of all packages to be downloaded and installed.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.EndUpdateMetadataPrepare
+
+This event happens after a scan for available app updates. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **HResult**  The result code of the last action performed.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentComplete
+
+The FulfillmentComplete event is fired at the end of an app install or update.  We use this to track the very end of the install/update process.  StoreAgent events are needed to help keep Windows pre-installed 1st party apps up to date and secure, such as the mail and calendar apps. App update failure can be unique across devices and without this data from every device we will not be able to track the success/failure and fix any future vulnerabilities related to these built in Windows Apps.
+
+The following fields are available:
+
+- **CatalogId**  The CatalogId is the name of the product catalog from which this app was chosen.
+- **FailedRetry**  Was the installation or update retry successful?
+- **HResult**  The HResult code of the operation.
+- **PFN**  The Package Family Name of the app that is being installed or updated.
+- **ProductId**  The product ID of the app that is being updated or installed.
+
+
+### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentInitiate
+
+The FulfillmentInitiate event is fired at the start of an app install or update.  We use this to track the very beginning of the install/update process.  StoreAgent events are needed to help keep Windows pre-installed 1st party apps up to date and secure, such as the mail and calendar apps. App update failure can be unique across devices and without this data from every device we will not be able to track the success/failure and fix any future vulnerabilities related to these built in Windows Apps.
+
+The following fields are available:
+
+- **PFN**  The Package Family Name of the app that is being installed or updated.
+- **ProductId**  The product ID of the app that is being updated or installed.
+- **CatalogId**  The CatalogId is the name of the product catalog from which this app was chosen.
 
 
 ### Microsoft.Windows.StoreAgent.Telemetry.InstallOperationRequest
@@ -3963,6 +3366,7 @@ This event is sent when a product install or update is paused either by a user o
 
 The following fields are available:
 
+- **AggregatedPackageFullNames**  The names of all packages to be downloaded and installed.
 - **AttemptNumber**  The total number of retry attempts before it was canceled.
 - **BundleId**  The identity of the build associated with this product.
 - **CategoryId**  The identity of the package or packages being installed.
@@ -3982,8 +3386,6 @@ The following fields are available:
 - **SystemAttemptNumber**  The total number of system attempts.
 - **UserAttemptNumber**  The total number of user attempts.
 - **WUContentId**  The Windows Update content ID
-- **IntentPFNs**  The licensing identity of this package.
-- **AggregatedPackageFullNames**  The names of all packages to be downloaded and installed.
 
 
 ### Microsoft.Windows.StoreAgent.Telemetry.ResumeInstallation
@@ -3992,16 +3394,19 @@ This event happens when a product install or update is resumed either by a user
 
 The following fields are available:
 
+- **AggregatedPackageFullNames**  The names of all packages to be downloaded and installed.
 - **AttemptNumber**  The number of retry attempts before it was canceled.
 - **BundleId**  The identity of the build associated with this product.
 - **CategoryId**  The identity of the package or packages being installed.
 - **ClientAppId**  The identity of the app that initiated this operation.
+- **HResult**  The result code of the last action performed before this operation.
 - **IsBundle**  Is this a bundle?
 - **IsInteractive**  Is this user requested?
 - **IsMandatory**  Is this a mandatory update?
 - **IsRemediation**  Is this repairing a previous installation?
 - **IsRestore**  Is this restoring previously acquired content?
 - **IsUpdate**  Is this an update?
+- **IsUserRetry**  Did the user initiate the retry?
 - **ParentBundleId**  The product ID of the parent (if this product is part of a bundle).
 - **PFN**  The name of the package or packages requested for install.
 - **PreviousHResult**  The previous HResult error code.
@@ -4011,48 +3416,15 @@ The following fields are available:
 - **SystemAttemptNumber**  The total number of system attempts.
 - **UserAttemptNumber**  The total number of user attempts.
 - **WUContentId**  The Windows Update content ID
-- **IntentPFNs**  Intent Product Family Name
-- **AggregatedPackageFullNames**  The names of all packages to be downloaded and installed.
-- **HResult**  The result code of the last action performed before this operation.
-- **IsUserRetry**  Did the user initiate the retry?
 
 
-### Microsoft.Windows.StoreAgent.Telemetry.UpdateAppOperationRequest
+### Microsoft.Windows.StoreAgent.Telemetry.ResumeOperationRequest
 
-This event happens an app for a user needs to be updated. It's used to help keep Windows up-to-date and secure.
+This event happens when a product install or update is resumed by a user and on installation retries. It's used to help keep Windows up-to-date and secure.
 
 The following fields are available:
 
-- **PFamN**  The name of the product that is requested for update.
-
-
-### Microsoft.Windows.StoreAgent.Telemetry.CancelInstallation
-
-This event is sent when an app update or installation is canceled while in interactive mode. This can be canceled by the user or the system. It's used to help keep Windows up-to-date and secure.
-
-The following fields are available:
-
-- **AttemptNumber**  Total number of installation attempts.
-- **BundleId**  The identity of the Windows Insider build that is associated with this product.
-- **CategoryId**  The identity of the package or packages being installed.
-- **ClientAppId**  The identity of the app that initiated this operation.
-- **IsBundle**  Is this a bundle?
-- **IsInteractive**  Was this requested by a user?
-- **IsMandatory**  Is this a mandatory update?
-- **IsRemediation**  Is this repairing a previous installation?
-- **IsRestore**  Is this an automatic restore of a previously acquired product?
-- **IsUpdate**  Is this a product update?
-- **ParentBundleId**  The product ID of the parent (if this product is part of a bundle).
-- **PFN**  The name of all packages to be downloaded and installed.
-- **PreviousHResult**  The previous HResult code.
-- **PreviousInstallState**  Previous installation state before it was canceled.
-- **ProductId**  The name of the package or packages requested for installation.
-- **RelatedCV**  Correlation Vector of a previous performed action on this product.
-- **SystemAttemptNumber**  Total number of automatic attempts to install before it was canceled.
-- **UserAttemptNumber**  Total number of user attempts to install before it was canceled.
-- **WUContentId**  The Windows Update content ID
-- **IntentPFNs**  Intent Product Family Name
-- **AggregatedPackageFullNames**  The names of all package or packages to be downloaded and installed.
+- **ProductId**  The Store Product ID for the product being installed.
 
 
 ### Microsoft.Windows.StoreAgent.Telemetry.SearchForUpdateOperationRequest
@@ -4066,243 +3438,1197 @@ The following fields are available:
 - **SkuId**  Specfic edition of the app being updated.
 
 
-### Microsoft.Windows.StoreAgent.Telemetry.EndUpdateMetadataPrepare
+### Microsoft.Windows.StoreAgent.Telemetry.UpdateAppOperationRequest
 
-This event happens after a scan for available app updates. It's used to help keep Windows up-to-date and secure.
+This event happens an app for a user needs to be updated. It's used to help keep Windows up-to-date and secure.
 
 The following fields are available:
 
-- **HResult**  The result code of the last action performed.
+- **PFamN**  The name of the product that is requested for update.
 
 
-### Microsoft.Windows.StoreAgent.Telemetry.CompleteInstallOperationRequest
+## OneDrive events
 
-This event is sent after the app installations or updates. It's used to help keep Windows up-to-date and secure
+## Privacy consent logging events
+
+### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentCompleted
+
+This event is used to determine whether the user successfully completed the privacy consent experience.
 
 The following fields are available:
 
-- **CatalogId**  The Store Product ID of the app being installed.
-- **HResult**  HResult code of the action being performed.
-- **IsBundle**  Is this a bundle?
-- **PackageFamilyName**  The name of the package being installed.
-- **ProductId**  The Store Product ID of the product being installed.
-- **SkuId**  Specific edition of the item being installed.
+- **presentationVersion**  Which display version of the privacy consent experience the user completed
+- **privacyConsentState**  The current state of the privacy consent experience
+- **settingsVersion**  Which setting version of the privacy consent experience the user completed
+- **userOobeExitReason**  The exit reason of the privacy consent experience
 
 
-### Microsoft.Windows.StoreAgent.Telemetry.ResumeOperationRequest
+### Microsoft.Windows.Shell.PrivacyConsentLogging.PrivacyConsentStatus
 
-This event happens when a product install or update is resumed by a user and on installation retries. It's used to help keep Windows up-to-date and secure.
+Event tells us effectiveness of new privacy experience.
 
 The following fields are available:
 
-- **ProductId**  The Store Product ID for the product being installed.
+- **isAdmin**  Whether the current user is an administrator or not
+- **isLaunching**  Whether or not the privacy consent experience will be launched
+- **isSilentElevation**  Whether the current user has enabled silent elevation
+- **privacyConsentState**  The current state of the privacy consent experience
+- **userRegionCode**  The current user's region setting
 
 
-### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentComplete
+## Setup events
 
-This event is sent at the end of an app install or update and is used to track the very end of the install or update process.
+### SetupPlatformTel.SetupPlatformTelEvent
+
+This service retrieves events generated by SetupPlatform, the engine that drives the various deployment scenarios.
 
 The following fields are available:
 
-- **FailedRetry**  Was the installation or update retry successful?
-- **HResult**  The HResult code of the operation.
-- **PFN**  The Package Family Name of the app that is being installed or updated.
-- **ProductId**  The product ID of the app that is being updated or installed.
+- **FieldName**  Retrieves the event name/data point. Examples: InstallStartTime, InstallEndtime, OverallResult etc.
+- **GroupName**  Retrieves the groupname the event belongs to. Example: Install Information, DU Information, Disk Space Information etc.
+- **Value**  Retrieves the value associated with the corresponding event name (Field Name). For example: For time related events this will include the system time.
 
 
-### Microsoft.Windows.StoreAgent.Telemetry.FulfillmentInitiate
+## Shared PC events
 
-This event is sent at the beginning of an app install or update and is used to track the very beginning of the install or update process.
+### Microsoft.Windows.SharedPC.AccountManager.DeleteUserAccount
+
+Activity for deletion of a user account for devices set up for Shared PC mode as part of the Transient Account Manager to help keep Windows up to date. Deleting un-used user accounts on Education/Shared PCs frees up disk space to improve Windows Update success rates.
 
 The following fields are available:
 
-- **PFN**  The Package Family Name of the app that is being installed or updated.
-- **ProductId**  The product ID of the app that is being updated or installed.
+- **accountType**  The type of account that was deleted. Example: AD, AAD, or Local
+- **deleteState**  Whether the attempted deletion of the user account was successful.
+- **userSid**  The security identifier of the account.
+- **wilActivity**  Windows Error Reporting data collected when there is a failure in deleting a user account with the Transient Account Manager.
+
+
+### Microsoft.Windows.SharedPC.AccountManager.SinglePolicyEvaluation
+
+Activity for run of the Transient Account Manager that determines if any user accounts should be deleted for devices set up for Shared PC mode to help keep Windows up to date. Deleting unused user accounts on shared devices frees up disk space to improve Windows Update success rates
+
+The following fields are available:
+
+- **totalAccountCount**  The number of accounts on a device after running the Transient Account Manager policies.
+- **wilActivity**  Windows Error Reporting data collected when there is a failure in evaluating accounts to be deleted with the Transient Account Manager.
+- **evaluationTrigger**  When was the Transient Account Manager policies ran? Example: At log off or during maintenance hours
+
+
+## SIH events
+
+### SIHEngineTelemetry.EvalApplicability
+
+This event is sent when targeting logic is evaluated to determine if a device is eligible for a given action.
+
+The following fields are available:
+
+- **ActionReasons**  If an action has been assessed as inapplicable, the additional logic prevented it.
+- **AdditionalReasons**  If an action has been assessed as inapplicable, the additional logic prevented it.
+- **CachedEngineVersion**  The engine DLL version that is being used.
+- **EventInstanceID**  A unique identifier for event instance.
+- **EventScenario**  Indicates the purpose of sending this event – whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed.
+- **HandlerReasons**  If an action has been assessed as inapplicable, the installer technology-specific logic prevented it.
+- **IsExecutingAction**  If the action is presently being executed.
+- **ServiceGuid**  A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Windows Store, etc.)
+- **SihclientVersion**  The client version that is being used.
+- **StandardReasons**  If an action has been assessed as inapplicable, the standard logic the prevented it.
+- **StatusCode**  Result code of the event (success, cancellation, failure code HResult).
+- **UpdateID**  A unique identifier for the action being acted upon.
+- **WuapiVersion**  The Windows Update API version that is currently installed.
+- **WuaucltVersion**  The Windows Update client version that is currently installed.
+- **WuauengVersion**  The Windows Update engine version that is currently installed.
+- **WUDeviceID**  The unique identifier controlled by the software distribution client.
+
+
+### SIHEngineTelemetry.SLSActionData
+
+This event reports if the SIH client was able to successfully parse the manifest describing the actions to be evaluated.
+
+The following fields are available:
+
+- **CachedEngineVersion**  The engine DLL version that is being used.
+- **EventInstanceID**  A unique identifier for event instance.
+- **EventScenario**  Indicates the purpose of sending this event – whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed.
+- **FailedParseActions**  The list of actions that were not successfully parsed.
+- **ParsedActions**  The list of actions that were successfully parsed.
+- **ServiceGuid**  A unique identifier that represents which service the software distribution client is connecting to (SIH, Windows Update, Windows Store, etc.)
+- **SihclientVersion**  The client version that is being used.
+- **WuapiVersion**  The Windows Update API version that is currently installed.
+- **WuaucltVersion**  The Windows Update client version that is currently installed.
+- **WuauengVersion**  The Windows Update engine version that is currently installed.
+- **WUDeviceID**  The unique identifier controlled by the software distribution client.
+
+
+## Software update events
+
+### SoftwareUpdateClientTelemetry.CheckForUpdates
+
+Scan process event on Windows Update client (see eventscenario field for specifics, e.g.: started/failed/succeeded)
+
+The following fields are available:
+
+- **ActivityMatchingId**  Contains a unique ID identifying a single CheckForUpdates session from initialization to completion.
+- **AllowCachedResults**  Indicates if the scan allowed using cached results.
+- **CallerApplicationName**  The name provided by the caller who initiated API calls into the software distribution client.
+- **CurrentMobileOperator**  The mobile operator the device is currently connected to.
+- **DriverSyncPassPerformed**  Were drivers scanned this time?
+- **EventScenario**  Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed.
+- **ExtendedStatusCode**  Secondary error code for certain scenarios where StatusCode wasn't specific enough.
+- **FeatureUpdatePause**  Indicates whether feature OS updates are paused on the device.
+- **FlightBranch**  The branch that a device is on if participating in flighting (pre-release builds).
+- **FlightRing**  The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds).
+- **HomeMobileOperator**  The mobile operator that the device was originally intended to work with.
+- **IPVersion**  Indicates whether the download took place over IPv4 or IPv6
+- **IsWUfBDualScanEnabled**  Indicates if Windows Update for Business dual scan is enabled on the device.
+- **IsWUfBEnabled**  Indicates if Windows Update for Business is enabled on the device.
+- **MetadataIntegrityMode**  The mode of the update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce
+- **NumberOfApplicationsCategoryScanEvaluated**  The number of categories (apps) for which an app update scan checked
+- **NumberOfLoop**  The number of round trips the scan required
+- **NumberOfNewUpdatesFromServiceSync**  The number of updates which were seen for the first time in this scan
+- **NumberOfUpdatesEvaluated**  The total number of updates which were evaluated as a part of the scan
+- **NumFailedMetadataSignatures**  The number of metadata signatures checks which failed for new metadata synced down.
+- **Online**  Indicates if this was an online scan.
+- **PhonePreviewEnabled**  Indicates whether a phone was getting preview build, prior to flighting (pre-release builds) being introduced.
+- **ProcessName**  The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided.
+- **QualityUpdatePause**  Indicates whether quality OS updates are paused on the device.
+- **RelatedCV**  The previous Correlation Vector that was used before swapping with a new one
+- **ScanDurationInSeconds**  The number of seconds a scan took
+- **ScanEnqueueTime**  The number of seconds it took to initialize a scan
+- **ServiceGuid**  An ID which represents which service the software distribution client is checking for content (Windows Update, Windows Store, etc.).
+- **ServiceUrl**  The environment URL a device is configured to scan with
+- **ShippingMobileOperator**  The mobile operator that a device shipped on.
+- **StatusCode**  Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult).
+- **SyncType**  Describes the type of scan the event was
+- **TotalNumMetadataSignatures**  The total number of metadata signatures checks done for new metadata that was synced down.
+- **ApplicableUpdateInfo**  Metadata for the updates which were detected as applicable
+- **BiosFamily**  The family of the BIOS (Basic Input Output System).
+- **BiosName**  The name of the device BIOS.
+- **BiosReleaseDate**  The release date of the device BIOS.
+- **BiosSKUNumber**  The sku number of the device BIOS.
+- **BIOSVendor**  The vendor of the BIOS.
+- **BiosVersion**  The version of the BIOS.
+- **BranchReadinessLevel**  The servicing branch configured on the device.
+- **ClientVersion**  The version number of the software distribution client.
+- **DeferralPolicySources**  Sources for any update deferral policies defined (GPO = 0x10, MDM = 0x100, Flight = 0x1000, UX = 0x10000).
+- **DeferredUpdates**  Update IDs which are currently being deferred until a later time
+- **DeviceModel**  What is the device model.
+- **DriverExclusionPolicy**  Indicates if the policy for not including drivers with Windows Update is enabled.
+- **EventInstanceID**  A globally unique identifier for event instance.
+- **FeatureUpdateDeferral**  The deferral period configured for feature OS updates on the device (in days).
+- **FeatureUpdatePausePeriod**  The pause duration configured for feature OS updates on the device (in days).
+- **IntentPFNs**  Intended application-set metadata for atomic update scenarios.
+- **NumberOfApplicableUpdates**  The number of updates which were ultimately deemed applicable to the system after the detection process is complete
+- **PausedUpdates**  A list of UpdateIds which that currently being paused.
+- **PauseFeatureUpdatesEndTime**  If feature OS updates are paused on the device, this is the date and time for the end of the pause time window.
+- **PauseFeatureUpdatesStartTime**  If feature OS updates are paused on the device, this is the date and time for the beginning of the pause time window.
+- **PauseQualityUpdatesEndTime**  If quality OS updates are paused on the device, this is the date and time for the end of the pause time window.
+- **PauseQualityUpdatesStartTime**  If quality OS updates are paused on the device, this is the date and time for the beginning of the pause time window.
+- **QualityUpdateDeferral**  The deferral period configured for quality OS updates on the device (in days).
+- **QualityUpdatePausePeriod**  The pause duration configured for quality OS updates on the device (in days).
+- **SystemBIOSMajorRelease**  Major version of the BIOS.
+- **SystemBIOSMinorRelease**  Minor version of the BIOS.
+- **WebServiceRetryMethods**  Web service method requests that needed to be retried to complete operation.
+- **WUDeviceID**  The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
+- **CachedEngineVersion**  For self-initiated healing, the version of the SIH engine that is cached on the device. If the SIH engine does not exist, the value is null.
+- **TargetMetadataVersion**  For self-initiated healing, this is the target version of the SIH engine to download (if needed). If not, the value is null.
+- **IsWUfBFederatedScanDisabled**  Indicates if Windows Update for Business federated scan is disabled on the device.
+- **CapabilityDetectoidGuid**  The GUID for a hardware applicability detectoid that could not be evaluated.
+- **CDNCountryCode**  Two letter country abbreviation for the CDN's location.
+- **CDNId**  The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
+- **DriverError**  The error code hit during a driver scan. This is 0 if no error was encountered.
+- **ExtendedMetadataCabUrl**  Hostname that is used to download an update.
+- **FailedUpdateGuids**  The GUIDs for the updates that failed to be evaluated during the scan.
+- **FailedUpdatesCount**  The number of updates that failed to be evaluated during the scan.
+- **MSIError**  The last error that was encountered during a scan for updates.
+- **NetworkConnectivityDetected**  Indicates the type of network connectivity that was detected. 0 - IPv4, 1 - IPv6
+- **Context**  Gives context on where the error has occurred. Example: AutoEnable, GetSLSData, AddService, Misc, or Unknown
+
+
+### SoftwareUpdateClientTelemetry.Commit
+
+This event tracks the commit process post the update installation when software update client is trying to update the device.
+
+The following fields are available:
+
+- **BiosFamily**  Device family as defined in the system BIOS
+- **BiosName**  Name of the system BIOS
+- **BiosReleaseDate**  Release date of the system BIOS
+- **BiosSKUNumber**  Device SKU as defined in the system BIOS
+- **BIOSVendor**  Vendor of the system BIOS
+- **BiosVersion**  Version of the system BIOS
+- **BundleId**  Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found.  
+- **BundleRevisionNumber**  Identifies the revision number of the content bundle  
+- **CallerApplicationName**  Name provided by the caller who initiated API calls into the software distribution client 
+- **ClientVersion**  Version number of the software distribution client
+- **DeviceModel**  Device model as defined in the system bios 
+- **EventInstanceID**  A globally unique identifier for event instance
+- **EventScenario**  Indicates the purpose of the event - whether because scan started, succeded, failed, etc.
+- **EventType**  Possible values are &quot;Child&quot;, &quot;Bundle&quot;, &quot;Relase&quot; or &quot;Driver&quot;.
+- **FlightId**  The specific id of the flight the device is getting  
+- **HandlerType**  Indicates the kind of content (app, driver, windows patch, etc.)  
+- **RevisionNumber**  Identifies the revision number of this specific piece of content
+- **ServiceGuid**  Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc)
+- **SystemBIOSMajorRelease**  Major release version of the system bios 
+- **SystemBIOSMinorRelease**  Minor release version of the system bios 
+- **UpdateId**  Identifier associated with the specific piece of content 
+- **WUDeviceID**  Unique device id controlled by the software distribution client 
+
+
+### SoftwareUpdateClientTelemetry.Download
+
+Download process event for target update on Windows Update client (see eventscenario field for specifics, e.g.: started/failed/succeeded)
+
+The following fields are available:
+
+- **ActiveDownloadTime**  How long the download took, in seconds, excluding time where the update wasn't actively being downloaded.
+- **AppXBlockHashValidationFailureCount**  A count of the number of blocks that have failed validation after being downloaded.
+- **AppXDownloadScope**  Indicates the scope of the download for application content. For streaming install scenarios, AllContent - non-streaming download, RequiredOnly - streaming download requested content required for launch, AutomaticOnly - streaming download requested automatic streams for the app, and Unknown - for events sent before download scope is determined by the Windows Update client.
+- **BiosFamily**  The family of the BIOS (Basic Input Output System).
+- **BiosName**  The name of the device BIOS.
+- **BiosReleaseDate**  The release date of the device BIOS.
+- **BiosSKUNumber**  The sku number of the device BIOS.
+- **BIOSVendor**  The vendor of the BIOS.
+- **BiosVersion**  The version of the BIOS.
+- **BundleBytesDownloaded**  How many bytes were downloaded for the specific content bundle.
+- **BundleId**  Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found.
+- **BundleRepeatFailFlag**  Indicates whether this particular update bundle had previously failed to download.
+- **BundleRevisionNumber**  Identifies the revision number of the content bundle.
+- **BytesDownloaded**  How many bytes were downloaded for an individual piece of content (not the entire bundle).
+- **CallerApplicationName**  The name provided by the caller who initiated API calls into the software distribution client.
+- **CbsDownloadMethod**  Indicates whether the download was a full-file download or a partial/delta download.
+- **CDNCountryCode**  Two letter country abbreviation for the CDN's location.
+- **CDNId**  ID which defines which CDN the software distribution client downloaded the content from.
+- **ClientVersion**  The version number of the software distribution client.
+- **CurrentMobileOperator**  The mobile operator the device is currently connected to.
+- **DeviceModel**  What is the device model.
+- **DownloadPriority**  Indicates whether a download happened at background, normal, or foreground priority.
+- **EventInstanceID**  A globally unique identifier for event instance.
+- **EventScenario**  Indicates the purpose of sending this event - whether because the software distribution just started downloading content, or whether it was cancelled, succeeded, or failed.
+- **EventType**  Possible values are Child, Bundle, or Driver.
+- **ExtendedStatusCode**  Secondary error code for certain scenarios where StatusCode wasn't specific enough.
+- **FeatureUpdatePause**  Indicates whether feature OS updates are paused on the device.
+- **FlightBranch**  The branch that a device is on if participating in flighting (pre-release builds).
+- **FlightBuildNumber**  If this download was for a flight (pre-release build), this indicates the build number of that flight.
+- **FlightId**  The specific id of the flight (pre-release build) the device is getting.
+- **FlightRing**  The ring (speed of getting builds) that a device is on if participating in flighting (pre-release builds).
+- **HandlerType**  Indicates what kind of content is being downloaded (app, driver, windows patch, etc.).
+- **HardwareId**  If this download was for a driver targeted to a particular device model, this ID indicates the model of the device.
+- **HomeMobileOperator**  The mobile operator that the device was originally intended to work with.
+- **HostName**  The hostname URL the content is downloading from.
+- **IPVersion**  Indicates whether the download took place over IPv4 or IPv6.
+- **IsDependentSet**  Indicates whether a driver is a part of a larger System Hardware/Firmware Update
+- **IsWUfBDualScanEnabled**  Indicates if Windows Update for Business dual scan is enabled on the device.
+- **IsWUfBEnabled**  Indicates if Windows Update for Business is enabled on the device.
+- **NetworkCostBitMask**  Indicates what kind of network the device is connected to (roaming, metered, over data cap, etc.)
+- **NetworkRestrictionStatus**  More general version of NetworkCostBitMask, specifying whether Windows considered the current network to be "metered."
+- **PackageFullName**  The package name of the content.
+- **PhonePreviewEnabled**  Indicates whether a phone was opted-in to getting preview builds, prior to flighting (pre-release builds) being introduced.
+- **ProcessName**  The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided.
+- **QualityUpdatePause**  Indicates whether quality OS updates are paused on the device.
+- **RegulationReason**  The reason that the update is regulated
+- **RelatedCV**  The previous Correlation Vector that was used before swapping with a new one
+- **RepeatFailFlag**  Indicates whether this specific piece of content had previously failed to download.
+- **RevisionNumber**  Identifies the revision number of this specific piece of content.
+- **ServiceGuid**  An ID which represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.).
+- **Setup360Phase**  If the download is for an operating system upgrade, this datapoint indicates which phase of the upgrade is underway.
+- **ShippingMobileOperator**  The mobile operator that a device shipped on.
+- **StatusCode**  Indicates the result of a Download event (success, cancellation, failure code HResult).
+- **SystemBIOSMajorRelease**  Major version of the BIOS.
+- **SystemBIOSMinorRelease**  Minor version of the BIOS.
+- **TargetGroupId**  For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver.
+- **TargetingVersion**  For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device.
+- **ThrottlingServiceHResult**  Result code (success/failure) while contacting a web service to determine whether this device should download content yet.
+- **TimeToEstablishConnection**  Time (in ms) it took to establish the connection prior to beginning downloaded.
+- **TotalExpectedBytes**  The total count of bytes that the download is expected to be.
+- **UpdateId**  An identifier associated with the specific piece of content.
+- **UpdateImportance**  Indicates whether a piece of content was marked as Important, Recommended, or Optional.
+- **UsedDO**  Whether the download used the delivery optimization service.
+- **UsedSystemVolume**  Indicates whether the content was downloaded to the device's main system storage drive, or an alternate storage drive.
+- **WUDeviceID**  The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
+- **DownloadScenarioId**  A unique ID for a given download used to tie together WU and DO events.
+
+
+### SoftwareUpdateClientTelemetry.DownloadCheckpoint
+
+This event provides a checkpoint between each of the Windows Update download phases for UUP content
+
+The following fields are available:
+
+- **CallerApplicationName**  The name provided by the caller who initiated API calls into the software distribution client
+- **ClientVersion**  The version number of the software distribution client
+- **EventScenario**  Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed
+- **EventType**  Possible values are "Child", "Bundle", "Relase" or "Driver"
+- **ExtendedStatusCode**  Secondary error code for certain scenarios where StatusCode wasn't specific enough
+- **FileId**  A hash that uniquely identifies a file
+- **FileName**  Name of the downloaded file
+- **FlightId**  The unique identifier for each flight
+- **RelatedCV**  The previous Correlation Vector that was used before swapping with a new one
+- **RevisionNumber**  Unique revision number of Update
+- **ServiceGuid**  An ID which represents which service the software distribution client is checking for content (Windows Update, Microsoft Store, etc.)
+- **StatusCode**  Indicates the result of a CheckForUpdates event (success, cancellation, failure code HResult)
+- **UpdateId**  Unique Update ID
+- **WUDeviceID**  The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue
+
+
+### SoftwareUpdateClientTelemetry.DownloadHeartbeat
+
+This event allows tracking of ongoing downloads and contains data to explain the current state of the download
+
+The following fields are available:
+
+- **BytesTotal**  Total bytes to transfer for this content
+- **BytesTransferred**  Total bytes transferred for this content at the time of heartbeat
+- **CallerApplicationName**  Name provided by the caller who initiated API calls into the software distribution client 
+- **ClientVersion**  The version number of the software distribution client
+- **ConnectionStatus**  Indicates the connectivity state of the device at the time of heartbeat
+- **CurrentError**  Last (transient) error encountered by the active download
+- **DownloadFlags**  Flags indicating if power state is ignored
+- **DownloadState**  Current state of the active download for this content (queued, suspended, or progressing)
+- **EventType**  Possible values are "Child", "Bundle", or "Driver"
+- **FlightId**  The unique identifier for each flight
+- **IsNetworkMetered**  Indicates whether Windows considered the current network to be ?metered"
+- **MOAppDownloadLimit**  Mobile operator cap on size of application downloads, if any
+- **MOUpdateDownloadLimit**  Mobile operator cap on size of operating system update downloads, if any
+- **PowerState**  Indicates the power state of the device at the time of heartbeart (DC, AC, Battery Saver, or Connected Standby)
+- **RelatedCV**  The previous correlation vector that was used by the client, before swapping with a new one
+- **ResumeCount**  Number of times this active download has resumed from a suspended state
+- **RevisionNumber**  Identifies the revision number of this specific piece of content
+- **ServiceGuid**  Identifier for the service to which the software distribution client is connecting (Windows Update, Microsoft Store, etc) 
+- **SuspendCount**  Number of times this active download has entered a suspended state
+- **SuspendReason**  Last reason for why this active download entered a suspended state
+- **UpdateId**  Identifier associated with the specific piece of content 
+- **WUDeviceID**  Unique device id controlled by the software distribution client  
+
+
+### SoftwareUpdateClientTelemetry.Install
+
+This event sends tracking data about the software distribution client installation of the content for that update, to help keep Windows up to date.
+
+The following fields are available:
+
+- **BiosFamily**  The family of the BIOS (Basic Input Output System).
+- **BiosName**  The name of the device BIOS.
+- **BiosReleaseDate**  The release date of the device BIOS.
+- **BiosSKUNumber**  The sku number of the device BIOS.
+- **BIOSVendor**  The vendor of the BIOS.
+- **BiosVersion**  The version of the BIOS.
+- **BundleId**  Identifier associated with the specific content bundle; should not be all zeros if the bundleID was found.
+- **BundleRepeatFailFlag**  Has this particular update bundle previously failed to install?
+- **BundleRevisionNumber**  Identifies the revision number of the content bundle.
+- **CallerApplicationName**  The name provided by the caller who initiated API calls into the software distribution client.
+- **ClientVersion**  The version number of the software distribution client.
+- **CSIErrorType**  The stage of CBS installation where it failed.
+- **CurrentMobileOperator**  Mobile operator that device is currently connected to.
+- **DeviceModel**  What is the device model.
+- **DriverPingBack**  Contains information about the previous driver and system state.
+- **EventInstanceID**  A globally unique identifier for event instance.
+- **EventScenario**  Indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed.
+- **EventType**  Possible values are Child, Bundle, or Driver.
+- **ExtendedErrorCode**  The extended error code.
+- **ExtendedStatusCode**  Secondary error code for certain scenarios where StatusCode wasn't specific enough.
+- **FeatureUpdatePause**  Are feature OS updates paused on the device?
+- **FlightBranch**  The branch that a device is on if participating in the Windows Insider Program.
+- **FlightBuildNumber**  If this installation was for a Windows Insider build, this is the build number of that build.
+- **FlightId**  The specific ID of the Windows Insider build the device is getting.
+- **FlightRing**  The ring that a device is on if participating in the Windows Insider Program.
+- **HandlerType**  Indicates what kind of content is being installed. Example: app, driver, Windows update
+- **HardwareId**  If this install was for a driver targeted to a particular device model, this ID indicates the model of the device.
+- **HomeMobileOperator**  The mobile operator that the device was originally intended to work with.
+- **IntentPFNs**  Intended application-set metadata for atomic update scenarios.
+- **IsDependentSet**  Is the driver part of a larger System Hardware/Firmware update?
+- **IsFinalOutcomeEvent**  Does this event signal the end of the update/upgrade process?
+- **IsFirmware**  Is this update a firmware update?
+- **IsSuccessFailurePostReboot**  Did it succeed and then fail after a restart?
+- **IsWUfBDualScanEnabled**  Is Windows Update for Business dual scan enabled on the device?
+- **IsWUfBEnabled**  Is Windows Update for Business enabled on the device?
+- **MergedUpdate**  Was the OS update and a BSP update merged for installation?
+- **MsiAction**  The stage of MSI installation where it failed.
+- **MsiProductCode**  The unique identifier of the MSI installer.
+- **PackageFullName**  The package name of the content being installed.
+- **PhonePreviewEnabled**  Indicates whether a phone was getting preview build, prior to flighting being introduced.
+- **ProcessName**  The process name of the caller who initiated API calls, in the event where CallerApplicationName was not provided.
+- **QualityUpdatePause**  Are quality OS updates paused on the device?
+- **RelatedCV**  The previous Correlation Vector that was used before swapping with a new one
+- **RepeatFailFlag**  Indicates whether this specific piece of content had previously failed to install.
+- **RevisionNumber**  The revision number of this specific piece of content.
+- **ServiceGuid**  An ID which represents which service the software distribution client is installing content for (Windows Update, Windows Store, etc.).
+- **Setup360Phase**  If the install is for an operating system upgrade, indicates which phase of the upgrade is underway.
+- **ShippingMobileOperator**  The mobile operator that a device shipped on.
+- **StatusCode**  Indicates the result of an installation event (success, cancellation, failure code HResult).
+- **SystemBIOSMajorRelease**  Major version of the BIOS.
+- **SystemBIOSMinorRelease**  Minor version of the BIOS.
+- **TargetGroupId**  For drivers targeted to a specific device model, this ID indicates the distribution group of devices receiving that driver.
+- **TargetingVersion**  For drivers targeted to a specific device model, this is the version number of the drivers being distributed to the device.
+- **TransactionCode**  The ID which represents a given MSI installation
+- **UpdateId**  Unique update ID
+- **UpdateImportance**  Indicates whether a piece of content was marked as Important, Recommended, or Optional.
+- **UsedSystemVolume**  Indicates whether the content was downloaded and then installed from the device's main system storage drive, or an alternate storage drive.
+- **WUDeviceID**  The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue.
+
+
+### SoftwareUpdateClientTelemetry.UpdateDetected
+
+This event sends data about an AppX app that has been updated from the Microsoft Store, including what app needs an update and what version/architecture is required, in order to understand and address problems with apps getting required updates.
+
+The following fields are available:
+
+- **ApplicableUpdateInfo**  Metadata for the updates which were detected as applicable
+- **CallerApplicationName**  The name provided by the caller who initiated API calls into the software distribution client
+- **IntentPFNs**  Intended application-set metadata for atomic update scenarios.
+- **NumberOfApplicableUpdates**  The number of updates which were ultimately deemed applicable to the system after the detection process is complete
+- **RelatedCV**  The previous Correlation Vector that was used before swapping with a new one
+- **ServiceGuid**  An ID which represents which service the software distribution client is connecting to (Windows Update, Windows Store, etc.)
+- **WUDeviceID**  The unique device ID controlled by the software distribution client
+
+
+### SoftwareUpdateClientTelemetry.UpdateMetadataIntegrity
+
+Ensures Windows Updates are secure and complete. Event helps to identify whether update content has been tampered with and protects against man-in-the-middle attack.
+
+The following fields are available:
+
+- **EndpointUrl**  URL of the endpoint where client obtains update metadata. Used to identify test vs staging vs production environments.
+- **EventScenario**  Indicates the purpose of the event - whether because scan started, succeded, failed, etc.
+- **ExtendedStatusCode**  Secondary status code for certain scenarios where StatusCode was not specific enough. 
+- **LeafCertId**  Integral id from the FragmentSigning data for certificate which failed. 
+- **MetadataIntegrityMode**  Mode of update transport metadata integrity check. 0-Unknown, 1-Ignoe, 2-Audit, 3-Enforce 
+- **MetadataSignature**  Base64 string of the signature associated with the update metadata (specified by revision id)
+- **RevisionId**  Identifies the revision of this specific piece of content
+- **RevisionNumber**  Identifies the revision number of this specific piece of content
+- **ServiceGuid**  Identifier for the service to which the software distribution client is connecting (Windows Update, Windows Store, etc)
+- **SHA256OfLeafCertPublicKey**  Base64 encoding of hash of the Base64CertData in the FragmentSigning data of leaf certificate. 
+- **SHA256OfTimestampToken**  Base64 string of hash of the timestamp token blob
+- **SignatureAlgorithm**  Hash algorithm for the metadata signature
+- **SLSPrograms**  A test program a machine may be opted in. Examples include "Canary" and "Insider Fast".
+- **StatusCode**  Result code of the event (success, cancellation, failure code HResult)
+- **TimestampTokenId**  Created time encoded in the timestamp blob. This will be zeroed if the token is itself malformed and decoding failed. 
+- **UpdateId**  Identifier associated with the specific piece of content 
+- **RawMode**  Raw unparsed mode string from the SLS response. May be null if not applicable. 
+- **TimestampTokenCertThumbprint**  The thumbprint of the encoded timestamp token. 
+- **ValidityWindowInDays**  The validity window that's in effect when verifying the timestamp.
+- **CallerApplicationName**  Name of application making the Windows Update request. Used to identify context of request.
+- **ListOfSHA256OfIntermediateCerData**  A semicolon delimited list of base64 encoding of hashes for the Base64CerData in the FragmentSigning data of an intermediate certificate.
+- **RawValidityWindowInDays**  The raw unparsed validity window string in days of the timestamp token. This field is null if not applicable.
+- **SHA256OfLeafCerData**  A base64 encoding of the hash for the Base64CerData in the FragmentSigning data of the leaf certificate.
+
+
+## Update events
+
+### Update360Telemetry.UpdateAgentCommit
+
+This event collects information regarding the commit phase of the new UUP (Unified Update Platform) update scenario, which is leveraged by both Mobile and Desktop. 
+
+The following fields are available:
+
+- **ErrorCode**  The error code returned for the current install phase. 
+- **FlightId**  Unique ID for each flight. 
+- **ObjectId**  Unique value for each Update Agent mode. 
+- **RelatedCV**  Correlation vector value generated from the latest USO scan. 
+- **Result**  Outcome of the install phase of the update. 
+- **ScenarioId**  Indicates the update scenario. 
+- **SessionId**  Unique value for each update attempt. 
+- **UpdateId**  Unique ID for each update. 
+
+
+### Update360Telemetry.UpdateAgentDownloadRequest
+
+  The UpdateAgent_DownloadRequest event sends data for the download request phase of updating Windows via the new UUP (Unified Update Platform) scenario. Applicable to PC and Mobile.
+
+The following fields are available:
+
+- **DeletedCorruptFiles**  Boolean indicating whether corrupt payload was deleted. 
+- **ErrorCode**  The error code returned for the current download request phase.
+- **FlightId**  Unique ID for each flight.
+- **ObjectId**  Unique value for each Update Agent mode (same concept as InstanceId for Setup360)
+- **PackageCountOptional**  Number of optional packages requested. 
+- **PackageCountRequired**  Number of required packages requested.
+- **PackageCountTotal**  Total number of packages needed. 
+- **PackageCountTotalCanonical**  Total number of canonical packages.
+- **PackageCountTotalDiff**  Total number of diff packages. 
+- **PackageCountTotalExpress**  Total number of express packages.
+- **PackageSizeCanonical**  Size of canonical packages in bytes.
+- **PackageSizeDiff**  Size of diff packages in bytes. 
+- **PackageSizeExpress**  Size of express packages in bytes.
+- **RangeRequestState**  Indicates the range request type used. 
+- **RelatedCV**  Correlation vector value generated from the latest USO scan.
+- **Result**  Outcome of the download request phase of update.
+- **ScenarioId**  Indicates the update scenario. 
+- **SessionId**  Unique value for each attempt (same value for initialize, download, install commit phases)
+- **UpdateId**  Unique ID for each update.
+- **PackageExpressType**  Type of express package.
+
+
+### Update360Telemetry.UpdateAgentExpand
+
+  This event collects information regarding the expansion phase of the new UUP (Unified Update Platform) update scenario; which is leveraged by both Mobile and Desktop. 
+
+The following fields are available:
+
+- **ElapsedTickCount**  Time taken for expand phase. 
+- **EndFreeSpace**  Free space after expand phase. 
+- **EndSandboxSize**  Sandbox size after expand phase. 
+- **ErrorCode**  The error code returned for the current install phase. 
+- **FlightId**  Unique ID for each flight. 
+- **ObjectId**  Unique value for each Update Agent mode. 
+- **RelatedCV**  Correlation vector value generated from the latest USO scan. 
+- **ScenarioId**  Indicates the update scenario. 
+- **SessionId**  Unique value for each update attempt. 
+- **StartFreeSpace**  Free space before expand phase. 
+- **StartSandboxSize**  Sandbox size after expand phase. 
+- **UpdateId**  Unique ID for each update. 
+
+
+### Update360Telemetry.UpdateAgentFellBackToCanonical
+
+This event collects information when express could not be used and we fall back to canonical during the new UUP (Unified Update Platform) update scenario, which is leveraged by both Mobile and Desktop. 
+
+The following fields are available:
+
+- **FlightId**  The error code returned for the current install phase. 
+- **ObjectId**  Unique value for each Update Agent mode. 
+- **PackageCount**  Number of packages that feel back to canonical. 
+- **PackageList**  PackageIds which fell back to canonical. 
+- **RelatedCV**  Correlation vector value generated from the latest USO scan. 
+- **ScenarioId**  Indicates the update scenario. 
+- **SessionId**  Unique value for each update attempt. 
+- **UpdateId**  Unique ID for each update. 
+
+
+### Update360Telemetry.UpdateAgentInitialize
+
+  The UpdateAgentInitialize event sends data for the initialize phase of updating Windows via the new UUP (Unified Update Platform) scenario. Applicable to both PCs and Mobile. 
+
+The following fields are available:
+
+- **ErrorCode**  The error code returned for the current install phase.  
+- **FlightId**  Unique ID for each flight. 
+- **FlightMetadata**  Contains the FlightId and the build being flighted. 
+- **ObjectId**  Unique value for each Update Agent mode. 
+- **RelatedCV**  Correlation vector value generated from the latest USO scan.
+- **Result**  Outcome of the install phase of the update. 
+- **ScenarioId**  Unique value for each update attempt.  
+- **SessionData**  String containing instructions to update agent for processing FODs and DUICs (Null for other scenarios).  
+- **SessionId**  Unique value for each update attempt.  
+- **UpdateId**  Unique ID for each update. 
+
+
+### Update360Telemetry.UpdateAgentInstall
+
+The UpdateAgentInstall event sends data for the install phase of updating Windows. 
+
+The following fields are available:
+
+- **ErrorCode**  The error code returned for the current install phase.
+- **FlightId**  Unique value for each Update Agent mode (same concept as InstanceId for Setup360). 
+- **ObjectId**  Correlation vector value generated from the latest USO scan. 
+- **RelatedCV**  Correlation vector value generated from the latest USO scan. 
+- **Result**  The result for the current install phase.
+- **ScenarioId**  Indicates the update scenario. 
+- **SessionId**  Unique value for each update attempt. 
+- **UpdateId**  Unique ID for each update. 
+
+
+### Update360Telemetry.UpdateAgentMerge
+
+The UpdateAgentMerge event sends data on the merge phase when updating Windows.
+
+The following fields are available:
+
+- **ErrorCode**  The error code returned for the current merge phase. 
+- **FlightId**  Unique ID for each flight.
+- **ObjectId**  Unique value for each Update Agent mode. 
+- **RelatedCV**  Related correlation vector value. 
+- **Result**  Outcome of the merge phase of the update. 
+- **ScenarioId**  Indicates the update scenario. 
+- **SessionId**  Unique value for each attempt. 
+- **UpdateId**  Unique ID for each update. 
+
+
+### Update360Telemetry.UpdateAgentModeStart
+
+The UpdateAgentModeStart event sends data for the start of each mode during the process of updating Windows via the new UUP (Unified Update Platform) scenario. Applicable to both PCs and Mobile.
+
+The following fields are available:
+
+- **FlightId**  Unique ID for each flight. 
+- **Mode**  Indicates the mode that has started. 
+- **ObjectId**  Unique value for each Update Agent mode.
+- **RelatedCV**  Correlation vector value generated from the latest USO scan. 
+- **ScenarioId**  Indicates the update scenario. 
+- **SessionId**  Unique value for each update attempt. 
+- **UpdateId**  Unique ID for each update.
+- **Version**  Version of update
+
+
+### Update360Telemetry.UpdateAgentPostRebootResult
+
+This event collects information for both Mobile and Desktop regarding the post reboot phase of the new UUP (Unified Update Platform) update scenario
+
+The following fields are available:
+
+- **ErrorCode**  The error code returned for the current post reboot phase
+- **FlightId**  The unique identifier for each flight
+- **ObjectId**  Unique value for each Update Agent mode
+- **PostRebootResult**  Indicates the Hresult
+- **RelatedCV**  Correlation vector value generated from the latest USO scan
+- **ScenarioId**  The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
+- **SessionId**  Unique value for each Update Agent mode attempt
+- **UpdateId**  Unique ID for each update
+
+
+### Update360Telemetry.UpdateAgentSetupBoxLaunch
+
+The UpdateAgent_SetupBoxLaunch event sends data for the launching of the setup box when updating Windows via the new UUP (Unified Update Plaform) scenario. This event is only applicable to PCs. 
+
+The following fields are available:
+
+- **FlightId**  Unique ID for each flight. 
+- **FreeSpace**  Free space on OS partition. 
+- **InstallCount**  Number of install attempts using the same sandbox. 
+- **ObjectId**  Unique value for each Update Agent mode. 
+- **Quiet**  Indicates whether setup is running in quiet mode. 
+- **RelatedCV**  Correlation vector value generated from the latest USO scan. 
+- **SandboxSize**  Size of the sandbox. 
+- **ScenarioId**  Indicates the update scenario. 
+- **SessionId**  Unique value for each update attempt.  
+- **SetupMode**  Mode of setup to be launched. 
+- **UpdateId**  Unique ID for each Update.  
+- **UserSession**  Indicates whether install was invoked by user actions. 
+- **ContainsExpressPackage**  Indicates whether the download package is express.
+
+
+## Update notification events
+
+### Microsoft.Windows.UpdateNotificationPipeline.JavascriptJavascriptCriticalGenericMessage
+
+Event to indicate that Javascript is reporting a schema and a set of values for critical telemetry.
+
+The following fields are available:
+
+- **CampaignConfigVersion**  Config version of current campaign
+- **CampaignID**  Currently running campaign on UNP
+- **ConfigCatalogVersion**  Current catalog version of UNP
+- **ContentVersion**  Content version of the current campaign on UNP
+- **CV**  Correlation vector
+- **DetectorVersion**  Most recently run detector version for the current campaign on UNP
+- **GlobalEventCounter**  Client side counter which indicates ordering of events sent by this user
+- **key1**  UI interaction data
+- **key10**  UI interaction data
+- **key11**  UI interaction data
+- **key12**  UI interaction data
+- **key13**  UI interaction data
+- **key14**  UI interaction data
+- **key15**  UI interaction data
+- **key16**  UI interaction data
+- **key17**  UI interaction data
+- **key2**  UI interaction data
+- **key3**  UI interaction data
+- **key4**  UI interaction data
+- **key5**  UI interaction data
+- **key6**  UI interaction data
+- **key7**  Interaction data for the UI
+- **key8**  Interaction data for the UI
+- **key9**  UI interaction data
+- **PackageVersion**  Current package version of UNP
+- **schema**  UI interaction type
+- **key18**  UI interaction data
+- **key19**  UI interaction data
+- **key20**  UI interaction data
+- **key21**  Interaction data for the UI
+- **key22**  UI interaction data
+- **key23**  UI interaction data
+- **key24**  UI interaction data
+- **key25**  UI interaction data
+- **key26**  UI interaction data
+- **key27**  UI interaction data
+- **key28**  Interaction data for the UI
+- **key29**  UI interaction data
+- **key30**  UI interaction data
+
+
+### Microsoft.Windows.UpdateNotificationPipeline.UNPCampaignHeartbeat
+
+This event is sent at the start of each campaign, to be used as a heartbeat
+
+The following fields are available:
+
+- **CampaignConfigVersion**  Configuration version for the current campaign
+- **CampaignID**  Currently campaign that's running on UNP
+- **ConfigCatalogVersion**  Current catalog version of UNP
+- **ContentVersion**  Content version for the current campaign on UNP
+- **CV**  Correlation vector
+- **DetectorVersion**  Most recently run detector version for the current campaign on UNP
+- **GlobalEventCounter**  Client-side counter that indicates the event ordering sent by the user
+- **PackageVersion**  Current UNP package version
+
+
+### Microsoft.Windows.UpdateNotificationPipeline.UNPCampaignManagerCleaningCampaign
+
+This event indicates that the Campaign Manager is cleaning up the campaign content
+
+The following fields are available:
+
+- **CampaignConfigVersion**  Configuration version for the current campaign
+- **CampaignID**  Current campaign that's running on UNP
+- **ConfigCatalogVersion**  Current catalog version of UNP
+- **ContentVersion**  Content version for the current campaign on UNP
+- **CV**  Correlation vector
+- **DetectorVersion**  Most recently run detector version for the current campaign on UNP
+- **GlobalEventCounter**  Client-side counter that indicates the event ordering sent by the user
+- **PackageVersion**  Current UNP package version
+
+
+### Microsoft.Windows.UpdateNotificationPipeline.UNPCampaignManagerHeartbeat
+
+This event is sent at the start of the CampaignManager event and is intended to be used as a heartbeat
+
+The following fields are available:
+
+- **CampaignConfigVersion**  Configuration version for the current campaign
+- **CampaignID**  Currently campaign that's running on UNP
+- **ConfigCatalogVersion**  Current catalog version of UNP
+- **ContentVersion**  Content version for the current campaign on UNP
+- **CV**  Correlation vector
+- **DetectorVersion**  Most recently run detector version for the current campaign on UNP
+- **GlobalEventCounter**  Client-side counter that indicates the event ordering sent by the user
+- **PackageVersion**  Current UNP package version
+
+
+### Microsoft.Windows.UpdateNotificationPipeline.UnpCampaignManagerGetIsCamppaignCompleteFailed
+
+This event is sent when a campaign completion status query fails
+
+The following fields are available:
+
+- **CampaignConfigVersion**  Configuration version for the current campaign
+- **CampaignID**  Current campaign that's running on UNP
+- **ConfigCatalogVersion**  Current catalog version of UNP
+- **ContentVersion**  Content version for the current campaign on UNP
+- **CV**  Correlation vector
+- **DetectorVersion**  Most recently run detector version for the current campaign on UNP
+- **GlobalEventCounter**  Client-side counter that indicates the event ordering sent by the user
+- **hresult**  HRESULT of the failure
+- **PackageVersion**  Current UNP package version
+
+
+### Microsoft.Windows.UpdateNotificationPipeline.UnpCampaignManagerRunCampaignFailed
+
+This event is sent when the Campaign Manager encounters an unexpected error while running the campaign
+
+The following fields are available:
+
+- **CampaignConfigVersion**  Configuration version for the current campaign
+- **CampaignID**  Currently campaign that's running on UNP
+- **ConfigCatalogVersion**  Current catalog version of UNP
+- **ContentVersion**  Content version for the current campaign on UNP
+- **CV**  Correlation vector
+- **DetectorVersion**  Most recently run detector version for the current campaign on UNP
+- **GlobalEventCounter**  Client-side counter that indicates the event ordering sent by the user
+- **hresult**  HRESULT of the failure 
+- **PackageVersion**  Current UNP package version
+
+
+## Upgrade events
+
+### Setup360Telemetry.Downlevel
+
+This event sends data indicating that the device has invoked the downlevel phase of the upgrade. It's used to help keep Windows up-to-date and secure.
+
+The following fields are available:
+
+- **ClientId**  If using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, the default value is Media360, but it can be overwritten by the caller to a unique value.
+- **HostOSBuildNumber**  The build number of the downlevel OS.
+- **HostOsSkuName**  The operating system edition which is running Setup360 instance (downlevel OS).
+- **InstanceId**  A unique GUID that identifies each instance of setuphost.exe.
+- **ReportId**  In the Windows Update scenario, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
+- **Setup360Extended**  Extension of result - more granular information about phase/action when the potential failure happened
+- **Setup360Mode**  The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
+- **Setup360Result**  The result of Setup360. It's an HRESULT error code that can be used to diagnose errors.
+- **Setup360Scenario**  The Setup360 flow type. Example: Boot, Media, Update, MCT
+- **SetupVersionBuildNumber**  The build number of Setup360 (build number of the target OS).
+- **State**  Exit state of given Setup360 run. Example: succeeded, failed, blocked, cancelled
+- **TestId**  A string that uniquely identifies a group of events.
+- **WuId**  This is the Windows Update Client ID. In the Windows Update scenario, this is the same as the clientId.
+- **FlightData**  Unique value that identifies the flight.
+
+
+### Setup360Telemetry.Finalize
+
+This event sends data indicating that the device has invoked the finalize phase of the upgrade, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **ClientId**  With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **FlightData**  Unique value that identifies the flight.
+- **HostOSBuildNumber**  The build number of the previous OS.
+- **HostOsSkuName**  The OS edition which is running Setup360 instance (previous OS).
+- **InstanceId**  A unique GUID that identifies each instance of setuphost.exe
+- **ReportId**  With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
+- **Setup360Extended**  Extension of result - more granular information about phase/action when the potential failure happened
+- **Setup360Mode**  The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
+- **Setup360Result**  The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
+- **Setup360Scenario**  The Setup360 flow type. Example: Boot, Media, Update, MCT
+- **SetupVersionBuildNumber**  The build number of Setup360 (build number of target OS).
+- **State**  The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled
+- **TestId**  A string to uniquely identify a group of events.
+- **WuId**  This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
+
+
+### Setup360Telemetry.OsUninstall
+
+The event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10. Specifically, the Setup360Telemetry.OSUninstall indicates the outcome of an OS uninstall.
+
+The following fields are available:
+
+- **ClientId**  For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **HostOSBuildNumber**  The build number of the previous OS.
+- **HostOsSkuName**  The OS edition which is running the Setup360 instance (previous OS).
+- **InstanceId**  A unique GUID that identifies each instance of setuphost.exe.
+- **ReportId**  For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim.
+- **Setup360Extended**  Extension of result - more granular information about phase/action when the potential failure happened
+- **Setup360Mode**  The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
+- **Setup360Result**  The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
+- **Setup360Scenario**  The Setup360 flow type. Example: Boot, Media, Update, MCT
+- **SetupVersionBuildNumber**  The build number of Setup360 (build number of target OS).
+- **State**  Exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled
+- **TestId**  A string to uniquely identify a group of events.
+- **WuId**  Windows Update client ID.
+- **FlightData**  Unique value that identifies the flight.
+
+
+### Setup360Telemetry.PostRebootInstall
+
+This event sends data indicating that the device has invoked the postrebootinstall phase of the upgrade, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **ClientId**  With Windows Update, this is the Windows Update client ID that is passed to Setup. In Media setup, the default value is Media360, but can be overwritten by the caller to a unique value.
+- **HostOSBuildNumber**  The build number of the previous OS.
+- **HostOsSkuName**  The OS edition which is running Setup360 instance (previous OS).
+- **InstanceId**  A unique GUID that identifies each instance of setuphost.exe.
+- **ReportId**  With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
+- **Setup360Extended**  Extension of result - more granular information about phase/action when the potential failure happened
+- **Setup360Mode**  The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
+- **Setup360Result**  The result of Setup360. This is an HRESULT error code that's used to diagnose errors.
+- **Setup360Scenario**  The Setup360 flow type. Example: Boot, Media, Update, MCT
+- **SetupVersionBuildNumber**  The build number of Setup360 (build number of target OS).
+- **State**  The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled
+- **TestId**  A string to uniquely identify a group of events.
+- **WuId**  This is the Windows Update Client ID. With Windows Update, this is the same as ClientId.
+- **FlightData**  Unique value that identifies the flight.
+
+
+### Setup360Telemetry.PreDownloadQuiet
+
+This event sends data indicating that the device has invoked the predownload quiet phase of the upgrade, to help keep Windows up to date.
+
+The following fields are available:
+
+- **ClientId**  Using Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **FlightData**  Unique value that identifies the flight.
+- **HostOSBuildNumber**  The build number of the previous OS.
+- **HostOsSkuName**  The OS edition which is running Setup360 instance (previous operating system).
+- **InstanceId**  A unique GUID that identifies each instance of setuphost.exe
+- **ReportId**  Using Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
+- **Setup360Extended**  Extension of result - more granular information about phase/action when the potential failure happened
+- **Setup360Mode**  The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
+- **Setup360Result**  The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
+- **Setup360Scenario**  The Setup360 flow type. Example: Boot, Media, Update, MCT
+- **SetupVersionBuildNumber**  The build number of Setup360 (build number of target OS).
+- **State**  The exit state of a Setup360 run. Example: succeeded, failed, blocked, canceled
+- **TestId**  A string to uniquely identify a group of events.
+- **WuId**  This is the Windows Update Client ID. Using Windows Update, this is the same as the clientId.
+
+
+### Setup360Telemetry.PreDownloadUX
+
+This event sends data regarding OS Updates and Upgrades from Windows 7.X, Windows 8.X, Windows 10 and RS.  Specifically the Setup360Telemetry.PredownloadUX indicates the outcome of the PredownloadUX portion of the update process
+
+The following fields are available:
+
+- **ClientId**  For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **HostOSBuildNumber**  The build number of the previous operating system.
+- **HostOsSkuName**  The OS edition which is running the Setup360 instance (previous operating system).
+- **InstanceId**  Unique GUID that identifies each instance of setuphost.exe.
+- **ReportId**  For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim.
+- **Setup360Extended**  Extension of result - more granular information about phase/action when the potential failure happened
+- **Setup360Mode**  The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
+- **Setup360Result**  The result of Setup360. This is an HRESULT error code that can be used to diagnose errors.
+- **Setup360Scenario**  The Setup360 flow type. Examplle: Boot, Media, Update, MCT
+- **SetupVersionBuildNumber**  The build number of Setup360 (build number of the target OS).
+- **State**  The exit state of the Setup360 run. Example: succeeded, failed, blocked, cancelled
+- **TestId**  A string to uniquely identify a group of events.
+- **WuId**  Windows Update client ID.
+- **FlightData**  In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+
+
+### Setup360Telemetry.PreInstallQuiet
+
+This event sends data indicating that the device has invoked the preinstall quiet phase of the upgrade, to help keep Windows up to date.
+
+The following fields are available:
+
+- **ClientId**  With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **HostOSBuildNumber**  The build number of the previous OS.
+- **HostOsSkuName**  The OS edition which is running Setup360 instance (previous OS).
+- **InstanceId**  A unique GUID that identifies each instance of setuphost.exe
+- **ReportId**  With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
+- **Setup360Extended**  Extension of result - more granular information about phase/action when the potential failure happened
+- **Setup360Mode**  The phase of Setup360. Example: Predownload, Install, Finalize, Rollback etc.
+- **Setup360Result**  The result of Setup360. This is an HRESULT error code that can be used to diagnose errors.
+- **Setup360Scenario**  Setup360 flow type (Boot, Media, Update, MCT)
+- **SetupVersionBuildNumber**  The build number of Setup360 (build number of target OS).
+- **State**  The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled
+- **TestId**  A string to uniquely identify a group of events.
+- **WuId**  This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
+- **FlightData**  Unique value that identifies the flight.
+
+
+### Setup360Telemetry.PreInstallUX
+
+This event sends data regarding OS updates and upgrades from Windows 7, Windows 8, and Windows 10.  Specifically, the Setup360Telemetry.PreinstallUX indicates the outcome of the PreinstallUX portion of the update process.
+
+The following fields are available:
+
+- **ClientId**  For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **HostOSBuildNumber**  The build number of the previous OS.
+- **HostOsSkuName**  The OS edition which is running the Setup360 instance (previous OS).
+- **InstanceId**  A unique GUID that identifies each instance of setuphost.exe.
+- **ReportId**  For Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, this is the GUID for the install.wim.
+- **Setup360Extended**  Extension of result - more granular information about phase/action when the potential failure happened
+- **Setup360Mode**  The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
+- **Setup360Result**  The result of Setup360. This is an HRESULT error code that is used to diagnose errors.
+- **Setup360Scenario**  The Setup360 flow type, Example: Boot, Media, Update, MCT
+- **SetupVersionBuildNumber**  The build number of Setup360 (build number of target OS).
+- **State**  The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled
+- **TestId**  A string to uniquely identify a group of events.
+- **WuId**  Windows Update client ID.
+- **FlightData**  Unique value that identifies the flight.
+
+
+### Setup360Telemetry.Setup360
+
+This event sends data about OS deployment scenarios, to help keep Windows up-to-date.
+
+The following fields are available:
+
+- **FieldName**  Retrieves the data point.
+- **FlightData**  Specifies a unique identifier for each group of Windows Insider builds.
+- **InstanceId**  Retrieves a unique identifier for each instance of a setup session.
+- **ReportId**  Retrieves the report ID.
+- **ScenarioId**  Retrieves the deployment scenario.
+- **Value**  Retrieves the value associated with the corresponding FieldName.
+- **ClientId**  Retrieves the upgrade ID: Upgrades via Windows Update - specifies the WU clientID. All other deployment - static string.
+
+
+### Setup360Telemetry.UnexpectedEvent
+
+This event sends data indicating that the device has invoked the unexpected event phase of the upgrade, to help keep Windows up to date.
+
+The following fields are available:
+
+- **ClientId**  With Windows Update, this will be the Windows Update client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value.
+- **HostOSBuildNumber**  The build number of the previous OS.
+- **HostOsSkuName**  The OS edition which is running Setup360 instance (previous OS).
+- **InstanceId**  A unique GUID that identifies each instance of setuphost.exe
+- **ReportId**  With Windows Update, this is the updateID that is passed to Setup. In media setup, this is the GUID for the install.wim.
+- **Setup360Extended**  Extension of result - more granular information about phase/action when the potential failure happened
+- **Setup360Mode**  The phase of Setup360. Example: Predownload, Install, Finalize, Rollback
+- **Setup360Result**  The result of Setup360. This is an HRESULT error code that can be used used to diagnose errors.
+- **Setup360Scenario**  The Setup360 flow type. Example: Boot, Media, Update, MCT
+- **SetupVersionBuildNumber**  The build number of Setup360 (build number of target OS).
+- **State**  The exit state of a Setup360 run. Example: succeeded, failed, blocked, cancelled
+- **TestId**  A string to uniquely identify a group of events.
+- **WuId**  This is the Windows Update Client ID. With Windows Update, this is the same as the clientId.
+- **FlightData**  Unique value that identifies the flight.
+
+
+## Windows as a Service diagnostic events
+
+### Microsoft.Windows.WaaSMedic.SummaryEvent
+
+Result of the WaaSMedic operation.
+
+The following fields are available:
+
+- **detectionSummary**  Result of each applicable detection that was ran.
+- **featureAssessmentImpact**  WaaS Assessment impact for feature updates.
+- **hrEngineResult**  Error code from the engine operation.
+- **isManaged**  Device is managed for updates.
+- **isWUConnected**  Device is connected to Windows Update.
+- **noMoreActions**  No more applicable diagnostics.
+- **qualityAssessmentImpact**  WaaS Assessment impact for quality updates. 
+- **remediationSummary**  Result of each applicable resolution that was ran.
+- **usingBackupFeatureAssessment**  Relying on backup feature assessment. 
+- **usingBackupQualityAssessment**  Relying on backup quality assessment.
+- **versionString**  Version of the WaaSMedic engine. 
+- **usingCachedFeatureAssessment**  WaaS Medic run did not get OS build age from the network on the previous run.
+- **usingCachedQualityAssessment**  WaaS Medic run did not get OS revision age from the network on the previous run.
+- **insufficientSessions**  Device not eligible for diagnostics.
+
+
+## Windows Error Reporting events
+
+## Windows Error Reporting MTT events
+
+### Microsoft.Windows.WER.MTT.Denominator
+
+This event provides a denominator to calculate MTTF (mean-time-to-failure) for crashes and other errors to help keep Windows up to date.
+
+The following fields are available:
+
+- **Value**  Standard UTC emitted DP value structure
+
+
+## Windows Update CSP events
+
+### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureFailed
+
+The Execute Rollback Feature Failed event sends basic telemetry on the failure of the Feature Rollback. This functionality supports our feature by providing IT Admins the ability to see the operation failed, allowing them to do further triage of the device.
+
+The following fields are available:
+
+- **current**  Result of currency check
+- **dismOperationSucceeded**  Dism uninstall operation status
+- **hResult**  Failure Error code
+- **oSVersion**  Build number of the machine
+- **paused**  Machine's pause status
+- **rebootRequestSucceeded**  Reboot CSP call success status
+- **wUfBConnected**  Result of WUfB connection check
+
+
+### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureNotApplicable
+
+The Execute Rollback Feature Not Applicable event sends basic telemetry on the applicability of the Feature Rollback, to support the functionality of Feature Rollback. This event provides critical information for the feature because it will alert IT Admins that devices they are attempting to rollback Features updates are not applicable.
+
+The following fields are available:
+
+- **current**  Result of currency check
+- **dismOperationSucceeded**  Dism uninstall operation status
+- **oSVersion**  Build number of the machine
+- **paused**  Machine's pause status
+- **rebootRequestSucceeded**  Reboot CSP call success status
+- **wUfBConnected**  Result of WUfB connection check
+
+
+### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureStarted
+
+The Execute Rollback Feature Started event sends basic information on the start process to provide information that the Feature Rollback has started.
+
+
+
+### Microsoft.Windows.UpdateCsp.ExecuteRollBackFeatureSucceeded
+
+The Execute Rollback Feature Succeed event sends basic telemetry on the success of the Rollback of the Feature updates. This functionality supports our feature by providing insights to IT Admins of the success of the Feature rollback.
+
+
+
+### Microsoft.Windows.UpdateCsp.ExecuteRollBackQualityFailed
+
+The Execute Rollback Quality Failed event sends basic telemetry on the failure of the rollback of the Quality/LCU builds. This functionality supports our feature by providing IT Admins the ability to see the operation failed allowing them to do further triage of the device.
+
+The following fields are available:
+
+- **current**  Result of currency check
+- **dismOperationSucceeded**  Dism uninstall operation status
+- **hResult**  Failure Error code
+- **oSVersion**  Build number of the machine
+- **paused**  Machine's pause status
+- **rebootRequestSucceeded**  Reboot CSP call success status
+- **wUfBConnected**  Result of WUfB connection check
+
+
+### Microsoft.Windows.UpdateCsp.ExecuteRollBackQualityNotApplicable
+
+The Execute Rollback Quality Not Applicable event sends basic telemetry on the applicability of the Quality Rollback, to support the functionality of Quality Rollback. This event provides critical information for feature because it will alert IT Admins that devices they are attempting to rollback Quality updates are not applicable.
+
+The following fields are available:
+
+- **current**  Result of currency check
+- **dismOperationSucceeded**  Dism uninstall operation status
+- **oSVersion**  Build number of the machine
+- **paused**  Machine's pause status
+- **rebootRequestSucceeded**  Reboot CSP call success status
+- **wUfBConnected**  Result of WUfB connection check
+
+
+### Microsoft.Windows.UpdateCsp.ExecuteRollBackQualityStarted
+
+The Execute Rollback Quality Started event sends basic information on the start process to provide information that the Quality Rollback has started.
+
+
+
+### Microsoft.Windows.UpdateCsp.ExecuteRollBackQualitySucceeded
+
+The Execute Rollback Quality Succeed event sends basic telemetry on the success of the rollback of the Quality/LCU builds. This functionality supports our feature by providing insights to IT Admins of the success of the Quality rollback.
+
 
 
 ## Windows Update Delivery Optimization events
 
-### Microsoft.OSG.DU.DeliveryOptClient.DownloadCompleted
-
-This event describes when a download has completed with Delivery Optimization. It's used to understand and address problems regarding downloads.
-
-The following fields are available:
-
-- **background**  Is the download a background download?
-- **bytesFromCDN**  The number of bytes received from a CDN source.
-- **bytesFromGroupPeers**  The number of bytes received from a peer in the same domain group.
-- **bytesFromIntPeers**  The number of bytes received from peers not in the same LAN or in the same domain group.
-- **bytesFromPeers**  The number of bytes received from a peer in the same LAN.
-- **bytesRequested**  The total number of bytes requested for download.
-- **cdnConnectionCount**  The total number of connections made to the CDN.
-- **cdnErrorCodes**  A list of CDN connection errors since the last FailureCDNCommunication event.
-- **cdnErrorCounts**  The number of times each error in cdnErrorCodes was encountered.
-- **cdnIp**  The IP address of the source CDN.
-- **clientTelId**  A random number used for device sampling.
-- **doErrorCode**  The Delivery Optimization error code that was returned.
-- **downlinkBps**  The maximum measured available download bandwidth (in bytes per second).
-- **downlinkUsageBps**  The download speed (in bytes per second).
-- **downloadMode**  The download mode used for this file download session.
-- **fileID**  The ID of the file being downloaded.
-- **fileSize**  The size of the file being downloaded.
-- **groupConnectionCount**  The total number of connections made to peers in the same group.
-- **internetConnectionCount**  The total number of connections made to peers not in the same LAN or the same group.
-- **lanConnectionCount**  The total number of connections made to peers in the same LAN.
-- **numPeers**  The total number of peers used for this download.
-- **restrictedUpload**  Is the upload restricted?
-- **scenarioID**  The ID of the scenario.
-- **sessionID**  The ID of the download session.
-- **totalTimeMs**  Duration of the download (in seconds).
-- **updateID**  The ID of the update being downloaded.
-- **uplinkBps**  The maximum measured available upload bandwidth (in bytes per second).
-- **uplinkUsageBps**  The upload speed (in bytes per second).
-- **experimentId**  When running a test, this is used to correlate with other events that are part of the same test.
-- **isVpn**  Is the device connected to a Virtual Private Network?
-- **usedMemoryStream**  Did the download use memory streaming?
-
-
-### Microsoft.OSG.DU.DeliveryOptClient.DownloadPaused
-
-This event represents a temporary suspension of a download with Delivery Optimization. It's used to understand and address problems regarding downloads.
-
-The following fields are available:
-
-- **background**  Is the download a background download?
-- **clientTelId**  A random number used for device sampling.
-- **errorCode**  The error code that was returned.
-- **fileID**  The ID of the file being paused.
-- **reasonCode**  The reason for pausing the download.
-- **scenarioID**  The ID of the scenario.
-- **sessionID**  The ID of the download session.
-- **updateID**  The ID of the update being paused.
-- **experimentId**  When running a test, this is used to correlate with other events that are part of the same test.
-- **isVpn**  Is the device connected to a Virtual Private Network?
-
-
-### Microsoft.OSG.DU.DeliveryOptClient.JobError
-
-This event represents a Windows Update job error. It allows for investigation of top errors.
-
-The following fields are available:
-
-- **clientTelId**  A random number used for device sampling.
-- **errorCode**  The error code returned.
-- **experimentId**  When running a test, this is used to correlate with other events that are part of the same test.
-- **fileID**  The ID of the file being downloaded.
-- **jobID**  The Windows Update job ID.
-
-
-### Microsoft.OSG.DU.DeliveryOptClient.DownloadCanceled
-
-This event describes when a download was canceled with Delivery Optimization. It's used to understand and address problems regarding downloads.
-
-The following fields are available:
-
-- **background**  Is the download being done in the background?
-- **bytesFromCDN**  The number of bytes received from a CDN source.
-- **bytesFromGroupPeers**  The number of bytes received from a peer in the same group.
-- **bytesFromIntPeers**  The number of bytes received from peers not in the same LAN or in the same group.
-- **bytesFromPeers**  The number of bytes received from a peer in the same LAN.
-- **cdnErrorCodes**  A list of CDN connection errors since the last FailureCDNCommunication event.
-- **cdnErrorCounts**  The number of times each error in cdnErrorCodes was encountered.
-- **clientTelId**  A random number used for device sampling.
-- **doErrorCode**  The Delivery Optimization error code that was returned.
-- **errorCode**  The error code that was returned.
-- **experimentId**  When running a test, this is used to correlate events that are part of the same test.
-- **fileID**  The ID of the file being downloaded.
-- **isVpn**  Is the device connected to a Virtual Private Network?
-- **scenarioID**  The ID of the scenario.
-- **sessionID**  The ID of the file download session.
-- **updateID**  The ID of the update being downloaded.
-- **usedMemoryStream**  Did the download use memory streaming?
-
-
 ### Microsoft.OSG.DU.DeliveryOptClient.DownloadStarted
 
-This event describes the start of a new download with Delivery Optimization. It's used to understand and address problems regarding downloads.
+This event sends data describing the start of a new download to enable Delivery Optimization. It's used to understand and address problems regarding downloads.
 
 The following fields are available:
 
-- **background**  Is the download a background download?
-- **cdnUrl**  The URL of the CDN.
-- **clientTelId**  A random number used for device sampling.
-- **deviceProfile**  Identifies the usage or form factor. Example: Desktop or Xbox
-- **diceRoll**  The dice roll value used in sampling events.
-- **doClientVersion**  The version of the Delivery Optimization client.
-- **doErrorCode**  The Delivery Optimization error code that was returned.
-- **downloadMode**  The download mode used for this file download session.
-- **errorCode**  The error code that was returned.
-- **experimentId**  When running a test, this is used to correlate with other events that are part of the same test.
-- **fileID**  The ID of the file being downloaded.
-- **filePath**  The path where the file will be written.
-- **groupID**  ID for the group.
-- **isVpn**  Is the device connected to a Virtual Private Network?
-- **jobID**  The ID of the Windows Update job.
-- **minDiskSizeGB**  The minimum disk size (in GB) required for Peering.
-- **minDiskSizePolicyEnforced**  Is the minimum disk size enforced via policy?
-- **minFileSizePolicy**  The minimum content file size policy to allow the download using Peering.
-- **peerID**  The ID for this Delivery Optimization client.
-- **scenarioID**  The ID of the scenario.
-- **sessionID**  The ID of the download session.
-- **updateID**  The ID of the update being downloaded.
-- **usedMemoryStream**  Did the download use memory streaming?
-- **costFlags**  A set of flags representing network cost.
-
-
-### Microsoft.OSG.DU.DeliveryOptClient.FailureCdnCommunication
-
-This event represents a failure to download from a CDN with Delivery Optimization. It's used to understand and address problems regarding downloads.
-
-The following fields are available:
-
-- **cdnIp**  The IP address of the CDN.
-- **cdnUrl**  The URL of the CDN.
-- **clientTelId**  A random number used for device sampling.
-- **errorCode**  The error code that was returned.
-- **errorCount**  The total number of times this error code was seen since the last FailureCdnCommunication event was encountered.
-- **httpStatusCode**  The HTTP status code returned by the CDN.
-- **sessionID**  The ID of the download session.
-- **cdnHeaders**  The HTTP headers returned by the CDN.
-- **experimentId**  When running a test, this is used to correlate with other events that are part of the same test.
-- **fileID**  The ID of the file being downloaded.
-- **isHeadRequest**  The type of  HTTP request that was sent to the CDN. Example: HEAD or GET
-- **requestSize**  The size of the range requested from the CDN.
-- **responseSize**  The size of the range response received from the CDN.
+- **background**  If the download is happening in the background
+- **bytesRequested**  Number of bytes requested for download.
+- **cdnUrl**  Number of bytes requested for download
+- **costFlags**  Url of the source CDN
+- **deviceProfile**  Network cost flags
+- **diceRoll**  Identifies the usage or form factor (Desktop, Xbox, VM, etc)
+- **doClientVersion**  Random number used for determining if a client will use peering
+- **doErrorCode**  Version of the Delivery Optimization client
+- **downloadMode**  Delivery Optimization error code returned
+- **downloadModeSrc**  DownloadMode used (CdnOnly = 0, Lan = 1, Group = 2, Internet = 3, Simple = 99, Bypass = 100)
+- **errorCode**  Source of the DownloadMode setting (KvsProvider: 0, GeoProvider: 1, GeoVerProvider: 2, CpProvider: 3, DiscoveryProvider: 4, RegistryProvider: 5, GroupPolicyProvider: 6, MdmProvider: 7, SettingsProvider: 8, InvalidProviderType: 9)
+- **experimentId**  Error code returned
+- **fileID**  Used to correlate client/services calls that are part of the same test during A/B testing
+- **filePath**  ID of the File being downloaded
+- **fileSize**  Path to where the downloaded file will be written
+- **fileSizeCaller**  Total filesize of the file that was downloaded
+- **groupID**  Value for total file size provided by our caller
+- **isVpn**  ID for the group
+- **jobID**  If the machine is connected to a Virtual Private Network
+- **peerID**  Minimum filesize policy set for the device to allow Peering with Delivery Optimization
+- **predefinedCallerName**  Name of the API caller
+- **sessionID**  Name of the API Caller
+- **setConfigs**  ID of the Update being downloaded
+- **updateID**  ID for the file download session
+- **usedMemoryStream**  ID of the Update being downloaded
+- **callerName**  Name of the API Caller
+- **minDiskSizeGB**  Identifier for the Windows Update Job
+- **minDiskSizePolicyEnforced**  The minimum disk size policy set for the device to allow Peering with Delivery Optimization
+- **minFileSizePolicy**  If there is an enforced mininum disk size requirement for peering
+- **scenarioID**  ID for the Scenario
+- **isEncrypted**  Whether the download is encrypted
 
 
 ## Windows Update events
 
-### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentModeStart
+### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentAnalysisSummary
 
-This event sends data for the start of each mode during the process of updating device manifest assets via the UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages.
+This event collects information regarding the state of devices and drivers on the system following a reboot after the install phase of the new device manifest UUP (Unified Update Platform) update scenario which is used to install a device manifest describing a set of driver packages.
 
 The following fields are available:
 
-- **flightId**  The unique identifier for each flight
-- **mode**  Indicates that the Update Agent mode that has started. 1 = Initialize, 2 = DownloadRequest, 3 = Install, 4 = Commit
-- **objectId**  Unique value for each Update Agent mode
-- **relatedCV**  Correlation vector value generated from the latest scan
-- **scenarioId**  The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
-- **sessionId**  Unique value for each Update Agent mode attempt
-- **updateId**  Unique ID for each update
-
-
-### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentInitialize
-
-This event sends data for initializing a new update session for the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages
-
-The following fields are available:
-
-- **errorCode**  The error code returned for the current initialize phase
-- **flightId**  The unique identifier for each flight
-- **flightMetadata**  Contains the FlightId and the build being flighted
-- **objectId**  Unique value for each Update Agent mode
-- **relatedCV**  Correlation vector value generated from the latest USO scan
-- **result**  Result of the initialize phase of update. 0 = Succeeded, 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled
-- **scenarioId**  The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate#N#
-- **sessionData**  Contains instructions to update agent for processing FODs and DUICs (Null for other scenarios)
-- **sessionId**  "Unique value for each Update Agent mode attempt "
-- **updateId**  Unique ID for each update
+- **activated**  Whether the entire device manifest update is considered activated and in use.
+- **analysisErrorCount**  How many driver packages that could not be analyzed because errors were hit during the analysis.
+- **flightId**  Unique ID for each flight. 
+- **missingDriverCount**  How many driver packages that were delivered by the device manifest that are missing from the system.
+- **missingUpdateCount**  How many updates that were part of the device manifest that are missing from the system.
+- **objectId**  Unique value for each diagnostics session. 
+- **publishedCount**  How many drivers packages that were delivered by the device manifest that are published and available to be used on devices.
+- **relatedCV**  Correlation vector value generated from the latest USO scan. 
+- **scenarioId**  Indicates the update scenario. 
+- **sessionId**  Unique value for each update session. 
+- **summary**  A summary string that contains some basic information about driver packages that are part of the device manifest and any devices on the system that those driver packages match on.
+- **summaryAppendError**  A Boolean indicating if there was an error appending more information to the summary string.
+- **truncatedDeviceCount**  How many devices are missing from the summary string due to there not being enough room in the string.
+- **truncatedDriverCount**  How many driver packages are missing from the summary string due to there not being enough room in the string.
+- **unpublishedCount**  How many drivers packages that were delivered by the device manifest that are still unpublished and unavailable to be used on devices.
+- **updateId**  Unique ID for each Update. 
 
 
 ### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentCommit
@@ -4321,22 +4647,6 @@ The following fields are available:
 - **updateId**  The unique identifier for each Update
 
 
-### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentInstall
-
-This event collects information regarding the install phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages
-
-The following fields are available:
-
-- **errorCode**  The error code returned for the current install phase
-- **flightId**  The unique identifier for each flight
-- **objectId**  Unique value for each Update Agent mode
-- **relatedCV**  Correlation vector value generated from the latest scan
-- **result**  Result of the install phase of update. 0 = Succeeded 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled
-- **scenarioId**  The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
-- **sessionId**  Unique value for each Update Agent mode attempt
-- **updateId**  Unique ID for each update
-
-
 ### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentDownloadRequest
 
 This event collects information regarding the download request phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages
@@ -4364,6 +4674,435 @@ The following fields are available:
 - **updateId**  Unique ID for each update
 
 
+### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentInitialize
+
+This event sends data for initializing a new update session for the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages
+
+The following fields are available:
+
+- **errorCode**  The error code returned for the current initialize phase
+- **flightId**  The unique identifier for each flight
+- **flightMetadata**  Contains the FlightId and the build being flighted
+- **objectId**  Unique value for each Update Agent mode
+- **relatedCV**  Correlation vector value generated from the latest USO scan
+- **result**  Result of the initialize phase of update. 0 = Succeeded, 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled
+- **scenarioId**  The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate 
+- **sessionData**  Contains instructions to update agent for processing FODs and DUICs (Null for other scenarios)
+- **sessionId**  Unique value for each Update Agent mode attempt 
+- **updateId**  Unique ID for each update
+
+
+### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentInstall
+
+This event collects information regarding the install phase of the new device manifest UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages
+
+The following fields are available:
+
+- **errorCode**  The error code returned for the current install phase
+- **flightId**  The unique identifier for each flight
+- **objectId**  Unique value for each Update Agent mode
+- **relatedCV**  Correlation vector value generated from the latest scan
+- **result**  Result of the install phase of update. 0 = Succeeded 1 = Failed, 2 = Cancelled, 3 = Blocked, 4 = BlockCancelled
+- **scenarioId**  The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
+- **sessionId**  Unique value for each Update Agent mode attempt
+- **updateId**  Unique ID for each update
+
+
+### Microsoft.Windows.Update.DeviceUpdateAgent.UpdateAgentModeStart
+
+This event sends data for the start of each mode during the process of updating device manifest assets via the UUP (Unified Update Platform) update scenario, which is used to install a device manifest describing a set of driver packages.
+
+The following fields are available:
+
+- **flightId**  The unique identifier for each flight
+- **mode**  Indicates that the Update Agent mode that has started. 1 = Initialize, 2 = DownloadRequest, 3 = Install, 4 = Commit
+- **objectId**  Unique value for each Update Agent mode
+- **relatedCV**  Correlation vector value generated from the latest scan
+- **scenarioId**  The scenario ID. Example: MobileUpdate, DesktopLanguagePack, DesktopFeatureOnDemand, or DesktopDriverUpdate
+- **sessionId**  Unique value for each Update Agent mode attempt
+- **updateId**  Unique ID for each update
+
+
+### Microsoft.Windows.Update.NotificationUx.DialogNotificationToBeDisplayed
+
+Dialog notification about to be displayed to user.
+
+The following fields are available:
+
+- **AcceptAutoModeLimit**  Maximum number of days for a device to automatically enter Auto Reboot mode 
+- **AutoToAutoFailedLimit**  Maximum number of days for Auto Reboot mode to fail before RebootFailed dialog will be shown 
+- **DeviceLocalTime**  Time of dialog shown on local device 
+- **EngagedModeLimit**  Number of days to switch between DTE dialogs 
+- **EnterAutoModeLimit**  Maximum number of days for a device to enter Auto Reboot mode 
+- **ETag**  OneSettings versioning value 
+- **IsForcedEnabled**  Is Forced Reboot mode enabled for this device?
+- **IsUltimateForcedEnabled**  Is Ultimate Forced Reboot mode enabled for this device?
+- **NotificationUxState**  Which dialog is shown (ENUM)?
+- **NotificationUxStateString**  Which dialog is shown (string mapping)?
+- **RebootUxState**  Engaged/Auto/Forced/UltimateForced 
+- **RebootUxStateString**  Engaged/Auto/Forced/UltimateForced 
+- **RebootVersion**  Version of DTE 
+- **SkipToAutoModeLimit**  The minimum length of time to pass in reboot pending before a machine can be put into auto mode
+- **UpdateId**  The ID of the update that is pending reboot to finish installation 
+- **UpdateRevision**  The revision of the update that is pending reboot to finish installation 
+- **UtcTime**  The Coordinated Universal Time when the dialog notification will be displayed.
+- **DaysSinceRebootRequired**  Number of days since reboot was required.
+
+
+### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootAcceptAutoDialog
+
+Enhanced Engaged reboot accept auto dialog was displayed.
+
+The following fields are available:
+
+- **DeviceLocalTime**  Local time of the device sending the event 
+- **ETag**  OneSettings ETag 
+- **ExitCode**  Dialog exit code - user response 
+- **RebootVersion**  Reboot flow version 
+- **UpdateId**  Id of pending update 
+- **UpdateRevision**  Revision number of the pending update 
+- **UserResponseString**  User response to the reboot dialog 
+- **UtcTime**  The Coordinated Universal Time that dialog was displayed
+
+
+### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootFirstReminderDialog
+
+Enhanced Engaged reboot first reminder dialog was displayed.
+
+The following fields are available:
+
+- **DeviceLocalTime**  Time of dialog shown on local device 
+- **ETag**  OneSettings versioning value 
+- **ExitCode**  Indicates how users exited the dialog 
+- **RebootVersion**  Version of DTE 
+- **UpdateId**  The id of the update that is pending reboot to finish installation 
+- **UpdateRevision**  The revision of the update that is pending reboot to finish installation 
+- **UserResponseString**  The option that user chose on this dialog 
+- **UtcTime**  The Coordinated Universal Time that dialog was displayed
+
+
+### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootForcedPrecursorDialog
+
+Enhanced Engaged reboot forced precursor dialog was displayed.
+
+The following fields are available:
+
+- **DeviceLocalTime**  Time of dialog shown on local device 
+- **ETag**  OneSettings versioning value 
+- **ExitCode**  Indicates how users exited the dialog 
+- **RebootVersion**  Version of DTE 
+- **UpdateId**  The id of the update that is pending reboot to finish installation 
+- **UpdateRevision**  The revision of the update that is pending reboot to finish installation 
+- **UserResponseString**  The option that user chose on this dialog 
+- **UtcTime**  The Coordinated Universal Time that dialog was displayed
+
+
+### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootForcedWarningDialog
+
+Enhanced Engaged forced warning dialog was displayed.
+
+The following fields are available:
+
+- **DeviceLocalTime**  Time of dialog shown on local device 
+- **ETag**  OneSettings versioning value 
+- **ExitCode**  Indicates how users exited the dialog 
+- **RebootVersion**  Version of DTE 
+- **UpdateId**  The id of the update that is pending reboot to finish installation 
+- **UpdateRevision**  The revision of the update that is pending reboot to finish installation 
+- **UserResponseString**  The option that user chose on this dialog 
+- **UtcTime**  The Coordinated Universal Time that dialog was displayed
+
+
+### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootRebootFailedDialog
+
+Enhanced Engaged reboot reboot failed dialog was displayed.
+
+The following fields are available:
+
+- **DeviceLocalTime**  Dialog exit code - user response
+- **ETag**  OneSettings versioning value 
+- **ExitCode**  Indicates how users exited the dialog 
+- **RebootVersion**  Version of DTE 
+- **UpdateId**  The ID of the update that is pending reboot to finish installation 
+- **UpdateRevision**  The revision of the update that is pending reboot to finish installation 
+- **UserResponseString**  The option that user chose on this dialog 
+- **UtcTime**  The Coordinated Universal Time that dialog was displayed
+
+
+### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootRebootImminentDialog
+
+Enhanced Engaged reboot reboot imminent dialog was displayed.
+
+The following fields are available:
+
+- **DeviceLocalTime**  Time of dialog shown on local device 
+- **ETag**  OneSettings versioning value 
+- **ExitCode**  Indicates how users exited the dialog 
+- **RebootVersion**  Version of DTE 
+- **UpdateId**  The ID of the update that is pending reboot to finish installation 
+- **UpdateRevision**  The revision of the update that is pending reboot to finish installation 
+- **UserResponseString**  The option that user chose on this dialog 
+- **UtcTime**  The Coordinated Universal Time that dialog was displayed
+
+
+### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootSecondReminderDialog
+
+Enhanced Engaged reboot second reminder dialog was displayed.
+
+The following fields are available:
+
+- **DeviceLocalTime**  Time of dialog shown on local device 
+- **ETag**  OneSettings versioning value 
+- **ExitCode**  Indicates how users exited the dialog 
+- **RebootVersion**  Version of DTE 
+- **UpdateId**  The ID of the update that is pending reboot to finish installation 
+- **UpdateRevision**  The revision of the update that is pending reboot to finish installation 
+- **UserResponseString**  The option that user chose on this dialog 
+- **UtcTime**  The Coordinated Universal Time that dialog was displayed
+
+
+### Microsoft.Windows.Update.NotificationUx.EnhancedEngagedRebootThirdReminderDialog
+
+Enhanced Engaged reboot third reminder dialog was displayed.
+
+The following fields are available:
+
+- **DeviceLocalTime**  Time of dialog shown on local device 
+- **ETag**  OneSettings versioning value 
+- **ExitCode**  Indicates how users exited the dialog 
+- **RebootVersion**  Version of DTE 
+- **UpdateId**  The ID of the update that is pending reboot to finish installation 
+- **UpdateRevision**  The revision of the update that is pending reboot to finish installation 
+- **UserResponseString**  The option that user chose on this dialog 
+- **UtcTime**  The Coordinated Universal Time that dialog was displayed
+
+
+### Microsoft.Windows.Update.NotificationUx.RebootScheduled
+
+Indicates when a reboot is scheduled by the system or a user for a security, quality, or feature update
+
+The following fields are available:
+
+- **activeHoursApplicable**  True, If Active Hours applicable on this device. False, otherwise
+- **rebootArgument**  Argument for the reboot task. It also represents specific reboot related action
+- **rebootOutsideOfActiveHours**  True, if a reboot is scheduled outside of active hours. False, otherwise
+- **rebootScheduledByUser**  True, if a reboot is scheduled by user. False, if a reboot is scheduled automatically
+- **rebootState**  The state of the reboot
+- **revisionNumber**  Revision number of the update that is getting installed with this reboot
+- **scheduledRebootTime**  Time of the scheduled reboot
+- **scheduledRebootTimeInUTC**  Time of the scheduled reboot in Coordinated Universal Time
+- **updateId**  ID of the update that is getting installed with this reboot
+- **wuDeviceid**  Unique device ID used by Windows Update
+- **IsEnhancedEngagedReboot**  Whether this is an Enhanced Engaged reboot
+
+
+### Microsoft.Windows.Update.Orchestrator.ActivityRestrictedByActiveHoursPolicy
+
+A policy is present that may restrict update activity to outside of active hours.
+
+The following fields are available:
+
+- **activeHoursEnd**  The end of the active hours window
+- **activeHoursStart**  The start of the active hours window
+- **wuDeviceid**  Device ID
+
+
+### Microsoft.Windows.Update.Orchestrator.BlockedByActiveHours
+
+Update activity blocked due to active hours being currently active.
+
+The following fields are available:
+
+- **blockReason**  The current state of the update process
+- **updatePhase**  The current state of the update process
+- **wuDeviceid**  Device ID
+- **activeHoursEnd**  The end of the active hours window
+- **activeHoursStart**  The start of the active hours window
+
+
+### Microsoft.Windows.Update.Orchestrator.BlockedByBatteryLevel
+
+Update activity blocked due to low battery level.
+
+The following fields are available:
+
+- **batteryLevel**  The current battery charge capacitity
+- **batteryLevelThreshold**  The battery capacity threshold to stop update activity
+- **blockReason**  The current state of the update process
+- **updatePhase**  The current state of the update process
+- **wuDeviceid**  Device ID
+
+
+### Microsoft.Windows.Update.Orchestrator.CommitFailed
+
+This events tracks when a device needs to restart after an update but did not.
+
+The following fields are available:
+
+- **errorCode**  The error code that was returned.
+- **wuDeviceid**  The Windows Update device GUID.
+
+
+### Microsoft.Windows.Update.Orchestrator.DTUCompletedWhenWuFlightPendingCommit
+
+Event to indicate that DTU completed installation of the ESD, when WU was already Pending Commit of the feature update.
+
+The following fields are available:
+
+- **wuDeviceid**  Device ID used by WU 
+
+
+### Microsoft.Windows.Update.Orchestrator.DTUEnabled
+
+Inbox DTU functionality enabled.
+
+The following fields are available:
+
+- **wuDeviceid**  Device ID.
+
+
+### Microsoft.Windows.Update.Orchestrator.DTUInitiated
+
+Inbox DTU functionality intiated.
+
+The following fields are available:
+
+- **dtuErrorCode**  Return code from creating the DTU Com Server.
+- **isDtuApplicable**  Determination of whether DTU is applicable to the machine it is running on.
+- **wuDeviceid**  Return code from creating the DTU Com Server.
+
+
+### Microsoft.Windows.Update.Orchestrator.DeferRestart
+
+Indicates that a restart required for installing updates was postponed.
+
+The following fields are available:
+
+- **displayNeededReason**  Semicolon-separated list of reasons reported for display needed
+- **eventScenario**  Indicates the purpose of the event - whether because scan started, succeded, failed, etc
+- **filteredDeferReason**  The raised reason that the USO did not restart (e.g. user active, low battery) that were ignorable
+- **gameModeReason**  Name of the executable that caused the game mode state check to trigger.
+- **ignoredReason**  Semicolon-separated list of reasons that were intentionally ignored.
+- **revisionNumber**  Update ID revision number
+- **systemNeededReason**  Semicolon-separated list of reasons reported for system needed.
+- **updateId**  Update ID
+- **updateScenarioType**  Update session type
+- **wuDeviceid**  Windows Update Device GUID
+- **raisedDeferReason**  The reason that the USO did not restart (e.g. user active, low battery)
+
+
+### Microsoft.Windows.Update.Orchestrator.Detection
+
+A scan for an update occurred.
+
+The following fields are available:
+
+- **detectionBlockingPolicy**  State of update action
+- **detectionBlockreason**  Reason for detection not completing.
+- **eventScenario**  End to end update session ID, or indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed.
+- **interactive**  Identifies if session is User Initiated.
+- **scanTriggerSource**  Source of the triggered scan.
+- **updateScenarioType**  The update session type.
+- **wuDeviceid**  Unique device ID used by Windows Update.
+- **detectionRetryMode**  If we retry to scan
+- **errorCode**  The returned error code.
+- **deferReason**  Reason for postponing detection 
+- **flightID**  Flight info 
+- **revisionNumber**  Update version 
+- **updateId**  Update ID - GUID 
+- **networkStatus**  Error info
+
+
+### Microsoft.Windows.Update.Orchestrator.DisplayNeeded
+
+Reboot postponed due to needing a display
+
+The following fields are available:
+
+- **displayNeededReason**  Reason the display is needed
+- **eventScenario**  Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed
+- **rebootOutsideOfActiveHours**  Indicates the timing that the reboot was to occur to ensure the correct update process and experience is provided to keep Windows up to date
+- **revisionNumber**  Revision number of the update
+- **updateId**  Update ID
+- **updateScenarioType**  The update session type
+- **uxRebootstate**  Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date
+- **wuDeviceid**  The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue
+
+
+### Microsoft.Windows.Update.Orchestrator.Download
+
+This event sends launch data for a Windows Update download to help keep Windows up to date.
+
+The following fields are available:
+
+- **deferReason**  Reason for download not completing
+- **errorCode**  An error code represented as a hexadecimal value
+- **eventScenario**  End to end update session ID.
+- **flightID**  Unique update ID.
+- **interactive**  Identifies if session is user initiated.
+- **revisionNumber**  Update revision number.
+- **updateId**  Update ID.
+- **updateScenarioType**  The update session type.
+- **wuDeviceid**  Unique device ID used by Windows Update.
+
+
+### Microsoft.Windows.Update.Orchestrator.Escalation
+
+Event sent when USO takes an Escalation action on device.
+
+The following fields are available:
+
+- **configVersion**  Escalation config version on device 
+- **escalationAction**  Indicate the specific escalation action that took place on device
+- **updateClassificationGUID**  GUID of the update the device is offered
+- **updateId**  ID of the update the device is offered
+- **wuDeviceid**  Device ID used by WU
+
+
+### Microsoft.Windows.Update.Orchestrator.EscalationRiskLevels
+
+Event sent during update scan, download, install. Indicates that the device is at risk of being out-of-date.
+
+The following fields are available:
+
+- **configVersion**  Escalation config version on device
+- **downloadElapsedTime**  How long since the download is required on device
+- **downloadRiskLevel**  At-risk level of download phase
+- **installElapsedTime**  How long since the install is required on device
+- **installRiskLevel**  At-risk level of install phase
+- **isSediment**  WaaSmedic's assessment of whether is device is at risk or not
+- **scanElapsedTime**  How long since the scan is required on device
+- **scanRiskLevel**  At-risk level of scan phase
+- **wuDeviceid**  Device id used by WU
+
+
+### Microsoft.Windows.Update.Orchestrator.EscalationsRefreshFailed
+
+USO has a set of escalation actions to prevent a device from becoming out-of-date, and the actions are triggered based on the Escalation config that USO obtains from OneSettings. This event is sent when USO fails to refresh the escalation config from OneSettings.
+
+The following fields are available:
+
+- **configVersion**  Current escalation config version on device
+- **errorCode**  Error code for the refresh failure
+- **wuDeviceid**  Device ID used by WU
+
+
+### Microsoft.Windows.Update.Orchestrator.FlightInapplicable
+
+The Update is no longer Applicable to this device
+
+The following fields are available:
+
+- **EventPublishedTime**  Flight specific info
+- **flightID**  Update ID revision number
+- **revisionNumber**  Update ID - GUID
+- **updateId**  Update session type
+- **updateScenarioType**  Last status of update
+- **UpdateStatus**  Is UUP fallback configured?
+- **UUPFallBackConfigured**  Windows Update Device GUID
+- **wuDeviceid**  Windows Update Device GUID
+
+
 ### Microsoft.Windows.Update.Orchestrator.GameActive
 
 This event indicates that an enabled GameMode process prevented the device from restarting to complete an update
@@ -4375,94 +5114,102 @@ The following fields are available:
 - **wuDeviceid**  The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue
 
 
-### Microsoft.Windows.Update.DataMigrationFramework.DmfMigrationCompleted
+### Microsoft.Windows.Update.Orchestrator.InitiatingReboot
 
-This event sends data collected at the end of the Data Migration Framework (DMF) and parameters involved in its invocation, to help keep Windows up to date.
+This event sends data about an Orchestrator requesting a reboot from power management to help keep Windows up to date.
 
 The following fields are available:
 
-- **MigrationDurationInMilliseconds**  How long the DMF migration took (in milliseconds)
-- **MigrationEndTime**  A system timestamp of when the DMF migration completed.
-- **RevisionNumbers**  A collection of revision numbers for the updates associated with the DMF session.
-- **UpdateIds**  A collection of GUIDs for updates that are associated with the DMF session.
-- **WuClientId**  The GUID of the Windows Update client responsible for triggering the DMF migration
-
-
-### Microsoft.Windows.Update.DataMigrationFramework.DmfMigrationStarted
-
-This event sends data collected at the beginning of the Data Migration Framework (DMF) and parameters involved in its invocation, to help keep Windows up to date.
-
-The following fields are available:
-
-- **MigrationMicrosoftPhases**  Revision numbers for the updates that were installed.
-- **MigrationOEMPhases**  WU Update IDs for the updates that were installed.
-- **MigrationStartTime**  The timestamp representing the beginning of the DMF migration
-- **WuClientId**  The GUID of the Windows Update client invoking DMF
-- **RevisionNumbers**  A collection of the revision numbers associated with the UpdateIds.
-- **UpdateIds**  A collection of GUIDs identifying the upgrades that are running.
-
-
-### Microsoft.Windows.Update.DataMigrationFramework.MigratorResult
-
-This event sends DMF migrator data to help keep Windows up to date.
-
-The following fields are available:
-
-- **CurrentStep**  This is the last step the migrator reported before returning a result. This tells us how far through the individual migrator the device was before failure.
-- **ErrorCode**  The result (as an HRESULT) of the migrator that just completed.
-- **MigratorId**  A GUID identifying the migrator that just completed.
-- **MigratorName**  The name of the migrator that just completed.
-- **RunDurationInSeconds**  The time it took for the migrator to complete.
-- **TotalSteps**  Migrators report progress in number of completed steps against the total steps. This is the total number of steps.
-
-
-### Microsoft.Windows.Update.Orchestrator.Download
-
-This event sends launch data for a Windows Update download to help keep Windows up to date.
-
-The following fields are available:
-
-- **deferReason**  Reason for download not completing
-- **detectionDeferreason**  Reason for download not completing
-- **errorCode**  An error code represented as a hexadecimal value
-- **eventScenario**  End to end update session ID.
-- **flightID**  Unique update ID.
-- **interactive**  Identifies if session is user initiated.
-- **revisionNumber**  Update revision number.
+- **EventPublishedTime**  Time of the event.
+- **flightID**  Unique update ID
+- **interactive**  Indicates the reboot initiation stage of the update process was entered as a result of user action or not.
+- **rebootOutsideOfActiveHours**  Indicates the timing that the reboot was to occur to ensure the correct update process and experience is provided to keep Windows up to date.
+- **revisionNumber**  Revision number of the update.
 - **updateId**  Update ID.
 - **updateScenarioType**  The update session type.
+- **uxRebootstate**  Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date.
 - **wuDeviceid**  Unique device ID used by Windows Update.
 
 
-### Microsoft.Windows.Update.Orchestrator.FlightInapplicable
+### Microsoft.Windows.Update.Orchestrator.Install
 
-This event sends data on whether the update was applicable to the device, to help keep Windows up to date.
-
-The following fields are available:
-
-- **EventPublishedTime**  time that the event was generated
-- **revisionNumber**  Revision Number of the Update
-- **updateId**  Unique Update ID
-- **UpdateStatus**  Integer that describes Update state
-- **wuDeviceid**  Unique Device ID
-- **flightID**  Unique Update ID
-- **updateScenarioType**  The update session type.
-
-
-### Microsoft.Windows.Update.Orchestrator.PostInstall
-
-This event sends data about lite stack devices (mobile, IOT, anything non-PC) immediately before data migration is launched to help keep Windows up to date.
+This event sends launch data for a Windows Update install to help keep Windows up to date.
 
 The following fields are available:
 
 - **batteryLevel**  Current battery capacity in mWh or percentage left.
-- **bundleId**  Update grouping ID.
-- **bundleRevisionnumber**  Bundle revision number.
-- **errorCode**  Hex code for the error message, to allow lookup of the specific error.
+- **deferReason**  Reason for install not completing.
 - **eventScenario**  End to end update session ID.
-- **flightID**  Unique update ID.
-- **sessionType**  Interactive vs. Background.
+- **interactive**  Identifies if session is user initiated.
+- **rebootOutsideOfActiveHours**  Indicates the timing that the reboot was to occur to ensure the correct update process and experience is provided to keep Windows up to date.
+- **updateScenarioType**  The update session type.
+- **uxRebootstate**  Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date.
 - **wuDeviceid**  Unique device ID used by Windows Update.
+- **flightID**  Unique update ID
+- **flightUpdate**  Flight update
+- **ForcedRebootReminderSet**  A boolean value that indicates if a forced reboot will happen for updates.
+- **installRebootinitiatetime**  The time it took for a reboot to be attempted.
+- **minutesToCommit**  The time it took to install updates.
+- **revisionNumber**  Update revision number.
+- **updateId**  Update ID.
+- **errorCode**  The error code reppresented by a hexadecimal value.
+- **installCommitfailedtime**  The time it took for a reboot to happen but the upgrade failed to progress.
+
+
+### Microsoft.Windows.Update.Orchestrator.PostInstall
+
+Event sent after Update install completes.
+
+The following fields are available:
+
+- **batteryLevel**  Battery level percentage  
+- **bundleId**  Update ID - GUID  
+- **bundleRevisionnumber**  Update ID revision number   
+- **errorCode**  Error value 
+- **eventScenario**  State of update action 
+- **sessionType**  Update session type 
+- **wuDeviceid**  Windows Update device GUID
+- **flightID**  The flight ID of the device
+- **updateScenarioType**  The scenario type of this update
+
+
+### Microsoft.Windows.Update.Orchestrator.PowerMenuOptionsChanged
+
+This event is sent when the options in power menu changed, usually due to an update pending reboot, or after a update is installed. 
+
+The following fields are available:
+
+- **powermenuNewOptions**  The new options after the power menu changed 
+- **powermenuOldOptions**  The old options before the power menu changed 
+- **rebootPendingMinutes**  If the power menu changed because a reboot is pending due to a update, how long that reboot has been pending 
+- **wuDeviceid**  If the power menu changed because a reboot is pending due to a update, the device ID recorded by WU 
+
+
+### Microsoft.Windows.Update.Orchestrator.PreShutdownStart
+
+This event is generated right before the shutdown and commit operations
+
+The following fields are available:
+
+- **wuDeviceid**  The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue
+
+
+### Microsoft.Windows.Update.Orchestrator.Progress
+
+Event sent when the download of a update reaches a milestone change, such as network cost policy changed, a internal phase has completed, or a transient state has changed.
+
+The following fields are available:
+
+- **errorCode**  Error info
+- **flightID**  Flight info
+- **interactive**  Is USO session interactive or non-interactive?
+- **networkCostPolicy**  The current network cost policy on device
+- **revisionNumber**  Update ID revision number
+- **updateId**  Update ID - GUID
+- **updateScenarioType**  Update Session type
+- **updateState**  Subphase of the download
+- **UpdateStatus**  Subphase of the update
+- **wuDeviceid**  Device ID
 
 
 ### Microsoft.Windows.Update.Orchestrator.RebootFailed
@@ -4475,7 +5222,6 @@ The following fields are available:
 - **deferReason**  Reason for install not completing.
 - **EventPublishedTime**  The time that the reboot failure occurred.
 - **flightID**  Unique update ID.
-- **installRebootDeferreason**  Reason for reboot not occurring.
 - **rebootOutsideOfActiveHours**  Indicates the timing that the reboot was to occur to ensure the correct update process and experience is provided to keep Windows up to date.
 - **RebootResults**  Hex code indicating failure reason. Typically, we expect this to be a specific USO generated hex code.
 - **revisionNumber**  Update revision number.
@@ -4485,6 +5231,74 @@ The following fields are available:
 - **wuDeviceid**  Unique device ID used by Windows Update.
 
 
+### Microsoft.Windows.Update.Orchestrator.RestoreRebootTask
+
+This event sends data indicating that a reboot task is missing unexpectedly on a device and the task is restored because a reboot is still required, to help keep Windows up to date.
+
+The following fields are available:
+
+- **RebootTaskRestoredTime**  Time at which this reboot task was restored.
+- **wuDeviceid**  Device id on which the reboot is restored
+
+
+### Microsoft.Windows.Update.Orchestrator.ScanTriggered
+
+Indicates that Update Orchestrator has started a scan operation.
+
+The following fields are available:
+
+- **errorCode**  Error info
+- **eventScenario**  Indicates the purpose of sending this event
+- **interactive**  Whether or not the scan is interactive.
+- **isScanPastSla**  Has the SLA elapsed for scanning?
+- **isScanPastTriggerSla**  Has the SLA elapsed for triggering a scan?
+- **minutesOverScanSla**  How many minutes over the scan SLA is the scan?
+- **minutesOverScanTriggerSla**  How many minutes over the scan trigger SLA is the scan?
+- **scanTriggerSource**  What caused the scan?
+- **updateScenarioType**  The type of scenario we are in.
+- **wuDeviceid**  WU Device ID of the machine.
+
+
+### Microsoft.Windows.Update.Orchestrator.SystemNeeded
+
+This event sends data about why a device is unable to reboot, to help keep Windows up to date.
+
+The following fields are available:
+
+- **eventScenario**  End to end update session ID.
+- **rebootOutsideOfActiveHours**  Indicates the timing that the reboot was to occur to ensure the correct update process and experience is provided to keep Windows up to date.
+- **revisionNumber**  Update revision number.
+- **systemNeededReason**  Reason ID
+- **updateId**  Update ID.
+- **updateScenarioType**  The update session type.
+- **uxRebootstate**  Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date.
+- **wuDeviceid**  Unique device ID used by Windows Update.
+
+
+### Microsoft.Windows.Update.Orchestrator.TerminatedByActiveHours
+
+Update activity was stopped due to active hours starting.
+
+The following fields are available:
+
+- **activeHoursEnd**  The end of the active hours window
+- **activeHoursStart**  The start of the active hours window
+- **updatePhase**  The current state of the update process
+- **wuDeviceid**  Device ID
+
+
+### Microsoft.Windows.Update.Orchestrator.TerminatedByBatteryLevel
+
+Update activity was stopped due to a low battery level.
+
+The following fields are available:
+
+- **batteryLevel**  The current battery charge capacity
+- **batteryLevelThreshold**  The battery capacity threshold to stop update activity
+- **updatePhase**  The current state of the update process
+- **wuDeviceid**  Device ID
+
+
 ### Microsoft.Windows.Update.Orchestrator.UpdatePolicyCacheRefresh
 
 This event sends data on whether Update Management Policies were enabled on a device, to help keep Windows up to date.
@@ -4504,85 +5318,13 @@ This event sends data about whether an update required a reboot to help keep Win
 
 The following fields are available:
 
-- **revisionNumber**  Update revision number.
-- **updateId**  Update ID.
-- **wuDeviceid**  Unique device ID used by Windows Update.
 - **flightID**  Unique update ID.
 - **interactive**  Indicates the reboot initiation stage of the update process was entered as a result of user action or not.
-- **uxRebootstate**  Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date.
-- **updateScenarioType**  The update session type.
-
-
-### Microsoft.Windows.Update.Ux.MusNotification.RebootScheduled
-
-This event sends data about a required reboot that is scheduled with no user interaction, to help keep Windows up to date.
-
-The following fields are available:
-
-- **activeHoursApplicable**  True, If Active Hours applicable on this device. False, otherwise.
-- **forcedReboot**  True, if a reboot is forced on the device. Otherwise, this is False
-- **rebootArgument**  Argument for the reboot task. It also represents specific reboot related action.
-- **rebootOutsideOfActiveHours**  True, if a reboot is scheduled outside of active hours. False, otherwise.
-- **rebootScheduledByUser**  True, if a reboot is scheduled by user. False, if a reboot is scheduled automatically.
-- **revisionNumber**  Revision number of the update that is getting installed with this reboot.
-- **scheduledRebootTime**  Time of the scheduled reboot
-- **updateId**  Update ID of the update that is getting installed with this reboot.
-- **wuDeviceid**  Unique device ID used by Windows Update.
-- **rebootState**  The state of the reboot.
-
-
-### Microsoft.Windows.Update.Orchestrator.Detection
-
-This event sends launch data for a Windows Update scan to help keep Windows up to date.
-
-The following fields are available:
-
-- **deferReason**  Reason why the device could not check for updates.
-- **detectionBlockreason**  Reason for detection not completing.
-- **detectionDeferreason**  A log of deferral reasons for every update state.
-- **errorCode**  The returned error code.
-- **eventScenario**  End to end update session ID, or indicates the purpose of sending this event - whether because the software distribution just started installing content, or whether it was cancelled, succeeded, or failed.
-- **flightID**  A unique update ID.
-- **interactive**  Identifies if session is User Initiated.
 - **revisionNumber**  Update revision number.
 - **updateId**  Update ID.
 - **updateScenarioType**  The update session type.
-- **wuDeviceid**  Unique device ID used by Windows Update.
-
-
-### Microsoft.Windows.Update.Orchestrator.InitiatingReboot
-
-This event sends data about an Orchestrator requesting a reboot from power management to help keep Windows up to date.
-
-The following fields are available:
-
-- **EventPublishedTime**  Time of the event.
-- **revisionNumber**  Revision number of the update.
-- **updateId**  Update ID.
-- **wuDeviceid**  Unique device ID used by Windows Update.
-- **flightID**  Unique update ID
-- **interactive**  Indicates the reboot initiation stage of the update process was entered as a result of user action or not.
-- **rebootOutsideOfActiveHours**  Indicates the timing that the reboot was to occur to ensure the correct update process and experience is provided to keep Windows up to date.
 - **uxRebootstate**  Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date.
-- **updateScenarioType**  The update session type.
-
-
-### Microsoft.Windows.Update.Ux.MusUpdateSettings.RebootScheduled
-
-This event sends basic information for scheduling a device restart to install security updates. It's used to help keep Windows up-to-date.
-
-The following fields are available:
-
-- **activeHoursApplicable**  Is the restart respecting Active Hours?
-- **rebootArgument**  The arguments that are passed to the OS for the restarted.
-- **rebootOutsideOfActiveHours**  Was the restart scheduled outside of Active Hours?
-- **rebootScheduledByUser**  Was the restart scheduled by the user? If the value is false, the restart was scheduled by the device.
-- **rebootState**  The state of the restart.
-- **revisionNumber**  The revision number of the OS being updated.
-- **scheduledRebootTime**  Time of the scheduled reboot
-- **updateId**  The Windows Update device GUID.
-- **wuDeviceid**  The Windows Update device GUID.
-- **forcedReboot**  True, if a reboot is forced on the device. Otherwise, this is False
+- **wuDeviceid**  Unique device ID used by Windows Update.
 
 
 ### Microsoft.Windows.Update.Ux.MusNotification.RebootNoLongerNeeded
@@ -4594,148 +5336,118 @@ The following fields are available:
 - **UtcTime**  The Coordinated Universal Time that the restart was no longer needed.
 
 
-### Microsoft.Windows.Update.Ux.MusNotification.ToastDisplayedToScheduleReboot
+### Microsoft.Windows.Update.Ux.MusNotification.RebootRequestReasonsToIgnore
 
-This event is sent when a toast notification is shown to the user about scheduling a device restart.
+This event is sent when the reboot can be deferred based on some reasons, before reboot attempts.
 
 The following fields are available:
 
-- **UtcTime**  The Coordinated Universal Time when the toast notification was shown.
+- **Reason**  The reason sent which will cause the reboot to defer.
 
 
-### Microsoft.Windows.Update.Orchestrator.RestoreRebootTask
+### Microsoft.Windows.Update.Ux.MusNotification.RebootScheduled
 
-This event sends data indicating that a reboot task is missing unexpectedly on a device and the task is restored because a reboot is still required, to help keep Windows up to date.
+The RebootScheduled event sends basic information for scheduling a update related reboot to facilitate the flow of getting security updates and keeping Windows up to date. 
 
 The following fields are available:
 
-- **RebootTaskRestoredTime**  Time at which this reboot task was restored.
-- **revisionNumber**  Update revision number.
-- **updateId**  Update ID.
-- **wuDeviceid**  Device id on which the reboot is restored
+- **activeHoursApplicable**  Whether Active Hours applies. 
+- **rebootArgument**  The reboot arguments 
+- **rebootOutsideOfActiveHours**  If reboot was outside of Active Hours
+- **rebootScheduledByUser**  If the reboot was scheduled by the user, or the system. 
+- **rebootState**  Which state the reboot is in
+- **revisionNumber**  Revision number of the OS
+- **scheduledRebootTime**  Time the reboot was scheduled for. 
+- **scheduledRebootTimeInUTC**  Time the reboot was scheduled for in UTC
+- **updateId**  UpdateId to identify which update is being scheduled.
+- **wuDeviceid**  Unique DeviceID
+- **IsEnhancedEngagedReboot**  If Enhanced reboot was enabled.
 
 
-### Microsoft.Windows.Update.Orchestrator.SystemNeeded
+### Microsoft.Windows.Update.Ux.MusNotification.UxBrokerFirstReadyToReboot
 
-This event sends data about why a device is unable to reboot, to help keep Windows up to date.
+This event is fired the first time when the reboot is required.
+
+
+
+### Microsoft.Windows.Update.Ux.MusNotification.UxBrokerScheduledTask
+
+This event is sent when MUSE broker schedules a task.
 
 The following fields are available:
 
-- **eventScenario**  End to end update session ID.
-- **revisionNumber**  Update revision number.
-- **systemNeededReason**  Reason ID
-- **updateId**  Update ID.
-- **wuDeviceid**  Unique device ID used by Windows Update.
-- **rebootOutsideOfActiveHours**  Indicates the timing that the reboot was to occur to ensure the correct update process and experience is provided to keep Windows up to date.
-- **uxRebootstate**  Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date.
-- **updateScenarioType**  The update session type.
+- **TaskArgument**  The arguments with which the task is scheduled. 
+- **TaskName**  Name of the task.
 
 
-### Microsoft.Windows.Update.UpdateStackServicing.CheckForUpdates
+## Windows Update mitigation events
 
-This event sends data about the UpdateStackServicing check for updates, to help keep Windows up to date.
+### Mitigation360Telemetry.MitigationCustom.CleanupSafeOsImages
+
+This event sends data specific to the CleanupSafeOsImages mitigation used for OS Updates. 
 
 The following fields are available:
 
-- **BspVersion**  The version of the BSP.
-- **CallerApplicationName**  The name of the USS scheduled task. Example UssScheduled or UssBoot
-- **ClientVersion**  The version of the client.
-- **CommercializationOperator**  The name of the operator.
-- **DetectionVersion**  The string returned from the GetDetectionVersion export of the downloaded detection DLL.
-- **DeviceName**  The name of the device.
-- **EventInstanceID**  The USS session ID.
-- **EventScenario**  The scenario of the event. Example: Started, Failed, or Succeeded
-- **OemName**  The name of the manufacturer.
-- **ServiceGuid**  The GUID of the service.
-- **StatusCode**  The HRESULT code of the operation.
-- **WUDeviceID**  The Windows Update device ID.
+- **ClientId**  In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. 
+- **FlightId**  Unique identifier for each flight. 
+- **InstanceId**  Unique GUID that identifies each instances of setuphost.exe. 
+- **MitigationScenario**  The update scenario in which the mitigation was executed. 
+- **MountedImageCount**  Number of mounted images. 
+- **MountedImageMatches**  Number of mounted images that were under %systemdrive%\$Windows.~BT. 
+- **MountedImagesFailed**  Number of mounted images under %systemdrive%\$Windows.~BT that could not be removed. 
+- **MountedImagesRemoved**    Number of mounted images under %systemdrive%\$Windows.~BT that were successfully removed. 
+- **MountedImagesSkipped**  Number of mounted images that were not under %systemdrive%\$Windows.~BT. 
+- **RelatedCV**  Correlation vector value generated from the latest USO scan. 
+- **Result**  HResult of this operation. 
+- **ScenarioId**  ID indicating the mitigation scenario. 
+- **ScenarioSupported**  Indicates whether the scenario was supported. 
+- **SessionId**  Unique value for each update attempt. 
+- **UpdateId**  Unique ID for each Update. 
+- **WuId**  Unique ID for the Windows Update client. 
 
 
-### Microsoft.Windows.Update.Orchestrator.CommitFailed
+### Mitigation360Telemetry.MitigationCustom.FixAppXReparsePoints
 
-This events tracks when a device needs to restart after an update but did not.
+This event sends data specific to the FixAppXReparsePoints mitigation used for OS updates.
 
 The following fields are available:
 
-- **errorCode**  The error code that was returned.
-- **wuDeviceid**  The Windows Update device GUID.
+- **ClientId**  Unique identifier for each flight. 
+- **FlightId**  Unique GUID that identifies each instances of setuphost.exe. 
+- **InstanceId**  The update scenario in which the mitigation was executed. 
+- **MitigationScenario**  Correlation vector value generated from the latest USO scan. 
+- **RelatedCV**  Number of reparse points that are corrupted but we failed to fix them.
+- **ReparsePointsFailed**  Number of reparse points that were corrupted and were fixed by this mitigation.
+- **ReparsePointsFixed**  Number of reparse points that are not corrupted and no action is required.
+- **ReparsePointsSkipped**  HResult of this operation.
+- **Result**  ID indicating the mitigation scenario.
+- **ScenarioId**  Indicates whether the scenario was supported.
+- **ScenarioSupported**  Unique value for each update attempt. 
+- **SessionId**  Unique ID for each Update. 
+- **UpdateId**  Unique ID for the Windows Update client.
+- **WuId**  Unique ID for the Windows Update client.
 
 
-### Microsoft.Windows.Update.Orchestrator.Install
+### Mitigation360Telemetry.MitigationCustom.FixupEditionId
 
-This event sends launch data for a Windows Update install to help keep Windows up to date.
+This event sends data specific to the FixupEditionId mitigation used for OS updates.
 
 The following fields are available:
 
-- **batteryLevel**  Current battery capacity in mWh or percentage left.
-- **deferReason**  Reason for install not completing.
-- **eventScenario**  End to end update session ID.
-- **interactive**  Identifies if session is user initiated.
-- **wuDeviceid**  Unique device ID used by Windows Update.
-- **flightUpdate**  Flight update
-- **installRebootinitiatetime**  The time it took for a reboot to be attempted.
-- **minutesToCommit**  The time it took to install updates.
-- **revisionNumber**  Update revision number.
-- **updateId**  Update ID.
-- **errorCode**  The error code reppresented by a hexadecimal value.
-- **installCommitfailedtime**  The time it took for a reboot to happen but the upgrade failed to progress.
-- **flightID**  Unique update ID
-- **ForcedRebootReminderSet**  A boolean value that indicates if a forced reboot will happen for updates.
-- **rebootOutsideOfActiveHours**  Indicates the timing that the reboot was to occur to ensure the correct update process and experience is provided to keep Windows up to date.
-- **uxRebootstate**  Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date.
-- **updateScenarioType**  The update session type.
+- **ClientId**  In the WU scenario, this will be the WU client ID that is passed to Setup. In Media setup, default value is Media360, but can be overwritten by the caller to a unique value. 
+- **EditionIdUpdated**  Determine whether EditionId was changed.
+- **FlightId**  Unique identifier for each flight. 
+- **InstanceId**    Unique GUID that identifies each instances of setuphost.exe. 
+- **MitigationScenario**  The update scenario in which the mitigation was executed. 
+- **ProductEditionId**  Expected EditionId value based on GetProductInfo.
+- **ProductType**  Value returned by GetProductInfo.
+- **RegistryEditionId**  EditionId value in the registry.
+- **RelatedCV**  Correlation vector value generated from the latest USO scan. 
+- **Result**  HResult of this operation. 
+- **ScenarioId**  ID indicating the mitigation scenario. 
+- **ScenarioSupported**  Indicates whether the scenario was supported. 
+- **SessionId**  Unique value for each update attempt.
+- **UpdateId**  Unique ID for each update. 
+- **WuId**  Unique ID for the Windows Update client. 
 
 
-### Microsoft.Windows.Update.Orchestrator.PreShutdownStart
-
-This event is generated right before the shutdown and commit operations
-
-The following fields are available:
-
-- **wuDeviceid**  The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue
-
-
-### Microsoft.Windows.Update.Orchestrator.DeferRestart
-
-This event indicates that a restart required for installing updates was postponed
-
-The following fields are available:
-
-- **filteredDeferReason**  Indicates the raised, but ignorable, reasons that the USO didn't restart (for example, user active or low battery)
-- **raisedDeferReason**  Indicates the reason that the USO didn't restart. For example, user active or low battery
-- **wuDeviceid**  The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue
-- **eventScenario**  Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed
-
-
-### Microsoft.Windows.Update.Orchestrator.DisplayNeeded
-
-Reboot postponed due to needing a display
-
-The following fields are available:
-
-- **displayNeededReason**  Reason the display is needed
-- **eventScenario**  Indicates the purpose of sending this event - whether because the software distribution just started checking for content, or whether it was cancelled, succeeded, or failed
-- **rebootOutsideOfActiveHours**  Indicates the timing that the reboot was to occur to ensure the correct update process and experience is provided to keep Windows up to date
-- **revisionNumber**  Revision number of the update
-- **updateId**  Update ID
-- **updateScenarioType**  The update session type
-- **uxRebootstate**  Indicates the exact state of the user experience at the time the required reboot was initiated to ensure the correct update process and experience is provided to keep Windows up to date
-- **wuDeviceid**  The unique identifier of a specific device, used to identify how many devices are encountering success or a particular issue
-
-
-### Microsoft.Windows.Update.NotificationUx.RebootScheduled
-
-Indicates when a reboot is scheduled by the system or a user for a security, quality, or feature update
-
-The following fields are available:
-
-- **activeHoursApplicable**  True, If Active Hours applicable on this device. False, otherwise
-- **rebootArgument**  Argument for the reboot task. It also represents specific reboot related action
-- **rebootOutsideOfActiveHours**  True, if a reboot is scheduled outside of active hours. False, otherwise
-- **rebootScheduledByUser**  True, if a reboot is scheduled by user. False, if a reboot is scheduled automatically
-- **rebootState**  The state of the reboot
-- **revisionNumber**  Revision number of the update that is getting installed with this reboot
-- **scheduledRebootTime**  Time of the scheduled reboot
-- **updateId**  ID of the update that is getting installed with this reboot
-- **wuDeviceid**  Unique device ID used by Windows Update
-- **scheduledRebootTimeInUTC**  Time of the scheduled reboot in Coordinated Universal Time
\ No newline at end of file
diff --git a/windows/configuration/change-history-for-configure-windows-10.md b/windows/configuration/change-history-for-configure-windows-10.md
index 1668b99505..9eae6cb71d 100644
--- a/windows/configuration/change-history-for-configure-windows-10.md
+++ b/windows/configuration/change-history-for-configure-windows-10.md
@@ -8,7 +8,7 @@ ms.sitesec: library
 ms.pagetype: security
 ms.localizationpriority: high
 author: jdeckerms
-ms.date: 04/23/2018
+ms.date: 04/30/2018
 ---
 
 # Change history for Configure Windows 10
diff --git a/windows/configuration/configure-windows-diagnostic-data-in-your-organization.md b/windows/configuration/configure-windows-diagnostic-data-in-your-organization.md
index ce9e5b4792..b3e7a68de0 100644
--- a/windows/configuration/configure-windows-diagnostic-data-in-your-organization.md
+++ b/windows/configuration/configure-windows-diagnostic-data-in-your-organization.md
@@ -139,6 +139,9 @@ Info collected at the Enhanced and Full levels of diagnostic data is typically g
 
 All diagnostic data data is encrypted using SSL and uses certificate pinning during transfer from the device to the Microsoft Data Management Service. With Windows 10, data is uploaded on a schedule that is sensitive to event priority, battery use, and network cost. Real-time events, such as Windows Defender Advanced Threat Protection, are always sent immediately. Normal events are not uploaded on metered networks, unless you are on a metered server connection. On a free network, normal events can be uploaded every 4 hours if on battery, or every 15 minutes if on A/C power. Diagnostic and crash data are only uploaded on A/C power and free networks.
 
+The data transmitted at the Basic and Enhanced data diagnostic levels is quite small; typically less than 1 MB per device per day,  but occasionally up to 2 MB per device per day).
+
+
 ### Endpoints
 
 The Microsoft Data Management Service routes data back to our secure cloud storage. Only Microsoft personnel with a valid business justification are permitted access.
@@ -308,7 +311,7 @@ In Windows 10, version 1709, we introduce the **Limit Enhanced diagnostic data t
 
 ### Full level
 
-The **Full** level gathers data necessary to identify and to help fix problems, following the approval process described below. This level also includes data from the **Basic**, **Enhanced**, and **Security** levels.
+The **Full** level gathers data necessary to identify and to help fix problems, following the approval process described below. This level also includes data from the **Basic**, **Enhanced**, and **Security** levels. This is the default level for Windows 10 Pro.
 
 Additionally, at this level, devices opted in to the [Windows Insider Program](http://insider.windows.com) will send events, such as reliability and app responsiveness. that can show Microsoft how pre-release binaries and features are performing. These events help us make decisions on which builds are flighted. All devices in the [Windows Insider Program](http://insider.windows.com) are automatically set to this level.
 
diff --git a/windows/configuration/customize-and-export-start-layout.md b/windows/configuration/customize-and-export-start-layout.md
index 7d84bee306..2b16353cf8 100644
--- a/windows/configuration/customize-and-export-start-layout.md
+++ b/windows/configuration/customize-and-export-start-layout.md
@@ -89,11 +89,11 @@ When you have the Start layout that you want your users to see, use the [Export-
 
 **To export the Start layout to an .xml file**
 
-1.  From Start, open **Windows PowerShell**.
+1.  Right Click Start, select **Windows PowerShell (Admin)**.
 
-2.  At the Windows PowerShell command prompt, enter the following command:
+2.  At the Administrator: Windows PowerShell command prompt, enter the following command:
 
-    `export-startlayout –path <path><file name>.xml `
+    `Export-StartLayout –path <path><file name>.xml `
 
     In the previous command, `-path` is a required parameter that specifies the path and file name for the export file. You can specify a local path or a UNC path (for example, \\\\FileServer01\\StartLayouts\\StartLayoutMarketing.xml).
 
diff --git a/windows/configuration/guidelines-for-assigned-access-app.md b/windows/configuration/guidelines-for-assigned-access-app.md
index f8c9a70845..6b09d39819 100644
--- a/windows/configuration/guidelines-for-assigned-access-app.md
+++ b/windows/configuration/guidelines-for-assigned-access-app.md
@@ -8,7 +8,7 @@ ms.sitesec: library
 author: jdeckerms
 ms.localizationpriority: high
 ms.author: jdecker
-ms.date: 04/23/2018
+ms.date: 04/30/2018
 ---
 
 # Guidelines for choosing an app for assigned access (kiosk mode)
@@ -81,9 +81,6 @@ Follow the [best practices guidance for developing a kiosk app for assigned acce
 
 The above guidelines may help you select or develop an appropriate Windows app for your assigned access experience. Once you have selected your app, we recommend that you thoroughly test the assigned access experience to ensure that your device provides a good customer experience.
 
-## Learn more
-
-[Customizing Your Device Experience with Assigned Access](https://channel9.msdn.com/Events/Build/2016/P508)
 
 
 
diff --git a/windows/configuration/index.md b/windows/configuration/index.md
index d8cfdf2e49..8549e7204a 100644
--- a/windows/configuration/index.md
+++ b/windows/configuration/index.md
@@ -19,15 +19,6 @@ Enterprises often need to apply custom configurations to devices for their users
 
 | Topic | Description |
 | --- | --- |
-| [Configure Windows diagnostic data in your organization](configure-windows-diagnostic-data-in-your-organization.md) | Use this article to make informed decisions about how you can configure Windows diagnostic data in your organization. |
-|[Diagnostic Data Viewer overview](diagnostic-data-viewer-overview.md) |Learn about the categories of diagnostic data your device is sending to Microsoft, along with how it's being used.|
-| [Windows 10, version 1709 basic diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields.md) | Learn about diagnostic data that is collected at the basic level in Windows 10, version 1709. |
-| [Windows 10, version 1703 basic level Windows diagnostic events and fields](basic-level-windows-diagnostic-events-and-fields-1703.md)| Learn about diagnostic data that is collected at the basic level in Windows 10, version 1703.|
-| [Windows 10, version 1709 enhanced telemetry events and fields used by Windows Analytics](enhanced-diagnostic-data-windows-analytics-events-and-fields.md)|Learn about diagnostic data that is collected by Windows Analytics.|
-| [Windows 10, version 1709 diagnostic data for the Full telemetry level](windows-diagnostic-data.md) | Learn about diagnostic data that is collected at the full level in Windows 10, version 1709. |
-| [Windows 10, version 1703 diagnostic data for the Full telemetry level](windows-diagnostic-data-1703.md) | Learn about diagnostic data that is collected at the full level in Windows 10, version 1703. |
-|[Beginning your General Data Protection Regulation (GDPR) journey for Windows 10](gdpr-win10-whitepaper.md)|Learn about Windows 10 and the upcoming GDPR-compliance requirements.|
-| [Manage connections from Windows operating system components to Microsoft services](manage-connections-from-windows-operating-system-components-to-microsoft-services.md) | Learn about the network connections that Windows components make to Microsoft and also the privacy settings that affect data that is shared with either Microsoft or apps and how they can be managed by an IT Pro. |
 | [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) | Wi-Fi Sense automatically connects you to Wi-Fi, so you can get online quickly in more places. It can connect you to open Wi-Fi hotspots it knows about through crowdsourcing, or to Wi-Fi networks your contacts have shared with you by using Wi-Fi Sense. The initial settings for Wi-Fi Sense are determined by the options you chose when you first set up your PC with Windows 10.  |
 | [Configure kiosk and shared devices running Windows 10 desktop editions](kiosk-shared-pc.md) | These topics help you configure Windows 10 devices to be shared by multiple users or to run as a kiosk device that runs a single app. |
 | [Configure Windows 10 Mobile devices](mobile-devices/configure-mobile.md) | These topics help you configure the features and apps and Start screen for a device running Windows 10 Mobile, as well as how to configure a kiosk device that runs a single app.  |
diff --git a/windows/configuration/kiosk-xml.md b/windows/configuration/kiosk-xml.md
index a39822d01e..e75ba24cdb 100644
--- a/windows/configuration/kiosk-xml.md
+++ b/windows/configuration/kiosk-xml.md
@@ -9,7 +9,7 @@ ms.sitesec: library
 ms.pagetype: edu, security
 author: jdeckerms
 ms.localizationpriority: medium
-ms.date: 04/23/2018
+ms.date: 04/30/2018
 ms.author: jdecker
 ---
 
diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md
index acf6fd26ea..b590917cbd 100644
--- a/windows/configuration/lock-down-windows-10-to-specific-apps.md
+++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md
@@ -9,7 +9,7 @@ ms.sitesec: library
 ms.pagetype: edu, security
 author: jdeckerms
 ms.localizationpriority: high
-ms.date: 04/23/2018
+ms.date: 04/30/2018
 ms.author: jdecker
 ---
 
diff --git a/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index e911b6fde5..848ec3a7c5 100644
--- a/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/configuration/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -25,7 +25,7 @@ Learn about the network connections that Windows components make to Microsoft an
 
 If you want to minimize connections from Windows to Microsoft services, or configure particular privacy settings, this article covers the settings that you could consider. You can configure diagnostic data at the lowest level for your edition of Windows, and also evaluate which other connections Windows makes to Microsoft services you want to turn off in your environment from the list in this article.
 
-You can configure diagnostic data at the Security level, turn off Windows Defender diagnostic data and MSRT reporting, and turn off all other connections to Microsoft network endpoints as described in this article to help prevent Windows from sending any data to Microsoft. There are many reasons why these communications are enabled by default, such as updating malware definitions and maintain current certificate revocation lists, which is why we strongly recommend against this. This data helps us deliver a secure, reliable, and more delightful personalized experience.
+You can configure diagnostic data at the Security/Basic level, turn off Windows Defender diagnostic data and MSRT reporting, and turn off all other connections to Microsoft network endpoints as described in this article to help prevent Windows from sending any data to Microsoft. There are many reasons why these communications are enabled by default, such as updating malware definitions and maintain current certificate revocation lists, which is why we strongly recommend against this. This data helps us deliver a secure, reliable, and more delightful personalized experience.
 
 To help make it easier to deploy settings to restrict connections from Windows 10 to Microsoft, you can apply the [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887). 
 This baseline was created in the same way as the [Windows security baselines](/windows/device-security/windows-security-baselines) that are often used to efficiently configure Windows to a known secure state. 
@@ -44,9 +44,9 @@ We are always striving to improve our documentation and welcome your feedback. Y
 
 Here's a list of changes that were made to this article for Windows 10, version 1803:
 
-- Added a policy to turn off privacy notifications
-- Added a policy to turn off  configuration updates for the Books Library
-- Added a policy to turn off Address Bar drop-down list suggestions
+- Added a policy to turn off notifications network usage
+- Added a policy for Microsoft Edge to turn off configuration updates for the Books Library
+- Added a policy for Microsoft Edge to turn off Address Bar drop-down list suggestions
 
 ## What's new in Windows 10, version 1709 Enterprise edition
 
@@ -87,8 +87,6 @@ Here's a list of changes that were made to this article for Windows 10, version
 
 The following sections list the components that make network connections to Microsoft services by default. You can configure these settings to control the data that is sent to Microsoft. To prevent Windows from sending any data to Microsoft, configure diagnostic data at the Security level, turn off Windows Defender diagnostic data and MSRT reporting, and turn off all of these connections.
 
-If you're running Windows 10, they will be included in the next update for the Long Term Servicing Branch.
-
 ### Settings for Windows 10 Enterprise edition 
 
 The following table lists management options for each setting, beginning with Windows 10 Enterprise version 1703.
@@ -397,7 +395,7 @@ To turn off Insider Preview builds for Windows 10:
 
     -or -
 
--  Create a new REG\_DWORD registry setting **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\PreviewBuilds!AllowBuildPreview** to 0 (zero)
+-  Create a new REG\_DWORD registry setting named **AllowBuildPreview** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\PreviewBuilds** with a vlue of 0 (zero)
 
     -or-
 
@@ -956,7 +954,7 @@ To turn off **Location for this device**:
 
    -or-
 
--   Create a REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy**, with a value of 2 (two).
+-   Create a REG\_DWORD registry setting named **LetAppsAccessLocation** in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two).
 
     -or-
 
@@ -1617,6 +1615,10 @@ For Windows 10:
 
 -   Apply the Licensing/DisallowKMSClientOnlineAVSValidation MDM policy from the [Policy CSP](http://msdn.microsoft.com/library/windows/hardware/dn904962.aspx) where 0 is disabled (default) and 1 is enabled.
 
+   -or-
+
+- Create a REG\_DWORD registry setting named **NoGenTicket** in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Software Protection Platform** with a value of 1 (one).
+
 For Windows Server 2016 with Desktop Experience or Windows Server 2016 Server Core:
 
 - Apply the Group Policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Software Protection Platform** &gt; **Turn off KMS Client Online AVS Validation**
@@ -1647,7 +1649,7 @@ You can control if your settings are synchronized:
 
     -or-
 
--   Create a REG\_DWORD registry setting named **DisableSettingSync** in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\SettingSync** with a value of 2 (two) and **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\SettingSync!DisableSettingSyncUserOverride** with a value of 1 (one).
+-   Create a REG\_DWORD registry setting named **DisableSettingSync** in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\SettingSync** with a value of 2 (two) and another named **DisableSettingSyncUserOverride** in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\SettingSync** with a value of 1 (one).
 
     -or-
 
@@ -1760,7 +1762,7 @@ You can stop downloading definition updates:
 
     -or-
 
--   Create a new REG\_SZ registry setting named **FallbackOrder** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\Updates!** with a value of **FileShares**.
+-   Create a new REG\_SZ registry setting named **FallbackOrder** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\Updates** with a value of **FileShares**.
 
 For Windows 10 only, you can stop Enhanced Notifications:
 
@@ -1824,7 +1826,7 @@ If you're not running Windows 10, version 1607 or later, you can use the other o
         -   Set the **Turn off fun facts, tips, tricks, and more on lock screen** check box.
 
         > [!NOTE] 
-        > This will only take effect if the policy is applied before the first logon. If you cannot apply the **Force a specific default lock screen image** policy before the first logon to the device, you can apply this policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **Control Panel** &gt; **Personalization** &gt; **Do not display the lock screen**. Alternatively, you can create a new REG\_SZ registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization!LockScreenImage**, with a value of **C:\\windows\\web\\screen\\lockscreen.jpg** and create a new REG\_DWORD registry setting in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization!LockScreenOverlaysDisabled**, with a value of 1 (one).
+        > This will only take effect if the policy is applied before the first logon. If you cannot apply the **Force a specific default lock screen image** policy before the first logon to the device, you can apply this policy: **Computer Configuration** &gt; **Administrative Templates** &gt; **Control Panel** &gt; **Personalization** &gt; **Do not display the lock screen**. Alternatively, you can create a new REG\_SZ registry setting nameed **LockScreenImage** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization** with a value of **C:\\windows\\web\\screen\\lockscreen.jpg** and create a new REG\_DWORD registry setting named **LockScreenOverlaysDisabled** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Personalization** with a value of 1 (one).
             
 
     -   **Computer Configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **Cloud Content** &gt; **Do not show Windows tips**.
diff --git a/windows/configuration/provisioning-packages/provisioning-how-it-works.md b/windows/configuration/provisioning-packages/provisioning-how-it-works.md
index 1e514987ed..02b9e7e88b 100644
--- a/windows/configuration/provisioning-packages/provisioning-how-it-works.md
+++ b/windows/configuration/provisioning-packages/provisioning-how-it-works.md
@@ -53,7 +53,7 @@ When multiple provisioning packages are available for device provisioning, the c
 
 The valid value range of package rank level is 0 to 99. 
 
-When setting conflicts are encountered, the final values provisioned on the device are determined by the owner type precedence and the rank level of the packages containing the settings. For example, the value of a setting in a package with owner **System Integrator** and rank level **3** takes precedence over the same setting in a package with owner **OEM** and rank level **4**. This is because the System Integrator owner type has the higher precedence over the OEM owner type. For packages with the same owner type, the package rank level determines the package from which the setting values get provisioned on the device. 
+When setting conflicts are encountered, the final values provisioned on the device are determined by the owner type precedence and the rank level of the packages containing the settings. For packages with the same owner type, the package rank level determines the package from which the setting values get provisioned on the device. 
 
 ## Windows provisioning XML
 
diff --git a/windows/configuration/setup-kiosk-digital-signage.md b/windows/configuration/setup-kiosk-digital-signage.md
index b7614eab9c..42ce7ef57b 100644
--- a/windows/configuration/setup-kiosk-digital-signage.md
+++ b/windows/configuration/setup-kiosk-digital-signage.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: manage
 ms.sitesec: library
 author: jdeckerms
 ms.localizationpriority: high
-ms.date: 04/23/2018
+ms.date: 04/30/2018
 ---
 
 # Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education
@@ -201,13 +201,12 @@ Clear-AssignedAccess
 >Account type: Local standard user 
 
 >[!IMPORTANT]
->When Exchange Active Sync (EAS) password restrictions are active on the device, the autologon feature does not work. This behavior is by design. For more informations, see [How to turn on automatic logon in Windows}(https://support.microsoft.com/help/324737/how-to-turn-on-automatic-logon-in-windows).
+>When Exchange Active Sync (EAS) password restrictions are active on the device, the autologon feature does not work. This behavior is by design. For more informations, see [How to turn on automatic logon in Windows](https://support.microsoft.com/help/324737/how-to-turn-on-automatic-logon-in-windows).
+
 
-Edit the registry to have an account automatically logged on.
 When you use the **Provision kiosk devices** wizard in Windows Configuration Designer, you can configure the kiosk to run either a Universal Windows app or a Classic Windows application.
 
->[!IMPORTANT]
->When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
+
 
 
 [Install Windows Configuration Designer](provisioning-packages/provisioning-install-icd.md), then open Windows Configuration Designer and select **Provision kiosk devices**. After you name your project, and click **Next**, configure the settings as shown in the following table.
@@ -232,7 +231,8 @@ When you use the **Provision kiosk devices** wizard in Windows Configuration Des
 >[!TIP]
 >You can also use [an XML file to configure both multi-app and single-app kiosks.](lock-down-windows-10-to-specific-apps.md)
 
-
+>[!IMPORTANT]
+>When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
 
 
 
diff --git a/windows/configuration/wcd/wcd-accountmanagement.md b/windows/configuration/wcd/wcd-accountmanagement.md
index 4059154f89..fa63667601 100644
--- a/windows/configuration/wcd/wcd-accountmanagement.md
+++ b/windows/configuration/wcd/wcd-accountmanagement.md
@@ -7,7 +7,7 @@ ms.sitesec: library
 author: jdeckerMS
 ms.localizationpriority: medium
 ms.author: jdecker
-ms.date: 04/23/2018
+ms.date: 04/30/2018
 ---
 
 # AccountManagement (Windows Configuration Designer reference)
diff --git a/windows/configuration/wcd/wcd-accounts.md b/windows/configuration/wcd/wcd-accounts.md
index feb7e1fd05..634f668550 100644
--- a/windows/configuration/wcd/wcd-accounts.md
+++ b/windows/configuration/wcd/wcd-accounts.md
@@ -7,7 +7,7 @@ ms.sitesec: library
 author: jdeckerMS
 ms.localizationpriority: medium
 ms.author: jdecker
-ms.date: 04/23/2018
+ms.date: 04/30/2018
 ---
 
 # Accounts (Windows Configuration Designer reference)
diff --git a/windows/configuration/wcd/wcd-assignedaccess.md b/windows/configuration/wcd/wcd-assignedaccess.md
index a7f0190a2d..8826fda44a 100644
--- a/windows/configuration/wcd/wcd-assignedaccess.md
+++ b/windows/configuration/wcd/wcd-assignedaccess.md
@@ -7,7 +7,7 @@ ms.sitesec: library
 author: jdeckerMS
 ms.localizationpriority: medium
 ms.author: jdecker
-ms.date: 04/23/2018
+ms.date: 04/30/2018
 ---
 
 # AssignedAccess (Windows Configuration Designer reference)
diff --git a/windows/configuration/wcd/wcd-automatictime.md b/windows/configuration/wcd/wcd-automatictime.md
index 8a63d101ea..6a1cf3d4e8 100644
--- a/windows/configuration/wcd/wcd-automatictime.md
+++ b/windows/configuration/wcd/wcd-automatictime.md
@@ -7,7 +7,7 @@ ms.sitesec: library
 author: jdeckerMS
 ms.localizationpriority: medium
 ms.author: jdecker
-ms.date: 04/23/2018
+ms.date: 04/30/2018
 ---
 
 # AutomaticTime (Windows Configuration Designer reference)
diff --git a/windows/configuration/wcd/wcd-browser.md b/windows/configuration/wcd/wcd-browser.md
index 59c881e8d5..f05f37908b 100644
--- a/windows/configuration/wcd/wcd-browser.md
+++ b/windows/configuration/wcd/wcd-browser.md
@@ -7,7 +7,7 @@ ms.sitesec: library
 author: jdeckerMS
 ms.localizationpriority: medium
 ms.author: jdecker
-ms.date: 04/23/2018
+ms.date: 04/30/2018
 ---
 
 # Browser (Windows Configuration Designer reference)
diff --git a/windows/configuration/wcd/wcd-calling.md b/windows/configuration/wcd/wcd-calling.md
index d99f8c29e0..eac321d014 100644
--- a/windows/configuration/wcd/wcd-calling.md
+++ b/windows/configuration/wcd/wcd-calling.md
@@ -7,7 +7,7 @@ ms.sitesec: library
 author: jdeckerMS
 ms.localizationpriority: medium
 ms.author: jdecker
-ms.date: 04/23/2018
+ms.date: 04/30/2018
 ---
 
 # Calling (Windows Configuration Designer reference)
diff --git a/windows/configuration/wcd/wcd-cellcore.md b/windows/configuration/wcd/wcd-cellcore.md
index 934671ef78..3b03be572a 100644
--- a/windows/configuration/wcd/wcd-cellcore.md
+++ b/windows/configuration/wcd/wcd-cellcore.md
@@ -7,7 +7,7 @@ ms.sitesec: library
 author: jdeckerMS
 ms.localizationpriority: medium
 ms.author: jdecker
-ms.date: 04/23/2018
+ms.date: 04/30/2018
 ---
 
 # CellCore (Windows Configuration Designer reference)
diff --git a/windows/configuration/wcd/wcd-connections.md b/windows/configuration/wcd/wcd-connections.md
index c37e8b2381..417868145f 100644
--- a/windows/configuration/wcd/wcd-connections.md
+++ b/windows/configuration/wcd/wcd-connections.md
@@ -7,7 +7,7 @@ ms.sitesec: library
 author: jdeckerMS
 ms.localizationpriority: medium
 ms.author: jdecker
-ms.date: 04/23/2018
+ms.date: 04/30/2018
 ---
 
 # Connections (Windows Configuration Designer reference)
diff --git a/windows/configuration/wcd/wcd-connectivityprofiles.md b/windows/configuration/wcd/wcd-connectivityprofiles.md
index a51c0a8ea4..d9e4b4c677 100644
--- a/windows/configuration/wcd/wcd-connectivityprofiles.md
+++ b/windows/configuration/wcd/wcd-connectivityprofiles.md
@@ -7,7 +7,7 @@ ms.sitesec: library
 author: jdeckerMS
 ms.localizationpriority: medium
 ms.author: jdecker
-ms.date: 04/23/2018
+ms.date: 04/30/2018
 ---
 
 # ConnectivityProfiles (Windows Configuration Designer reference)
diff --git a/windows/configuration/wcd/wcd-countryandregion.md b/windows/configuration/wcd/wcd-countryandregion.md
index 0a883e0e0d..7e0322107e 100644
--- a/windows/configuration/wcd/wcd-countryandregion.md
+++ b/windows/configuration/wcd/wcd-countryandregion.md
@@ -7,7 +7,7 @@ ms.sitesec: library
 author: jdeckerMS
 ms.localizationpriority: medium
 ms.author: jdecker
-ms.date: 04/23/2018
+ms.date: 04/30/2018
 ---
 
 # CountryAndRegion (Windows Configuration Designer reference)
diff --git a/windows/configuration/wcd/wcd-deviceformfactor.md b/windows/configuration/wcd/wcd-deviceformfactor.md
index 76e200ca6a..c9f81cda00 100644
--- a/windows/configuration/wcd/wcd-deviceformfactor.md
+++ b/windows/configuration/wcd/wcd-deviceformfactor.md
@@ -7,7 +7,7 @@ ms.sitesec: library
 author: jdeckerMS
 ms.localizationpriority: medium
 ms.author: jdecker
-ms.date: 04/23/2018
+ms.date: 04/30/2018
 ---
 
 # DeviceFormFactor (Windows Configuration Designer reference)
diff --git a/windows/configuration/wcd/wcd-devicemanagement.md b/windows/configuration/wcd/wcd-devicemanagement.md
index eb4e7cf0d4..29bc56d848 100644
--- a/windows/configuration/wcd/wcd-devicemanagement.md
+++ b/windows/configuration/wcd/wcd-devicemanagement.md
@@ -7,7 +7,7 @@ ms.sitesec: library
 author: jdeckerMS
 ms.localizationpriority: medium
 ms.author: jdecker
-ms.date: 04/23/2018
+ms.date: 04/30/2018
 ---
 
 # DeviceManagement (Windows Configuration Designer reference)
diff --git a/windows/configuration/wcd/wcd-dmclient.md b/windows/configuration/wcd/wcd-dmclient.md
index ac2b86436b..f8942889ea 100644
--- a/windows/configuration/wcd/wcd-dmclient.md
+++ b/windows/configuration/wcd/wcd-dmclient.md
@@ -7,7 +7,7 @@ ms.sitesec: library
 author: jdeckerMS
 ms.localizationpriority: medium
 ms.author: jdecker
-ms.date: 04/23/2018
+ms.date: 04/30/2018
 ---
 
 # DMClient (Windows Configuration Designer reference)
diff --git a/windows/configuration/wcd/wcd-editionupgrade.md b/windows/configuration/wcd/wcd-editionupgrade.md
index e8772b4c44..02d0b6819d 100644
--- a/windows/configuration/wcd/wcd-editionupgrade.md
+++ b/windows/configuration/wcd/wcd-editionupgrade.md
@@ -7,7 +7,7 @@ ms.sitesec: library
 author: jdeckerMS
 ms.localizationpriority: medium
 ms.author: jdecker
-ms.date: 04/23/2018
+ms.date: 04/30/2018
 ---
 
 # EditionUpgrade (Windows Configuration Designer reference)
diff --git a/windows/configuration/wcd/wcd-firstexperience.md b/windows/configuration/wcd/wcd-firstexperience.md
index 66c76f7446..7c02ecd47d 100644
--- a/windows/configuration/wcd/wcd-firstexperience.md
+++ b/windows/configuration/wcd/wcd-firstexperience.md
@@ -7,7 +7,7 @@ ms.sitesec: library
 author: jdeckerMS
 ms.localizationpriority: medium
 ms.author: jdecker
-ms.date: 04/23/2018
+ms.date: 04/30/2018
 ---
 
 # FirstExperience (Windows Configuration Designer reference)
diff --git a/windows/configuration/wcd/wcd-folders.md b/windows/configuration/wcd/wcd-folders.md
index d006f87a77..86b86075f8 100644
--- a/windows/configuration/wcd/wcd-folders.md
+++ b/windows/configuration/wcd/wcd-folders.md
@@ -7,7 +7,7 @@ ms.sitesec: library
 author: jdeckerMS
 ms.localizationpriority: medium
 ms.author: jdecker
-ms.date: 04/23/2018
+ms.date: 04/30/2018
 ---
 
 # Folders (Windows Configuration Designer reference)
diff --git a/windows/configuration/wcd/wcd-hotspot.md b/windows/configuration/wcd/wcd-hotspot.md
index 1d3a431a35..31693b3461 100644
--- a/windows/configuration/wcd/wcd-hotspot.md
+++ b/windows/configuration/wcd/wcd-hotspot.md
@@ -7,7 +7,7 @@ ms.sitesec: library
 author: jdeckerMS
 ms.localizationpriority: medium
 ms.author: jdecker
-ms.date: 04/23/2018
+ms.date: 04/30/2018
 ---
 
 # HotSpot (Windows Configuration Designer reference)
diff --git a/windows/configuration/wcd/wcd-maps.md b/windows/configuration/wcd/wcd-maps.md
index 48c957fe90..442b1d2ba4 100644
--- a/windows/configuration/wcd/wcd-maps.md
+++ b/windows/configuration/wcd/wcd-maps.md
@@ -7,7 +7,7 @@ ms.sitesec: library
 author: jdeckerMS
 ms.localizationpriority: medium
 ms.author: jdecker
-ms.date: 04/23/2018
+ms.date: 04/30/2018
 ---
 
 # Maps (Windows Configuration Designer reference)
diff --git a/windows/configuration/wcd/wcd-messaging.md b/windows/configuration/wcd/wcd-messaging.md
index 0a988510a7..2cd7c834a0 100644
--- a/windows/configuration/wcd/wcd-messaging.md
+++ b/windows/configuration/wcd/wcd-messaging.md
@@ -7,7 +7,7 @@ ms.sitesec: library
 author: jdeckerMS
 ms.localizationpriority: medium
 ms.author: jdecker
-ms.date: 04/23/2018
+ms.date: 04/30/2018
 ---
 
 # Messaging (Windows Configuration Designer reference)
diff --git a/windows/configuration/wcd/wcd-policies.md b/windows/configuration/wcd/wcd-policies.md
index 16c5d27391..fd647c2025 100644
--- a/windows/configuration/wcd/wcd-policies.md
+++ b/windows/configuration/wcd/wcd-policies.md
@@ -7,7 +7,7 @@ ms.sitesec: library
 author: jdeckerMS
 ms.localizationpriority: medium
 ms.author: jdecker
-ms.date: 04/23/2018
+ms.date: 04/30/2018
 ---
 
 # Policies (Windows Configuration Designer reference)
@@ -153,7 +153,7 @@ PreventTabPreloading | Prevent Microsoft Edge from starting and loading the Star
 
 | Setting | Description | Desktop editions | Mobile editions | Surface Hub | HoloLens | IoT Core |
 | --- | --- | :---: | :---: | :---: | :---: | :---: |
-[DisableAutomaticReDeploymentCredentials](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-credentialproviders) | This setting disables the visibility of the credential provider that triggers the PC refresh on a device. This policy does not actually trigger the refresh. The admin user is required to authenticate to trigger the refresh on the target device. The Windows 10 Automatic ReDeployment feature allows admin to reset devices to a known good managed state while preserving the management enrollment. After the automatic redeployment is triggered the devices are for ready for use by information workers or students. | X |  |  |  |  |
+[DisableAutomaticReDeploymentCredentials](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-credentialproviders) | This setting disables the visibility of the credential provider that triggers the PC refresh on a device. This policy does not actually trigger the refresh. The admin user is required to authenticate to trigger the refresh on the target device. The Windows 10 AutoPilot Reset feature allows admin to reset devices to a known good managed state while preserving the management enrollment. After the automatic redeployment is triggered the devices are for ready for use by information workers or students. | X |  |  |  |  |
 
 ## Cryptography
 
diff --git a/windows/configuration/wcd/wcd-rcspresence.md b/windows/configuration/wcd/wcd-rcspresence.md
index 325c3d2a69..a6e9ee52e6 100644
--- a/windows/configuration/wcd/wcd-rcspresence.md
+++ b/windows/configuration/wcd/wcd-rcspresence.md
@@ -7,7 +7,7 @@ ms.sitesec: library
 author: jdeckerMS
 ms.localizationpriority: medium
 ms.author: jdecker
-ms.date: 04/23/2018
+ms.date: 04/30/2018
 ---
 
 # RcsPresence (Windows Configuration Designer reference)
diff --git a/windows/configuration/wcd/wcd-tabletmode.md b/windows/configuration/wcd/wcd-tabletmode.md
index 2630c9a55a..fb480ab268 100644
--- a/windows/configuration/wcd/wcd-tabletmode.md
+++ b/windows/configuration/wcd/wcd-tabletmode.md
@@ -7,7 +7,7 @@ ms.sitesec: library
 author: jdeckerMS
 ms.localizationpriority: medium
 ms.author: jdecker
-ms.date: 04/23/2018
+ms.date: 04/30/2018
 ---
 
 # TabletMode (Windows Configuration Designer reference)
diff --git a/windows/configuration/wcd/wcd-universalappinstall.md b/windows/configuration/wcd/wcd-universalappinstall.md
index 9cdf3314ce..c9e427a13b 100644
--- a/windows/configuration/wcd/wcd-universalappinstall.md
+++ b/windows/configuration/wcd/wcd-universalappinstall.md
@@ -7,7 +7,7 @@ ms.sitesec: library
 author: jdeckerMS
 ms.localizationpriority: medium
 ms.author: jdecker
-ms.date: 04/23/2018
+ms.date: 04/30/2018
 ---
 
 # UniversalAppInstall (reference)
diff --git a/windows/configuration/wcd/wcd-weakcharger.md b/windows/configuration/wcd/wcd-weakcharger.md
index b4a45899d4..588b5cf039 100644
--- a/windows/configuration/wcd/wcd-weakcharger.md
+++ b/windows/configuration/wcd/wcd-weakcharger.md
@@ -7,7 +7,7 @@ ms.sitesec: library
 author: jdeckerMS
 ms.localizationpriority: medium
 ms.author: jdecker
-ms.date: 04/23/2018
+ms.date: 04/30/2018
 ---
 
 # WeakCharger (reference)
diff --git a/windows/configuration/wcd/wcd-windowsteamsettings.md b/windows/configuration/wcd/wcd-windowsteamsettings.md
index ad462fdd08..b6bb5189e2 100644
--- a/windows/configuration/wcd/wcd-windowsteamsettings.md
+++ b/windows/configuration/wcd/wcd-windowsteamsettings.md
@@ -7,7 +7,7 @@ ms.sitesec: library
 author: jdeckerMS
 ms.localizationpriority: medium
 ms.author: jdecker
-ms.date: 04/23/2018
+ms.date: 04/30/2018
 ---
 
 # WindowsTeamSettings (reference)
diff --git a/windows/configuration/wcd/wcd-wlan.md b/windows/configuration/wcd/wcd-wlan.md
index 137b3f163f..f39d201a7e 100644
--- a/windows/configuration/wcd/wcd-wlan.md
+++ b/windows/configuration/wcd/wcd-wlan.md
@@ -7,7 +7,7 @@ ms.sitesec: library
 author: jdeckerMS
 ms.localizationpriority: medium
 ms.author: jdecker
-ms.date: 04/23/2018
+ms.date: 04/30/2018
 ---
 
 # WLAN (reference)
diff --git a/windows/configuration/wcd/wcd-workplace.md b/windows/configuration/wcd/wcd-workplace.md
index 9f4f608ba7..82ade46236 100644
--- a/windows/configuration/wcd/wcd-workplace.md
+++ b/windows/configuration/wcd/wcd-workplace.md
@@ -7,7 +7,7 @@ ms.sitesec: library
 author: jdeckerMS
 ms.localizationpriority: medium
 ms.author: jdecker
-ms.date: 04/23/2018
+ms.date: 04/30/2018
 ---
 
 # Workplace (reference)
diff --git a/windows/configuration/wcd/wcd.md b/windows/configuration/wcd/wcd.md
index dd3e48f99d..6cf786c7ee 100644
--- a/windows/configuration/wcd/wcd.md
+++ b/windows/configuration/wcd/wcd.md
@@ -7,7 +7,7 @@ ms.sitesec: library
 author: jdeckerMS
 ms.localizationpriority: medium
 ms.author: jdecker
-ms.date: 04/23/2018
+ms.date: 04/30/2018
 ---
 
 # Windows Configuration Designer provisioning settings (reference)
diff --git a/windows/configuration/windows-10-start-layout-options-and-policies.md b/windows/configuration/windows-10-start-layout-options-and-policies.md
index 891f928d4d..615d0cdf01 100644
--- a/windows/configuration/windows-10-start-layout-options-and-policies.md
+++ b/windows/configuration/windows-10-start-layout-options-and-policies.md
@@ -37,6 +37,9 @@ Organizations might want to deploy a customized Start and taskbar configuration
 
 Some areas of Start can be managed using Group Policy. The layout of Start tiles can be managed using either Group Policy or Mobile Device Management (MDM) policy.
 
+>[!NOTE]
+>The MDM policy settings in the table can also be configured [in a provisioning package](customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md) using **Policies** > **Start**. [See the reference for **Start** settings in Windows Configuration Designer.](https://docs.microsoft.com/windows/configuration/wcd/wcd-policies#start)
+
 The following table lists the different parts of Start and any applicable policy settings or Settings options. Group Policy settings are in the **User Configuration**\\**Administrative Templates**\\**Start Menu and Taskbar** path except where a different path is listed in the table.
 
 | Start | Policy | Local setting |
@@ -54,6 +57,8 @@ The following table lists the different parts of Start and any applicable policy
 | All Settings | Group Policy: **Prevent changes to Taskbar and Start Menu Settings** | none |
 | Taskbar | MDM: **Start/NoPinningToTaskbar** | none |
 
+>[!NOTE]
+>In local **Settings** > **Personalization** > **Start**, there is an option to **Show more tiles**. The default tile layout for Start tiles is 3 columns of medium sized tiles. **Show more tiles** enables 4 columns. To configure the 4-column layout when you [customize and export a Start layout](customize-and-export-start-layout.md), turn on the **Show more tiles** setting and then arrange your tiles.
 
 [Learn how to customize and export Start layout](customize-and-export-start-layout.md)
 
diff --git a/windows/configuration/windows-spotlight.md b/windows/configuration/windows-spotlight.md
index 21c0ef9bf2..8698db70b2 100644
--- a/windows/configuration/windows-spotlight.md
+++ b/windows/configuration/windows-spotlight.md
@@ -8,7 +8,7 @@ ms.mktglfcycl: explore
 ms.sitesec: library
 author: jdeckerms
 ms.localizationpriority: high
-ms.date: 04/23/2018
+ms.date: 04/30/2018
 ---
 
 # Configure Windows Spotlight on the lock screen
diff --git a/windows/deployment/TOC.md b/windows/deployment/TOC.md
index b0f27ea80e..4c793ea5fb 100644
--- a/windows/deployment/TOC.md
+++ b/windows/deployment/TOC.md
@@ -1,5 +1,5 @@
 # [Deploy and update Windows 10](https://docs.microsoft.com/en-us/windows/deployment)
-
+## [Deploy Windows 10 with Microsoft 365](deploy-m365.md)
 ## [What's new in Windows 10 deployment](deploy-whats-new.md)
 ## [Windows 10 deployment scenarios](windows-10-deployment-scenarios.md)
 
diff --git a/windows/deployment/change-history-for-deploy-windows-10.md b/windows/deployment/change-history-for-deploy-windows-10.md
index 5f48b4eb49..f189dd0f7c 100644
--- a/windows/deployment/change-history-for-deploy-windows-10.md
+++ b/windows/deployment/change-history-for-deploy-windows-10.md
@@ -12,6 +12,12 @@ ms.date: 11/08/2017
 # Change history for Deploy Windows 10
 This topic lists new and updated topics in the [Deploy Windows 10](https://docs.microsoft.com/en-us/windows/deployment) documentation for [Windows 10 and Windows 10 Mobile](/windows/windows-10).
 
+## April 2018
+
+New or changed topic | Description
+--- | ---
+[Install VAMT](volume-activation/install-vamt.md) | Updated the instructions and link for SQL Server Express.
+
 ## November 2017
 
 New or changed topic | Description
diff --git a/windows/deployment/deploy-m365.md b/windows/deployment/deploy-m365.md
new file mode 100644
index 0000000000..2fbc7cfda4
--- /dev/null
+++ b/windows/deployment/deploy-m365.md
@@ -0,0 +1,66 @@
+---
+title: Deploy Windows 10 with Microsoft 365
+description: Concepts about deploying Windows 10 for M365
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: deploy
+keywords: deployment, automate, tools, configure, mdt, sccm, M365
+ms.localizationpriority: high
+ms.date: 04/23/2018
+author: greg-lindsay
+---
+
+# Deploy Windows 10 with Microsoft 365
+
+**Applies to**
+
+-   Windows 10
+
+This topic provides a brief overview of Microsoft 365 and describes how to use a free 90-day trial account to review some of the benefits of Microsoft 365.
+
+[Microsoft 365](https://www.microsoft.com/microsoft-365) is a new offering from Microsoft that combines [Windows 10](https://www.microsoft.com/windows/features) with [Office 365](https://products.office.com/business/explore-office-365-for-business), and [Enterprise Mobility and Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security) (EMS).
+
+For Windows 10 deployment, Microsoft 365 includes a fantasic deployment advisor that can walk you through the entire process of deploying Windows 10. The wizard supports multiple Windows 10 deployment methods, including:
+
+- Windows AutoPilot
+- In-place upgrade
+- Deploying Windows 10 upgrade with Intune
+- Deploying Windows 10 upgrade with System Center Configuration Manager
+- Deploying a computer refresh with System Center Configuration Manager
+
+## Free trial account
+
+You can check out the Microsoft 365 deployment advisor and other resources for free! Just follow the steps below. 
+
+1. Obtain a free EMS 90-day trial by visiting the following link. Provide your email address and answer a few simple questions.
+
+    [Free Trial - Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security-trial)
+
+2. Check out the [Microsoft 365 deployment advisor](https://portal.office.com/onboarding/Microsoft365DeploymentAdvisor#/).
+3. Also check out the [Windows Analytics deployment advisor](https://portal.office.com/onboarding/WindowsAnalyticsDeploymentAdvisor#/). This advisor will walk you through deploying [Upgrade Readiness](https://docs.microsoft.com/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness), [Update Compliance](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor), and [Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-monitor). 
+
+That's all there is to it! 
+
+Examples of these two deployment advisors are shown below.
+
+- [Microsoft 365 deployment advisor example](#microsoft-365-deployment-advisor-example)
+- [Windows Analytics deployment advisor example](#windows-analytics-deployment-advisor-example)
+
+## Microsoft 365 deployment advisor example
+![Microsoft 365 deployment advisor](images/m365da.png)
+
+## Windows Analytics deployment advisor example
+![Windows Analytics deployment advisor](images/wada.png)
+
+## Related Topics
+
+[Windows 10 deployment scenarios](windows-10-deployment-scenarios.md)
+ 
+
+ 
+
+
+
+
+
diff --git a/windows/deployment/images/m365da.PNG b/windows/deployment/images/m365da.PNG
new file mode 100644
index 0000000000..8f83c3bf8a
Binary files /dev/null and b/windows/deployment/images/m365da.PNG differ
diff --git a/windows/deployment/images/wada.PNG b/windows/deployment/images/wada.PNG
new file mode 100644
index 0000000000..1c715e8f0e
Binary files /dev/null and b/windows/deployment/images/wada.PNG differ
diff --git a/windows/deployment/volume-activation/install-vamt.md b/windows/deployment/volume-activation/install-vamt.md
index 1fb488e7ea..a6feddf84d 100644
--- a/windows/deployment/volume-activation/install-vamt.md
+++ b/windows/deployment/volume-activation/install-vamt.md
@@ -8,7 +8,7 @@ ms.sitesec: library
 ms.pagetype: activation
 author: jdeckerms
 ms.localizationpriority: high
-ms.date: 07/27/2017
+ms.date: 04/25/2018
 ---
 
 # Install VAMT
@@ -19,23 +19,20 @@ This topic describes how to install the Volume Activation Management Tool (VAMT)
 
 You can install VAMT as part of the [Windows Assessment and Deployment Kit (ADK)](https://go.microsoft.com/fwlink/p/?LinkId=526740) for Windows 10.
 
-**Important**  
-VAMT requires local administrator privileges on all managed computers in order to deposit confirmation IDs (CIDs), get the client products’ license status, and install product keys. If VAMT is being used to manage products and product keys on the local host computer and you do not have administrator privileges, start VAMT with elevated privileges. For Active Directory-Based Activation use, for best results we recommend running VAMT while logged on as a domain administrator. 
+>[!IMPORTANT]  
+>VAMT requires local administrator privileges on all managed computers in order to deposit confirmation IDs (CIDs), get the client products’ license status, and install product keys. If VAMT is being used to manage products and product keys on the local host computer and you do not have administrator privileges, start VAMT with elevated privileges. For Active Directory-Based Activation use, for best results we recommend running VAMT while logged on as a domain administrator. 
 
-**Note**  
-The VAMT Microsoft Management Console snap-in ships as an x86 package. 
+>[!NOTE]  
+>The VAMT Microsoft Management Console snap-in ships as an x86 package. 
 
-After you install VAMT, if you have a computer information list (CIL) that was created in a previous version of VAMT, you must import the list into a SQL database. If you do not have SQL installed, you can download a free copy of Microsoft SQL Server Express and create a new database into which you can import the CIL. To install SQL Server Express:
+To install SQL Server Express:
 1.  Install the Windows ADK.
-2.  Ensure that **Volume Activation Management Tool** and **Microsoft® SQL Server® 2012 Express** are selected to be installed.
+2.  Ensure that **Volume Activation Management Tool** is selected to be installed.
 3.  Click **Install**.
 
 ## Select a Database
 
-**Using a SQL database installed during ADK setup**
-If SQL Server 2012 Express was installed during ADK setup, the default database name will be **ADK**.By default, VAMT is configure to use a SQL database that is installed on the local machine during ADK setup and displays the server name as **.\\ADK**. If the SQL database was installed on another machine, you must configure the database to allow remote connections and you must provide the corresponding server name. If a new VAMT database needs to be created, provide a name for the new database.
-
-**Using a SQL database installed outside of ADK setup**
+VAMT requires a SQL database. After you install VAMT, if you have a computer information list (CIL) that was created in a previous version of VAMT, you must import the list into a SQL database. If you do not have SQL installed, you can [download a free copy of Microsoft SQL Server Express](https://www.microsoft.com/sql-server/sql-server-editions-express) and create a new database into which you can import the CIL. 
 
 You must configure SQL installation to allow remote connections and you must provide the corresponding server name in the format: *Machine Name\\SQL Server Name*. If a new VAMT database needs to be created, provide a name for the new database.
 
diff --git a/windows/security/identity-protection/vpn/vpn-conditional-access.md b/windows/security/identity-protection/vpn/vpn-conditional-access.md
index 26fe73a382..7d22c3efb9 100644
--- a/windows/security/identity-protection/vpn/vpn-conditional-access.md
+++ b/windows/security/identity-protection/vpn/vpn-conditional-access.md
@@ -7,9 +7,10 @@ ms.sitesec: library
 ms.pagetype: security, networking
 author: shortpatti
 ms.author: pashort
+manager: elizapo
 ms.reviewer: 
 ms.localizationpriority: high
-ms.date: 04/17/2018
+ms.date: 04/20/2018
 ---
 
 # VPN and conditional access
@@ -44,14 +45,13 @@ Conditional Access Platform components used for Device Compliance include the fo
     - Encryption compliance
     - Device health attestation state (validated against attestation service after query)
 
-
 The following client-side components are also required:
 - [HealthAttestation Configuration Service Provider (CSP)](https://msdn.microsoft.com/library/windows/hardware/dn934876.aspx)
 - [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx) DeviceCompliance node settings
 - Trusted Platform Module (TPM)
 
 ## VPN device compliance 
-According to the VPNv2 CSP, these settings options are **Optional**.  If you want your users to access on-premises resources, such as files on a network share, based on the credential of a certificate that was issued by an on-premises CA, and not the Cloud CA certificate, you add these settings to the VPNv2 profile.  Alternatively, if you add the cloud root certs to the NTAuth store in on-prem AD, your user's cloud cert will chain and KDC will issue TGT and TGS tickets to them.
+According to the VPNv2 CSP, these settings options are **Optional**.  If you want your users to access on-premises resources, such as files on a network share, based on the credential of a certificate that was issued by an on-premises CA, and not the Cloud CA certificate, you add these settings to the VPNv2 profile.  Alternatively, if you add the cloud root certificates to the NTAuth store in on-prem AD, your user's cloud certificate will chain and KDC will issue TGT and TGS tickets to them.
 
 Server-side infrastructure requirements to support VPN device compliance include:
 
@@ -77,8 +77,12 @@ Two client-side configuration service providers are leveraged for VPN device com
    - Provisions the Health Attestation Certificate received from the HAS
    - Upon request, forwards the Health Attestation Certificate (received from HAS) and related runtime information to the MDM server for verification
    
+>[!NOTE]
+>Enabling SSO is not necessarily required unless you want VPN users to be issued Kerberos tickets to access on-premises resources using a certificate issued by the on-premises CA; not the cloud certificate issued by AAD.
+
+
 ## Client connection flow
-The  VPN client side connection flow works as follows:
+The VPN client side connection flow works as follows:
 
 ![Device compliance workflow when VPN client attempts to connect](images/vpn-device-compliance.png)
  
@@ -94,13 +98,6 @@ When a VPNv2 Profile is configured with \<DeviceCompliance> \<Enabled>true<\/Ena
 
 See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](https://msdn.microsoft.com/library/windows/hardware/dn914776.aspx) for XML configuration. 
 
-The following image shows conditional access options in a VPN Profile configuration policy using Microsoft Intune.
-
-![conditional access in profile](images/vpn-conditional-access-intune.png)
-
->[!NOTE]
->In Intune, the certificate selected in **Select a client certificate for client authentication** does not set any VPNv2 CSP nodes. It is simply a way to tie the VPN profile’s successful provisioning to the existence of a certificate. If you are enabling conditional access and using the Azure AD short-lived certificate for both VPN server authentication and domain resource authentication, do not select a certificate since the short-lived certificate is not a certificate that would be on the user’s device yet.
-
 ## Learn more about Conditional Access and Azure AD Health
 
 - [Azure Active Directory conditional access](https://azure.microsoft.com/documentation/articles/active-directory-conditional-access/)
@@ -112,9 +109,7 @@ The following image shows conditional access options in a VPN Profile configurat
 - [Tip of the Day: The Conditional Access Framework and Device Compliance for VPN (Part 4)](https://blogs.technet.microsoft.com/tip_of_the_day/2016/03/16/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn-part-4/)
 
 
-
 ## Related topics
-
 - [VPN technical guide](vpn-guide.md)
 - [VPN connection types](vpn-connection-type.md)
 - [VPN routing decisions](vpn-routing.md)
diff --git a/windows/security/index.yml b/windows/security/index.yml
index 7a1ed6b87c..a465944d46 100644
--- a/windows/security/index.yml
+++ b/windows/security/index.yml
@@ -154,7 +154,7 @@ sections:
       
       title: Windows Hello for Business
       
-    - href: \windows\security\threat-protection\windows-defender-application-control
+    - href: \windows\security\threat-protection\windows-defender-application-control\windows-defender-application-control
 
       html: <p>Lock down applications that run on a device</p>
 
@@ -251,7 +251,7 @@ sections:
     - html: <a href="/windows/security/identity-protection/windows-firewall/windows-firewall-with-advanced-security">Windows Defender Firewall</a>
     - html: <a href="/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard">Windows Defender Exploit Guard</a>
     - html: <a href="/windows/security/identity-protection/credential-guard/credential-guard">Windows Defender Credential Guard</a>
-    - html: <a href="/windows/security/threat-protection/device-guard/device-guard-deployment-guide">Windows Defender Device Guard</a>  
+    - html: <a href="/windows/security/threat-protection/windows-defender-device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control">Windows Defender Device Guard</a>  
     - html: <a href="/windows/security/threat-protection/windows-defender-application-guard/wd-app-guard-overview">Windows Defender Application Guard</a>
     - html: <a href="/windows/security/threat-protection/windows-defender-smartscreen/windows-defender-smartscreen-overview">Windows Defender SmartScreen</a>  
     - html: <a href="/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center">Windows Defender Security Center</a>
diff --git a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
index 41f2b07751..ad44659819 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
@@ -393,7 +393,7 @@ This policy setting allows you to block direct memory access (DMA) for all hot p
 
 **Reference**
 
-This policy setting is only enforced when BitLocker or device encyption is enabled.
+This policy setting is only enforced when BitLocker or device encyption is enabled. As explained in the [Microoft Security Guidance blog](https://blogs.technet.microsoft.com/secguide/2018/01/18/issue-with-bitlockerdma-setting-in-windows-10-fall-creators-update-v1709/), in some cases when this setting is enabled, internal, PCI-based peripherals can fail, including wireless network drivers and input and audio peripherals. This problem is fixed in the [April 2018 quality update](https://support.microsoft.com/help/4093105/windows-10-update-kb4093105).
 
 ### <a href="" id="bkmk-dpinchange"></a>Disallow standard users from changing the PIN or password
 
diff --git a/windows/security/threat-protection/TOC.md b/windows/security/threat-protection/TOC.md
index f91ae2f8f5..2cad540881 100644
--- a/windows/security/threat-protection/TOC.md
+++ b/windows/security/threat-protection/TOC.md
@@ -1,21 +1,21 @@
 # [Threat protection](index.md)
 
 
-## [The Windows Defender Security Center app](windows-defender-security-center\windows-defender-security-center.md)
-### [Customize the Windows Defender Security Center app for your organization](windows-defender-security-center\wdsc-customize-contact-information.md)
-### [Hide Windows Defender Security Center app notifications](windows-defender-security-center\wdsc-hide-notifications.md)
-### [Virus and threat protection](windows-defender-security-center\wdsc-virus-threat-protection.md)
-### [Device performance and health](windows-defender-security-center\wdsc-device-performance-health.md)
-### [Firewall and network protection](windows-defender-security-center\wdsc-firewall-network-protection.md)
-### [App and browser control](windows-defender-security-center\wdsc-app-browser-control.md)
-### [Family options](windows-defender-security-center\wdsc-family-options.md)
+## [The Windows Defender Security Center app](windows-defender-security-center/windows-defender-security-center.md)
+### [Customize the Windows Defender Security Center app for your organization](windows-defender-security-center/wdsc-customize-contact-information.md)
+### [Hide Windows Defender Security Center app notifications](windows-defender-security-center/wdsc-hide-notifications.md)
+### [Virus and threat protection](windows-defender-security-center/wdsc-virus-threat-protection.md)
+### [Device performance and health](windows-defender-security-center/wdsc-device-performance-health.md)
+### [Firewall and network protection](windows-defender-security-center/wdsc-firewall-network-protection.md)
+### [App and browser control](windows-defender-security-center/wdsc-app-browser-control.md)
+### [Family options](windows-defender-security-center/wdsc-family-options.md)
 
 
 
 
 
 
-## [Windows Defender Advanced Threat Protection](windows-defender-atp\windows-defender-advanced-threat-protection.md)
+## [Windows Defender Advanced Threat Protection](windows-defender-atp/windows-defender-advanced-threat-protection.md)
 ###Get started
 #### [Minimum requirements](windows-defender-atp\minimum-requirements-windows-defender-advanced-threat-protection.md)
 #### [Validate licensing and complete setup](windows-defender-atp\licensing-windows-defender-advanced-threat-protection.md)
@@ -45,48 +45,48 @@
 
 ###Investigate and remediate threats
 ####Alerts queue
-##### [View and organize the Alerts queue](windows-defender-atp\alerts-queue-windows-defender-advanced-threat-protection.md)
-##### [Manage alerts](windows-defender-atp\manage-alerts-windows-defender-advanced-threat-protection.md)
-##### [Investigate alerts](windows-defender-atp\investigate-alerts-windows-defender-advanced-threat-protection.md)
-##### [Investigate files](windows-defender-atp\investigate-files-windows-defender-advanced-threat-protection.md)
-##### [Investigate machines](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md)
-##### [Investigate an IP address](windows-defender-atp\investigate-ip-windows-defender-advanced-threat-protection.md)
-##### [Investigate a domain](windows-defender-atp\investigate-domain-windows-defender-advanced-threat-protection.md)
-##### [Investigate a user account](windows-defender-atp\investigate-user-windows-defender-advanced-threat-protection.md)
+##### [View and organize the Alerts queue](windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md)
+##### [Manage alerts](windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md)
+##### [Investigate alerts](windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md)
+##### [Investigate files](windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md)
+##### [Investigate machines](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md)
+##### [Investigate an IP address](windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md)
+##### [Investigate a domain](windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md)
+##### [Investigate a user account](windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md)
 
 
 
 
 ####Machines list
-##### [View and organize the Machines list](windows-defender-atp\machines-view-overview-windows-defender-advanced-threat-protection.md)
-##### [Manage machine group and tags](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#manage-machine-group-and-tags)
-##### [Alerts related to this machine](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#alerts-related-to-this-machine)
-##### [Machine timeline](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#machine-timeline)
-###### [Search for specific events](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#search-for-specific-events)
-###### [Filter events from a specific date](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#filter-events-from-a-specific-date)
-###### [Export machine timeline events](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#export-machine-timeline-events)
-###### [Navigate between pages](windows-defender-atp\investigate-machines-windows-defender-advanced-threat-protection.md#navigate-between-pages)
+##### [View and organize the Machines list](windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md)
+##### [Manage machine group and tags](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#manage-machine-group-and-tags)
+##### [Alerts related to this machine](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#alerts-related-to-this-machine)
+##### [Machine timeline](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#machine-timeline)
+###### [Search for specific events](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#search-for-specific-events)
+###### [Filter events from a specific date](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#filter-events-from-a-specific-date)
+###### [Export machine timeline events](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#export-machine-timeline-events)
+###### [Navigate between pages](windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md#navigate-between-pages)
 
 
-#### [Take response actions](windows-defender-atp\response-actions-windows-defender-advanced-threat-protection.md)
-##### [Take response actions on a machine](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md)
-###### [Collect investigation package](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package-from-machines)
-###### [Run antivirus scan](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#run-windows-defender-antivirus-scan-on-machines)
-###### [Restrict app execution](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#restrict-app-execution)
-###### [Remove app restriction](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#remove-app-restriction)
-###### [Isolate machines from the network](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#isolate-machines-from-the-network)
-###### [Release machine from isolation](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#release-machine-from-isolation)
-###### [Check activity details in Action center](windows-defender-atp\respond-machine-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center)
-##### [Take response actions on a file](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md)
-###### [Stop and quarantine files in your network](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#stop-and-quarantine-files-in-your-network)
-###### [Remove file from quarantine](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-quarantine)
-###### [Block files in your network](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#block-files-in-your-network)
-###### [Remove file from blocked list](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-blocked-list)
-###### [Check activity details in Action center](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center)
-###### [Deep analysis](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#deep-analysis)
-####### [Submit files for analysis](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#submit-files-for-analysis)
-####### [View deep analysis reports](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#view-deep-analysis-reports)
-####### [Troubleshoot deep analysis](windows-defender-atp\respond-file-alerts-windows-defender-advanced-threat-protection.md#troubleshoot-deep-analysis)
+#### [Take response actions](windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md)
+##### [Take response actions on a machine](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md)
+###### [Collect investigation package](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package-from-machines)
+###### [Run antivirus scan](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#run-windows-defender-antivirus-scan-on-machines)
+###### [Restrict app execution](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#restrict-app-execution)
+###### [Remove app restriction](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#remove-app-restriction)
+###### [Isolate machines from the network](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#isolate-machines-from-the-network)
+###### [Release machine from isolation](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#release-machine-from-isolation)
+###### [Check activity details in Action center](windows-defender-atp/respond-machine-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center)
+##### [Take response actions on a file](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md)
+###### [Stop and quarantine files in your network](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#stop-and-quarantine-files-in-your-network)
+###### [Remove file from quarantine](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-quarantine)
+###### [Block files in your network](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#block-files-in-your-network)
+###### [Remove file from blocked list](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-blocked-list)
+###### [Check activity details in Action center](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center)
+###### [Deep analysis](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#deep-analysis)
+####### [Submit files for analysis](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#submit-files-for-analysis)
+####### [View deep analysis reports](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#view-deep-analysis-reports)
+####### [Troubleshoot deep analysis](windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md#troubleshoot-deep-analysis)
 
 #### [Use Automated investigation to investigate and remediate threats](windows-defender-atp\automated-investigations-windows-defender-advanced-threat-protection.md)
 #### [Query data using Advanced hunting](windows-defender-atp\advanced-hunting-windows-defender-advanced-threat-protection.md)
@@ -94,86 +94,86 @@
 ##### [Advanced hunting query language best practices](windows-defender-atp\advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md)
 
 ###API and SIEM support
-#### [Pull alerts to your SIEM tools](windows-defender-atp\configure-siem-windows-defender-advanced-threat-protection.md)
-##### [Enable SIEM integration](windows-defender-atp\enable-siem-integration-windows-defender-advanced-threat-protection.md)
-##### [Configure Splunk to pull alerts](windows-defender-atp\configure-splunk-windows-defender-advanced-threat-protection.md)
-##### [Configure HP ArcSight to pull alerts](windows-defender-atp\configure-arcsight-windows-defender-advanced-threat-protection.md)
-##### [Windows Defender ATP alert API fields](windows-defender-atp\api-portal-mapping-windows-defender-advanced-threat-protection.md)
-##### [Pull alerts using REST API](windows-defender-atp\pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
-##### [Troubleshoot SIEM tool integration issues](windows-defender-atp\troubleshoot-siem-windows-defender-advanced-threat-protection.md)
+#### [Pull alerts to your SIEM tools](windows-defender-atp/configure-siem-windows-defender-advanced-threat-protection.md)
+##### [Enable SIEM integration](windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md)
+##### [Configure Splunk to pull alerts](windows-defender-atp/configure-splunk-windows-defender-advanced-threat-protection.md)
+##### [Configure HP ArcSight to pull alerts](windows-defender-atp/configure-arcsight-windows-defender-advanced-threat-protection.md)
+##### [Windows Defender ATP alert API fields](windows-defender-atp/api-portal-mapping-windows-defender-advanced-threat-protection.md)
+##### [Pull alerts using REST API](windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
+##### [Troubleshoot SIEM tool integration issues](windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md)
 
-#### [Use the threat intelligence API to create custom alerts](windows-defender-atp\use-custom-ti-windows-defender-advanced-threat-protection.md)
-##### [Understand threat intelligence concepts](windows-defender-atp\threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
-##### [Enable the custom threat intelligence application](windows-defender-atp\enable-custom-ti-windows-defender-advanced-threat-protection.md)
-##### [Create custom threat intelligence alerts](windows-defender-atp\custom-ti-api-windows-defender-advanced-threat-protection.md)
-##### [PowerShell code examples](windows-defender-atp\powershell-example-code-windows-defender-advanced-threat-protection.md)
-##### [Python code examples](windows-defender-atp\python-example-code-windows-defender-advanced-threat-protection.md)
-##### [Experiment with custom threat intelligence alerts](windows-defender-atp\experiment-custom-ti-windows-defender-advanced-threat-protection.md)
-##### [Troubleshoot custom threat intelligence issues](windows-defender-atp\troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
-#### [Use the Windows Defender ATP exposed APIs](windows-defender-atp\exposed-apis-windows-defender-advanced-threat-protection.md)
-##### [Supported Windows Defender ATP APIs](windows-defender-atp\supported-apis-windows-defender-advanced-threat-protection.md)
+#### [Use the threat intelligence API to create custom alerts](windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md)
+##### [Understand threat intelligence concepts](windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
+##### [Enable the custom threat intelligence application](windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md)
+##### [Create custom threat intelligence alerts](windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md)
+##### [PowerShell code examples](windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md)
+##### [Python code examples](windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md)
+##### [Experiment with custom threat intelligence alerts](windows-defender-atp/experiment-custom-ti-windows-defender-advanced-threat-protection.md)
+##### [Troubleshoot custom threat intelligence issues](windows-defender-atp/troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
+#### [Use the Windows Defender ATP exposed APIs](windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection.md)
+##### [Supported Windows Defender ATP APIs](windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md)
 ######Actor
-####### [Get actor information](windows-defender-atp\get-actor-information-windows-defender-advanced-threat-protection.md)
-####### [Get actor related alerts](windows-defender-atp\get-actor-related-alerts-windows-defender-advanced-threat-protection.md)
+####### [Get actor information](windows-defender-atp/get-actor-information-windows-defender-advanced-threat-protection.md)
+####### [Get actor related alerts](windows-defender-atp/get-actor-related-alerts-windows-defender-advanced-threat-protection.md)
 ######Alerts
-####### [Get alerts](windows-defender-atp\get-alerts-windows-defender-advanced-threat-protection.md)
-####### [Get alert information by ID](windows-defender-atp\get-alert-info-by-id-windows-defender-advanced-threat-protection.md)
-####### [Get alert related actor information](windows-defender-atp\get-alert-related-actor-info-windows-defender-advanced-threat-protection.md)
-####### [Get alert related domain information](windows-defender-atp\get-alert-related-domain-info-windows-defender-advanced-threat-protection.md)
-####### [Get alert related file information](windows-defender-atp\get-alert-related-files-info-windows-defender-advanced-threat-protection.md)
-####### [Get alert related IP information](windows-defender-atp\get-alert-related-ip-info-windows-defender-advanced-threat-protection.md)
-####### [Get alert related machine information](windows-defender-atp\get-alert-related-machine-info-windows-defender-advanced-threat-protection.md)
+####### [Get alerts](windows-defender-atp/get-alerts-windows-defender-advanced-threat-protection.md)
+####### [Get alert information by ID](windows-defender-atp/get-alert-info-by-id-windows-defender-advanced-threat-protection.md)
+####### [Get alert related actor information](windows-defender-atp/get-alert-related-actor-info-windows-defender-advanced-threat-protection.md)
+####### [Get alert related domain information](windows-defender-atp/get-alert-related-domain-info-windows-defender-advanced-threat-protection.md)
+####### [Get alert related file information](windows-defender-atp/get-alert-related-files-info-windows-defender-advanced-threat-protection.md)
+####### [Get alert related IP information](windows-defender-atp/get-alert-related-ip-info-windows-defender-advanced-threat-protection.md)
+####### [Get alert related machine information](windows-defender-atp/get-alert-related-machine-info-windows-defender-advanced-threat-protection.md)
 ######Domain
-#######  [Get domain related alerts](windows-defender-atp\get-domain-related-alerts-windows-defender-advanced-threat-protection.md)
-####### [Get domain related machines](windows-defender-atp\get-domain-related-machines-windows-defender-advanced-threat-protection.md)
-####### [Get domain statistics](windows-defender-atp\get-domain-statistics-windows-defender-advanced-threat-protection.md)
-####### [Is domain seen in organization](windows-defender-atp\is-domain-seen-in-org-windows-defender-advanced-threat-protection.md)
+#######  [Get domain related alerts](windows-defender-atp/get-domain-related-alerts-windows-defender-advanced-threat-protection.md)
+####### [Get domain related machines](windows-defender-atp/get-domain-related-machines-windows-defender-advanced-threat-protection.md)
+####### [Get domain statistics](windows-defender-atp/get-domain-statistics-windows-defender-advanced-threat-protection.md)
+####### [Is domain seen in organization](windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md)
 
 ######File
-####### [Block file API](windows-defender-atp\block-file-windows-defender-advanced-threat-protection.md)
-####### [Get file information](windows-defender-atp\get-file-information-windows-defender-advanced-threat-protection.md)
-####### [Get file related alerts](windows-defender-atp\get-file-related-alerts-windows-defender-advanced-threat-protection.md)
-####### [Get file related machines](windows-defender-atp\get-file-related-machines-windows-defender-advanced-threat-protection.md)
-####### [Get file statistics](windows-defender-atp\get-file-statistics-windows-defender-advanced-threat-protection.md)
-####### [Get FileActions collection API](windows-defender-atp\get-fileactions-collection-windows-defender-advanced-threat-protection.md)
-####### [Unblock file API](windows-defender-atp\unblock-file-windows-defender-advanced-threat-protection.md)
+####### [Block file API](windows-defender-atp/block-file-windows-defender-advanced-threat-protection.md)
+####### [Get file information](windows-defender-atp/get-file-information-windows-defender-advanced-threat-protection.md)
+####### [Get file related alerts](windows-defender-atp/get-file-related-alerts-windows-defender-advanced-threat-protection.md)
+####### [Get file related machines](windows-defender-atp/get-file-related-machines-windows-defender-advanced-threat-protection.md)
+####### [Get file statistics](windows-defender-atp/get-file-statistics-windows-defender-advanced-threat-protection.md)
+####### [Get FileActions collection API](windows-defender-atp/get-fileactions-collection-windows-defender-advanced-threat-protection.md)
+####### [Unblock file API](windows-defender-atp/unblock-file-windows-defender-advanced-threat-protection.md)
 
 ######IP
-####### [Get IP related alerts](windows-defender-atp\get-ip-related-alerts-windows-defender-advanced-threat-protection.md)
-####### [Get IP related machines](windows-defender-atp\get-ip-related-machines-windows-defender-advanced-threat-protection.md)
-####### [Get IP statistics](windows-defender-atp\get-ip-statistics-windows-defender-advanced-threat-protection.md)
-####### [Is IP seen in organization](windows-defender-atp\is-ip-seen-org-windows-defender-advanced-threat-protection.md)
+####### [Get IP related alerts](windows-defender-atp/get-ip-related-alerts-windows-defender-advanced-threat-protection.md)
+####### [Get IP related machines](windows-defender-atp/get-ip-related-machines-windows-defender-advanced-threat-protection.md)
+####### [Get IP statistics](windows-defender-atp/get-ip-statistics-windows-defender-advanced-threat-protection.md)
+####### [Is IP seen in organization](windows-defender-atp/is-ip-seen-org-windows-defender-advanced-threat-protection.md)
 ######Machines
-####### [Collect investigation package API](windows-defender-atp\collect-investigation-package-windows-defender-advanced-threat-protection.md)
-####### [Find machine information by IP](windows-defender-atp\find-machine-info-by-ip-windows-defender-advanced-threat-protection.md)
-####### [Get machines](windows-defender-atp\get-machines-windows-defender-advanced-threat-protection.md)
-####### [Get FileMachineAction object API](windows-defender-atp\get-filemachineaction-object-windows-defender-advanced-threat-protection.md)
-####### [Get FileMachineActions collection API](windows-defender-atp\get-filemachineactions-collection-windows-defender-advanced-threat-protection.md)
-####### [Get machine by ID](windows-defender-atp\get-machine-by-id-windows-defender-advanced-threat-protection.md)
-####### [Get machine log on users](windows-defender-atp\get-machine-log-on-users-windows-defender-advanced-threat-protection.md)
-####### [Get machine related alerts](windows-defender-atp\get-machine-related-alerts-windows-defender-advanced-threat-protection.md)
-####### [Get MachineAction object API](windows-defender-atp\get-machineaction-object-windows-defender-advanced-threat-protection.md)
-####### [Get MachineActions collection API](windows-defender-atp\get-machineactions-collection-windows-defender-advanced-threat-protection.md)
-####### [Get machines](windows-defender-atp\get-machines-windows-defender-advanced-threat-protection.md)
-####### [Get package SAS URI API](windows-defender-atp\get-package-sas-uri-windows-defender-advanced-threat-protection.md)
-####### [Isolate machine API](windows-defender-atp\isolate-machine-windows-defender-advanced-threat-protection.md)
-####### [Release machine from isolation API](windows-defender-atp\unisolate-machine-windows-defender-advanced-threat-protection.md)
-####### [Remove app restriction API](windows-defender-atp\unrestrict-code-execution-windows-defender-advanced-threat-protection.md)
-####### [Request sample API](windows-defender-atp\request-sample-windows-defender-advanced-threat-protection.md)
-####### [Restrict app execution API](windows-defender-atp\restrict-code-execution-windows-defender-advanced-threat-protection.md)
-####### [Run antivirus scan API](windows-defender-atp\run-av-scan-windows-defender-advanced-threat-protection.md)
-####### [Stop and quarantine file API](windows-defender-atp\stop-quarantine-file-windows-defender-advanced-threat-protection.md)
+####### [Collect investigation package API](windows-defender-atp/collect-investigation-package-windows-defender-advanced-threat-protection.md)
+####### [Find machine information by IP](windows-defender-atp/find-machine-info-by-ip-windows-defender-advanced-threat-protection.md)
+####### [Get machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md)
+####### [Get FileMachineAction object API](windows-defender-atp/get-filemachineaction-object-windows-defender-advanced-threat-protection.md)
+####### [Get FileMachineActions collection API](windows-defender-atp/get-filemachineactions-collection-windows-defender-advanced-threat-protection.md)
+####### [Get machine by ID](windows-defender-atp/get-machine-by-id-windows-defender-advanced-threat-protection.md)
+####### [Get machine log on users](windows-defender-atp/get-machine-log-on-users-windows-defender-advanced-threat-protection.md)
+####### [Get machine related alerts](windows-defender-atp/get-machine-related-alerts-windows-defender-advanced-threat-protection.md)
+####### [Get MachineAction object API](windows-defender-atp/get-machineaction-object-windows-defender-advanced-threat-protection.md)
+####### [Get MachineActions collection API](windows-defender-atp/get-machineactions-collection-windows-defender-advanced-threat-protection.md)
+####### [Get machines](windows-defender-atp/get-machines-windows-defender-advanced-threat-protection.md)
+####### [Get package SAS URI API](windows-defender-atp/get-package-sas-uri-windows-defender-advanced-threat-protection.md)
+####### [Isolate machine API](windows-defender-atp/isolate-machine-windows-defender-advanced-threat-protection.md)
+####### [Release machine from isolation API](windows-defender-atp/unisolate-machine-windows-defender-advanced-threat-protection.md)
+####### [Remove app restriction API](windows-defender-atp/unrestrict-code-execution-windows-defender-advanced-threat-protection.md)
+####### [Request sample API](windows-defender-atp/request-sample-windows-defender-advanced-threat-protection.md)
+####### [Restrict app execution API](windows-defender-atp/restrict-code-execution-windows-defender-advanced-threat-protection.md)
+####### [Run antivirus scan API](windows-defender-atp/run-av-scan-windows-defender-advanced-threat-protection.md)
+####### [Stop and quarantine file API](windows-defender-atp/stop-quarantine-file-windows-defender-advanced-threat-protection.md)
 
 
 
 ######User
-####### [Get alert related user information](windows-defender-atp\get-alert-related-user-info-windows-defender-advanced-threat-protection.md)
-####### [Get user information](windows-defender-atp\get-user-information-windows-defender-advanced-threat-protection.md)
-####### [Get user related alerts](windows-defender-atp\get-user-related-alerts-windows-defender-advanced-threat-protection.md)
-####### [Get user related machines](windows-defender-atp\get-user-related-machines-windows-defender-advanced-threat-protection.md)
+####### [Get alert related user information](windows-defender-atp/get-alert-related-user-info-windows-defender-advanced-threat-protection.md)
+####### [Get user information](windows-defender-atp/get-user-information-windows-defender-advanced-threat-protection.md)
+####### [Get user related alerts](windows-defender-atp/get-user-related-alerts-windows-defender-advanced-threat-protection.md)
+####### [Get user related machines](windows-defender-atp/get-user-related-machines-windows-defender-advanced-threat-protection.md)
 
 ###Reporting
-#### [Create and build Power BI reports using Windows Defender ATP data](windows-defender-atp\powerbi-reports-windows-defender-advanced-threat-protection.md)
+#### [Create and build Power BI reports using Windows Defender ATP data](windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md)
 
 ###Check service health and sensor state
 #### [Check sensor state](windows-defender-atp\check-sensor-status-windows-defender-advanced-threat-protection.md)
@@ -189,6 +189,7 @@
 ##### [Enable and create Power BI reports using Windows Defender ATP data](windows-defender-atp\powerbi-reports-windows-defender-advanced-threat-protection.md)
 ##### [Enable Secure score security controls](windows-defender-atp\enable-secure-score-windows-defender-advanced-threat-protection.md)
 ##### [Configure advanced features](windows-defender-atp\advanced-features-windows-defender-advanced-threat-protection.md)
+##### [Protect data with conditional access](windows-defender-atp\conditional-access-windows-defender-advanced-threat-protection.md)
 
 ####Permissions
 ##### [Manage portal access using RBAC](windows-defender-atp\rbac-windows-defender-advanced-threat-protection.md)
@@ -267,6 +268,7 @@
 #### [Configure and run scans](windows-defender-antivirus\run-scan-windows-defender-antivirus.md)
 #### [Review scan results](windows-defender-antivirus\review-scan-results-windows-defender-antivirus.md)
 #### [Run and review the results of a Windows Defender Offline scan](windows-defender-antivirus\windows-defender-offline.md)
+#### [Restore quarantined files in Windows Defender AV](windows-defender-antivirus\restore-quarantined-files-windows-defender-antivirus.md)
 
 
 ### [Review event logs and error codes to troubleshoot issues](windows-defender-antivirus\troubleshoot-windows-defender-antivirus.md)
@@ -292,7 +294,7 @@
 #### [Evaluate Exploit protection](windows-defender-exploit-guard\evaluate-exploit-protection.md)
 #### [Enable Exploit protection](windows-defender-exploit-guard\enable-exploit-protection.md)
 #### [Customize Exploit protection](windows-defender-exploit-guard\customize-exploit-protection.md)
-##### [Import, export, and deploy Exploit protection configurations](windows-defender-exploit-guard\import-export-exploit-protection-emet-xml.md)
+##### [Import, export, and deploy Exploit protection configurations](windows-defender-exploit-guard/import-export-exploit-protection-emet-xml.md)
 ### [Attack surface reduction](windows-defender-exploit-guard\attack-surface-reduction-exploit-guard.md)
 #### [Evaluate Attack surface reduction](windows-defender-exploit-guard\evaluate-attack-surface-reduction.md)
 #### [Enable Attack surface reduction](windows-defender-exploit-guard\enable-attack-surface-reduction.md)
@@ -306,127 +308,27 @@
 #### [Evaluate Controlled folder access](windows-defender-exploit-guard\evaluate-controlled-folder-access.md)
 #### [Enable Controlled folder access](windows-defender-exploit-guard\enable-controlled-folders-exploit-guard.md)
 #### [Customize Controlled folder access](windows-defender-exploit-guard\customize-controlled-folders-exploit-guard.md)
+### [Memory integrity](windows-defender-exploit-guard\memory-integrity.md)
+#### [Requirements for virtualization-based protection of code integrity](windows-defender-exploit-guard\requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md)
+#### [Enable virtualization-based protection of code integrity](windows-defender-exploit-guard\enable-virtualization-based-protection-of-code-integrity.md)
 
 
-## [Windows Defender Application Control](windows-defender-application-control.md)
-
-## [Enable HVCI](enable-virtualization-based-protection-of-code-integrity.md)
-
-## [AppLocker](applocker\applocker-overview.md)
-### [Administer AppLocker](applocker\administer-applocker.md)
-#### [Maintain AppLocker policies](applocker\maintain-applocker-policies.md)
-#### [Edit an AppLocker policy](applocker\edit-an-applocker-policy.md)
-#### [Test and update an AppLocker policy](applocker\test-and-update-an-applocker-policy.md)
-#### [Deploy AppLocker policies by using the enforce rules setting](applocker\deploy-applocker-policies-by-using-the-enforce-rules-setting.md)
-#### [Use the AppLocker Windows PowerShell cmdlets](applocker\use-the-applocker-windows-powershell-cmdlets.md)
-#### [Use AppLocker and Software Restriction Policies in the same domain](applocker\use-applocker-and-software-restriction-policies-in-the-same-domain.md)
-#### [Optimize AppLocker performance](applocker\optimize-applocker-performance.md)
-#### [Monitor app usage with AppLocker](applocker\monitor-application-usage-with-applocker.md)
-#### [Manage packaged apps with AppLocker](applocker\manage-packaged-apps-with-applocker.md)
-#### [Working with AppLocker rules](applocker\working-with-applocker-rules.md)
-##### [Create a rule that uses a file hash condition](applocker\create-a-rule-that-uses-a-file-hash-condition.md)
-##### [Create a rule that uses a path condition](applocker\create-a-rule-that-uses-a-path-condition.md)
-##### [Create a rule that uses a publisher condition](applocker\create-a-rule-that-uses-a-publisher-condition.md)
-##### [Create AppLocker default rules](applocker\create-applocker-default-rules.md)
-##### [Add exceptions for an AppLocker rule](applocker\configure-exceptions-for-an-applocker-rule.md)
-##### [Create a rule for packaged apps](applocker\create-a-rule-for-packaged-apps.md)
-##### [Delete an AppLocker rule](applocker\delete-an-applocker-rule.md)
-##### [Edit AppLocker rules](applocker\edit-applocker-rules.md)
-##### [Enable the DLL rule collection](applocker\enable-the-dll-rule-collection.md)
-##### [Enforce AppLocker rules](applocker\enforce-applocker-rules.md)
-##### [Run the Automatically Generate Rules wizard](applocker\run-the-automatically-generate-rules-wizard.md)
-#### [Working with AppLocker policies](applocker\working-with-applocker-policies.md)
-##### [Configure the Application Identity service](applocker\configure-the-application-identity-service.md)
-##### [Configure an AppLocker policy for audit only](applocker\configure-an-applocker-policy-for-audit-only.md)
-##### [Configure an AppLocker policy for enforce rules](applocker\configure-an-applocker-policy-for-enforce-rules.md)
-##### [Display a custom URL message when users try to run a blocked app](applocker\display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md)
-##### [Export an AppLocker policy from a GPO](applocker\export-an-applocker-policy-from-a-gpo.md)
-##### [Export an AppLocker policy to an XML file](applocker\export-an-applocker-policy-to-an-xml-file.md)
-##### [Import an AppLocker policy from another computer](applocker\import-an-applocker-policy-from-another-computer.md)
-##### [Import an AppLocker policy into a GPO](applocker\import-an-applocker-policy-into-a-gpo.md)
-##### [Add rules for packaged apps to existing AppLocker rule-set](applocker\add-rules-for-packaged-apps-to-existing-applocker-rule-set.md)
-##### [Merge AppLocker policies by using Set-ApplockerPolicy](applocker\merge-applocker-policies-by-using-set-applockerpolicy.md)
-##### [Merge AppLocker policies manually](applocker\merge-applocker-policies-manually.md)
-##### [Refresh an AppLocker policy](applocker\refresh-an-applocker-policy.md)
-##### [Test an AppLocker policy by using Test-AppLockerPolicy](applocker\test-an-applocker-policy-by-using-test-applockerpolicy.md)
-### [AppLocker design guide](applocker\applocker-policies-design-guide.md)
-#### [Understand AppLocker policy design decisions](applocker\understand-applocker-policy-design-decisions.md)
-#### [Determine your application control objectives](applocker\determine-your-application-control-objectives.md)
-#### [Create a list of apps deployed to each business group](applocker\create-list-of-applications-deployed-to-each-business-group.md)
-##### [Document your app list](applocker\document-your-application-list.md)
-#### [Select the types of rules to create](applocker\select-types-of-rules-to-create.md)
-##### [Document your AppLocker rules](applocker\document-your-applocker-rules.md)
-#### [Determine the Group Policy structure and rule enforcement](applocker\determine-group-policy-structure-and-rule-enforcement.md)
-##### [Understand AppLocker enforcement settings](applocker\understand-applocker-enforcement-settings.md)
-##### [Understand AppLocker rules and enforcement setting inheritance in Group Policy](applocker\understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md)
-##### [Document the Group Policy structure and AppLocker rule enforcement](applocker\document-group-policy-structure-and-applocker-rule-enforcement.md)
-#### [Plan for AppLocker policy management](applocker\plan-for-applocker-policy-management.md)
-##### [Document your application control management processes](applocker\document-your-application-control-management-processes.md)
-#### [Create your AppLocker planning document](applocker\create-your-applocker-planning-document.md)
-### [AppLocker deployment guide](applocker\applocker-policies-deployment-guide.md)
-#### [Understand the AppLocker policy deployment process](applocker\understand-the-applocker-policy-deployment-process.md)
-#### [Requirements for Deploying AppLocker Policies](applocker\requirements-for-deploying-applocker-policies.md)
-#### [Use Software Restriction Policies and AppLocker policies](applocker\using-software-restriction-policies-and-applocker-policies.md)
-#### [Create Your AppLocker policies](applocker\create-your-applocker-policies.md)
-##### [Create Your AppLocker rules](applocker\create-your-applocker-rules.md)
-#### [Deploy the AppLocker policy into production](applocker\deploy-the-applocker-policy-into-production.md)
-##### [Use a reference device to create and maintain AppLocker policies](applocker\use-a-reference-computer-to-create-and-maintain-applocker-policies.md)
-###### [Determine which apps are digitally signed on a reference device](applocker\determine-which-applications-are-digitally-signed-on-a-reference-computer.md)
-###### [Configure the AppLocker reference device](applocker\configure-the-appLocker-reference-device.md)
-### [AppLocker technical reference](applocker\applocker-technical-reference.md)
-#### [What Is AppLocker?](applocker\what-is-applocker.md)
-#### [Requirements to use AppLocker](applocker\requirements-to-use-applocker.md)
-#### [AppLocker policy use scenarios](applocker\applocker-policy-use-scenarios.md)
-#### [How AppLocker works](applocker\how-applocker-works-techref.md)
-##### [Understanding AppLocker rule behavior](applocker\understanding-applocker-rule-behavior.md)
-##### [Understanding AppLocker rule exceptions](applocker\understanding-applocker-rule-exceptions.md)
-##### [Understanding AppLocker rule collections](applocker\understanding-applocker-rule-collections.md)
-##### [Understanding AppLocker allow and deny actions on rules](applocker\understanding-applocker-allow-and-deny-actions-on-rules.md)
-##### [Understanding AppLocker rule condition types](applocker\understanding-applocker-rule-condition-types.md)
-###### [Understanding the publisher rule condition in AppLocker](applocker\understanding-the-publisher-rule-condition-in-applocker.md)
-###### [Understanding the path rule condition in AppLocker](applocker\understanding-the-path-rule-condition-in-applocker.md)
-###### [Understanding the file hash rule condition in AppLocker](applocker\understanding-the-file-hash-rule-condition-in-applocker.md)
-##### [Understanding AppLocker default rules](applocker\understanding-applocker-default-rules.md)
-###### [Executable rules in AppLocker](applocker\executable-rules-in-applocker.md)
-###### [Windows Installer rules in AppLocker](applocker\windows-installer-rules-in-applocker.md)
-###### [Script rules in AppLocker](applocker\script-rules-in-applocker.md)
-###### [DLL rules in AppLocker](applocker\dll-rules-in-applocker.md)
-###### [Packaged apps and packaged app installer rules in AppLocker](applocker\packaged-apps-and-packaged-app-installer-rules-in-applocker.md)
-#### [AppLocker architecture and components](applocker\applocker-architecture-and-components.md)
-#### [AppLocker processes and interactions](applocker\applocker-processes-and-interactions.md)
-#### [AppLocker functions](applocker\applocker-functions.md)
-#### [Security considerations for AppLocker](applocker\security-considerations-for-applocker.md)
-#### [Tools to Use with AppLocker](applocker\tools-to-use-with-applocker.md)
-##### [Using Event Viewer with AppLocker](applocker\using-event-viewer-with-applocker.md)
-#### [AppLocker Settings](applocker\applocker-settings.md)
-
-
+## [Windows Defender Application Control](windows-defender-application-control/windows-defender-application-control.md)
 
 ## [Control the health of Windows 10-based devices](protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md)
 
-## [Device Guard deployment guide](device-guard/device-guard-deployment-guide.md)
-### [Introduction to Device Guard: virtualization-based security and WDAC](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
-### [Requirements and deployment planning guidelines for Device Guard](device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md)
-### [Planning and getting started on the Device Guard deployment process](device-guard/planning-and-getting-started-on-the-device-guard-deployment-process.md)
-### [Deploy WDAC](device-guard/deploy-windows-defender-application-control.md)
-#### [Optional: Create a code signing certificate for WDAC](device-guard/optional-create-a-code-signing-certificate-for-windows-defender-application-control.md)
-#### [Deploy WDAC: policy rules and file rules](device-guard/deploy-windows-defender-application-control-policy-rules-and-file-rules.md)
-#### [Steps to deploy WDAC](device-guard/steps-to-deploy-windows-defender-application-control.md)
-#### [Deploy catalog files to support WDAC](device-guard/deploy-catalog-files-to-support-windows-defender-application-control.md)
-#### [Deploy Managed Installer for Device Guard](device-guard/deploy-managed-installer-for-device-guard.md)
-### [Deploy Device Guard: enable virtualization-based security](device-guard/deploy-device-guard-enable-virtualization-based-security.md)
+## [Windows Defender Device Guard: virtualization-based security and WDAC](device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
 
+## [Windows Defender SmartScreen](windows-defender-smartscreen/windows-defender-smartscreen-overview.md)
+### [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen/windows-defender-smartscreen-available-settings.md)
+### [Set up and use Windows Defender SmartScreen on individual devices](windows-defender-smartscreen/windows-defender-smartscreen-set-individual-device.md)
 
-## [Windows Defender SmartScreen](windows-defender-smartscreen\windows-defender-smartscreen-overview.md)
-### [Available Windows Defender SmartScreen Group Policy and mobile device management (MDM) settings](windows-defender-smartscreen\windows-defender-smartscreen-available-settings.md)
-### [Set up and use Windows Defender SmartScreen on individual devices](windows-defender-smartscreen\windows-defender-smartscreen-set-individual-device.md)
-
-##[Windows Defender Application Guard](windows-defender-application-guard\wd-app-guard-overview.md)
-###[System requirements for Windows Defender Application Guard](windows-defender-application-guard\reqs-wd-app-guard.md)
-###[Prepare and install Windows Defender Application Guard](windows-defender-application-guard\install-wd-app-guard.md)
-###[Configure the Group Policy settings for Windows Defender Application Guard](windows-defender-application-guard\configure-wd-app-guard.md)
-###[Testing scenarios using Windows Defender Application Guard in your business or organization](windows-defender-application-guard\test-scenarios-wd-app-guard.md)
-###[Frequently Asked Questions - Windows Defender Application Guard](windows-defender-application-guard\faq-wd-app-guard.md)
+##[Windows Defender Application Guard](windows-defender-application-guard/wd-app-guard-overview.md)
+###[System requirements for Windows Defender Application Guard](windows-defender-application-guard/reqs-wd-app-guard.md)
+###[Prepare and install Windows Defender Application Guard](windows-defender-application-guard/install-wd-app-guard.md)
+###[Configure the Group Policy settings for Windows Defender Application Guard](windows-defender-application-guard/configure-wd-app-guard.md)
+###[Testing scenarios using Windows Defender Application Guard in your business or organization](windows-defender-application-guard/test-scenarios-wd-app-guard.md)
+###[Frequently Asked Questions - Windows Defender Application Guard](windows-defender-application-guard/faq-wd-app-guard.md)
 
 ## [Mitigate threats by using Windows 10 security features](overview-of-threat-mitigations-in-windows-10.md)
 
@@ -436,358 +338,358 @@
 
 ## [Block untrusted fonts in an enterprise](block-untrusted-fonts-in-enterprise.md)
 
-## [Security auditing](auditing\security-auditing-overview.md)
-### [Basic security audit policies](auditing\basic-security-audit-policies.md)
-#### [Create a basic audit policy for an event category](auditing\create-a-basic-audit-policy-settings-for-an-event-category.md)
-#### [Apply a basic audit policy on a file or folder](auditing\apply-a-basic-audit-policy-on-a-file-or-folder.md)
-#### [View the security event log](auditing\view-the-security-event-log.md)
-#### [Basic security audit policy settings](auditing\basic-security-audit-policy-settings.md)
-##### [Audit account logon events](auditing\basic-audit-account-logon-events.md)
-##### [Audit account management](auditing\basic-audit-account-management.md)
-##### [Audit directory service access](auditing\basic-audit-directory-service-access.md)
-##### [Audit logon events](auditing\basic-audit-logon-events.md)
-##### [Audit object access](auditing\basic-audit-object-access.md)
-##### [Audit policy change](auditing\basic-audit-policy-change.md)
-##### [Audit privilege use](auditing\basic-audit-privilege-use.md)
-##### [Audit process tracking](auditing\basic-audit-process-tracking.md)
-##### [Audit system events](auditing\basic-audit-system-events.md)
-### [Advanced security audit policies](auditing\advanced-security-auditing.md)
-#### [Planning and deploying advanced security audit policies](auditing\planning-and-deploying-advanced-security-audit-policies.md)
-#### [Advanced security auditing FAQ](auditing\advanced-security-auditing-faq.md)
-##### [Which editions of Windows support advanced audit policy configuration](auditing\which-editions-of-windows-support-advanced-audit-policy-configuration.md)
-#### [Using advanced security auditing options to monitor dynamic access control objects](auditing\using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md)
-##### [Monitor the central access policies that apply on a file server](auditing\monitor-the-central-access-policies-that-apply-on-a-file-server.md)
-##### [Monitor the use of removable storage devices](auditing\monitor-the-use-of-removable-storage-devices.md)
-##### [Monitor resource attribute definitions](auditing\monitor-resource-attribute-definitions.md)
-##### [Monitor central access policy and rule definitions](auditing\monitor-central-access-policy-and-rule-definitions.md)
-##### [Monitor user and device claims during sign-in](auditing\monitor-user-and-device-claims-during-sign-in.md)
-##### [Monitor the resource attributes on files and folders](auditing\monitor-the-resource-attributes-on-files-and-folders.md)
-##### [Monitor the central access policies associated with files and folders](auditing\monitor-the-central-access-policies-associated-with-files-and-folders.md)
-##### [Monitor claim types](auditing\monitor-claim-types.md)
-#### [Advanced security audit policy settings](auditing\advanced-security-audit-policy-settings.md)
-##### [Audit Credential Validation](auditing\audit-credential-validation.md)
-###### [Event 4774 S, F: An account was mapped for logon.](auditing\event-4774.md)
-###### [Event 4775 F: An account could not be mapped for logon.](auditing\event-4775.md)
-###### [Event 4776 S, F: The computer attempted to validate the credentials for an account.](auditing\event-4776.md)
-###### [Event 4777 F: The domain controller failed to validate the credentials for an account.](auditing\event-4777.md)
-##### [Audit Kerberos Authentication Service](auditing\audit-kerberos-authentication-service.md)
-###### [Event 4768 S, F: A Kerberos authentication ticket, TGT, was requested.](auditing\event-4768.md)
-###### [Event 4771 F: Kerberos pre-authentication failed.](auditing\event-4771.md)
-###### [Event 4772 F: A Kerberos authentication ticket request failed.](auditing\event-4772.md)
-##### [Audit Kerberos Service Ticket Operations](auditing\audit-kerberos-service-ticket-operations.md)
-###### [Event 4769 S, F: A Kerberos service ticket was requested.](auditing\event-4769.md)
-###### [Event 4770 S: A Kerberos service ticket was renewed.](auditing\event-4770.md)
-###### [Event 4773 F: A Kerberos service ticket request failed.](auditing\event-4773.md)
-##### [Audit Other Account Logon Events](auditing\audit-other-account-logon-events.md)
-##### [Audit Application Group Management](auditing\audit-application-group-management.md)
-##### [Audit Computer Account Management](auditing\audit-computer-account-management.md)
-###### [Event 4741 S: A computer account was created.](auditing\event-4741.md)
-###### [Event 4742 S: A computer account was changed.](auditing\event-4742.md)
-###### [Event 4743 S: A computer account was deleted.](auditing\event-4743.md)
-##### [Audit Distribution Group Management](auditing\audit-distribution-group-management.md)
-###### [Event 4749 S: A security-disabled global group was created.](auditing\event-4749.md)
-###### [Event 4750 S: A security-disabled global group was changed.](auditing\event-4750.md)
-###### [Event 4751 S: A member was added to a security-disabled global group.](auditing\event-4751.md)
-###### [Event 4752 S: A member was removed from a security-disabled global group.](auditing\event-4752.md)
-###### [Event 4753 S: A security-disabled global group was deleted.](auditing\event-4753.md)
-##### [Audit Other Account Management Events](auditing\audit-other-account-management-events.md)
-###### [Event 4782 S: The password hash an account was accessed.](auditing\event-4782.md)
-###### [Event 4793 S: The Password Policy Checking API was called.](auditing\event-4793.md)
-##### [Audit Security Group Management](auditing\audit-security-group-management.md)
-###### [Event 4731 S: A security-enabled local group was created.](auditing\event-4731.md)
-###### [Event 4732 S: A member was added to a security-enabled local group.](auditing\event-4732.md)
-###### [Event 4733 S: A member was removed from a security-enabled local group.](auditing\event-4733.md)
-###### [Event 4734 S: A security-enabled local group was deleted.](auditing\event-4734.md)
-###### [Event 4735 S: A security-enabled local group was changed.](auditing\event-4735.md)
-###### [Event 4764 S: A group’s type was changed.](auditing\event-4764.md)
-###### [Event 4799 S: A security-enabled local group membership was enumerated.](auditing\event-4799.md)
-##### [Audit User Account Management](auditing\audit-user-account-management.md)
-###### [Event 4720 S: A user account was created.](auditing\event-4720.md)
-###### [Event 4722 S: A user account was enabled.](auditing\event-4722.md)
-###### [Event 4723 S, F: An attempt was made to change an account's password.](auditing\event-4723.md)
-###### [Event 4724 S, F: An attempt was made to reset an account's password.](auditing\event-4724.md)
-###### [Event 4725 S: A user account was disabled.](auditing\event-4725.md)
-###### [Event 4726 S: A user account was deleted.](auditing\event-4726.md)
-###### [Event 4738 S: A user account was changed.](auditing\event-4738.md)
-###### [Event 4740 S: A user account was locked out.](auditing\event-4740.md)
-###### [Event 4765 S: SID History was added to an account.](auditing\event-4765.md)
-###### [Event 4766 F: An attempt to add SID History to an account failed.](auditing\event-4766.md)
-###### [Event 4767 S: A user account was unlocked.](auditing\event-4767.md)
-###### [Event 4780 S: The ACL was set on accounts which are members of administrators groups.](auditing\event-4780.md)
-###### [Event 4781 S: The name of an account was changed.](auditing\event-4781.md)
-###### [Event 4794 S, F: An attempt was made to set the Directory Services Restore Mode administrator password.](auditing\event-4794.md)
-###### [Event 4798 S: A user's local group membership was enumerated.](auditing\event-4798.md)
-###### [Event 5376 S: Credential Manager credentials were backed up.](auditing\event-5376.md)
-###### [Event 5377 S: Credential Manager credentials were restored from a backup.](auditing\event-5377.md)
-##### [Audit DPAPI Activity](auditing\audit-dpapi-activity.md)
-###### [Event 4692 S, F: Backup of data protection master key was attempted.](auditing\event-4692.md)
-###### [Event 4693 S, F: Recovery of data protection master key was attempted.](auditing\event-4693.md)
-###### [Event 4694 S, F: Protection of auditable protected data was attempted.](auditing\event-4694.md)
-###### [Event 4695 S, F: Unprotection of auditable protected data was attempted.](auditing\event-4695.md)
-##### [Audit PNP Activity](auditing\audit-pnp-activity.md)
-###### [Event 6416 S: A new external device was recognized by the System.](auditing\event-6416.md)
-###### [Event 6419 S: A request was made to disable a device.](auditing\event-6419.md)
-###### [Event 6420 S: A device was disabled.](auditing\event-6420.md)
-###### [Event 6421 S: A request was made to enable a device.](auditing\event-6421.md)
-###### [Event 6422 S: A device was enabled.](auditing\event-6422.md)
-###### [Event 6423 S: The installation of this device is forbidden by system policy.](auditing\event-6423.md)
-###### [Event 6424 S: The installation of this device was allowed, after having previously been forbidden by policy.](auditing\event-6424.md)
-##### [Audit Process Creation](auditing\audit-process-creation.md)
-###### [Event 4688 S: A new process has been created.](auditing\event-4688.md)
-###### [Event 4696 S: A primary token was assigned to process.](auditing\event-4696.md)
-##### [Audit Process Termination](auditing\audit-process-termination.md)
-###### [Event 4689 S: A process has exited.](auditing\event-4689.md)
-##### [Audit RPC Events](auditing\audit-rpc-events.md)
-###### [Event 5712 S: A Remote Procedure Call, RPC, was attempted.](auditing\event-5712.md)
-##### [Audit Detailed Directory Service Replication](auditing\audit-detailed-directory-service-replication.md)
-###### [Event 4928 S, F: An Active Directory replica source naming context was established.](auditing\event-4928.md)
-###### [Event 4929 S, F: An Active Directory replica source naming context was removed.](auditing\event-4929.md)
-###### [Event 4930 S, F: An Active Directory replica source naming context was modified.](auditing\event-4930.md)
-###### [Event 4931 S, F: An Active Directory replica destination naming context was modified.](auditing\event-4931.md)
-###### [Event 4934 S: Attributes of an Active Directory object were replicated.](auditing\event-4934.md)
-###### [Event 4935 F: Replication failure begins.](auditing\event-4935.md)
-###### [Event 4936 S: Replication failure ends.](auditing\event-4936.md)
-###### [Event 4937 S: A lingering object was removed from a replica.](auditing\event-4937.md)
-##### [Audit Directory Service Access](auditing\audit-directory-service-access.md)
-###### [Event 4662 S, F: An operation was performed on an object.](auditing\event-4662.md)
-###### [Event 4661 S, F: A handle to an object was requested.](auditing\event-4661.md)
-##### [Audit Directory Service Changes](auditing\audit-directory-service-changes.md)
-###### [Event 5136 S: A directory service object was modified.](auditing\event-5136.md)
-###### [Event 5137 S: A directory service object was created.](auditing\event-5137.md)
-###### [Event 5138 S: A directory service object was undeleted.](auditing\event-5138.md)
-###### [Event 5139 S: A directory service object was moved.](auditing\event-5139.md)
-###### [Event 5141 S: A directory service object was deleted.](auditing\event-5141.md)
-##### [Audit Directory Service Replication](auditing\audit-directory-service-replication.md)
-###### [Event 4932 S: Synchronization of a replica of an Active Directory naming context has begun.](auditing\event-4932.md)
-###### [Event 4933 S, F: Synchronization of a replica of an Active Directory naming context has ended.](auditing\event-4933.md)
-##### [Audit Account Lockout](auditing\audit-account-lockout.md)
-###### [Event 4625 F: An account failed to log on.](auditing\event-4625.md)
-##### [Audit User/Device Claims](auditing\audit-user-device-claims.md)
-###### [Event 4626 S: User/Device claims information.](auditing\event-4626.md)
-##### [Audit Group Membership](auditing\audit-group-membership.md)
-###### [Event 4627 S: Group membership information.](auditing\event-4627.md)
-##### [Audit IPsec Extended Mode](auditing\audit-ipsec-extended-mode.md)
-##### [Audit IPsec Main Mode](auditing\audit-ipsec-main-mode.md)
-##### [Audit IPsec Quick Mode](auditing\audit-ipsec-quick-mode.md)
-##### [Audit Logoff](auditing\audit-logoff.md)
-###### [Event 4634 S: An account was logged off.](auditing\event-4634.md)
-###### [Event 4647 S: User initiated logoff.](auditing\event-4647.md)
-##### [Audit Logon](auditing\audit-logon.md)
-###### [Event 4624 S: An account was successfully logged on.](auditing\event-4624.md)
-###### [Event 4625 F: An account failed to log on.](auditing\event-4625.md)
-###### [Event 4648 S: A logon was attempted using explicit credentials.](auditing\event-4648.md)
-###### [Event 4675 S: SIDs were filtered.](auditing\event-4675.md)
-##### [Audit Network Policy Server](auditing\audit-network-policy-server.md)
-##### [Audit Other Logon/Logoff Events](auditing\audit-other-logonlogoff-events.md)
-###### [Event 4649 S: A replay attack was detected.](auditing\event-4649.md)
-###### [Event 4778 S: A session was reconnected to a Window Station.](auditing\event-4778.md)
-###### [Event 4779 S: A session was disconnected from a Window Station.](auditing\event-4779.md)
-###### [Event 4800 S: The workstation was locked.](auditing\event-4800.md)
-###### [Event 4801 S: The workstation was unlocked.](auditing\event-4801.md)
-###### [Event 4802 S: The screen saver was invoked.](auditing\event-4802.md)
-###### [Event 4803 S: The screen saver was dismissed.](auditing\event-4803.md)
-###### [Event 5378 F: The requested credentials delegation was disallowed by policy.](auditing\event-5378.md)
-###### [Event 5632 S, F: A request was made to authenticate to a wireless network.](auditing\event-5632.md)
-###### [Event 5633 S, F: A request was made to authenticate to a wired network.](auditing\event-5633.md)
-##### [Audit Special Logon](auditing\audit-special-logon.md)
-###### [Event 4964 S: Special groups have been assigned to a new logon.](auditing\event-4964.md)
-###### [Event 4672 S: Special privileges assigned to new logon.](auditing\event-4672.md)
-##### [Audit Application Generated](auditing\audit-application-generated.md)
-##### [Audit Certification Services](auditing\audit-certification-services.md)
-##### [Audit Detailed File Share](auditing\audit-detailed-file-share.md)
-###### [Event 5145 S, F: A network share object was checked to see whether client can be granted desired access.](auditing\event-5145.md)
-##### [Audit File Share](auditing\audit-file-share.md)
-###### [Event 5140 S, F: A network share object was accessed.](auditing\event-5140.md)
-###### [Event 5142 S: A network share object was added.](auditing\event-5142.md)
-###### [Event 5143 S: A network share object was modified.](auditing\event-5143.md)
-###### [Event 5144 S: A network share object was deleted.](auditing\event-5144.md)
-###### [Event 5168 F: SPN check for SMB/SMB2 failed.](auditing\event-5168.md)
-##### [Audit File System](auditing\audit-file-system.md)
-###### [Event 4656 S, F: A handle to an object was requested.](auditing\event-4656.md)
-###### [Event 4658 S: The handle to an object was closed.](auditing\event-4658.md)
-###### [Event 4660 S: An object was deleted.](auditing\event-4660.md)
-###### [Event 4663 S: An attempt was made to access an object.](auditing\event-4663.md)
-###### [Event 4664 S: An attempt was made to create a hard link.](auditing\event-4664.md)
-###### [Event 4985 S: The state of a transaction has changed.](auditing\event-4985.md)
-###### [Event 5051: A file was virtualized.](auditing\event-5051.md)
-###### [Event 4670 S: Permissions on an object were changed.](auditing\event-4670.md)
-##### [Audit Filtering Platform Connection](auditing\audit-filtering-platform-connection.md)
-###### [Event 5031 F: The Windows Firewall Service blocked an application from accepting incoming connections on the network.](auditing\event-5031.md)
-###### [Event 5150: The Windows Filtering Platform blocked a packet.](auditing\event-5150.md)
-###### [Event 5151: A more restrictive Windows Filtering Platform filter has blocked a packet.](auditing\event-5151.md)
-###### [Event 5154 S: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.](auditing\event-5154.md)
-###### [Event 5155 F: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.](auditing\event-5155.md)
-###### [Event 5156 S: The Windows Filtering Platform has permitted a connection.](auditing\event-5156.md)
-###### [Event 5157 F: The Windows Filtering Platform has blocked a connection.](auditing\event-5157.md)
-###### [Event 5158 S: The Windows Filtering Platform has permitted a bind to a local port.](auditing\event-5158.md)
-###### [Event 5159 F: The Windows Filtering Platform has blocked a bind to a local port.](auditing\event-5159.md)
-##### [Audit Filtering Platform Packet Drop](auditing\audit-filtering-platform-packet-drop.md)
-###### [Event 5152 F: The Windows Filtering Platform blocked a packet.](auditing\event-5152.md)
-###### [Event 5153 S: A more restrictive Windows Filtering Platform filter has blocked a packet.](auditing\event-5153.md)
-##### [Audit Handle Manipulation](auditing\audit-handle-manipulation.md)
-###### [Event 4690 S: An attempt was made to duplicate a handle to an object.](auditing\event-4690.md)
-##### [Audit Kernel Object](auditing\audit-kernel-object.md)
-###### [Event 4656 S, F: A handle to an object was requested.](auditing\event-4656.md)
-###### [Event 4658 S: The handle to an object was closed.](auditing\event-4658.md)
-###### [Event 4660 S: An object was deleted.](auditing\event-4660.md)
-###### [Event 4663 S: An attempt was made to access an object.](auditing\event-4663.md)
-##### [Audit Other Object Access Events](auditing\audit-other-object-access-events.md)
-###### [Event 4671: An application attempted to access a blocked ordinal through the TBS.](auditing\event-4671.md)
-###### [Event 4691 S: Indirect access to an object was requested.](auditing\event-4691.md)
-###### [Event 5148 F: The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.](auditing\event-5148.md)
-###### [Event 5149 F: The DoS attack has subsided and normal processing is being resumed.](auditing\event-5149.md)
-###### [Event 4698 S: A scheduled task was created.](auditing\event-4698.md)
-###### [Event 4699 S: A scheduled task was deleted.](auditing\event-4699.md)
-###### [Event 4700 S: A scheduled task was enabled.](auditing\event-4700.md)
-###### [Event 4701 S: A scheduled task was disabled.](auditing\event-4701.md)
-###### [Event 4702 S: A scheduled task was updated.](auditing\event-4702.md)
-###### [Event 5888 S: An object in the COM+ Catalog was modified.](auditing\event-5888.md)
-###### [Event 5889 S: An object was deleted from the COM+ Catalog.](auditing\event-5889.md)
-###### [Event 5890 S: An object was added to the COM+ Catalog.](auditing\event-5890.md)
-##### [Audit Registry](auditing\audit-registry.md)
-###### [Event 4663 S: An attempt was made to access an object.](auditing\event-4663.md)
-###### [Event 4656 S, F: A handle to an object was requested.](auditing\event-4656.md)
-###### [Event 4658 S: The handle to an object was closed.](auditing\event-4658.md)
-###### [Event 4660 S: An object was deleted.](auditing\event-4660.md)
-###### [Event 4657 S: A registry value was modified.](auditing\event-4657.md)
-###### [Event 5039: A registry key was virtualized.](auditing\event-5039.md)
-###### [Event 4670 S: Permissions on an object were changed.](auditing\event-4670.md)
-##### [Audit Removable Storage](auditing\audit-removable-storage.md)
-##### [Audit SAM](auditing\audit-sam.md)
-###### [Event 4661 S, F: A handle to an object was requested.](auditing\event-4661.md)
-##### [Audit Central Access Policy Staging](auditing\audit-central-access-policy-staging.md)
-###### [Event 4818 S: Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy.](auditing\event-4818.md)
-##### [Audit Audit Policy Change](auditing\audit-audit-policy-change.md)
-###### [Event 4670 S: Permissions on an object were changed.](auditing\event-4670.md)
-###### [Event 4715 S: The audit policy, SACL, on an object was changed.](auditing\event-4715.md)
-###### [Event 4719 S: System audit policy was changed.](auditing\event-4719.md)
-###### [Event 4817 S: Auditing settings on object were changed.](auditing\event-4817.md)
-###### [Event 4902 S: The Per-user audit policy table was created.](auditing\event-4902.md)
-###### [Event 4906 S: The CrashOnAuditFail value has changed.](auditing\event-4906.md)
-###### [Event 4907 S: Auditing settings on object were changed.](auditing\event-4907.md)
-###### [Event 4908 S: Special Groups Logon table modified.](auditing\event-4908.md)
-###### [Event 4912 S: Per User Audit Policy was changed.](auditing\event-4912.md)
-###### [Event 4904 S: An attempt was made to register a security event source.](auditing\event-4904.md)
-###### [Event 4905 S: An attempt was made to unregister a security event source.](auditing\event-4905.md)
-##### [Audit Authentication Policy Change](auditing\audit-authentication-policy-change.md)
-###### [Event 4706 S: A new trust was created to a domain.](auditing\event-4706.md)
-###### [Event 4707 S: A trust to a domain was removed.](auditing\event-4707.md)
-###### [Event 4716 S: Trusted domain information was modified.](auditing\event-4716.md)
-###### [Event 4713 S: Kerberos policy was changed.](auditing\event-4713.md)
-###### [Event 4717 S: System security access was granted to an account.](auditing\event-4717.md)
-###### [Event 4718 S: System security access was removed from an account.](auditing\event-4718.md)
-###### [Event 4739 S: Domain Policy was changed.](auditing\event-4739.md)
-###### [Event 4864 S: A namespace collision was detected.](auditing\event-4864.md)
-###### [Event 4865 S: A trusted forest information entry was added.](auditing\event-4865.md)
-###### [Event 4866 S: A trusted forest information entry was removed.](auditing\event-4866.md)
-###### [Event 4867 S: A trusted forest information entry was modified.](auditing\event-4867.md)
-##### [Audit Authorization Policy Change](auditing\audit-authorization-policy-change.md)
-###### [Event 4703 S: A user right was adjusted.](auditing\event-4703.md)
-###### [Event 4704 S: A user right was assigned.](auditing\event-4704.md)
-###### [Event 4705 S: A user right was removed.](auditing\event-4705.md)
-###### [Event 4670 S: Permissions on an object were changed.](auditing\event-4670.md)
-###### [Event 4911 S: Resource attributes of the object were changed.](auditing\event-4911.md)
-###### [Event 4913 S: Central Access Policy on the object was changed.](auditing\event-4913.md)
-##### [Audit Filtering Platform Policy Change](auditing\audit-filtering-platform-policy-change.md)
-##### [Audit MPSSVC Rule-Level Policy Change](auditing\audit-mpssvc-rule-level-policy-change.md)
-###### [Event 4944 S: The following policy was active when the Windows Firewall started.](auditing\event-4944.md)
-###### [Event 4945 S: A rule was listed when the Windows Firewall started.](auditing\event-4945.md)
-###### [Event 4946 S: A change has been made to Windows Firewall exception list. A rule was added.](auditing\event-4946.md)
-###### [Event 4947 S: A change has been made to Windows Firewall exception list. A rule was modified.](auditing\event-4947.md)
-###### [Event 4948 S: A change has been made to Windows Firewall exception list. A rule was deleted.](auditing\event-4948.md)
-###### [Event 4949 S: Windows Firewall settings were restored to the default values.](auditing\event-4949.md)
-###### [Event 4950 S: A Windows Firewall setting has changed.](auditing\event-4950.md)
-###### [Event 4951 F: A rule has been ignored because its major version number was not recognized by Windows Firewall.](auditing\event-4951.md)
-###### [Event 4952 F: Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.](auditing\event-4952.md)
-###### [Event 4953 F: Windows Firewall ignored a rule because it could not be parsed.](auditing\event-4953.md)
-###### [Event 4954 S: Windows Firewall Group Policy settings have changed. The new settings have been applied.](auditing\event-4954.md)
-###### [Event 4956 S: Windows Firewall has changed the active profile.](auditing\event-4956.md)
-###### [Event 4957 F: Windows Firewall did not apply the following rule.](auditing\event-4957.md)
-###### [Event 4958 F: Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer.](auditing\event-4958.md)
-##### [Audit Other Policy Change Events](auditing\audit-other-policy-change-events.md)
-###### [Event 4714 S: Encrypted data recovery policy was changed.](auditing\event-4714.md)
-###### [Event 4819 S: Central Access Policies on the machine have been changed.](auditing\event-4819.md)
-###### [Event 4826 S: Boot Configuration Data loaded.](auditing\event-4826.md)
-###### [Event 4909: The local policy settings for the TBS were changed.](auditing\event-4909.md)
-###### [Event 4910: The group policy settings for the TBS were changed.](auditing\event-4910.md)
-###### [Event 5063 S, F: A cryptographic provider operation was attempted.](auditing\event-5063.md)
-###### [Event 5064 S, F: A cryptographic context operation was attempted.](auditing\event-5064.md)
-###### [Event 5065 S, F: A cryptographic context modification was attempted.](auditing\event-5065.md)
-###### [Event 5066 S, F: A cryptographic function operation was attempted.](auditing\event-5066.md)
-###### [Event 5067 S, F: A cryptographic function modification was attempted.](auditing\event-5067.md)
-###### [Event 5068 S, F: A cryptographic function provider operation was attempted.](auditing\event-5068.md)
-###### [Event 5069 S, F: A cryptographic function property operation was attempted.](auditing\event-5069.md)
-###### [Event 5070 S, F: A cryptographic function property modification was attempted.](auditing\event-5070.md)
-###### [Event 5447 S: A Windows Filtering Platform filter has been changed.](auditing\event-5447.md)
-###### [Event 6144 S: Security policy in the group policy objects has been applied successfully.](auditing\event-6144.md)
-###### [Event 6145 F: One or more errors occurred while processing security policy in the group policy objects.](auditing\event-6145.md)
-##### [Audit Sensitive Privilege Use](auditing\audit-sensitive-privilege-use.md)
-###### [Event 4673 S, F: A privileged service was called.](auditing\event-4673.md)
-###### [Event 4674 S, F: An operation was attempted on a privileged object.](auditing\event-4674.md)
-###### [Event 4985 S: The state of a transaction has changed.](auditing\event-4985.md)
-##### [Audit Non Sensitive Privilege Use](auditing\audit-non-sensitive-privilege-use.md)
-###### [Event 4673 S, F: A privileged service was called.](auditing\event-4673.md)
-###### [Event 4674 S, F: An operation was attempted on a privileged object.](auditing\event-4674.md)
-###### [Event 4985 S: The state of a transaction has changed.](auditing\event-4985.md)
-##### [Audit Other Privilege Use Events](auditing\audit-other-privilege-use-events.md)
-###### [Event 4985 S: The state of a transaction has changed.](auditing\event-4985.md)
-##### [Audit IPsec Driver](auditing\audit-ipsec-driver.md)
-##### [Audit Other System Events](auditing\audit-other-system-events.md)
-###### [Event 5024 S: The Windows Firewall Service has started successfully.](auditing\event-5024.md)
-###### [Event 5025 S: The Windows Firewall Service has been stopped.](auditing\event-5025.md)
-###### [Event 5027 F: The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.](auditing\event-5027.md)
-###### [Event 5028 F: The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.](auditing\event-5028.md)
-###### [Event 5029 F: The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.](auditing\event-5029.md)
-###### [Event 5030 F: The Windows Firewall Service failed to start.](auditing\event-5030.md)
-###### [Event 5032 F: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.](auditing\event-5032.md)
-###### [Event 5033 S: The Windows Firewall Driver has started successfully.](auditing\event-5033.md)
-###### [Event 5034 S: The Windows Firewall Driver was stopped.](auditing\event-5034.md)
-###### [Event 5035 F: The Windows Firewall Driver failed to start.](auditing\event-5035.md)
-###### [Event 5037 F: The Windows Firewall Driver detected critical runtime error. Terminating.](auditing\event-5037.md)
-###### [Event 5058 S, F: Key file operation.](auditing\event-5058.md)
-###### [Event 5059 S, F: Key migration operation.](auditing\event-5059.md)
-###### [Event 6400: BranchCache: Received an incorrectly formatted response while discovering availability of content.](auditing\event-6400.md)
-###### [Event 6401: BranchCache: Received invalid data from a peer. Data discarded.](auditing\event-6401.md)
-###### [Event 6402: BranchCache: The message to the hosted cache offering it data is incorrectly formatted.](auditing\event-6402.md)
-###### [Event 6403: BranchCache: The hosted cache sent an incorrectly formatted response to the client.](auditing\event-6403.md)
-###### [Event 6404: BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.](auditing\event-6404.md)
-###### [Event 6405: BranchCache: %2 instances of event id %1 occurred.](auditing\event-6405.md)
-###### [Event 6406: %1 registered to Windows Firewall to control filtering for the following: %2.](auditing\event-6406.md)
-###### [Event 6407: 1%.](auditing\event-6407.md)
-###### [Event 6408: Registered product %1 failed and Windows Firewall is now controlling the filtering for %2.](auditing\event-6408.md)
-###### [Event 6409: BranchCache: A service connection point object could not be parsed.](auditing\event-6409.md)
-##### [Audit Security State Change](auditing\audit-security-state-change.md)
-###### [Event 4608 S: Windows is starting up.](auditing\event-4608.md)
-###### [Event 4616 S: The system time was changed.](auditing\event-4616.md)
-###### [Event 4621 S: Administrator recovered system from CrashOnAuditFail.](auditing\event-4621.md)
-##### [Audit Security System Extension](auditing\audit-security-system-extension.md)
-###### [Event 4610 S: An authentication package has been loaded by the Local Security Authority.](auditing\event-4610.md)
-###### [Event 4611 S: A trusted logon process has been registered with the Local Security Authority.](auditing\event-4611.md)
-###### [Event 4614 S: A notification package has been loaded by the Security Account Manager.](auditing\event-4614.md)
-###### [Event 4622 S: A security package has been loaded by the Local Security Authority.](auditing\event-4622.md)
-###### [Event 4697 S: A service was installed in the system.](auditing\event-4697.md)
-##### [Audit System Integrity](auditing\audit-system-integrity.md)
-###### [Event 4612 S: Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.](auditing\event-4612.md)
-###### [Event 4615 S: Invalid use of LPC port.](auditing\event-4615.md)
-###### [Event 4618 S: A monitored security event pattern has occurred.](auditing\event-4618.md)
-###### [Event 4816 S: RPC detected an integrity violation while decrypting an incoming message.](auditing\event-4816.md)
-###### [Event 5038 F: Code integrity determined that the image hash of a file is not valid.](auditing\event-5038.md)
-###### [Event 5056 S: A cryptographic self-test was performed.](auditing\event-5056.md)
-###### [Event 5062 S: A kernel-mode cryptographic self-test was performed.](auditing\event-5062.md)
-###### [Event 5057 F: A cryptographic primitive operation failed.](auditing\event-5057.md)
-###### [Event 5060 F: Verification operation failed.](auditing\event-5060.md)
-###### [Event 5061 S, F: Cryptographic operation.](auditing\event-5061.md)
-###### [Event 6281 F: Code Integrity determined that the page hashes of an image file are not valid.](auditing\event-6281.md)
-###### [Event 6410 F: Code integrity determined that a file does not meet the security requirements to load into a process.](auditing\event-6410.md)
-##### [Other Events](auditing\other-events.md)
-###### [Event 1100 S: The event logging service has shut down.](auditing\event-1100.md)
-###### [Event 1102 S: The audit log was cleared.](auditing\event-1102.md)
-###### [Event 1104 S: The security log is now full.](auditing\event-1104.md)
-###### [Event 1105 S: Event log automatic backup.](auditing\event-1105.md)
-###### [Event 1108 S: The event logging service encountered an error while processing an incoming event published from %1.](auditing\event-1108.md)
-##### [Appendix A: Security monitoring recommendations for many audit events](auditing\appendix-a-security-monitoring-recommendations-for-many-audit-events.md)
-##### [Registry (Global Object Access Auditing) ](auditing\registry-global-object-access-auditing.md)
-##### [File System (Global Object Access Auditing) ](auditing\file-system-global-object-access-auditing.md)
+## [Security auditing](auditing/security-auditing-overview.md)
+### [Basic security audit policies](auditing/basic-security-audit-policies.md)
+#### [Create a basic audit policy for an event category](auditing/create-a-basic-audit-policy-settings-for-an-event-category.md)
+#### [Apply a basic audit policy on a file or folder](auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md)
+#### [View the security event log](auditing/view-the-security-event-log.md)
+#### [Basic security audit policy settings](auditing/basic-security-audit-policy-settings.md)
+##### [Audit account logon events](auditing/basic-audit-account-logon-events.md)
+##### [Audit account management](auditing/basic-audit-account-management.md)
+##### [Audit directory service access](auditing/basic-audit-directory-service-access.md)
+##### [Audit logon events](auditing/basic-audit-logon-events.md)
+##### [Audit object access](auditing/basic-audit-object-access.md)
+##### [Audit policy change](auditing/basic-audit-policy-change.md)
+##### [Audit privilege use](auditing/basic-audit-privilege-use.md)
+##### [Audit process tracking](auditing/basic-audit-process-tracking.md)
+##### [Audit system events](auditing/basic-audit-system-events.md)
+### [Advanced security audit policies](auditing/advanced-security-auditing.md)
+#### [Planning and deploying advanced security audit policies](auditing/planning-and-deploying-advanced-security-audit-policies.md)
+#### [Advanced security auditing FAQ](auditing/advanced-security-auditing-faq.md)
+##### [Which editions of Windows support advanced audit policy configuration](auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md)
+#### [Using advanced security auditing options to monitor dynamic access control objects](auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md)
+##### [Monitor the central access policies that apply on a file server](auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md)
+##### [Monitor the use of removable storage devices](auditing/monitor-the-use-of-removable-storage-devices.md)
+##### [Monitor resource attribute definitions](auditing/monitor-resource-attribute-definitions.md)
+##### [Monitor central access policy and rule definitions](auditing/monitor-central-access-policy-and-rule-definitions.md)
+##### [Monitor user and device claims during sign-in](auditing/monitor-user-and-device-claims-during-sign-in.md)
+##### [Monitor the resource attributes on files and folders](auditing/monitor-the-resource-attributes-on-files-and-folders.md)
+##### [Monitor the central access policies associated with files and folders](auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md)
+##### [Monitor claim types](auditing/monitor-claim-types.md)
+#### [Advanced security audit policy settings](auditing/advanced-security-audit-policy-settings.md)
+##### [Audit Credential Validation](auditing/audit-credential-validation.md)
+###### [Event 4774 S, F: An account was mapped for logon.](auditing/event-4774.md)
+###### [Event 4775 F: An account could not be mapped for logon.](auditing/event-4775.md)
+###### [Event 4776 S, F: The computer attempted to validate the credentials for an account.](auditing/event-4776.md)
+###### [Event 4777 F: The domain controller failed to validate the credentials for an account.](auditing/event-4777.md)
+##### [Audit Kerberos Authentication Service](auditing/audit-kerberos-authentication-service.md)
+###### [Event 4768 S, F: A Kerberos authentication ticket, TGT, was requested.](auditing/event-4768.md)
+###### [Event 4771 F: Kerberos pre-authentication failed.](auditing/event-4771.md)
+###### [Event 4772 F: A Kerberos authentication ticket request failed.](auditing/event-4772.md)
+##### [Audit Kerberos Service Ticket Operations](auditing/audit-kerberos-service-ticket-operations.md)
+###### [Event 4769 S, F: A Kerberos service ticket was requested.](auditing/event-4769.md)
+###### [Event 4770 S: A Kerberos service ticket was renewed.](auditing/event-4770.md)
+###### [Event 4773 F: A Kerberos service ticket request failed.](auditing/event-4773.md)
+##### [Audit Other Account Logon Events](auditing/audit-other-account-logon-events.md)
+##### [Audit Application Group Management](auditing/audit-application-group-management.md)
+##### [Audit Computer Account Management](auditing/audit-computer-account-management.md)
+###### [Event 4741 S: A computer account was created.](auditing/event-4741.md)
+###### [Event 4742 S: A computer account was changed.](auditing/event-4742.md)
+###### [Event 4743 S: A computer account was deleted.](auditing/event-4743.md)
+##### [Audit Distribution Group Management](auditing/audit-distribution-group-management.md)
+###### [Event 4749 S: A security-disabled global group was created.](auditing/event-4749.md)
+###### [Event 4750 S: A security-disabled global group was changed.](auditing/event-4750.md)
+###### [Event 4751 S: A member was added to a security-disabled global group.](auditing/event-4751.md)
+###### [Event 4752 S: A member was removed from a security-disabled global group.](auditing/event-4752.md)
+###### [Event 4753 S: A security-disabled global group was deleted.](auditing/event-4753.md)
+##### [Audit Other Account Management Events](auditing/audit-other-account-management-events.md)
+###### [Event 4782 S: The password hash an account was accessed.](auditing/event-4782.md)
+###### [Event 4793 S: The Password Policy Checking API was called.](auditing/event-4793.md)
+##### [Audit Security Group Management](auditing/audit-security-group-management.md)
+###### [Event 4731 S: A security-enabled local group was created.](auditing/event-4731.md)
+###### [Event 4732 S: A member was added to a security-enabled local group.](auditing/event-4732.md)
+###### [Event 4733 S: A member was removed from a security-enabled local group.](auditing/event-4733.md)
+###### [Event 4734 S: A security-enabled local group was deleted.](auditing/event-4734.md)
+###### [Event 4735 S: A security-enabled local group was changed.](auditing/event-4735.md)
+###### [Event 4764 S: A group’s type was changed.](auditing/event-4764.md)
+###### [Event 4799 S: A security-enabled local group membership was enumerated.](auditing/event-4799.md)
+##### [Audit User Account Management](auditing/audit-user-account-management.md)
+###### [Event 4720 S: A user account was created.](auditing/event-4720.md)
+###### [Event 4722 S: A user account was enabled.](auditing/event-4722.md)
+###### [Event 4723 S, F: An attempt was made to change an account's password.](auditing/event-4723.md)
+###### [Event 4724 S, F: An attempt was made to reset an account's password.](auditing/event-4724.md)
+###### [Event 4725 S: A user account was disabled.](auditing/event-4725.md)
+###### [Event 4726 S: A user account was deleted.](auditing/event-4726.md)
+###### [Event 4738 S: A user account was changed.](auditing/event-4738.md)
+###### [Event 4740 S: A user account was locked out.](auditing/event-4740.md)
+###### [Event 4765 S: SID History was added to an account.](auditing/event-4765.md)
+###### [Event 4766 F: An attempt to add SID History to an account failed.](auditing/event-4766.md)
+###### [Event 4767 S: A user account was unlocked.](auditing/event-4767.md)
+###### [Event 4780 S: The ACL was set on accounts which are members of administrators groups.](auditing/event-4780.md)
+###### [Event 4781 S: The name of an account was changed.](auditing/event-4781.md)
+###### [Event 4794 S, F: An attempt was made to set the Directory Services Restore Mode administrator password.](auditing/event-4794.md)
+###### [Event 4798 S: A user's local group membership was enumerated.](auditing/event-4798.md)
+###### [Event 5376 S: Credential Manager credentials were backed up.](auditing/event-5376.md)
+###### [Event 5377 S: Credential Manager credentials were restored from a backup.](auditing/event-5377.md)
+##### [Audit DPAPI Activity](auditing/audit-dpapi-activity.md)
+###### [Event 4692 S, F: Backup of data protection master key was attempted.](auditing/event-4692.md)
+###### [Event 4693 S, F: Recovery of data protection master key was attempted.](auditing/event-4693.md)
+###### [Event 4694 S, F: Protection of auditable protected data was attempted.](auditing/event-4694.md)
+###### [Event 4695 S, F: Unprotection of auditable protected data was attempted.](auditing/event-4695.md)
+##### [Audit PNP Activity](auditing/audit-pnp-activity.md)
+###### [Event 6416 S: A new external device was recognized by the System.](auditing/event-6416.md)
+###### [Event 6419 S: A request was made to disable a device.](auditing/event-6419.md)
+###### [Event 6420 S: A device was disabled.](auditing/event-6420.md)
+###### [Event 6421 S: A request was made to enable a device.](auditing/event-6421.md)
+###### [Event 6422 S: A device was enabled.](auditing/event-6422.md)
+###### [Event 6423 S: The installation of this device is forbidden by system policy.](auditing/event-6423.md)
+###### [Event 6424 S: The installation of this device was allowed, after having previously been forbidden by policy.](auditing/event-6424.md)
+##### [Audit Process Creation](auditing/audit-process-creation.md)
+###### [Event 4688 S: A new process has been created.](auditing/event-4688.md)
+###### [Event 4696 S: A primary token was assigned to process.](auditing/event-4696.md)
+##### [Audit Process Termination](auditing/audit-process-termination.md)
+###### [Event 4689 S: A process has exited.](auditing/event-4689.md)
+##### [Audit RPC Events](auditing/audit-rpc-events.md)
+###### [Event 5712 S: A Remote Procedure Call, RPC, was attempted.](auditing/event-5712.md)
+##### [Audit Detailed Directory Service Replication](auditing/audit-detailed-directory-service-replication.md)
+###### [Event 4928 S, F: An Active Directory replica source naming context was established.](auditing/event-4928.md)
+###### [Event 4929 S, F: An Active Directory replica source naming context was removed.](auditing/event-4929.md)
+###### [Event 4930 S, F: An Active Directory replica source naming context was modified.](auditing/event-4930.md)
+###### [Event 4931 S, F: An Active Directory replica destination naming context was modified.](auditing/event-4931.md)
+###### [Event 4934 S: Attributes of an Active Directory object were replicated.](auditing/event-4934.md)
+###### [Event 4935 F: Replication failure begins.](auditing/event-4935.md)
+###### [Event 4936 S: Replication failure ends.](auditing/event-4936.md)
+###### [Event 4937 S: A lingering object was removed from a replica.](auditing/event-4937.md)
+##### [Audit Directory Service Access](auditing/audit-directory-service-access.md)
+###### [Event 4662 S, F: An operation was performed on an object.](auditing/event-4662.md)
+###### [Event 4661 S, F: A handle to an object was requested.](auditing/event-4661.md)
+##### [Audit Directory Service Changes](auditing/audit-directory-service-changes.md)
+###### [Event 5136 S: A directory service object was modified.](auditing/event-5136.md)
+###### [Event 5137 S: A directory service object was created.](auditing/event-5137.md)
+###### [Event 5138 S: A directory service object was undeleted.](auditing/event-5138.md)
+###### [Event 5139 S: A directory service object was moved.](auditing/event-5139.md)
+###### [Event 5141 S: A directory service object was deleted.](auditing/event-5141.md)
+##### [Audit Directory Service Replication](auditing/audit-directory-service-replication.md)
+###### [Event 4932 S: Synchronization of a replica of an Active Directory naming context has begun.](auditing/event-4932.md)
+###### [Event 4933 S, F: Synchronization of a replica of an Active Directory naming context has ended.](auditing/event-4933.md)
+##### [Audit Account Lockout](auditing/audit-account-lockout.md)
+###### [Event 4625 F: An account failed to log on.](auditing/event-4625.md)
+##### [Audit User/Device Claims](auditing/audit-user-device-claims.md)
+###### [Event 4626 S: User/Device claims information.](auditing/event-4626.md)
+##### [Audit Group Membership](auditing/audit-group-membership.md)
+###### [Event 4627 S: Group membership information.](auditing/event-4627.md)
+##### [Audit IPsec Extended Mode](auditing/audit-ipsec-extended-mode.md)
+##### [Audit IPsec Main Mode](auditing/audit-ipsec-main-mode.md)
+##### [Audit IPsec Quick Mode](auditing/audit-ipsec-quick-mode.md)
+##### [Audit Logoff](auditing/audit-logoff.md)
+###### [Event 4634 S: An account was logged off.](auditing/event-4634.md)
+###### [Event 4647 S: User initiated logoff.](auditing/event-4647.md)
+##### [Audit Logon](auditing/audit-logon.md)
+###### [Event 4624 S: An account was successfully logged on.](auditing/event-4624.md)
+###### [Event 4625 F: An account failed to log on.](auditing/event-4625.md)
+###### [Event 4648 S: A logon was attempted using explicit credentials.](auditing/event-4648.md)
+###### [Event 4675 S: SIDs were filtered.](auditing/event-4675.md)
+##### [Audit Network Policy Server](auditing/audit-network-policy-server.md)
+##### [Audit Other Logon/Logoff Events](auditing/audit-other-logonlogoff-events.md)
+###### [Event 4649 S: A replay attack was detected.](auditing/event-4649.md)
+###### [Event 4778 S: A session was reconnected to a Window Station.](auditing/event-4778.md)
+###### [Event 4779 S: A session was disconnected from a Window Station.](auditing/event-4779.md)
+###### [Event 4800 S: The workstation was locked.](auditing/event-4800.md)
+###### [Event 4801 S: The workstation was unlocked.](auditing/event-4801.md)
+###### [Event 4802 S: The screen saver was invoked.](auditing/event-4802.md)
+###### [Event 4803 S: The screen saver was dismissed.](auditing/event-4803.md)
+###### [Event 5378 F: The requested credentials delegation was disallowed by policy.](auditing/event-5378.md)
+###### [Event 5632 S, F: A request was made to authenticate to a wireless network.](auditing/event-5632.md)
+###### [Event 5633 S, F: A request was made to authenticate to a wired network.](auditing/event-5633.md)
+##### [Audit Special Logon](auditing/audit-special-logon.md)
+###### [Event 4964 S: Special groups have been assigned to a new logon.](auditing/event-4964.md)
+###### [Event 4672 S: Special privileges assigned to new logon.](auditing/event-4672.md)
+##### [Audit Application Generated](auditing/audit-application-generated.md)
+##### [Audit Certification Services](auditing/audit-certification-services.md)
+##### [Audit Detailed File Share](auditing/audit-detailed-file-share.md)
+###### [Event 5145 S, F: A network share object was checked to see whether client can be granted desired access.](auditing/event-5145.md)
+##### [Audit File Share](auditing/audit-file-share.md)
+###### [Event 5140 S, F: A network share object was accessed.](auditing/event-5140.md)
+###### [Event 5142 S: A network share object was added.](auditing/event-5142.md)
+###### [Event 5143 S: A network share object was modified.](auditing/event-5143.md)
+###### [Event 5144 S: A network share object was deleted.](auditing/event-5144.md)
+###### [Event 5168 F: SPN check for SMB/SMB2 failed.](auditing/event-5168.md)
+##### [Audit File System](auditing/audit-file-system.md)
+###### [Event 4656 S, F: A handle to an object was requested.](auditing/event-4656.md)
+###### [Event 4658 S: The handle to an object was closed.](auditing/event-4658.md)
+###### [Event 4660 S: An object was deleted.](auditing/event-4660.md)
+###### [Event 4663 S: An attempt was made to access an object.](auditing/event-4663.md)
+###### [Event 4664 S: An attempt was made to create a hard link.](auditing/event-4664.md)
+###### [Event 4985 S: The state of a transaction has changed.](auditing/event-4985.md)
+###### [Event 5051: A file was virtualized.](auditing/event-5051.md)
+###### [Event 4670 S: Permissions on an object were changed.](auditing/event-4670.md)
+##### [Audit Filtering Platform Connection](auditing/audit-filtering-platform-connection.md)
+###### [Event 5031 F: The Windows Firewall Service blocked an application from accepting incoming connections on the network.](auditing/event-5031.md)
+###### [Event 5150: The Windows Filtering Platform blocked a packet.](auditing/event-5150.md)
+###### [Event 5151: A more restrictive Windows Filtering Platform filter has blocked a packet.](auditing/event-5151.md)
+###### [Event 5154 S: The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.](auditing/event-5154.md)
+###### [Event 5155 F: The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.](auditing/event-5155.md)
+###### [Event 5156 S: The Windows Filtering Platform has permitted a connection.](auditing/event-5156.md)
+###### [Event 5157 F: The Windows Filtering Platform has blocked a connection.](auditing/event-5157.md)
+###### [Event 5158 S: The Windows Filtering Platform has permitted a bind to a local port.](auditing/event-5158.md)
+###### [Event 5159 F: The Windows Filtering Platform has blocked a bind to a local port.](auditing/event-5159.md)
+##### [Audit Filtering Platform Packet Drop](auditing/audit-filtering-platform-packet-drop.md)
+###### [Event 5152 F: The Windows Filtering Platform blocked a packet.](auditing/event-5152.md)
+###### [Event 5153 S: A more restrictive Windows Filtering Platform filter has blocked a packet.](auditing/event-5153.md)
+##### [Audit Handle Manipulation](auditing/audit-handle-manipulation.md)
+###### [Event 4690 S: An attempt was made to duplicate a handle to an object.](auditing/event-4690.md)
+##### [Audit Kernel Object](auditing/audit-kernel-object.md)
+###### [Event 4656 S, F: A handle to an object was requested.](auditing/event-4656.md)
+###### [Event 4658 S: The handle to an object was closed.](auditing/event-4658.md)
+###### [Event 4660 S: An object was deleted.](auditing/event-4660.md)
+###### [Event 4663 S: An attempt was made to access an object.](auditing/event-4663.md)
+##### [Audit Other Object Access Events](auditing/audit-other-object-access-events.md)
+###### [Event 4671: An application attempted to access a blocked ordinal through the TBS.](auditing/event-4671.md)
+###### [Event 4691 S: Indirect access to an object was requested.](auditing/event-4691.md)
+###### [Event 5148 F: The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.](auditing/event-5148.md)
+###### [Event 5149 F: The DoS attack has subsided and normal processing is being resumed.](auditing/event-5149.md)
+###### [Event 4698 S: A scheduled task was created.](auditing/event-4698.md)
+###### [Event 4699 S: A scheduled task was deleted.](auditing/event-4699.md)
+###### [Event 4700 S: A scheduled task was enabled.](auditing/event-4700.md)
+###### [Event 4701 S: A scheduled task was disabled.](auditing/event-4701.md)
+###### [Event 4702 S: A scheduled task was updated.](auditing/event-4702.md)
+###### [Event 5888 S: An object in the COM+ Catalog was modified.](auditing/event-5888.md)
+###### [Event 5889 S: An object was deleted from the COM+ Catalog.](auditing/event-5889.md)
+###### [Event 5890 S: An object was added to the COM+ Catalog.](auditing/event-5890.md)
+##### [Audit Registry](auditing/audit-registry.md)
+###### [Event 4663 S: An attempt was made to access an object.](auditing/event-4663.md)
+###### [Event 4656 S, F: A handle to an object was requested.](auditing/event-4656.md)
+###### [Event 4658 S: The handle to an object was closed.](auditing/event-4658.md)
+###### [Event 4660 S: An object was deleted.](auditing/event-4660.md)
+###### [Event 4657 S: A registry value was modified.](auditing/event-4657.md)
+###### [Event 5039: A registry key was virtualized.](auditing/event-5039.md)
+###### [Event 4670 S: Permissions on an object were changed.](auditing/event-4670.md)
+##### [Audit Removable Storage](auditing/audit-removable-storage.md)
+##### [Audit SAM](auditing/audit-sam.md)
+###### [Event 4661 S, F: A handle to an object was requested.](auditing/event-4661.md)
+##### [Audit Central Access Policy Staging](auditing/audit-central-access-policy-staging.md)
+###### [Event 4818 S: Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy.](auditing/event-4818.md)
+##### [Audit Audit Policy Change](auditing/audit-audit-policy-change.md)
+###### [Event 4670 S: Permissions on an object were changed.](auditing/event-4670.md)
+###### [Event 4715 S: The audit policy, SACL, on an object was changed.](auditing/event-4715.md)
+###### [Event 4719 S: System audit policy was changed.](auditing/event-4719.md)
+###### [Event 4817 S: Auditing settings on object were changed.](auditing/event-4817.md)
+###### [Event 4902 S: The Per-user audit policy table was created.](auditing/event-4902.md)
+###### [Event 4906 S: The CrashOnAuditFail value has changed.](auditing/event-4906.md)
+###### [Event 4907 S: Auditing settings on object were changed.](auditing/event-4907.md)
+###### [Event 4908 S: Special Groups Logon table modified.](auditing/event-4908.md)
+###### [Event 4912 S: Per User Audit Policy was changed.](auditing/event-4912.md)
+###### [Event 4904 S: An attempt was made to register a security event source.](auditing/event-4904.md)
+###### [Event 4905 S: An attempt was made to unregister a security event source.](auditing/event-4905.md)
+##### [Audit Authentication Policy Change](auditing/audit-authentication-policy-change.md)
+###### [Event 4706 S: A new trust was created to a domain.](auditing/event-4706.md)
+###### [Event 4707 S: A trust to a domain was removed.](auditing/event-4707.md)
+###### [Event 4716 S: Trusted domain information was modified.](auditing/event-4716.md)
+###### [Event 4713 S: Kerberos policy was changed.](auditing/event-4713.md)
+###### [Event 4717 S: System security access was granted to an account.](auditing/event-4717.md)
+###### [Event 4718 S: System security access was removed from an account.](auditing/event-4718.md)
+###### [Event 4739 S: Domain Policy was changed.](auditing/event-4739.md)
+###### [Event 4864 S: A namespace collision was detected.](auditing/event-4864.md)
+###### [Event 4865 S: A trusted forest information entry was added.](auditing/event-4865.md)
+###### [Event 4866 S: A trusted forest information entry was removed.](auditing/event-4866.md)
+###### [Event 4867 S: A trusted forest information entry was modified.](auditing/event-4867.md)
+##### [Audit Authorization Policy Change](auditing/audit-authorization-policy-change.md)
+###### [Event 4703 S: A user right was adjusted.](auditing/event-4703.md)
+###### [Event 4704 S: A user right was assigned.](auditing/event-4704.md)
+###### [Event 4705 S: A user right was removed.](auditing/event-4705.md)
+###### [Event 4670 S: Permissions on an object were changed.](auditing/event-4670.md)
+###### [Event 4911 S: Resource attributes of the object were changed.](auditing/event-4911.md)
+###### [Event 4913 S: Central Access Policy on the object was changed.](auditing/event-4913.md)
+##### [Audit Filtering Platform Policy Change](auditing/audit-filtering-platform-policy-change.md)
+##### [Audit MPSSVC Rule-Level Policy Change](auditing/audit-mpssvc-rule-level-policy-change.md)
+###### [Event 4944 S: The following policy was active when the Windows Firewall started.](auditing/event-4944.md)
+###### [Event 4945 S: A rule was listed when the Windows Firewall started.](auditing/event-4945.md)
+###### [Event 4946 S: A change has been made to Windows Firewall exception list. A rule was added.](auditing/event-4946.md)
+###### [Event 4947 S: A change has been made to Windows Firewall exception list. A rule was modified.](auditing/event-4947.md)
+###### [Event 4948 S: A change has been made to Windows Firewall exception list. A rule was deleted.](auditing/event-4948.md)
+###### [Event 4949 S: Windows Firewall settings were restored to the default values.](auditing/event-4949.md)
+###### [Event 4950 S: A Windows Firewall setting has changed.](auditing/event-4950.md)
+###### [Event 4951 F: A rule has been ignored because its major version number was not recognized by Windows Firewall.](auditing/event-4951.md)
+###### [Event 4952 F: Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.](auditing/event-4952.md)
+###### [Event 4953 F: Windows Firewall ignored a rule because it could not be parsed.](auditing/event-4953.md)
+###### [Event 4954 S: Windows Firewall Group Policy settings have changed. The new settings have been applied.](auditing/event-4954.md)
+###### [Event 4956 S: Windows Firewall has changed the active profile.](auditing/event-4956.md)
+###### [Event 4957 F: Windows Firewall did not apply the following rule.](auditing/event-4957.md)
+###### [Event 4958 F: Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer.](auditing/event-4958.md)
+##### [Audit Other Policy Change Events](auditing/audit-other-policy-change-events.md)
+###### [Event 4714 S: Encrypted data recovery policy was changed.](auditing/event-4714.md)
+###### [Event 4819 S: Central Access Policies on the machine have been changed.](auditing/event-4819.md)
+###### [Event 4826 S: Boot Configuration Data loaded.](auditing/event-4826.md)
+###### [Event 4909: The local policy settings for the TBS were changed.](auditing/event-4909.md)
+###### [Event 4910: The group policy settings for the TBS were changed.](auditing/event-4910.md)
+###### [Event 5063 S, F: A cryptographic provider operation was attempted.](auditing/event-5063.md)
+###### [Event 5064 S, F: A cryptographic context operation was attempted.](auditing/event-5064.md)
+###### [Event 5065 S, F: A cryptographic context modification was attempted.](auditing/event-5065.md)
+###### [Event 5066 S, F: A cryptographic function operation was attempted.](auditing/event-5066.md)
+###### [Event 5067 S, F: A cryptographic function modification was attempted.](auditing/event-5067.md)
+###### [Event 5068 S, F: A cryptographic function provider operation was attempted.](auditing/event-5068.md)
+###### [Event 5069 S, F: A cryptographic function property operation was attempted.](auditing/event-5069.md)
+###### [Event 5070 S, F: A cryptographic function property modification was attempted.](auditing/event-5070.md)
+###### [Event 5447 S: A Windows Filtering Platform filter has been changed.](auditing/event-5447.md)
+###### [Event 6144 S: Security policy in the group policy objects has been applied successfully.](auditing/event-6144.md)
+###### [Event 6145 F: One or more errors occurred while processing security policy in the group policy objects.](auditing/event-6145.md)
+##### [Audit Sensitive Privilege Use](auditing/audit-sensitive-privilege-use.md)
+###### [Event 4673 S, F: A privileged service was called.](auditing/event-4673.md)
+###### [Event 4674 S, F: An operation was attempted on a privileged object.](auditing/event-4674.md)
+###### [Event 4985 S: The state of a transaction has changed.](auditing/event-4985.md)
+##### [Audit Non Sensitive Privilege Use](auditing/audit-non-sensitive-privilege-use.md)
+###### [Event 4673 S, F: A privileged service was called.](auditing/event-4673.md)
+###### [Event 4674 S, F: An operation was attempted on a privileged object.](auditing/event-4674.md)
+###### [Event 4985 S: The state of a transaction has changed.](auditing/event-4985.md)
+##### [Audit Other Privilege Use Events](auditing/audit-other-privilege-use-events.md)
+###### [Event 4985 S: The state of a transaction has changed.](auditing/event-4985.md)
+##### [Audit IPsec Driver](auditing/audit-ipsec-driver.md)
+##### [Audit Other System Events](auditing/audit-other-system-events.md)
+###### [Event 5024 S: The Windows Firewall Service has started successfully.](auditing/event-5024.md)
+###### [Event 5025 S: The Windows Firewall Service has been stopped.](auditing/event-5025.md)
+###### [Event 5027 F: The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.](auditing/event-5027.md)
+###### [Event 5028 F: The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.](auditing/event-5028.md)
+###### [Event 5029 F: The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.](auditing/event-5029.md)
+###### [Event 5030 F: The Windows Firewall Service failed to start.](auditing/event-5030.md)
+###### [Event 5032 F: Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.](auditing/event-5032.md)
+###### [Event 5033 S: The Windows Firewall Driver has started successfully.](auditing/event-5033.md)
+###### [Event 5034 S: The Windows Firewall Driver was stopped.](auditing/event-5034.md)
+###### [Event 5035 F: The Windows Firewall Driver failed to start.](auditing/event-5035.md)
+###### [Event 5037 F: The Windows Firewall Driver detected critical runtime error. Terminating.](auditing/event-5037.md)
+###### [Event 5058 S, F: Key file operation.](auditing/event-5058.md)
+###### [Event 5059 S, F: Key migration operation.](auditing/event-5059.md)
+###### [Event 6400: BranchCache: Received an incorrectly formatted response while discovering availability of content.](auditing/event-6400.md)
+###### [Event 6401: BranchCache: Received invalid data from a peer. Data discarded.](auditing/event-6401.md)
+###### [Event 6402: BranchCache: The message to the hosted cache offering it data is incorrectly formatted.](auditing/event-6402.md)
+###### [Event 6403: BranchCache: The hosted cache sent an incorrectly formatted response to the client.](auditing/event-6403.md)
+###### [Event 6404: BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.](auditing/event-6404.md)
+###### [Event 6405: BranchCache: %2 instances of event id %1 occurred.](auditing/event-6405.md)
+###### [Event 6406: %1 registered to Windows Firewall to control filtering for the following: %2.](auditing/event-6406.md)
+###### [Event 6407: 1%.](auditing/event-6407.md)
+###### [Event 6408: Registered product %1 failed and Windows Firewall is now controlling the filtering for %2.](auditing/event-6408.md)
+###### [Event 6409: BranchCache: A service connection point object could not be parsed.](auditing/event-6409.md)
+##### [Audit Security State Change](auditing/audit-security-state-change.md)
+###### [Event 4608 S: Windows is starting up.](auditing/event-4608.md)
+###### [Event 4616 S: The system time was changed.](auditing/event-4616.md)
+###### [Event 4621 S: Administrator recovered system from CrashOnAuditFail.](auditing/event-4621.md)
+##### [Audit Security System Extension](auditing/audit-security-system-extension.md)
+###### [Event 4610 S: An authentication package has been loaded by the Local Security Authority.](auditing/event-4610.md)
+###### [Event 4611 S: A trusted logon process has been registered with the Local Security Authority.](auditing/event-4611.md)
+###### [Event 4614 S: A notification package has been loaded by the Security Account Manager.](auditing/event-4614.md)
+###### [Event 4622 S: A security package has been loaded by the Local Security Authority.](auditing/event-4622.md)
+###### [Event 4697 S: A service was installed in the system.](auditing/event-4697.md)
+##### [Audit System Integrity](auditing/audit-system-integrity.md)
+###### [Event 4612 S: Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.](auditing/event-4612.md)
+###### [Event 4615 S: Invalid use of LPC port.](auditing/event-4615.md)
+###### [Event 4618 S: A monitored security event pattern has occurred.](auditing/event-4618.md)
+###### [Event 4816 S: RPC detected an integrity violation while decrypting an incoming message.](auditing/event-4816.md)
+###### [Event 5038 F: Code integrity determined that the image hash of a file is not valid.](auditing/event-5038.md)
+###### [Event 5056 S: A cryptographic self-test was performed.](auditing/event-5056.md)
+###### [Event 5062 S: A kernel-mode cryptographic self-test was performed.](auditing/event-5062.md)
+###### [Event 5057 F: A cryptographic primitive operation failed.](auditing/event-5057.md)
+###### [Event 5060 F: Verification operation failed.](auditing/event-5060.md)
+###### [Event 5061 S, F: Cryptographic operation.](auditing/event-5061.md)
+###### [Event 6281 F: Code Integrity determined that the page hashes of an image file are not valid.](auditing/event-6281.md)
+###### [Event 6410 F: Code integrity determined that a file does not meet the security requirements to load into a process.](auditing/event-6410.md)
+##### [Other Events](auditing/other-events.md)
+###### [Event 1100 S: The event logging service has shut down.](auditing/event-1100.md)
+###### [Event 1102 S: The audit log was cleared.](auditing/event-1102.md)
+###### [Event 1104 S: The security log is now full.](auditing/event-1104.md)
+###### [Event 1105 S: Event log automatic backup.](auditing/event-1105.md)
+###### [Event 1108 S: The event logging service encountered an error while processing an incoming event published from %1.](auditing/event-1108.md)
+##### [Appendix A: Security monitoring recommendations for many audit events](auditing/appendix-a-security-monitoring-recommendations-for-many-audit-events.md)
+##### [Registry (Global Object Access Auditing) ](auditing/registry-global-object-access-auditing.md)
+##### [File System (Global Object Access Auditing) ](auditing/file-system-global-object-access-auditing.md)
 
 ## [Security policy settings](security-policy-settings/security-policy-settings.md)
 ### [Administer security policy settings](security-policy-settings/administer-security-policy-settings.md)
diff --git a/windows/security/threat-protection/change-history-for-threat-protection.md b/windows/security/threat-protection/change-history-for-threat-protection.md
index 4c10382574..79880c8d9b 100644
--- a/windows/security/threat-protection/change-history-for-threat-protection.md
+++ b/windows/security/threat-protection/change-history-for-threat-protection.md
@@ -22,12 +22,12 @@ New or changed topic | Description
 ## January 2018
 |New or changed topic |Description |
 |---------------------|------------|
-|[Windows Defender Application Control](windows-defender-application-control.md)|New topic. WDAC replaces cofigurable code integrity policies. |
+|[Windows Defender Application Control](windows-defender-application-control/windows-defender-application-control.md)|New topic. WDAC replaces cofigurable code integrity policies. |
 
 ## November 2017
 |New or changed topic |Description |
 |---------------------|------------|
-| [How to enable virtualization-based protection of code integrity](enable-virtualization-based-protection-of-code-integrity.md)| New. Explains how to enable HVCI.  |
+| [How to enable virtualization-based protection of code integrity](windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md)| New. Explains how to enable HVCI.  |
 
 
 ## October 2017
diff --git a/windows/security/threat-protection/device-guard/deploy-windows-defender-application-control.md b/windows/security/threat-protection/device-guard/deploy-windows-defender-application-control.md
deleted file mode 100644
index 8becbe0a0e..0000000000
--- a/windows/security/threat-protection/device-guard/deploy-windows-defender-application-control.md
+++ /dev/null
@@ -1,33 +0,0 @@
----
-title: Deploy Windows Defender Device Guard - deploy code integrity policies (Windows 10)
-description: This article, and the articles it links to, describe how to create code integrity policies, one of the main features that are part of Windows Defender Device Guard in Windows 10. 
-keywords: virtualization, security, malware
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: high
-author: brianlic-msft
-ms.date: 10/20/2017
----
-
-# Deploy Windows Defender Application Control
-
-**Applies to**
--   Windows 10
--   Windows Server 2016
-
-This section includes the following topics:
-
-- [Optional: Create a code signing certificate for Windows Defender Application Control](optional-create-a-code-signing-certificate-for-windows-defender-application-control.md)
-- [Deploy Windows Defender Application Control: policy rules and file rules](deploy-windows-defender-application-control-policy-rules-and-file-rules.md)
-- [Deploy Windows Defender Application Control: steps](steps-to-deploy-windows-defender-application-control.md)
-- [Deploy catalog files to support Windows Defender Application Control](deploy-catalog-files-to-support-windows-defender-application-control.md)
-- [Deploy Managed Installer for Windows Defender Application Control](deploy-managed-installer-for-device-guard.md)
-
-To increase the protection for devices that meet certain hardware requirements, you can use virtualization-based protection of code integrity with your Windows Defender Application Control (WDAC) policies.
-- For requirements, see [Hardware, firmware, and software requirements for Windows Defender Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-windows-defender-device-guard) in "Requirements and deployment planning guidelines for Windows Defender Device Guard."
-- For steps, see [Enable virtualization-based protection of code integrity](deploy-device-guard-enable-virtualization-based-security.md).
-
-## Related topics
-
-[Introduction to Windows Defender Device Guard: virtualization-based security and Windows Defender Application Control](introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
-
diff --git a/windows/security/threat-protection/device-guard/device-guard-deployment-guide.md b/windows/security/threat-protection/device-guard/device-guard-deployment-guide.md
deleted file mode 100644
index 5bb386464c..0000000000
--- a/windows/security/threat-protection/device-guard/device-guard-deployment-guide.md
+++ /dev/null
@@ -1,38 +0,0 @@
----
-title: Windows Defender Device Guard deployment guide (Windows 10)
-description: Microsoft Windows Defender Device Guard is a feature set that consists of both hardware and software system integrity hardening features that revolutionize the Windows operating system’s security.
-ms.assetid: 4BA52AA9-64D3-41F3-94B2-B87EC2717486
-keywords: virtualization, security, malware
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: high
-author: brianlic-msft
-ms.date: 10/20/2017
----
-
-# Windows Defender Device Guard deployment guide
-
-**Applies to**
--   Windows 10
--   Windows Server 2016
-
-With thousands of new malicious files created every day, using traditional methods like antivirus solutions—signature-based detection to fight against malware—provides an inadequate defense against new attacks. Windows Defender Device Guard describes a locked-down device configuration state that uses multiple enterprise-related hardware and software security features that run on Windows 10 Enterprise edition and Windows Server. When these features are configured together, Windows Defender Device Guard changes from a mode where apps are trusted unless blocked by an antivirus or other security solution, to a mode where the operating system trusts only apps authorized by your enterprise. If the app isn’t trusted, it can’t run, period. 
-
-Windows Defender Device Guard also uses virtualization-based security to isolate the Code Integrity service and run it alongside the Windows kernel in a hypervisor-protected container. Even if an attacker manages to get control of the Windows kernel itself, the ability to run malicious executable code is much less likely. 
-
-
-## Related topics
-
-[AppLocker overview](/windows/device-security/applocker/applocker-overview)
-
-<!-- The following topic is EIGHT YEARS OLD, but I don't really see anything better out there on Code Integrity that existed before Windows 10. -->
-
-[Code integrity](https://technet.microsoft.com/library/dd348642.aspx)
-
-[Protect derived domain credentials with Windows Defender Credential Guard](/windows/access-protection/credential-guard/credential-guard)
-
-[Driver compatibility with Windows Defender Device Guard in Windows 10](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10)
-
-[Dropping the Hammer Down on Malware Threats with Windows 10’s Windows Defender Device Guard](https://channel9.msdn.com/Events/Ignite/2015/BRK2336)
-
-
diff --git a/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md b/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
index a1b6bbcab8..4d96519ca3 100644
--- a/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
+++ b/windows/security/threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
@@ -5,8 +5,8 @@ keywords: virtualization, security, malware
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.localizationpriority: high
-author: brianlic-msft
-ms.date: 10/20/2017
+author: mdsakibMSFT
+ms.date: 04/19/2018
 ---
 
 # Introduction to Windows Defender Device Guard: virtualization-based security and Windows Defender Application Control
@@ -15,73 +15,39 @@ ms.date: 10/20/2017
 -   Windows 10
 -   Windows Server 2016
 
-With thousands of new malicious files created every day, using traditional methods like antivirus solutions—signature-based detection to fight against malware—provides an inadequate defense against new attacks. Windows Defender Device Guard changes from a mode where apps are trusted unless blocked by an antivirus or other security solution, to a mode where the operating system trusts only apps authorized by your enterprise. You designate these trusted apps by creating *Windows Defender Application Control (WDAC) policies*.
+With Windows 10, we introduced Windows Defender Device Guard, a set of hardware and OS technologies that, when configured together, allow enterprises to lock down Windows systems so they operate with many of the properties of mobile devices. 
+In this configuration, Device Guard restricts devices to only run authorized apps by using a feature called configurable code integrity (CI), while simultaneously hardening the OS against kernel memory attacks through the use of virtualization-based protection of code integrity (more specifically, HVCI). 
 
-> [!NOTE]
-> Prior to Windows 10, version 1709, Windows Defender Application Control was known as configurable code integrity policies.
+Configurable CI has these advantages over other solutions:
 
-On hardware that includes CPU virtualization extensions (called "Intel VT-x" or "AMD-V") and second-level address translation (SLAT), Windows Defender Device Guard can also use Virtualization Based Security (VBS) to run the Code Integrity service alongside the kernel in a Windows hypervisor-protected container, which increases the security of code integrity policies. On hardware that includes input/output memory management units (IOMMUs), Windows Defender Device Guard can also help protect against DMA attacks. The following table provides more information about how Windows Defender Device Guard and these hardware features can help protect against various threats.
+1. Configurable CI policy is enforced by the Windows kernel itself. As such, the policy takes effect early in the boot sequence before nearly all other OS code and before traditional antivirus solutions run. 
+2. Configurable CI allows customers to set application control policy not only over code running in user mode, but also kernel mode hardware and software drivers and even code that runs as part of Windows. 
+3. Customers can protect the configurable CI policy even from local administrator tampering by digitally signing the policy. Then changing the policy requires administrative privilege and access to the organization’s digital signing process, making it extremely difficult for an attacker or malware that managed to gain administrative privilege to alter the application control policy. 
+4. The entire configurable CI enforcement mechanism can be protected by HVCI, where even if a vulnerability exists in kernel mode code, the likelihood that an attacker could successfully exploit it is significantly diminished. Why is this relevant? That’s because an attacker that compromises the kernel would otherwise have enough privilege to disable most system defenses and override the application control policies enforced by configurable CI or any other application control solution.
 
-When Windows Defender Application Control and hardware-based security features are combined, Windows Defender Device Guard provides a locked-down configuration for computers. 
+## (Re-)Introducing Windows Defender Application Control
 
-## How Windows Defender Device Guard features help protect against threats
+When we originally designed Device Guard it was built with a specific security promise in mind. Although there were no direct dependencies between its two main OS features, configurable CI and HVCI, we intentionally focused our marketing story around the Device Guard lockdown state you achieve when deploying them together. 
 
-The following table lists security threats and describes the corresponding Windows Defender Device Guard features:
+However, this unintentionally left an impression for many customers that the two features were inexorably linked and could not be deployed separately. 
+And given that HVCI relies on the Windows virtualization-based security, it comes with additional hardware, firmware, and kernel driver compatibility requirements that some older systems can’t meet. 
 
-| Security threat in the enterprise | How a Windows Defender Device Guard feature helps protect against the threat |
-| --------------------------------- | ----------------------------------------------------------- |
-| **Exposure to new malware**, for which the "signature" is not yet known | **Windows Defender Application Control (WDAC)**:&nbsp;&nbsp;You can maintain a whitelist of software that is allowed to run (a configurable code integrity policy), rather than constantly update a list of "signatures" of software that should be blocked. This approach uses the trust-nothing model well known in mobile device operating systems.<br>Only code that is verified by WDAC, usually through the digital signature that you have identified as being from a trusted signer, is allowed to run. This allows full control over allowed code in both kernel and user mode.<br><br>**Specialized hardware required?** No security-related hardware features are required, but WDAC is strengthened by such features, as described in the next rows.<br><br> [!NOTE] Prior to Windows 10, version 1709, Windows Defender Application Control was known as configurable code integrity policies. |
-| **Exposure to unsigned code** (most malware is unsigned) | **WDAC plus catalog files as needed**:&nbsp;&nbsp;Because most malware is unsigned, WDAC can immediately help protect against a large number of threats. For organizations that use unsigned line-of-business (LOB) applications, you can use a tool called Package Inspector to create a *catalog* of all deployed and executed binary files for your trusted applications. After you sign and distribute the catalog, your trusted applications can be handled by WDAC in the same way as any other signed application. With this foundation, you can more easily block all unsigned applications, allowing only signed applications to run.<br><br>**Specialized hardware required?** No, but WDAC and catalogs are strengthened by the hardware features, as described in the next rows. |
-| **Malware that gains access to the kernel** and then, from within the kernel, captures sensitive information or damages the system | **Virtualization-based protection of code integrity**:&nbsp;&nbsp;This is protection that uses Windows 10’s new virtualization-based security (VBS) feature to help protect the kernel and other parts of the operating system. When virtualization-based protection of code integrity (also known as hypervisor-protected code integrity, or HVCI) is enabled, it strengthens either the default kernel-mode code integrity policy (which protects against bad drivers or system files), or the configurable code integrity policy that you deploy.<br>With HVCI, even if malware gains access to the kernel, the effects can be severely limited because the hypervisor can prevent the malware from executing code. The hypervisor, the most privileged level of system software, enforces R/W/X permissions across system memory.  Code integrity checks are performed in a secure environment which is resistant to attack from kernel mode software, and page permissions for kernel mode are set and maintained by the hypervisor. Even if there are vulnerabilities that allow memory modification, like a buffer overflow, the modified memory cannot be executed.<br><br>**Specialized hardware required?** Yes, VBS requires at least CPU virtualization extensions and SLAT, as described in [Hardware, firmware, and software requirements for Windows Defender Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-windows-defender-device-guard). |
-| **DMA-based attacks**, for example, attacks launched from a malicious device that reads secrets from memory, making the enterprise more vulnerable to attack | **Virtualization-based security (VBS) using IOMMUs**:&nbsp;&nbsp;With this type of VBS protection, when the DMA-based attack makes a memory request, IOMMUs will evaluate the request and deny access.<br><br>**Specialized hardware required?** Yes, IOMMUs are a hardware feature that supports the hypervisor, and if you choose hardware that includes them, they can help protect against malicious attempts to access memory. |
-| **Exposure to boot kits or to a physically present attacker at boot time** | **Universal Extensible Firmware Interface (UEFI) Secure Boot**:&nbsp;&nbsp; Secure Boot and related methods protect the boot process and firmware from tampering. This tampering can come from a physically present attacker or from forms of malware that run early in the boot process or in the kernel after startup. UEFI is locked down (Boot order, Boot entries, Secure Boot, Virtualization extensions, IOMMU, Microsoft UEFI CA), so the settings in UEFI cannot be changed to compromise Windows Defender Device Guard security.<br><br>**Specialized hardware required?** UEFI Secure Boot has firmware requirements. For more information, see [Hardware, firmware, and software requirements for Windows Defender Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-windows-defender-device-guard).  | 
+As a result, many customers assumed that they couldn’t use configurable CI either. 
+But configurable CI carries no specific hardware or software requirements other than running Windows 10, which means many customers were wrongly denied the benefits of this powerful application control capability.
 
-In this guide, you learn about the individual features found within Windows Defender Device Guard as well as how to plan for, configure, and deploy them. Windows Defender Device Guard with WDAC is intended for deployment alongside additional threat-mitigating Windows features such as [Windows Defender Credential Guard](/windows/access-protection/credential-guard/credential-guard) and [AppLocker](/windows/device-security/applocker/applocker-overview).
+Since the initial release of Windows 10, the world has witnessed numerous hacking and malware attacks where application control alone could have prevented the attack altogether. So we are promoting configurable CI within our security stack and giving it a name of its own: [Windows Defender Application Control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control). 
+We hope this branding change will help us better communicate options for adopting application control within an organization.
 
-## New and changed functionality
+Does this mean Windows Defender Device Guard is going away? Not at all. Device Guard will continue to exist as a way to describe the fully locked down state achieved through the use of Windows Defender Application Control (WDAC), HVCI, and hardware and firmware security features. It also allows us to work with our OEM partners to identify specifications for devices that are “Device Guard capable” so that our joint customers can easily purchase devices that meet all of the hardware and firmware requirements of the original Device Guard scenario.
 
-Prior to Windows 10, version 1709, Windows Defender Application Control (WDAC) was known as configurable code integrity policies. 
+## Related topics
 
-Beginning with Windows 10, version 1703, you can use WDAC not only to control applications, but also to control whether specific plug-ins, add-ins, and modules can run from specific apps (such as a line-of-business application or a browser). For more information, see [Use a Windows Defender Application Control policy to control specific plug-ins, add-ins, and modules](steps-to-deploy-windows-defender-application-control.md#use-a-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules).
+[Windows Defender Application Control](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control)
 
-## Tools for managing Windows Defender Device Guard features
+[Dropping the Hammer Down on Malware Threats with Windows 10’s Windows Defender Device Guard](https://channel9.msdn.com/Events/Ignite/2015/BRK2336)
 
-You can easily manage Windows Defender Device Guard features by using familiar enterprise and client-management tools that IT pros use every day:
-
-<!-- The item about "Intune" below could be updated at some point, when more information and a link are available. -->
-
--   **Group Policy**. Windows 10 provides an administrative template to configure and deploy the configurable WDAC policies for your organization. Another template allows you to specify which hardware-based security features you would like to enable and deploy. You can manage these settings along with your existing Group Policy Objects (GPOs), which makes it simpler to implement Windows Defender Device Guard features. In addition to these WDAC and hardware-based security features, you can use Group Policy to help you manage your catalog files.
-
-    - For a description of catalog files, see the table row describing **Exposure to unsigned code** in [How Windows Defender Device Guard features help protect against threats](#how-windows-defender-device-guard-features-help-protect-against-threats), earlier in this topic.
-    - For information about using Group Policy as a deployment tool, see:<br>[Deploy catalog files with Group Policy](deploy-catalog-files-to-support-windows-defender-application-control.md#deploy-catalog-files-with-group-policy)<br>[Deploy and manage WDAC with Group Policy](steps-to-deploy-windows-defender-application-control.md#deploy-and-manage-windows-defender-application-control-with-group-policy)
-
--   **Microsoft System Center Configuration Manager**. You can use System Center Configuration Manager to simplify deployment and management of catalog files, WDAC policies, and hardware-based security features, as well as provide version control. For more information, see [Deploy catalog files with System Center Configuration Manager](deploy-catalog-files-to-support-windows-defender-application-control.md#deploy-catalog-files-with-system-center-configuration-manager).
-
-- **Microsoft Intune**. You can use Microsoft Intune to simplify deployment and management of WDAC policies, as well as provide version control. In a future release of Microsoft Intune, Microsoft is considering including features that will support the deployment and management of catalog files.
-
--   **Windows PowerShell**. You can use Windows PowerShell to create and service WDAC policies. For more information, see [Deploy Windows Defender Application Control: steps](steps-to-deploy-windows-defender-application-control.md).
-
-These options provide the same experience you're used to in order to manage your existing enterprise management solutions. 
-
-For more information about the deployment of Windows Defender Device Guard features, see:
-- [Deploy Windows Defender Application Control](deploy-windows-defender-application-control.md)
-- [Deploy virtualization-based protection of code integrity](deploy-device-guard-enable-virtualization-based-security.md)
-
-## Other features that relate to Windows Defender Device Guard
-
-### Windows Defender Device Guard with AppLocker
-
-Although [AppLocker](/windows/device-security/applocker/applocker-overview) is not considered a new Windows Defender Device Guard feature, it complements Windows Defender Device Guard functionality when WDAC cannot be fully implemented or its functionality does not cover every desired scenario. There are many scenarios in which WDAC would be used alongside AppLocker rules. As a best practice, you should enforce WDAC at the most restrictive level possible for your organization, and then you can use AppLocker to fine-tune the restrictions to an even lower level.
-
-> **Note**&nbsp;&nbsp;One example of how Windows Defender Device Guard functionality can be enhanced by AppLocker is when you want to apply different policies for different users on the same device. For example, you may allow your IT support personnel to run additional apps that you do not allow for your end-users. You can accomplish this user-specific enforcement by using an AppLocker rule.
-
-AppLocker and Windows Defender Device Guard should run side-by-side in your organization, which offers the best of both security features at the same time and provides the most comprehensive security to as many devices as possible. In addition to these features, we recommend that you continue to maintain an enterprise antivirus solution for a well-rounded enterprise security portfolio.
-
-### Windows Defender Device Guard with Windows Defender Credential Guard
-
-Another Windows 10 feature that employs VBS is [Windows Defender Credential Guard](/windows/access-protection/credential-guard/credential-guard). Windows Defender Credential Guard provides additional protection to Active Directory domain users by storing domain credentials within the same type of VBS virtualization container that hosts code integrity when HVCI is enabled. By isolating these domain credentials from the active user mode and kernel mode, they have a much lower risk of being stolen. For more information about Windows Defender Credential Guard (which is not a feature within Windows Defender Device Guard), see [Protect derived domain credentials with Windows Defender Credential Guard](/windows/access-protection/credential-guard/credential-guard).
-
-Windows Defender Credential Guard is targeted at resisting pass-the-hash and pass-the-ticket techniques. By employing multifactor authentication with Windows Defender Credential Guard, organizations can gain additional protection against such threats. 
+[Driver compatibility with Windows Defender Device Guard in Windows 10](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10)
 
+[Code integrity](https://technet.microsoft.com/library/dd348642.aspx)
 
 
diff --git a/windows/security/threat-protection/device-guard/planning-and-getting-started-on-the-device-guard-deployment-process.md b/windows/security/threat-protection/device-guard/planning-and-getting-started-on-the-device-guard-deployment-process.md
deleted file mode 100644
index b2c2cb7926..0000000000
--- a/windows/security/threat-protection/device-guard/planning-and-getting-started-on-the-device-guard-deployment-process.md
+++ /dev/null
@@ -1,78 +0,0 @@
----
-title: Planning and getting started on the Windows Defender Device Guard deployment process (Windows 10)
-description: To help you plan and begin the initial test stages of a deployment of Microsoft Windows Defender Device Guard, this article outlines how to gather information, create a plan, and begin to create and test initial code integrity policies. 
-keywords: virtualization, security, malware
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: high
-author: brianlic-msft
-ms.date: 10/20/2017
----
-
-# Planning and getting started on the Windows Defender Device Guard deployment process
-
-**Applies to**
--   Windows 10
--   Windows Server 2016
-
-This topic provides a roadmap for planning and getting started on the Windows Defender Device Guard deployment process, with links to topics that provide additional detail. Planning for Windows Defender Device Guard deployment involves looking at both the end-user and the IT pro impact of your choices. Use the following steps to guide you.
-
-## Planning
-
-1. **Review requirements, especially hardware requirements for VBS**. Review the virtualization-based security (VBS) features described in [How Windows Defender Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md#how-windows-defender-device-guard-features-help-protect-against-threats). Then you can assess your end-user systems to see how many support the VBS features you are interested in, as described in [Hardware, firmware, and software requirements for Windows Defender Device Guard](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-windows-defender-device-guard). 
-
-2. **Group devices by degree of control needed**. Group devices according to the table in [Windows Defender Device Guard deployment in different scenarios: types of devices](requirements-and-deployment-planning-guidelines-for-device-guard.md#windows-defender-device-guard-deployment-in-different-scenarios-types-of-devices). Do most devices fit neatly into a few categories, or are they scattered across all categories? Are users allowed to install any application or must they choose from a list? Are users allowed to use their own peripheral devices?<br>Deployment is simpler if everything is locked down in the same way, but meeting individual departments’ needs, and working with a wide variety of devices, may require a more complicated and flexible deployment.
-
-3. **Review how much variety in software and hardware is needed by roles or departments**. When several departments all use the same hardware and software, you might need to deploy only one Windows Defender Application Control (WDAC) policy for them. More variety across departments might mean you need to create and manage more WDAC policies. The following questions can help you clarify how many WDAC policies to create:
-    - How standardized is the hardware?<br>This can be relevant because of drivers. You could create a WDAC policy on hardware that uses a particular set of drivers, and if other drivers in your environment use the same signature, they would also be allowed to run. However, you might need to create several WDAC policies on different "reference" hardware, then merge the policies together, to ensure that the resulting policy recognizes all the drivers in your environment.
-
-    - What software does each department or role need? Should they be able to install and run other departments’ software?<br>If multiple departments are allowed to run the same list of software, you might be able to merge several WDAC policies to simplify management.
-         
-    - Are there departments or roles where unique, restricted software is used?<br>If one department needs to run an application that no other department is allowed, it might require a separate WDAC policy. Similarly, if only one department must run an old version of an application (while other departments allow only the newer version), it might require a separate WDAC policy.
-
-    - Is there already a list of accepted applications?<br>A list of accepted applications can be used to help create a baseline WDAC policy.<br>As of Windows 10, version 1703, it might also be useful to have a list of plug-ins, add-ins, or modules that you want to allow only in a specific app (such as a line-of-business app). Similarly, it might be useful to have a list of plug-ins, add-ins, or modules that you want to block in a specific app (such as a browser).
-
-    - As part of a threat review process, have you reviewed systems for software that can load arbitrary DLLs or run code or scripts? 
-    In day-to-day operations, your organization’s security policy may allow certain applications, code, or scripts to run on your systems depending on their role and the context. However, if your security policy requires that you run only trusted applications, code, and scripts on your systems, you may decide to lock these systems down securely with Windows Defender Application Control policies. You can also fine-tune your control by using Windows Defender Application Control in combination with AppLocker, as described in [Windows Defender Device Guard with AppLocker](introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md#windows-defender-device-guard-with-applocker). 
-
-    Legitimate applications from trusted vendors provide valid functionality. However, an attacker could also potentially use that same functionality to run malicious executable code that could bypass WDAC.
-
-    For operational scenarios that require elevated security, certain applications with known Code Integrity bypasses may represent a security risk if you whitelist them in your WDAC policies. Other applications where older versions of the application had vulnerabilities also represent a risk. Therefore, you may want to deny or block such applications from your WDAC policies. For applications with vulnerabilities, once the vulnerabilities are fixed you can create a rule that only allows the fixed or newer versions of that application. The decision to allow or block applications depends on the context and on how the reference system is being used.
-
-    Security professionals collaborate with Microsoft continuously to help protect customers. With the help of their valuable reports, Microsoft has identified a list of known applications that an attacker could potentially use to bypass Windows Defender Application Control. Depending on the context, you may want to block these applications. To view this list of applications and for use case examples, such as disabling msbuild.exe, see [Deploy Windows Defender Application Control: steps](steps-to-deploy-windows-defender-application-control.md).
-
-
-
-
-
-
-4.  **Identify LOB applications that are currently unsigned**. Although requiring signed code (through WDAC) protects against many threats, your organization might use unsigned LOB applications, for which the process of signing might be difficult. You might also have applications that are signed, but you want to add a secondary signature to them. If so, identify these applications, because you will need to create a catalog file for them. For a basic description of catalog files, see the table in [Introduction to Windows Defender Device Guard: virtualization-based security and Windows Defender Application Control](introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md). For more background information about catalog files, see [Reviewing your applications: application signing and catalog files](requirements-and-deployment-planning-guidelines-for-device-guard.md#reviewing-your-applications-application-signing-and-catalog-files).
-
-## Getting started on the deployment process
-
-1.  **Optionally, create a signing certificate for Windows Defender Application Control**. As you deploy WDAC, you might need to sign catalog files or WDAC policies internally. To do this, you will either need a publicly issued code signing certificate (that you purchase) or an internal CA. If you choose to use an internal CA, you will need to create a code signing certificate. For more information, see [Optional: Create a code signing certificate for Windows Defender Application Control](optional-create-a-code-signing-certificate-for-windows-defender-application-control.md).
-
-2.  **Create WDAC policies from “golden” computers**. When you have identified departments or roles that use distinctive or partly-distinctive sets of hardware and software, you can set up “golden” computers containing that software and hardware. In this respect, creating and managing WDAC policies to align with the needs of roles or departments can be similar to managing corporate images. From each “golden” computer, you can create a WDAC policy, and decide how to manage that policy. You can merge WDAC policies to create a broader policy or a master policy, or you can manage and deploy each policy individually. For more information, see:
-    - [Deploy Windows Defender Application Control: policy rules and file rules](deploy-windows-defender-application-control-policy-rules-and-file-rules.md)
-    - [Deploy Windows Defender Application Control: steps](steps-to-deploy-windows-defender-application-control.md)<br>
-
-3.  **Audit the WDAC policy and capture information about applications that are outside the policy**. We recommend that you use “audit mode” to carefully test each WDAC policy before you enforce it. With audit mode, no application is blocked—the policy just logs an event whenever an application outside the policy is started. Later, you can expand the policy to allow these applications, as needed. For more information, see [Audit Windows Defender Application Control policies](steps-to-deploy-windows-defender-application-control.md#audit-windows-defender-application-control-policies).
-
-4.  **Create a “catalog file” for unsigned LOB applications**. Use the Package Inspector tool to create and sign a catalog file for your unsigned LOB applications. For more information, review step 4 **Identify LOB applications that are currently unsigned**, earlier in this list, and see [Deploy catalog files to support Windows Defender Application Control](deploy-catalog-files-to-support-windows-defender-application-control.md). In later steps, you can merge the catalog file's signature into your WDAC policy, so that applications in the catalog will be allowed by the policy. 
-
-6.  **Capture needed policy information from the event log, and merge information into the existing policy as needed**. After a WDAC policy has been running for a time in audit mode, the event log will contain information about applications that are outside the policy. To expand the policy so that it allows for these applications, use Windows PowerShell commands to capture the needed policy information from the event log, and then merge that information into the existing policy. You can merge WDAC policies from other sources also, for flexibility in how you create your final WDAC policies. For more information, see:
-    - [Create a Windows Defender Application Control policy that captures audit information from the event log](steps-to-deploy-windows-defender-application-control.md#create-a-windows-defender-application-control-policy-that-captures-audit-information-from-the-event-log)
-    - [Merge Windows Defender Application Control policies](steps-to-deploy-windows-defender-application-control.md#merge-windows-defender-application-control-policies)<br>
-
-7.  **Deploy WDAC policies and catalog files**. After you confirm that you have completed all the preceding steps, you can begin deploying catalog files and taking WDAC policies out of auditing mode. We strongly recommend that you begin this process with a test group of users. This provides a final quality-control validation before you deploy the catalog files and WDAC policies more broadly. For more information, see:
-    - [Enforce Windows Defender Application Control policies](steps-to-deploy-windows-defender-application-control.md#enforce-windows-defender-application-control-policies)
-    - [Deploy and manage Windows Defender Application Control with Group Policy](steps-to-deploy-windows-defender-application-control.md#deploy-and-manage-windows-defender-application-control-with-group-policy)<br>
-
-8.  **Enable desired virtualization-based security (VBS) features**. Hardware-based security features—also called virtualization-based security (VBS) features—strengthen the protections offered by Windows Defender Application Control, as described in [How Windows Defender Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md#how-windows-defender-device-guard-features-help-protect-against-threats). 
-
-    > [!WARNING]
-    >  Virtualization-based protection of code integrity may be incompatible with some devices and applications. We strongly recommend testing this configuration in your lab before enabling virtualization-based protection of code integrity on production systems. Failure to do so may result in unexpected failures up to and including data loss or a blue screen error (also called a stop error).
-
-    For information about enabling VBS features, see [Enable virtualization-based protection of code integrity](deploy-device-guard-enable-virtualization-based-security.md).
-
-<br />
diff --git a/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md b/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md
deleted file mode 100644
index 418d67676f..0000000000
--- a/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-device-guard.md
+++ /dev/null
@@ -1,157 +0,0 @@
----
-title: Requirements and deployment planning guidelines for Windows Defender Device Guard (Windows 10)
-description: To help you plan a deployment of Microsoft Windows Defender Device Guard, this article describes hardware requirements for Windows Defender Device Guard, outlines deployment approaches, and describes methods for code signing and the deployment of code integrity policies. 
-keywords: virtualization, security, malware
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: high
-author: brianlic-msft
-ms.date: 10/20/2017
----
-
-# Requirements and deployment planning guidelines for Windows Defender Device Guard
-
-**Applies to**
--   Windows 10
--   Windows Server 2016
-
-The information in this article is intended for IT professionals, and provides a foundation for [Planning and getting started on the Windows Defender Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md).
-
->**Note**&nbsp;&nbsp;If you are an OEM, see the requirements information at [PC OEM requirements for Windows Defender Device Guard and Windows Defender Credential Guard](https://msdn.microsoft.com/library/windows/hardware/mt767514.aspx).
-
-## Hardware, firmware, and software requirements for Windows Defender Device Guard
-
-To deploy Windows Defender Device Guard in a way that uses all of its virtualization-based security (VBS) features, the computers you are protecting must meet certain hardware, firmware, and software requirements. However, computers lacking some of the hardware and firmware requirements will still receive some protection when you deploy Windows Defender Application Control (WDAC) policies—the difference is that those computers will not be as hardened against certain threats. 
-
-For example, hardware that includes CPU virtualization extensions and SLAT will be hardened against malware that attempts to gain access to the kernel, but without protected BIOS options such as “Boot only from internal hard drive,” the computer could be booted (by a malicious person who has physical access) into an operating system on bootable media. For an outline of how VBS-related hardware strengthens the hardening offered by Windows Defender Device Guard, see [Introduction to Windows Defender Device Guard: virtualization-based security and Windows Defender Application Control](introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md).
-
-You can deploy Windows Defender Device Guard in phases, and plan these phases in relation to the computer purchases you plan for your next hardware refresh.
-
-> [!WARNING]
->  Virtualization-based protection of code integrity may be incompatible with some devices and applications. We strongly recommend testing this configuration in your lab before enabling virtualization-based protection of code integrity on production systems. Failure to do so may result in unexpected failures up to and including data loss or a blue screen error (also called a stop error).
-
-The following tables provide more information about the hardware, firmware, and software required for deployment of various Windows Defender Device Guard features. The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017.
-
-> **Notes**<br>
-> • To understand the requirements in the following tables, you will need to be familiar with the main features in Windows Defender Device Guard: Windows Defender Application Control (WDAC), virtualization-based protection of code integrity, and Universal Extensible Firmware Interface (UEFI) Secure Boot. For information about these features, see [How Windows Defender Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md#how-windows-defender-device-guard-features-help-protect-against-threats).<br>
-> • Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new computers. 
-
-## Baseline protections
-
-|Baseline Protections            | Description                                        | Security benefits |
-|--------------------------------|----------------------------------------------------|-------------------|
-| Hardware: **64-bit CPU**       | A 64-bit computer is required for the Windows hypervisor to provide VBS. |  | 
-| Hardware: **CPU virtualization extensions**,<br>plus **extended page tables** | These hardware features are required for VBS:<br>One of the following virtualization extensions:<br>• VT-x (Intel) or<br>• AMD-V<br>And:<br>• Extended page tables, also called Second Level Address Translation (SLAT). | VBS provides isolation of the secure kernel from the normal operating system. Vulnerabilities and zero-days in the normal operating system cannot be exploited because of this isolation. |
-| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot) | UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots.  |
-| Firmware: **Secure firmware update process**      | UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](http://msdn.microsoft.com/library/windows/hardware/dn932805.aspx#system-fundamentals-firmware-uefisecureboot). | UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. |
-| Software: **HVCI compatible drivers**       | See the Windows Hardware Compatibility Program requirements under [Filter.Driver.DeviceGuard.DriverCompatibility](https://msdn.microsoft.com/library/windows/hardware/mt589732(v=vs.85).aspx).| [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode.  |
-| Software: Qualified **Windows operating system**  | Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise<br><blockquote><p><strong>Important:</strong><br> Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. Only virtualization-based protection of code integrity is supported in this configuration.</p></blockquote> | Support for VBS and for management features that simplify configuration of Windows Defender Device Guard. |
-
-> **Important**&nbsp;&nbsp;The following tables list additional qualifications for improved security. You can use Windows Defender Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting these additional qualifications to significantly strengthen the level of security that Windows Defender Device Guard can provide.
-
-## Additional qualifications for improved security
-
-The following tables describe additional hardware and firmware qualifications, and the improved security that is available when these qualifications are met.
-
-
-### Additional security qualifications starting with Windows 10, version 1507, and Windows Server 2016, Technical Preview 4
-
-| Protections for Improved Security       | Description                                        | Security benefits |
-|---------------------------------------------|----------------------------------------------------|------|
-| Firmware: **Securing Boot Configuration and Management** | • BIOS password or stronger authentication must be supported.<br>• In the BIOS configuration, BIOS authentication must be set.<br>• There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.<br>• In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings. | • BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This helps protect against a physically present user with BIOS access.<br>• Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. |
-
-<br>
-
-### Additional security qualifications starting with Windows 10, version 1607, and Windows Server 2016
-
-
-| Protections for Improved Security        | Description                                        | Security benefits |
-|---------------------------------------------|----------------------------------------------------|-----|
-| Firmware: **Hardware Rooted Trust Platform Secure Boot** | • Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://msdn.microsoft.com/library/windows/hardware/dn932807(v=vs.85).aspx#system_fundamentals_firmware_cs_uefisecureboot_connectedstandby)<br>• The Hardware Security Test Interface (HSTI) 1.1.a must be implemented. See [Hardware Security Testability Specification](https://msdn.microsoft.com/en-us/library/windows/hardware/mt712332.aspx). | • Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.<br>• HSTI 1.1.a provides additional security assurance for correctly secured silicon and platform. |
-| Firmware: **Firmware Update through Windows Update** | Firmware must support field updates through Windows Update and UEFI encapsulation update. | Helps ensure that firmware updates are fast, secure, and reliable. |
-| Firmware: **Securing Boot Configuration and Management** | • Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.<br>• Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.| • Enterprises can choose to allow proprietary EFI drivers/applications to run.<br>• Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. |
-
-<br>
-
-### Additional security qualifications starting with Windows 10, version 1703 
-
-
-| Protections for Improved Security          | Description                                        | Security benefits |
-|---------------------------------------------|----------------------------------------------------|------|
-| Firmware: **VBS enablement of NX protection for UEFI runtime services** | • VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be exceutable.<br>• UEFI runtime service must meet these requirements: <br>&nbsp;&nbsp;&nbsp;&nbsp;• Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table. <br>&nbsp;&nbsp;&nbsp;&nbsp;• PE sections need to be page-aligned in memory (not required for in non-volitile storage).<br>&nbsp;&nbsp;&nbsp;&nbsp;• The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;• All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both <br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;• No entries may be left with neither of the above attributes, indicating memory that is both exceutable and writable. Memory must be either readable and executable or writeable and non-executable. <br><blockquote><p><strong>Notes:</strong><br>• This only applies to UEFI runtime service memory, and not UEFI boot service memory. <br>• This protection is applied by VBS on OS page tables.</p></blockquote><br> Please also note the following: <br>• Do not use sections that are both writeable and exceutable<br>• Do not attempt to directly modify executable system memory<br>• Do not use dynamic code  | • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)<br>• Reduces the attack surface to VBS from system firmware.   |
-| Firmware: **Firmware support for SMM protection** | The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.| • Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)<br>• Reduces the attack surface to VBS from system firmware.<br>• Blocks additional security attacks against SMM.  |
-
-## Windows Defender Device Guard deployment in different scenarios: types of devices
-
-Typically, deployment of Windows Defender Device Guard happens best in phases, rather than being a feature that you simply “turn on.” The choice and sequence of phases depends on the way various computers and other devices are used in your organization, and to what degree IT manages those devices. The following table can help you begin to develop a plan for deploying Windows Defender Device Guard in your organization.
-
-| **Type of device**                 | **How Windows Defender Device Guard relates to this type of device**  | **Windows Defender Device Guard components that you can use to protect this kind of device**    |
-|------------------------------------|------------------------------------------------------|--------------------------------------------------------------------------------|
-| **Fixed-workload devices**: Perform same tasks every day.<br>Lists of approved applications rarely change.<br>Examples: kiosks, point-of-sale systems, call center computers. | Windows Defender Device Guard can be deployed fully, and deployment and ongoing administration are relatively straightforward.<br>After Windows Defender Device Guard deployment, only approved applications can run. This is because of protections offered by WDAC. | - VBS (hardware-based) protections, enabled.<br><br>• WDAC in enforced mode, with UMCI enabled. |
-| **Fully managed devices**: Allowed software is restricted by IT department.<br>Users can request additional software, or install from a list of applications provided by IT department.<br>Examples: locked-down, company-owned desktops and laptops. | An initial baseline WDAC policy can be established and enforced. Whenever the IT department approves additional applications, it will update the WDAC policy and (for unsigned LOB applications) the catalog.<br>WDAC policies are supported by the HVCI service. | - VBS (hardware-based) protections, enabled.<br><br>• WDAC in enforced mode, with UMCI enabled. |
-| **Lightly managed devices**: Company-owned, but users are free to install software.<br>Devices are required to run organization's antivirus solution and client management tools. | Windows Defender Device Guard can be used to help protect the kernel, and to monitor (audit) for problem applications rather than limiting the applications that can be run. | - VBS (hardware-based) protections, enabled. When enabled with a WDAC policy in audit mode only, VBS means the hypervisor helps enforce the default kernel-mode code integrity policy, which protects against unsigned drivers or system files.<br><br>• WDAC, with UMCI enabled, but running in audit mode only. This means applications are not blocked—the policy just logs an event whenever an application outside the policy is started.  |
-| **Bring Your Own Device**: Employees are allowed to bring their own devices, and also use those devices away from work. | Windows Defender Device Guard does not apply. Instead, you can explore other hardening and security features with MDM-based conditional access solutions, such as Microsoft Intune. | N/A | 
-
-## Windows Defender Device Guard deployment in virtual machines
-
-Windows Defender Device Guard can protect a Hyper-V virtual machine, just as it would a physical machine. The steps to enable Windows Defender Device Guard are the same from within the virtual machine.
-
-Windows Defender Device Guard protects against malware running in the guest virtual machine. It does not provide additional protection from the host administrator. From the host, you can disable Windows Defender Device Guard for a virtual machine:
-
-` Set-VMSecurity -VMName <VMName> -VirtualizationBasedSecurityOptOut $true`
-
-
-### Requirements for running Windows Defender Device Guard in Hyper-V virtual machines 
- -   The Hyper-V host must run at least Windows Server 2016 or Windows 10 version 1607.
- -   The Hyper-V virtual machine must be Generation 2, and running at least Windows Server 2016 or Windows 10. 
- -   Windows Defender Device Guard and [nested virtualization](https://docs.microsoft.com/en-us/virtualization/hyper-v-on-windows/user-guide/nested-virtualization) cannot be enabled at the same time. 
- -   Virtual Fibre Channel adapters are not compatible with Windows Defender Device Guard. Before attaching a virtual Fibre Channel Adapter to a virtual machine, you must first opt out of virtualization-based security using Set-VMSecurity.
- -   The AllowFullSCSICommandSet option for pass-through disks is not compatible with Windows Defender Device Guard. Before configuring a pass-through disk with AllowFullSCSICommandSet, you must first opt out of virtualization-based security using Set-VMSecurity.
-
-
-## Reviewing your applications: application signing and catalog files 
-
-Typically, WDAC policies are configured to use the application's signing certificate as part or all of what identifies the application as trusted. This means that applications must either use embedded signing—where the signature is part of the binary—or catalog signing, where you generate a “catalog file” from the applications, sign it, and through the signed catalog file, configure the WDAC policy to recognize the applications as signed.
-
-Catalog files can be very useful for unsigned LOB applications that cannot easily be given an embedded signature. However, catalogs need to be updated each time an application is updated. In contrast, with embedded signing, your WDAC policies typically do not have to be updated when an application is updated. For this reason, if code-signing is or can be included in your in-house application development process, it can simplify the management of WDAC (compared to using catalog signing).
-
-To obtain signed applications or embed signatures in your in-house applications, you can choose from a variety of methods:
-
-- Using the Microsoft Store publishing process. All apps that come out of the Microsoft Store are automatically signed with special signatures that can roll-up to our certificate authority (CA) or to your own.
-
-- Using your own digital certificate or public key infrastructure (PKI). ISV's and enterprises can sign their own Classic Windows applications themselves, adding themselves to the trusted list of signers.
-
-- Using a non-Microsoft signing authority. ISV's and enterprises can use a trusted non-Microsoft signing authority to sign all of their own Classic Windows applications.
-
-To use catalog signing, you can choose from the following options:
-
-- Use the Windows Defender Device Guard signing portal available in the Microsoft Store for Business. The portal is a Microsoft web service that you can use to sign your Classic Windows applications. For more information, see [Windows Defender Device Guard signing](https://technet.microsoft.com/itpro/windows/manage/device-guard-signing-portal).
-
-- Create your own catalog files, which are described in the next section. For information about how creating catalog files fits into Windows Defender Device Guard deployment, see [Planning and getting started on the Windows Defender Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md).
-
-### Catalog files
-
-Catalog files (which you can create in Windows 10 with a tool called Package Inspector) contain information about all deployed and executed binary files associated with your trusted but unsigned applications. When you create catalog files, you can also include signed applications for which you do not want to trust the signer but rather the specific application. After creating a catalog, you must sign the catalog file itself by using enterprise public key infrastructure (PKI), or a purchased code signing certificate. Then you can distribute the catalog, so that your trusted applications can be handled by WDAC in the same way as any other signed application.
-
-Catalog files are simply Secure Hash Algorithm 2 (SHA2) hash lists of discovered binaries. These binaries’ hash values are updated each time an application is updated, which requires the catalog file to be updated also.
-
-After you have created and signed your catalog files, you can configure your WDAC policies to trust the signer or signing certificate of those files.
-
-> **Note**&nbsp;&nbsp;Package Inspector only works on operating systems that support Windows Defender Device Guard, such as Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT.
-
-For information about how creating catalog files fits into Windows Defender Device Guard deployment, see [Planning and getting started on the Windows Defender Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md). For procedures for working with catalog files, see [Deploy catalog files to support Windows Defender Application Control](deploy-catalog-files-to-support-windows-defender-application-control.md).
-
-## Windows Defender Application Control policy formats and signing
-
-When you generate a WDAC policy, you are generating a binary-encoded XML document that includes configuration settings for both the User and Kernel-modes of Windows 10 Enterprise, along with restrictions on Windows 10 script hosts. You can view your original XML document in a text editor, for example if you want to check the rule options that are present in the **&lt;Rules&gt;** section of the file.
-
-We recommend that you keep the original XML file for use when you need to merge the WDAC policy with another policy or update its rule options. For deployment purposes, the file is converted to a binary format, which can be done using a simple Windows PowerShell command.
-
-When the WDAC policy is deployed, it restricts the software that can run on a device. The XML document can be signed, helping to add additional protection against administrative users changing or removing the policy. 
-
-## Related topics
-
-- [Planning and getting started on the Windows Defender Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md)
-- [Deploy Windows Defender Application Control](deploy-windows-defender-application-control.md)
-
-
diff --git a/windows/security/threat-protection/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/enable-virtualization-based-protection-of-code-integrity.md
deleted file mode 100644
index 158b2fede1..0000000000
--- a/windows/security/threat-protection/enable-virtualization-based-protection-of-code-integrity.md
+++ /dev/null
@@ -1,72 +0,0 @@
----
-title: Enable virtualization-based protection of code integrity 
-description: This article explains the steps to opt in to using HVCI on Windows devices. 
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.localizationpriority: high
-ms.author: justinha
-author: brianlic-msft
-ms.date: 11/28/2017
----
-
-# Enable virtualization-based protection of code integrity 
-
-**Applies to**  
-
-- Windows 10
-- Windows Server 2016 
-
-Virtualization-based protection of code integrity (herein referred to as hypervisor-protected code integrity, or HVCI) is a powerful system mitigation that leverages hardware virtualization and the Windows Hyper-V hypervisor to protect Windows kernel-mode processes against the injection and execution of malicious or unverified code. 
-Code integrity validation is performed in a secure environment that is resistant to attack from malicious software, and page permissions for kernel mode are set and maintained by the Hyper-V hypervisor.  
-
-Some applications, including device drivers, may be incompatible with HVCI. 
-This can cause devices or software to malfunction and in rare cases may result in a Blue Screen. Such issues may occur after HVCI has been turned on or during the enablement process itself. 
-If this happens, see [Troubleshooting](#troubleshooting) for remediation steps. 
-
-## How to turn on virtualization-based protection of code integrity on the Windows 10 Fall Creators Update (version 1709) 
-
-These steps apply to Windows 10 S, Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education. 
-
-The following instructions are intended for Windows 10 client systems running the Fall Creators Update (version 1709) that have hypervisor support and that are not already using a [Windows Defender Application Control (WDAC)](https://blogs.technet.microsoft.com/mmpc/2017/10/23/introducing-windows-defender-application-control/) policy. 
-If your device already has a WDAC policy (SIPolicy.p7b), please contact your IT administrator to request HVCI. 
-
-> [!NOTE]
-> You must be an administrator to perform this procedure. 
-
-1. Download the [Enable HVCI cabinet file](http://download.microsoft.com/download/7/A/F/7AFBCDD1-578B-49B0-9B27-988EAEA89A8B/EnableHVCI.cab).
-
-2. Open the cabinet file.
-
-3. Right-click the SIPolicy.p7b file and extract it. Then move it to the following location: 
-
-   C:\Windows\System32\CodeIntegrity
-
-   > [!NOTE]
-   > Do not perform this step if a SIPolicy.p7b file is already in this location.
-
-4. Turn on the hypervisor:
-
-   a. Click Start, type **Turn Windows Features on or off** and press ENTER. 
-
-   b. Select **Hyper-V** > **Hyper-V Platform** > **Hyper-V Hypervisor** and click **OK**.  
-
-      ![Turn Windows features on or off](images\turn-windows-features-on-or-off.png)
-
-   c. After the installation completes, restart your computer. 
-
-5. To confirm HVCI was successfully enabled, open **System Information** and check **Virtualization-based security Services Running**, which should now display **Hypervisor enforced Code Integrity**.      
-
-
-## Troubleshooting
-
-A. If a device driver fails to load or crashes at runtime, you may be able to update the driver using **Device Manager**.
-
-B. If you experience software or device malfunction after using the above procedure to turn on HVCI, but you are able to log in to Windows, you can turn off HVCI by renaming or deleting the SIPolicy.p7b file from the file location in step 3 above and then restart your device.
-
-C. If you experience a critical error during boot or your system is unstable after using the above procedure to turn on HVCI, you can recover using the Windows Recovery Environment (Windows RE). To boot to Windows RE, see [Windows RE Technical Reference](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference). After logging in to Windows RE, you can turn off HVCI by renaming or deleting the SIPolicy.p7b file from the file location in step 3 above and then restart your device.
-
-## How to turn off HVCI on the Windows 10 Fall Creators Update
-
-1.	Rename or delete the SIPolicy.p7b file located at C:\Windows\System32\CodeIntegrity.
-2.	Restart the device.
-3.	To confirm HVCI has been successfully disabled, open System Information and check **Virtualization-based security Services Running**, which should now have no value displayed.
diff --git a/windows/security/threat-protection/index.md b/windows/security/threat-protection/index.md
index eb51bd3da1..f2c623bd85 100644
--- a/windows/security/threat-protection/index.md
+++ b/windows/security/threat-protection/index.md
@@ -19,8 +19,8 @@ Learn more about how to help protect against threats in Windows 10 and Windows
 |[Windows Defender Advanced Threat Protection](windows-defender-atp/windows-defender-advanced-threat-protection.md)|Provides info about Windows Defender Advanced Threat Protection (Windows Defender ATP), an out-of-the-box Windows enterprise security service that enables enterprise cybersecurity teams to detect and respond to advanced threats on their networks.|
 |[Windows Defender Antivirus in Windows 10](windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)|Provides info about Windows Defender Antivirus, a built-in antimalware solution that helps provide security and antimalware management for desktops, portable computers, and servers. Includes a list of system requirements and new features.|
 |[Windows Defender Application Guard](windows-defender-application-guard/wd-app-guard-overview.md)|Provides info about Windows Defender Application Guard, the hardware-based virtualization solution that helps to isolate a device and operating system from an untrusted browser session.|
-|[Windows Defender Application Control](enable-virtualization-based-protection-of-code-integrity.md)|Explains how Windows Defender Application Control restricts the applications that users are allowed to run and the code that runs in the System Core (kernel).|
-|[Enable HVCI](windows-defender-application-control.md)|Explains how to enable HVCI to protect Windows kernel-mode processes against the injection and execution of malicious or unverified code.|
+|[Windows Defender Application Control](windows-defender-application-control/windows-defender-application-control.md)|Explains how Windows Defender Application Control restricts the applications that users are allowed to run and the code that runs in the System Core (kernel).|
+|[Enable HVCI](windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md)|Explains how to enable HVCI to protect Windows kernel-mode processes against the injection and execution of malicious or unverified code.|
 |[Windows Defender Smart​Screen](windows-defender-smartscreen/windows-defender-smartscreen-overview.md) |Learn more about Windows Defender SmartScreen.|
 |[Mitigate threats by using Windows 10 security features](overview-of-threat-mitigations-in-windows-10.md) |Learn more about mitigating threats in Windows 10.|
 |[Override Process Mitigation Options to help enforce app-related security policies](override-mitigation-options-for-app-related-security-policies.md) |Use Group Policy to override individual **Process Mitigation Options** settings and help to enforce specific app-related security policies.|
diff --git a/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md b/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
index 968a0346b1..3d50fd3739 100644
--- a/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
+++ b/windows/security/threat-protection/security-policy-settings/network-access-restrict-clients-allowed-to-make-remote-sam-calls.md
@@ -85,7 +85,7 @@ In other words, the hotfix in each KB article provides the necessary code and fu
 |---|---|---|---|
 |Windows Server 2016 domain controller (reading Active Directory)|“”|-|Everyone has read permissions to preserve compatibility.|
 |Earlier domain controller |-|-|No access check is performed by default.|
-|Windows 10, version 1607 non-domain controller|(O:SYG:SYD:(A;;RC;;;BA)| Owner: NTAUTHORITY/SYSTEM (WellKnownGroup) (S-1-5-18) <br>Primary group: NTAUTHORITY/SYSTEM (WellKnownGroup) (S-1-5-18) <br>DACL: <br>•	Revision: 0x02 <br>•	Size: 0x0020 <br>•	Ace Count: 0x001 <br>•	Ace[00]------------------------- <br> &nbsp;&nbsp;AceType:0x00 <br> &nbsp;&nbsp;(ACCESS\_ALLOWED_ACE_TYPE)<br> &nbsp;&nbsp;AceSize:0x0018 <br> &nbsp;&nbsp;InheritFlags:0x00 <br> &nbsp;&nbsp;Access Mask:0x00020000 <br> &nbsp;&nbsp;AceSid: BUILTIN\Administrators (Alias) (S-1-5-32-544) <br><br> &nbsp;&nbsp;SACL: Not present |Grants RC access (READ_CONTROL, also known as STANDARD_RIGHTS_READ) only to members of the local (built-in) Administrators group. |
+|Windows 10, version 1607 non-domain controller|O:SYG:SYD:(A;;RC;;;BA)| Owner: NTAUTHORITY/SYSTEM (WellKnownGroup) (S-1-5-18) <br>Primary group: NTAUTHORITY/SYSTEM (WellKnownGroup) (S-1-5-18) <br>DACL: <br>•	Revision: 0x02 <br>•	Size: 0x0020 <br>•	Ace Count: 0x001 <br>•	Ace[00]------------------------- <br> &nbsp;&nbsp;AceType:0x00 <br> &nbsp;&nbsp;(ACCESS\_ALLOWED_ACE_TYPE)<br> &nbsp;&nbsp;AceSize:0x0018 <br> &nbsp;&nbsp;InheritFlags:0x00 <br> &nbsp;&nbsp;Access Mask:0x00020000 <br> &nbsp;&nbsp;AceSid: BUILTIN\Administrators (Alias) (S-1-5-32-544) <br><br> &nbsp;&nbsp;SACL: Not present |Grants RC access (READ_CONTROL, also known as STANDARD_RIGHTS_READ) only to members of the local (built-in) Administrators group. |
 |Earlier non-domain controller |-|-|No access check is performed by default.|
 
 ## Policy management
@@ -163,4 +163,4 @@ If the policy is defined, admin tools, scripts and software that formerly enumer
 
 [SAMRi10 - Hardening SAM Remote Access in Windows 10/Server 2016](https://gallery.technet.microsoft.com/SAMRi10-Hardening-Remote-48d94b5b)
 
-<br>
\ No newline at end of file
+<br>
diff --git a/windows/security/threat-protection/windows-defender-antivirus/TOC.md b/windows/security/threat-protection/windows-defender-antivirus/TOC.md
new file mode 100644
index 0000000000..d86f08369c
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-antivirus/TOC.md
@@ -0,0 +1,68 @@
+
+#	[Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md)
+
+## [Windows Defender AV in the Windows Defender Security Center app](windows-defender-security-center-antivirus.md)
+
+## [Windows Defender AV on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md)
+
+## [Windows Defender Antivirus compatibility](windows-defender-antivirus-compatibility.md)
+### [Use limited periodic scanning in Windows Defender AV](limited-periodic-scanning-windows-defender-antivirus.md)
+
+
+## [Evaluate Windows Defender Antivirus protection](evaluate-windows-defender-antivirus.md)
+
+
+## [Deploy, manage updates, and report on Windows Defender Antivirus](deploy-manage-report-windows-defender-antivirus.md)
+### [Deploy and enable Windows Defender Antivirus](deploy-windows-defender-antivirus.md)
+#### [Deployment guide for VDI environments](deployment-vdi-windows-defender-antivirus.md)
+### [Report on Windows Defender Antivirus protection](report-monitor-windows-defender-antivirus.md)
+#### [Troubleshoot Windows Defender Antivirus reporting in Update Compliance](troubleshoot-reporting.md)
+### [Manage updates and apply baselines](manage-updates-baselines-windows-defender-antivirus.md)
+#### [Manage protection and definition updates](manage-protection-updates-windows-defender-antivirus.md)
+#### [Manage when protection updates should be downloaded and applied](manage-protection-update-schedule-windows-defender-antivirus.md)
+#### [Manage updates for endpoints that are out of date](manage-outdated-endpoints-windows-defender-antivirus.md)
+#### [Manage event-based forced updates](manage-event-based-updates-windows-defender-antivirus.md)
+#### [Manage updates for mobile devices and VMs](manage-updates-mobile-devices-vms-windows-defender-antivirus.md)
+
+
+## [Configure Windows Defender Antivirus features](configure-windows-defender-antivirus-features.md)
+### [Utilize Microsoft cloud-delivered protection](utilize-microsoft-cloud-protection-windows-defender-antivirus.md)
+#### [Enable cloud-delivered protection](enable-cloud-protection-windows-defender-antivirus.md)
+#### [Specify the cloud-delivered protection level](specify-cloud-protection-level-windows-defender-antivirus.md)
+#### [Configure and validate network connections](configure-network-connections-windows-defender-antivirus.md)
+#### [Enable the Block at First Sight feature](configure-block-at-first-sight-windows-defender-antivirus.md)
+#### [Configure the cloud block timeout period](configure-cloud-block-timeout-period-windows-defender-antivirus.md)
+### [Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md)
+#### [Detect and block Potentially Unwanted Applications](detect-block-potentially-unwanted-apps-windows-defender-antivirus.md)
+#### [Enable and configure always-on protection and monitoring](configure-real-time-protection-windows-defender-antivirus.md)
+### [Configure end-user interaction with Windows Defender AV](configure-end-user-interaction-windows-defender-antivirus.md)
+#### [Configure the notifications that appear on endpoints](configure-notifications-windows-defender-antivirus.md)
+#### [Prevent users from seeing or interacting with the user interface](prevent-end-user-interaction-windows-defender-antivirus.md)
+#### [Prevent or allow users to locally modify policy settings](configure-local-policy-overrides-windows-defender-antivirus.md)
+
+
+## [Customize, initiate, and review the results of scans and remediation](customize-run-review-remediate-scans-windows-defender-antivirus.md)
+### [Configure and validate exclusions in Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md)
+#### [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md)
+#### [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md)
+#### [Configure exclusions in Windows Defender AV on Windows Server 2016](configure-server-exclusions-windows-defender-antivirus.md)
+### [Configure scanning options in Windows Defender AV](configure-advanced-scan-types-windows-defender-antivirus.md)
+### [Configure remediation for scans](configure-remediation-windows-defender-antivirus.md)
+### [Configure scheduled scans](scheduled-catch-up-scans-windows-defender-antivirus.md)
+### [Configure and run scans](run-scan-windows-defender-antivirus.md)
+### [Review scan results](review-scan-results-windows-defender-antivirus.md)
+### [Run and review the results of a Windows Defender Offline scan](windows-defender-offline.md)
+
+
+## [Review event logs and error codes to troubleshoot issues](troubleshoot-windows-defender-antivirus.md)
+
+
+
+## [Reference topics for management and configuration tools](configuration-management-reference-windows-defender-antivirus.md)
+### [Use Group Policy settings to configure and manage Windows Defender AV](use-group-policy-windows-defender-antivirus.md)
+### [Use System Center Configuration Manager and Microsoft Intune to configure and manage Windows Defender AV](use-intune-config-manager-windows-defender-antivirus.md)
+### [Use PowerShell cmdlets to configure and manage Windows Defender AV](use-powershell-cmdlets-windows-defender-antivirus.md)
+### [Use Windows Management Instrumentation (WMI) to configure and manage Windows Defender AV](use-wmi-windows-defender-antivirus.md)
+### [Use the mpcmdrun.exe commandline tool to configure and manage Windows Defender AV](command-line-arguments-windows-defender-antivirus.md)
+
+
diff --git a/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md
index 27f2b3e2e4..8fbf0984c3 100644
--- a/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md
+++ b/windows/security/threat-protection/windows-defender-antivirus/configure-remediation-windows-defender-antivirus.md
@@ -65,6 +65,13 @@ Quarantine | Configure removal of items from Quarantine folder | Specify how man
 Threats | Specify threat alert levels at which default action should not be taken when detected | Every threat that is detected by Windows Defender AV is assigned a threat level (low, medium, high, or severe). You can use this setting to define how all threats for each of the threat levels should be remediated (quarantined, removed, or ignored) | Not applicable
 Threats | Specify threats upon which default action should not be taken when detected | Specify how specific threats (using their threat ID) should be remediated. You can specify whether the specific threat should be quarantined, removed, or ignored | Not applicable
 
+>[!IMPORTANT]
+>Windows Defender Antivirus detects and remediates files based on many factors.  Sometimes, completing a remediation requires a reboot.  Even if the detection is later determined to be a false positive, the reboot must be completed to ensure all additional remediation steps have been completed.
+></p>
+>If you are certain Windows Defender AV quarantined a file based on a false positive, you can restore the file from quarantine after the device reboots. See [Restore quarantined files in Windows Defender AV](restore-quarantined-files-windows-defender-antivirus.md).
+></p>
+>To avoid this problem in the future, you can exclude files from the scans. See [Configure and validate exclusions for Windows Defender AV scans](configure-exclusions-windows-defender-antivirus.md).
+
 
 Also see the [Configure remediation-required scheduled full scans for Windows Defender AV](scheduled-catch-up-scans-windows-defender-antivirus.md#remed) topic for more remediation-related settings.
 
diff --git a/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md
new file mode 100644
index 0000000000..db4d6528c0
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-antivirus/restore-quarantined-files-windows-defender-antivirus.md
@@ -0,0 +1,47 @@
+---
+title: Restore quarantined files in Windows Defender AV
+description: You can restore files and folders that were quarantined by Windows Defender AV.
+keywords: 
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: medium
+author: andreabichsel
+ms.author: v-anbic
+ms.date: 04/23/2018
+---
+
+# Restore quarantined files in Windows Defender AV
+
+
+**Applies to:**
+
+- Windows 10
+- Windows Server 2016
+
+**Audience**
+
+- Enterprise security administrators
+
+**Manageability available with**
+
+- Windows Defender Security Center
+
+If Windows Defender Antivirus is configured to detect and remediate threats on your device, Windows Defender AV quarantines suspicious files. If you are certain these files do not present a threat, you can restore them.
+
+1. Open **Windows Defender Security Center**.
+2. Click **Virus & threat protection** and then click **Scan history**.
+3. Under **Quarantined threats**, click **See full history**.
+4. Click **Restore** for any items you want to keep. (If you prefer to remove them, you can click **Remove**.)
+
+## Related topics
+
+- [Configure remediation for scans](configure-remediation-windows-defender-antivirus.md)
+- [Review scan results](review-scan-results-windows-defender-antivirus.md)
+- [Configure and validate exclusions based on file name, extension, and folder location](configure-extension-file-exclusions-windows-defender-antivirus.md)
+- [Configure and validate exclusions for files opened by processes](configure-process-opened-file-exclusions-windows-defender-antivirus.md)
+- [Configure exclusions in Windows Defender AV on Windows Server](configure-server-exclusions-windows-defender-antivirus.md)
+
diff --git a/windows/security/threat-protection/windows-defender-application-control/TOC.md b/windows/security/threat-protection/windows-defender-application-control/TOC.md
new file mode 100644
index 0000000000..6644912c09
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-application-control/TOC.md
@@ -0,0 +1,118 @@
+# [Windows Defender Application Control](windows-defender-application-control.md)
+
+## [Windows Defender Application Control design guide](windows-defender-application-control-design-guide.md)
+### [Understand WDAC policy design decisions](understand-windows-defender-application-control-policy-design-decisions.md)
+### [Select the types of rules to create](select-types-of-rules-to-create.md)
+### [Plan for WDAC policy management](plan-windows-defender-application-control-management.md)
+#### [Document your application control management processes](document-your-windows-defender-application-control-management-processes.md)
+### [Create your WDAC planning document](create-your-windows-defender-application-control-planning-document.md)
+
+
+
+## [Windows Defender Application Control deployment guide](windows-defender-application-control-deployment-guide.md)
+### [Types of devices](types-of-devices.md)
+### [Use WDAC with a managed installer](use-windows-defender-application-control-with-managed-installer.md)
+###Use WDAC with custom policies
+#### [Create an initial default policy](create-initial-default-policy.md)
+#### [Microsoft recommended block rules](microsoft-recommended-block-rules.md)
+### [Audit WDAC policies](audit-windows-defender-application-control-policies.md)
+### [Merge WDAC policies](merge-windows-defender-application-control-policies.md)
+### [Enforce WDAC policies](enforce-windows-defender-application-control-policies.md)
+### [Deploy WDAC policies](deploy-windows-defender-application-control-policies-using-group-policy.md)
+### [Use code signing to simplify application control for classic Windows applications](use-code-signing-to-simplify-application-control-for-classic-windows-applications.md)
+#### [Optional: Use the Device Guard Signing Portal in the Microsoft Store for Business](use-device-guard-signing-portal-in-microsoft-store-for-business.md)
+#### [Optional: Create a code signing cert for WDAC](create-code-signing-cert-for-windows-defender-application-control.md)
+#### [Deploy catalog files to support WDAC](deploy-catalog-files-to-support-windows-defender-application-control.md)
+### [Manage packaged apps with WDAC](manage-packaged-apps-with-windows-defender-application-control.md)
+### [Use a Windows Defender Application Control policy to control specific plug-ins, add-ins, and modules](use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md)
+### [Use signed policies to protect Windows Defender Application Control against tampering](use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md)
+#### [Signing WDAC policies with SignTool.exe](signing-policies-with-signtool.md)
+### [Disable WDAC policies](disable-windows-defender-application-control-policies.md)
+
+## [AppLocker](applocker\applocker-overview.md) 
+### [Administer AppLocker](applocker\administer-applocker.md)
+#### [Maintain AppLocker policies](applocker\maintain-applocker-policies.md)
+#### [Edit an AppLocker policy](applocker\edit-an-applocker-policy.md)
+#### [Test and update an AppLocker policy](applocker\test-and-update-an-applocker-policy.md)
+#### [Deploy AppLocker policies by using the enforce rules setting](applocker\deploy-applocker-policies-by-using-the-enforce-rules-setting.md)
+#### [Use the AppLocker Windows PowerShell cmdlets](applocker\use-the-applocker-windows-powershell-cmdlets.md)
+#### [Use AppLocker and Software Restriction Policies in the same domain](applocker\use-applocker-and-software-restriction-policies-in-the-same-domain.md)
+#### [Optimize AppLocker performance](applocker\optimize-applocker-performance.md)
+#### [Monitor app usage with AppLocker](applocker\monitor-application-usage-with-applocker.md)
+#### [Manage packaged apps with AppLocker](applocker\manage-packaged-apps-with-applocker.md)
+#### [Working with AppLocker rules](applocker\working-with-applocker-rules.md)
+##### [Create a rule that uses a file hash condition](applocker\create-a-rule-that-uses-a-file-hash-condition.md)
+##### [Create a rule that uses a path condition](applocker\create-a-rule-that-uses-a-path-condition.md)
+##### [Create a rule that uses a publisher condition](applocker\create-a-rule-that-uses-a-publisher-condition.md)
+##### [Create AppLocker default rules](applocker\create-applocker-default-rules.md)
+##### [Add exceptions for an AppLocker rule](applocker\configure-exceptions-for-an-applocker-rule.md)
+##### [Create a rule for packaged apps](applocker\create-a-rule-for-packaged-apps.md)
+##### [Delete an AppLocker rule](applocker\delete-an-applocker-rule.md)
+##### [Edit AppLocker rules](applocker\edit-applocker-rules.md)
+##### [Enable the DLL rule collection](applocker\enable-the-dll-rule-collection.md)
+##### [Enforce AppLocker rules](applocker\enforce-applocker-rules.md)
+##### [Run the Automatically Generate Rules wizard](applocker\run-the-automatically-generate-rules-wizard.md)
+#### [Working with AppLocker policies](applocker\working-with-applocker-policies.md)
+##### [Configure the Application Identity service](applocker\configure-the-application-identity-service.md)
+##### [Configure an AppLocker policy for audit only](applocker\configure-an-applocker-policy-for-audit-only.md)
+##### [Configure an AppLocker policy for enforce rules](applocker\configure-an-applocker-policy-for-enforce-rules.md)
+##### [Display a custom URL message when users try to run a blocked app](applocker\display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md)
+##### [Export an AppLocker policy from a GPO](applocker\export-an-applocker-policy-from-a-gpo.md)
+##### [Export an AppLocker policy to an XML file](applocker\export-an-applocker-policy-to-an-xml-file.md)
+##### [Import an AppLocker policy from another computer](applocker\import-an-applocker-policy-from-another-computer.md)
+##### [Import an AppLocker policy into a GPO](applocker\import-an-applocker-policy-into-a-gpo.md)
+##### [Add rules for packaged apps to existing AppLocker rule-set](applocker\add-rules-for-packaged-apps-to-existing-applocker-rule-set.md)
+##### [Merge AppLocker policies by using Set-ApplockerPolicy](applocker\merge-applocker-policies-by-using-set-applockerpolicy.md)
+##### [Merge AppLocker policies manually](applocker\merge-applocker-policies-manually.md)
+##### [Refresh an AppLocker policy](applocker\refresh-an-applocker-policy.md)
+##### [Test an AppLocker policy by using Test-AppLockerPolicy](applocker\test-an-applocker-policy-by-using-test-applockerpolicy.md)
+### [AppLocker design guide](applocker\applocker-policies-design-guide.md)
+#### [Understand AppLocker policy design decisions](applocker\understand-applocker-policy-design-decisions.md)
+#### [Determine your application control objectives](applocker\determine-your-application-control-objectives.md)
+#### [Create a list of apps deployed to each business group](applocker\create-list-of-applications-deployed-to-each-business-group.md)
+##### [Document your app list](applocker\document-your-application-list.md)
+#### [Select the types of rules to create](applocker\select-types-of-rules-to-create.md)
+##### [Document your AppLocker rules](applocker\document-your-applocker-rules.md)
+#### [Determine the Group Policy structure and rule enforcement](applocker\determine-group-policy-structure-and-rule-enforcement.md)
+##### [Understand AppLocker enforcement settings](applocker\understand-applocker-enforcement-settings.md)
+##### [Understand AppLocker rules and enforcement setting inheritance in Group Policy](applocker\understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md)
+##### [Document the Group Policy structure and AppLocker rule enforcement](applocker\document-group-policy-structure-and-applocker-rule-enforcement.md)
+#### [Plan for AppLocker policy management](applocker\plan-for-applocker-policy-management.md)
+### [AppLocker deployment guide](applocker\applocker-policies-deployment-guide.md)
+#### [Understand the AppLocker policy deployment process](applocker\understand-the-applocker-policy-deployment-process.md)
+#### [Requirements for Deploying AppLocker Policies](applocker\requirements-for-deploying-applocker-policies.md)
+#### [Use Software Restriction Policies and AppLocker policies](applocker\using-software-restriction-policies-and-applocker-policies.md)
+#### [Create Your AppLocker policies](applocker\create-your-applocker-policies.md)
+##### [Create Your AppLocker rules](applocker\create-your-applocker-rules.md)
+#### [Deploy the AppLocker policy into production](applocker\deploy-the-applocker-policy-into-production.md)
+##### [Use a reference device to create and maintain AppLocker policies](applocker\use-a-reference-computer-to-create-and-maintain-applocker-policies.md)
+###### [Determine which apps are digitally signed on a reference device](applocker\determine-which-applications-are-digitally-signed-on-a-reference-computer.md)
+###### [Configure the AppLocker reference device](applocker\configure-the-appLocker-reference-device.md)
+### [AppLocker technical reference](applocker\applocker-technical-reference.md)
+#### [What Is AppLocker?](applocker\what-is-applocker.md)
+#### [Requirements to use AppLocker](applocker\requirements-to-use-applocker.md)
+#### [AppLocker policy use scenarios](applocker\applocker-policy-use-scenarios.md)
+#### [How AppLocker works](applocker\how-applocker-works-techref.md)
+##### [Understanding AppLocker rule behavior](applocker\understanding-applocker-rule-behavior.md)
+##### [Understanding AppLocker rule exceptions](applocker\understanding-applocker-rule-exceptions.md)
+##### [Understanding AppLocker rule collections](applocker\understanding-applocker-rule-collections.md)
+##### [Understanding AppLocker allow and deny actions on rules](applocker\understanding-applocker-allow-and-deny-actions-on-rules.md)
+##### [Understanding AppLocker rule condition types](applocker\understanding-applocker-rule-condition-types.md)
+###### [Understanding the publisher rule condition in AppLocker](applocker\understanding-the-publisher-rule-condition-in-applocker.md)
+###### [Understanding the path rule condition in AppLocker](applocker\understanding-the-path-rule-condition-in-applocker.md)
+###### [Understanding the file hash rule condition in AppLocker](applocker\understanding-the-file-hash-rule-condition-in-applocker.md)
+##### [Understanding AppLocker default rules](applocker\understanding-applocker-default-rules.md)
+###### [Executable rules in AppLocker](applocker\executable-rules-in-applocker.md)
+###### [Windows Installer rules in AppLocker](applocker\windows-installer-rules-in-applocker.md)
+###### [Script rules in AppLocker](applocker\script-rules-in-applocker.md)
+###### [DLL rules in AppLocker](applocker\dll-rules-in-applocker.md)
+###### [Packaged apps and packaged app installer rules in AppLocker](applocker\packaged-apps-and-packaged-app-installer-rules-in-applocker.md)
+#### [AppLocker architecture and components](applocker\applocker-architecture-and-components.md)
+#### [AppLocker processes and interactions](applocker\applocker-processes-and-interactions.md)
+#### [AppLocker functions](applocker\applocker-functions.md)
+#### [Security considerations for AppLocker](applocker\security-considerations-for-applocker.md)
+#### [Tools to Use with AppLocker](applocker\tools-to-use-with-applocker.md)
+##### [Using Event Viewer with AppLocker](applocker\using-event-viewer-with-applocker.md)
+#### [AppLocker Settings](applocker\applocker-settings.md)
+
+
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/TOC.md b/windows/security/threat-protection/windows-defender-application-control/applocker/TOC.md
new file mode 100644
index 0000000000..9aad83e9c5
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/TOC.md
@@ -0,0 +1,90 @@
+
+# [AppLocker](applocker-overview.md)
+
+## [Administer AppLocker](administer-applocker.md)
+### [Administer AppLocker using MDM](administer-applocker-using-mdm.md)
+### [Maintain AppLocker policies](maintain-applocker-policies.md)
+### [Edit an AppLocker policy](edit-an-applocker-policy.md)
+### [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md)
+### [Deploy AppLocker policies by using the enforce rules setting](deploy-applocker-policies-by-using-the-enforce-rules-setting.md)
+### [Use the AppLocker Windows PowerShell cmdlets](use-the-applocker-windows-powershell-cmdlets.md)
+### [Use AppLocker and Software Restriction Policies in the same domain](use-applocker-and-software-restriction-policies-in-the-same-domain.md)
+### [Optimize AppLocker performance](optimize-applocker-performance.md)
+### [Monitor app usage with AppLocker](monitor-application-usage-with-applocker.md)
+### [Manage packaged apps with AppLocker](manage-packaged-apps-with-applocker.md)
+### [Working with AppLocker rules](working-with-applocker-rules.md)
+#### [Create a rule that uses a file hash condition](create-a-rule-that-uses-a-file-hash-condition.md)
+#### [Create a rule that uses a path condition](create-a-rule-that-uses-a-path-condition.md)
+#### [Create a rule that uses a publisher condition](create-a-rule-that-uses-a-publisher-condition.md)
+#### [Create AppLocker default rules](create-applocker-default-rules.md)
+#### [Add exceptions for an AppLocker rule](configure-exceptions-for-an-applocker-rule.md)
+#### [Create a rule for packaged apps](create-a-rule-for-packaged-apps.md)
+#### [Delete an AppLocker rule](delete-an-applocker-rule.md)
+#### [Edit AppLocker rules](edit-applocker-rules.md)
+#### [Enable the DLL rule collection](enable-the-dll-rule-collection.md)
+#### [Enforce AppLocker rules](enforce-applocker-rules.md)
+#### [Run the Automatically Generate Rules wizard](run-the-automatically-generate-rules-wizard.md)
+### [Working with AppLocker policies](working-with-applocker-policies.md)
+#### [Configure the Application Identity service](configure-the-application-identity-service.md)
+#### [Configure an AppLocker policy for audit only](configure-an-applocker-policy-for-audit-only.md)
+#### [Configure an AppLocker policy for enforce rules](configure-an-applocker-policy-for-enforce-rules.md)
+#### [Display a custom URL message when users try to run a blocked app](display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md)
+#### [Export an AppLocker policy from a GPO](export-an-applocker-policy-from-a-gpo.md)
+#### [Export an AppLocker policy to an XML file](export-an-applocker-policy-to-an-xml-file.md)
+#### [Import an AppLocker policy from another computer](import-an-applocker-policy-from-another-computer.md)
+#### [Import an AppLocker policy into a GPO](import-an-applocker-policy-into-a-gpo.md)
+#### [Add rules for packaged apps to existing AppLocker rule-set](add-rules-for-packaged-apps-to-existing-applocker-rule-set.md)
+#### [Merge AppLocker policies by using Set-ApplockerPolicy](merge-applocker-policies-by-using-set-applockerpolicy.md)
+#### [Merge AppLocker policies manually](merge-applocker-policies-manually.md)
+#### [Refresh an AppLocker policy](refresh-an-applocker-policy.md)
+#### [Test an AppLocker policy by using Test-AppLockerPolicy](test-an-applocker-policy-by-using-test-applockerpolicy.md)
+## [AppLocker design guide](applocker-policies-design-guide.md)
+### [Understand AppLocker policy design decisions](understand-applocker-policy-design-decisions.md)
+### [Determine your application control objectives](determine-your-application-control-objectives.md)
+### [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md)
+#### [Document your app list](document-your-application-list.md)
+### [Select the types of rules to create](select-types-of-rules-to-create.md)
+#### [Document your AppLocker rules](document-your-applocker-rules.md)
+### [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md)
+#### [Understand AppLocker enforcement settings](understand-applocker-enforcement-settings.md)
+#### [Understand AppLocker rules and enforcement setting inheritance in Group Policy](understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md)
+#### [Document the Group Policy structure and AppLocker rule enforcement](document-group-policy-structure-and-applocker-rule-enforcement.md)
+### [Plan for AppLocker policy management](plan-for-applocker-policy-management.md)
+## [AppLocker deployment guide](applocker-policies-deployment-guide.md)
+### [Understand the AppLocker policy deployment process](understand-the-applocker-policy-deployment-process.md)
+### [Requirements for Deploying AppLocker Policies](requirements-for-deploying-applocker-policies.md)
+### [Use Software Restriction Policies and AppLocker policies](using-software-restriction-policies-and-applocker-policies.md)
+### [Create Your AppLocker policies](create-your-applocker-policies.md)
+#### [Create Your AppLocker rules](create-your-applocker-rules.md)
+### [Deploy the AppLocker policy into production](deploy-the-applocker-policy-into-production.md)
+#### [Use a reference device to create and maintain AppLocker policies](use-a-reference-computer-to-create-and-maintain-applocker-policies.md)
+#### [Determine which apps are digitally signed on a reference device](determine-which-applications-are-digitally-signed-on-a-reference-computer.md)
+### [Configure the AppLocker reference device](configure-the-appLocker-reference-device.md)
+## [AppLocker technical reference](applocker-technical-reference.md)
+### [What Is AppLocker?](what-is-applocker.md)
+### [Requirements to use AppLocker](requirements-to-use-applocker.md)
+### [AppLocker policy use scenarios](applocker-policy-use-scenarios.md)
+### [How AppLocker works](how-applocker-works-techref.md)
+#### [Understanding AppLocker rule behavior](understanding-applocker-rule-behavior.md)
+#### [Understanding AppLocker rule exceptions](understanding-applocker-rule-exceptions.md)
+#### [Understanding AppLocker rule collections](understanding-applocker-rule-collections.md)
+#### [Understanding AppLocker allow and deny actions on rules](understanding-applocker-allow-and-deny-actions-on-rules.md)
+#### [Understanding AppLocker rule condition types](understanding-applocker-rule-condition-types.md)
+##### [Understanding the publisher rule condition in AppLocker](understanding-the-publisher-rule-condition-in-applocker.md)
+##### [Understanding the path rule condition in AppLocker](understanding-the-path-rule-condition-in-applocker.md)
+##### [Understanding the file hash rule condition in AppLocker](understanding-the-file-hash-rule-condition-in-applocker.md)
+#### [Understanding AppLocker default rules](understanding-applocker-default-rules.md)
+##### [Executable rules in AppLocker](executable-rules-in-applocker.md)
+##### [Windows Installer rules in AppLocker](windows-installer-rules-in-applocker.md)
+##### [Script rules in AppLocker](script-rules-in-applocker.md)
+##### [DLL rules in AppLocker](dll-rules-in-applocker.md)
+##### [Packaged apps and packaged app installer rules in AppLocker](packaged-apps-and-packaged-app-installer-rules-in-applocker.md)
+### [AppLocker architecture and components](applocker-architecture-and-components.md)
+### [AppLocker processes and interactions](applocker-processes-and-interactions.md)
+### [AppLocker functions](applocker-functions.md)
+### [Security considerations for AppLocker](security-considerations-for-applocker.md)
+### [Tools to Use with AppLocker](tools-to-use-with-applocker.md)
+#### [Using Event Viewer with AppLocker](using-event-viewer-with-applocker.md)
+### [AppLocker Settings](applocker-settings.md)
+
+
diff --git a/windows/security/threat-protection/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md b/windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md
similarity index 100%
rename from windows/security/threat-protection/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/add-rules-for-packaged-apps-to-existing-applocker-rule-set.md
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker-using-mdm.md b/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker-using-mdm.md
new file mode 100644
index 0000000000..ac9277f3b2
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker-using-mdm.md
@@ -0,0 +1,19 @@
+---
+title: Administering AppLocker by using Mobile Device Management (MDM) (Windows 10)
+description: This topic for IT professionals describes concepts and lists procedures to help you manage Packaged apps with AppLocker as part of your overall application control strategy.
+ms.assetid: 6d0c99e7-0284-4547-a30a-0685a9916650
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: brianlic-msft
+ms.date: 03/01/2018
+---
+
+# Administering AppLocker by using Mobile Device Management (MDM)
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+ 
diff --git a/windows/security/threat-protection/applocker/administer-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md
similarity index 97%
rename from windows/security/threat-protection/applocker/administer-applocker.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md
index 4898c621a2..e6c1d39bd4 100644
--- a/windows/security/threat-protection/applocker/administer-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md
@@ -32,6 +32,7 @@ AppLocker helps administrators control how users can access and use files, such
 
 | Topic | Description |
 | - | - |
+| [Administer AppLocker using Mobile Device Management (MDM)](administer-applocker-using-mdm.md) | This topic describes how to used MDM to manage AppLocker policies. |
 | [Maintain AppLocker policies](maintain-applocker-policies.md) | This topic describes how to maintain rules within AppLocker policies. |
 | [Edit an AppLocker policy](edit-an-applocker-policy.md) | This topic for IT professionals describes the steps required to modify an AppLocker policy. |
 | [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md) | This topic discusses the steps required to test an AppLocker policy prior to deployment. |
diff --git a/windows/security/threat-protection/applocker/applocker-architecture-and-components.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-architecture-and-components.md
similarity index 100%
rename from windows/security/threat-protection/applocker/applocker-architecture-and-components.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/applocker-architecture-and-components.md
diff --git a/windows/security/threat-protection/applocker/applocker-functions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md
similarity index 100%
rename from windows/security/threat-protection/applocker/applocker-functions.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/applocker-functions.md
diff --git a/windows/security/threat-protection/applocker/applocker-overview.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md
similarity index 100%
rename from windows/security/threat-protection/applocker/applocker-overview.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview.md
diff --git a/windows/security/threat-protection/applocker/applocker-policies-deployment-guide.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md
similarity index 97%
rename from windows/security/threat-protection/applocker/applocker-policies-deployment-guide.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md
index 0687ca1fc2..ec754cf12c 100644
--- a/windows/security/threat-protection/applocker/applocker-policies-deployment-guide.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide.md
@@ -37,7 +37,6 @@ The following are prerequisites or recommendations to deploying policies:
     -   [Select types of rules to create](select-types-of-rules-to-create.md)
     -   [Determine Group Policy Structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md)
     -   [Plan for AppLocker policy management](plan-for-applocker-policy-management.md)
-    -   [Create your AppLocker planning document](create-your-applocker-planning-document.md)
 
 ## Contents of this guide
 
diff --git a/windows/security/threat-protection/applocker/applocker-policies-design-guide.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide.md
similarity index 93%
rename from windows/security/threat-protection/applocker/applocker-policies-design-guide.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide.md
index b83c242b59..26b4d23de4 100644
--- a/windows/security/threat-protection/applocker/applocker-policies-design-guide.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-design-guide.md
@@ -33,7 +33,7 @@ To understand if AppLocker is the correct application control solution for your
 | [Select the types of rules to create](select-types-of-rules-to-create.md) | This topic lists resources you can use when selecting your application control policy rules by using AppLocker. |
 | [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md) | This overview topic describes the process to follow when you are planning to deploy AppLocker rules. |
 | [Plan for AppLocker policy management](plan-for-applocker-policy-management.md) | This topic for describes the decisions you need to make to establish the processes for managing and maintaining AppLocker policies. |
-| [Create your AppLocker planning document](create-your-applocker-planning-document.md) | This planning topic for the IT professional summarizes the information you need to research and include in your AppLocker planning document. | 
+
  
 After careful design and detailed planning, the next step is to deploy AppLocker policies. [AppLocker Deployment Guide](applocker-policies-deployment-guide.md) covers the creation and testing of policies, deploying the enforcement setting, and managing and maintaining the policies.
  
\ No newline at end of file
diff --git a/windows/security/threat-protection/applocker/applocker-policy-use-scenarios.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md
similarity index 100%
rename from windows/security/threat-protection/applocker/applocker-policy-use-scenarios.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policy-use-scenarios.md
diff --git a/windows/security/threat-protection/applocker/applocker-processes-and-interactions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-processes-and-interactions.md
similarity index 100%
rename from windows/security/threat-protection/applocker/applocker-processes-and-interactions.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/applocker-processes-and-interactions.md
diff --git a/windows/security/threat-protection/applocker/applocker-settings.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-settings.md
similarity index 100%
rename from windows/security/threat-protection/applocker/applocker-settings.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/applocker-settings.md
diff --git a/windows/security/threat-protection/applocker/applocker-technical-reference.md b/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-technical-reference.md
similarity index 100%
rename from windows/security/threat-protection/applocker/applocker-technical-reference.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/applocker-technical-reference.md
diff --git a/windows/security/threat-protection/applocker/configure-an-applocker-policy-for-audit-only.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md
similarity index 100%
rename from windows/security/threat-protection/applocker/configure-an-applocker-policy-for-audit-only.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-audit-only.md
diff --git a/windows/security/threat-protection/applocker/configure-an-applocker-policy-for-enforce-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md
similarity index 100%
rename from windows/security/threat-protection/applocker/configure-an-applocker-policy-for-enforce-rules.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/configure-an-applocker-policy-for-enforce-rules.md
diff --git a/windows/security/threat-protection/applocker/configure-exceptions-for-an-applocker-rule.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule.md
similarity index 100%
rename from windows/security/threat-protection/applocker/configure-exceptions-for-an-applocker-rule.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/configure-exceptions-for-an-applocker-rule.md
diff --git a/windows/security/threat-protection/applocker/configure-the-appLocker-reference-device.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md
similarity index 100%
rename from windows/security/threat-protection/applocker/configure-the-appLocker-reference-device.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-appLocker-reference-device.md
diff --git a/windows/security/threat-protection/applocker/configure-the-application-identity-service.md b/windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md
similarity index 100%
rename from windows/security/threat-protection/applocker/configure-the-application-identity-service.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/configure-the-application-identity-service.md
diff --git a/windows/security/threat-protection/applocker/create-a-rule-for-packaged-apps.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md
similarity index 100%
rename from windows/security/threat-protection/applocker/create-a-rule-for-packaged-apps.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-for-packaged-apps.md
diff --git a/windows/security/threat-protection/applocker/create-a-rule-that-uses-a-file-hash-condition.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition.md
similarity index 100%
rename from windows/security/threat-protection/applocker/create-a-rule-that-uses-a-file-hash-condition.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-file-hash-condition.md
diff --git a/windows/security/threat-protection/applocker/create-a-rule-that-uses-a-path-condition.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md
similarity index 100%
rename from windows/security/threat-protection/applocker/create-a-rule-that-uses-a-path-condition.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-path-condition.md
diff --git a/windows/security/threat-protection/applocker/create-a-rule-that-uses-a-publisher-condition.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition.md
similarity index 100%
rename from windows/security/threat-protection/applocker/create-a-rule-that-uses-a-publisher-condition.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/create-a-rule-that-uses-a-publisher-condition.md
diff --git a/windows/security/threat-protection/applocker/create-applocker-default-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-applocker-default-rules.md
similarity index 100%
rename from windows/security/threat-protection/applocker/create-applocker-default-rules.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/create-applocker-default-rules.md
diff --git a/windows/security/threat-protection/applocker/create-list-of-applications-deployed-to-each-business-group.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md
similarity index 100%
rename from windows/security/threat-protection/applocker/create-list-of-applications-deployed-to-each-business-group.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/create-list-of-applications-deployed-to-each-business-group.md
diff --git a/windows/security/threat-protection/applocker/create-your-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-policies.md
similarity index 98%
rename from windows/security/threat-protection/applocker/create-your-applocker-policies.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-policies.md
index 1153bc66a2..51965b4116 100644
--- a/windows/security/threat-protection/applocker/create-your-applocker-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-policies.md
@@ -31,7 +31,7 @@ You can develop an application control policy plan to guide you in making succes
 5.  [Select the types of rules to create](select-types-of-rules-to-create.md)
 6.  [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md)
 7.  [Plan for AppLocker policy management](plan-for-applocker-policy-management.md)
-8.  [Create your AppLocker planning document](create-your-applocker-planning-document.md)
+
 
 ## Step 2: Create your rules and rule collections
 
diff --git a/windows/security/threat-protection/applocker/create-your-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md
similarity index 100%
rename from windows/security/threat-protection/applocker/create-your-applocker-rules.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/create-your-applocker-rules.md
diff --git a/windows/security/threat-protection/applocker/delete-an-applocker-rule.md b/windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md
similarity index 100%
rename from windows/security/threat-protection/applocker/delete-an-applocker-rule.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/delete-an-applocker-rule.md
diff --git a/windows/security/threat-protection/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md b/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md
similarity index 100%
rename from windows/security/threat-protection/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/deploy-applocker-policies-by-using-the-enforce-rules-setting.md
diff --git a/windows/security/threat-protection/applocker/deploy-the-applocker-policy-into-production.md b/windows/security/threat-protection/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md
similarity index 100%
rename from windows/security/threat-protection/applocker/deploy-the-applocker-policy-into-production.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/deploy-the-applocker-policy-into-production.md
diff --git a/windows/security/threat-protection/applocker/determine-group-policy-structure-and-rule-enforcement.md b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md
similarity index 100%
rename from windows/security/threat-protection/applocker/determine-group-policy-structure-and-rule-enforcement.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/determine-group-policy-structure-and-rule-enforcement.md
diff --git a/windows/security/threat-protection/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md
similarity index 100%
rename from windows/security/threat-protection/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/determine-which-applications-are-digitally-signed-on-a-reference-computer.md
diff --git a/windows/security/threat-protection/applocker/determine-your-application-control-objectives.md b/windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md
similarity index 100%
rename from windows/security/threat-protection/applocker/determine-your-application-control-objectives.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/determine-your-application-control-objectives.md
diff --git a/windows/security/threat-protection/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md b/windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md
similarity index 100%
rename from windows/security/threat-protection/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md
diff --git a/windows/security/threat-protection/applocker/dll-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md
similarity index 100%
rename from windows/security/threat-protection/applocker/dll-rules-in-applocker.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/dll-rules-in-applocker.md
diff --git a/windows/security/threat-protection/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md b/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md
similarity index 98%
rename from windows/security/threat-protection/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md
index 3843a798c0..b14ec68862 100644
--- a/windows/security/threat-protection/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/document-group-policy-structure-and-applocker-rule-enforcement.md
@@ -124,6 +124,6 @@ The following table includes the sample data that was collected when you determi
 
 After you have determined the Group Policy structure and rule enforcement strategy for each business group's apps, the following tasks remain:
 -   [Plan for AppLocker policy management](plan-for-applocker-policy-management.md)
--   [Create your AppLocker planning document](create-your-applocker-planning-document.md)
+
  
  
diff --git a/windows/security/threat-protection/applocker/document-your-application-list.md b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md
similarity index 100%
rename from windows/security/threat-protection/applocker/document-your-application-list.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/document-your-application-list.md
diff --git a/windows/security/threat-protection/applocker/document-your-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md
similarity index 98%
rename from windows/security/threat-protection/applocker/document-your-applocker-rules.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md
index ffaaf96936..da3b193ffe 100644
--- a/windows/security/threat-protection/applocker/document-your-applocker-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/document-your-applocker-rules.md
@@ -118,4 +118,3 @@ For each rule, determine whether to use the allow or deny option. Then, three ta
 
 -   [Determine Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md)
 -   [Plan for AppLocker policy management](plan-for-applocker-policy-management.md)
--   [Create your AppLocker planning document](create-your-applocker-planning-document.md)
diff --git a/windows/security/threat-protection/applocker/edit-an-applocker-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md
similarity index 96%
rename from windows/security/threat-protection/applocker/edit-an-applocker-policy.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md
index a09df7e857..01886f6af8 100644
--- a/windows/security/threat-protection/applocker/edit-an-applocker-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-an-applocker-policy.md
@@ -20,11 +20,15 @@ This topic for IT professionals describes the steps required to modify an AppLoc
 
 You can edit an AppLocker policy by adding, changing, or removing rules. However, you cannot create a new version of the policy by importing additional rules. To modify an AppLocker policy that is in production, you should use Group Policy management software that allows you to version Group Policy Objects (GPOs). If you have created multiple AppLocker policies and need to merge them to create one AppLocker policy, you can either manually merge the policies or use the Windows PowerShell cmdlets for AppLocker. You cannot automatically merge policies by using the AppLocker snap-in. You must create one rule collection from two or more policies. The AppLocker policy is saved in XML format, and the exported policy can be edited with any text or XML editor. For info about merging policies, see [Merge AppLocker policies manually](merge-applocker-policies-manually.md) or [Merge AppLocker policies by using Set-ApplockerPolicy](merge-applocker-policies-by-using-set-applockerpolicy.md).
 
-There are two methods you can use to edit an AppLocker policy:
+There are three methods you can use to edit an AppLocker policy:
 
+-   [Editing an AppLocker policy by using Mobile Device Management (MDM)](#bkmk-editapppolinmdm)
 -   [Editing an AppLocker policy by using Group Policy](#bkmk-editapppolingpo)
 -   [Editing an AppLocker policy by using the Local Security Policy snap-in](#bkmk-editapplolnotingpo)
 
+## <a href="" id="bkmk-editapppolinmdm"></a>Editing an AppLocker policy by using Mobile Device Management (MDM)
+
+
 ## <a href="" id="bkmk-editapppolingpo"></a>Editing an AppLocker policy by using Group Policy
 
 The steps to edit an AppLocker policy distributed by Group Policy include the following:
diff --git a/windows/security/threat-protection/applocker/edit-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/edit-applocker-rules.md
similarity index 100%
rename from windows/security/threat-protection/applocker/edit-applocker-rules.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/edit-applocker-rules.md
diff --git a/windows/security/threat-protection/applocker/enable-the-dll-rule-collection.md b/windows/security/threat-protection/windows-defender-application-control/applocker/enable-the-dll-rule-collection.md
similarity index 100%
rename from windows/security/threat-protection/applocker/enable-the-dll-rule-collection.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/enable-the-dll-rule-collection.md
diff --git a/windows/security/threat-protection/applocker/enforce-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/enforce-applocker-rules.md
similarity index 100%
rename from windows/security/threat-protection/applocker/enforce-applocker-rules.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/enforce-applocker-rules.md
diff --git a/windows/security/threat-protection/applocker/executable-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/executable-rules-in-applocker.md
similarity index 100%
rename from windows/security/threat-protection/applocker/executable-rules-in-applocker.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/executable-rules-in-applocker.md
diff --git a/windows/security/threat-protection/applocker/export-an-applocker-policy-from-a-gpo.md b/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-from-a-gpo.md
similarity index 100%
rename from windows/security/threat-protection/applocker/export-an-applocker-policy-from-a-gpo.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-from-a-gpo.md
diff --git a/windows/security/threat-protection/applocker/export-an-applocker-policy-to-an-xml-file.md b/windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-to-an-xml-file.md
similarity index 100%
rename from windows/security/threat-protection/applocker/export-an-applocker-policy-to-an-xml-file.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/export-an-applocker-policy-to-an-xml-file.md
diff --git a/windows/security/threat-protection/applocker/how-applocker-works-techref.md b/windows/security/threat-protection/windows-defender-application-control/applocker/how-applocker-works-techref.md
similarity index 100%
rename from windows/security/threat-protection/applocker/how-applocker-works-techref.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/how-applocker-works-techref.md
diff --git a/windows/security/threat-protection/applocker/images/applocker-plan-inheritance.gif b/windows/security/threat-protection/windows-defender-application-control/applocker/images/applocker-plan-inheritance.gif
similarity index 100%
rename from windows/security/threat-protection/applocker/images/applocker-plan-inheritance.gif
rename to windows/security/threat-protection/windows-defender-application-control/applocker/images/applocker-plan-inheritance.gif
diff --git a/windows/security/threat-protection/applocker/images/applocker-plandeploy-quickreference.gif b/windows/security/threat-protection/windows-defender-application-control/applocker/images/applocker-plandeploy-quickreference.gif
similarity index 100%
rename from windows/security/threat-protection/applocker/images/applocker-plandeploy-quickreference.gif
rename to windows/security/threat-protection/windows-defender-application-control/applocker/images/applocker-plandeploy-quickreference.gif
diff --git a/windows/security/threat-protection/applocker/images/blockedappmsg.gif b/windows/security/threat-protection/windows-defender-application-control/applocker/images/blockedappmsg.gif
similarity index 100%
rename from windows/security/threat-protection/applocker/images/blockedappmsg.gif
rename to windows/security/threat-protection/windows-defender-application-control/applocker/images/blockedappmsg.gif
diff --git a/windows/security/threat-protection/applocker/import-an-applocker-policy-from-another-computer.md b/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md
similarity index 100%
rename from windows/security/threat-protection/applocker/import-an-applocker-policy-from-another-computer.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-from-another-computer.md
diff --git a/windows/security/threat-protection/applocker/import-an-applocker-policy-into-a-gpo.md b/windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo.md
similarity index 100%
rename from windows/security/threat-protection/applocker/import-an-applocker-policy-into-a-gpo.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/import-an-applocker-policy-into-a-gpo.md
diff --git a/windows/security/threat-protection/applocker/maintain-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md
similarity index 95%
rename from windows/security/threat-protection/applocker/maintain-applocker-policies.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md
index 7142e3a68e..7a8937b222 100644
--- a/windows/security/threat-protection/applocker/maintain-applocker-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/maintain-applocker-policies.md
@@ -27,21 +27,26 @@ Common AppLocker maintenance scenarios include:
 -   An app appears to be allowed but should be blocked.
 -   A single user or small subset of users needs to use a specific app that is blocked.
 
-There are two methods you can use to maintain AppLocker policies:
+There are three methods you can use to maintain AppLocker policies:
 
+-   [Maintaining AppLocker policies by using Mobile Device Management (MDM)](#bkmk-applkr-use-mdm)
 -   [Maintaining AppLocker policies by using Group Policy](#bkmk-applkr-use-gp)
 -   [Maintaining AppLocker policies on the local computer](#bkmk-applkr-use-locsnapin)
 
+## <a href="" id="bkmk-applkr-use-mdm"></a>Maintaining AppLocker policies by using Mobile Device Management (MDM)
+
+
+
+## <a href="" id="bkmk-applkr-use-gp"></a>Maintaining AppLocker policies by using Group Policy
+
+For every scenario, the steps to maintain an AppLocker policy distributed by Group Policy include the following tasks.
+
 As new apps are deployed or existing apps are removed by your organization or updated by the software publisher, you might need to make revisions to your rules and update the Group Policy Object (GPO) to ensure that your policy is current.
 
 You can edit an AppLocker policy by adding, changing, or removing rules. However, you cannot specify a version for the AppLocker policy by importing additional rules. To ensure version control when modifying an AppLocker policy, use Group Policy management software that allows you to create 
 versions of GPOs.
 
 >**Caution:**  You should not edit an AppLocker rule collection while it is being enforced in Group Policy. Because AppLocker controls what files are allowed to run, making changes to a live policy can create unexpected behavior.
- 
-## <a href="" id="bkmk-applkr-use-gp"></a>Maintaining AppLocker policies by using Group Policy
-
-For every scenario, the steps to maintain an AppLocker policy distributed by Group Policy include the following tasks.
 
 ### Step 1: Understand the current behavior of the policy
 
diff --git a/windows/security/threat-protection/applocker/manage-packaged-apps-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md
similarity index 100%
rename from windows/security/threat-protection/applocker/manage-packaged-apps-with-applocker.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/manage-packaged-apps-with-applocker.md
diff --git a/windows/security/threat-protection/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md
similarity index 100%
rename from windows/security/threat-protection/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-by-using-set-applockerpolicy.md
diff --git a/windows/security/threat-protection/applocker/merge-applocker-policies-manually.md b/windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md
similarity index 100%
rename from windows/security/threat-protection/applocker/merge-applocker-policies-manually.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/merge-applocker-policies-manually.md
diff --git a/windows/security/threat-protection/applocker/monitor-application-usage-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md
similarity index 94%
rename from windows/security/threat-protection/applocker/monitor-application-usage-with-applocker.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md
index 23c4b6e8af..08cd3572ad 100644
--- a/windows/security/threat-protection/applocker/monitor-application-usage-with-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/monitor-application-usage-with-applocker.md
@@ -22,7 +22,7 @@ Once you set rules and deploy the AppLocker policies, it is good practice to det
 
 ### <a href="" id="bkmk-applkr-disc-effect-pol"></a>Discover the effect of an AppLocker policy
 
-You can evaluate how the AppLocker policy is currently implemented for documentation or audit purposes, or before you modify the policy. Updating your AppLocker Policy Deployment Planning document will help you track your findings. For information about creating this document, see [Create your AppLocker planning document](create-your-applocker-planning-document.md). You can perform one or more of the following steps to understand what application controls are currently enforced through AppLocker rules.
+You can evaluate how the AppLocker policy is currently implemented for documentation or audit purposes, or before you modify the policy. Updating your AppLocker Policy Deployment Planning document will help you track your findings. You can perform one or more of the following steps to understand what application controls are currently enforced through AppLocker rules.
 
 -   **Analyze the AppLocker logs in Event Viewer**
 
diff --git a/windows/security/threat-protection/applocker/optimize-applocker-performance.md b/windows/security/threat-protection/windows-defender-application-control/applocker/optimize-applocker-performance.md
similarity index 100%
rename from windows/security/threat-protection/applocker/optimize-applocker-performance.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/optimize-applocker-performance.md
diff --git a/windows/security/threat-protection/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md
similarity index 100%
rename from windows/security/threat-protection/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/packaged-apps-and-packaged-app-installer-rules-in-applocker.md
diff --git a/windows/security/threat-protection/applocker/plan-for-applocker-policy-management.md b/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md
similarity index 52%
rename from windows/security/threat-protection/applocker/plan-for-applocker-policy-management.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md
index fa323ebe0a..995eb8fedc 100644
--- a/windows/security/threat-protection/applocker/plan-for-applocker-policy-management.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md
@@ -104,12 +104,215 @@ A file could be blocked for three reasons:
 
 Before editing the rule collection, first determine what rule is preventing the file from running. You can troubleshoot the problem by using the **Test-AppLockerPolicy** Windows PowerShell cmdlet. For more info about troubleshooting an AppLocker policy, see [Testing and Updating an AppLocker Policy](https://go.microsoft.com/fwlink/p/?LinkId=160269) (https://go.microsoft.com/fwlink/p/?LinkId=160269).
 
-## Next steps
+## Record your findings
 
-After deciding how your organization will manage your AppLocker policy, record your findings.
+To complete this AppLocker planning document, you should first complete the following steps:
 
--   **End-user support policy.** Document the process that you will use for handling calls from users who have attempted to run a blocked app, and ensure that support personnel have clear escalation steps so that the administrator can update the AppLocker policy, if necessary.
--   **Event processing.** Document whether events will be collected in a central location called a store, how that store will be archived, and whether the events will be processed for analysis.
--   **Policy maintenance.** Detail how rules will be added to the policy and in which GPO the rules are defined.
+1.  [Determine your application control objectives](determine-your-application-control-objectives.md)
+2.  [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md)
+3.  [Select the types of rules to create](select-types-of-rules-to-create.md)
+4.  [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md)
+5.  [Plan for AppLocker policy management](plan-for-applocker-policy-management.md)
+
+The three key areas to determine for AppLocker policy management are:
+
+1.  Support policy
+
+    Document the process that you will use for handling calls from users who have attempted to run a blocked app, and ensure that support personnel know recommended troubleshooting steps and escalation points for your policy.
+
+2.  Event processing
+
+    Document whether events will be collected in a central location, how that store will be archived, and whether the events will be processed for analysis.
+
+3.  Policy maintenance
+
+    Detail how rules will be added to the policy, in which Group Policy Object (GPO) the rules should be defined, and how to modify rules when apps are retired, updated, or added.
+
+The following table contains the added sample data that was collected when determining how to maintain and manage AppLocker policies.
+
+<table style="width:100%;">
+<colgroup>
+<col width="11%" />
+<col width="11%" />
+<col width="11%" />
+<col width="11%" />
+<col width="11%" />
+<col width="11%" />
+<col width="11%" />
+<col width="11%" />
+<col width="11%" />
+</colgroup>
+<thead>
+<tr class="header">
+<th align="left">Business group</th>
+<th align="left">Organizational unit</th>
+<th align="left">Implement AppLocker?</th>
+<th align="left">Apps</th>
+<th align="left">Installation path</th>
+<th align="left">Use default rule or define new rule condition</th>
+<th align="left">Allow or deny</th>
+<th align="left">GPO name</th>
+<th align="left">Support policy</th>
+</tr>
+</thead>
+<tbody>
+<tr class="odd">
+<td align="left"><p>Bank Tellers</p></td>
+<td align="left"><p>Teller-East and Teller-West</p></td>
+<td align="left"><p>Yes</p></td>
+<td align="left"><p>Teller Software</p></td>
+<td align="left"><p>C:\Program Files\Woodgrove\Teller.exe</p></td>
+<td align="left"><p>File is signed; create a publisher condition</p></td>
+<td align="left"><p>Allow</p></td>
+<td align="left"><p>Tellers-AppLockerTellerRules</p></td>
+<td align="left"><p>Web help</p></td>
+</tr>
+<tr class="even">
+<td align="left"><p></p></td>
+<td align="left"><p></p></td>
+<td align="left"><p></p></td>
+<td align="left"><p>Windows files</p>
+<p></p></td>
+<td align="left"><p>C:\Windows</p></td>
+<td align="left"><p>Create a path exception to the default rule to exclude \Windows\Temp</p></td>
+<td align="left"><p>Allow</p></td>
+<td align="left"><p></p></td>
+<td align="left"><p>Help desk</p></td>
+</tr>
+<tr class="odd">
+<td align="left"><p>Human Resources</p></td>
+<td align="left"><p>HR-All</p></td>
+<td align="left"><p>Yes</p></td>
+<td align="left"><p>Check Payout</p></td>
+<td align="left"><p>C:\Program Files\Woodgrove\HR\Checkcut.exe</p></td>
+<td align="left"><p>File is signed; create a publisher condition</p></td>
+<td align="left"><p>Allow</p></td>
+<td align="left"><p>HR-AppLockerHRRules</p></td>
+<td align="left"><p>Web help</p></td>
+</tr>
+<tr class="even">
+<td align="left"><p></p></td>
+<td align="left"><p></p></td>
+<td align="left"><p></p></td>
+<td align="left"><p>Time Sheet Organizer</p></td>
+<td align="left"><p>C:\Program Files\Woodgrove\HR\Timesheet.exe</p></td>
+<td align="left"><p>File is not signed; create a file hash condition</p></td>
+<td align="left"><p>Allow</p></td>
+<td align="left"><p></p></td>
+<td align="left"><p>Web help</p></td>
+</tr>
+<tr class="odd">
+<td align="left"><p></p></td>
+<td align="left"><p></p></td>
+<td align="left"><p></p></td>
+<td align="left"><p>Internet Explorer 7</p></td>
+<td align="left"><p>C:\Program Files\Internet Explorer\</p></td>
+<td align="left"><p>File is signed; create a publisher condition</p></td>
+<td align="left"><p>Deny</p></td>
+<td align="left"><p></p></td>
+<td align="left"><p>Web help</p>
+<p></p></td>
+</tr>
+<tr class="even">
+<td align="left"><p></p></td>
+<td align="left"><p></p></td>
+<td align="left"><p></p></td>
+<td align="left"><p>Windows files</p></td>
+<td align="left"><p>C:\Windows</p></td>
+<td align="left"><p>Use the default rule for the Windows path</p></td>
+<td align="left"><p>Allow</p></td>
+<td align="left"><p></p></td>
+<td align="left"><p>Help desk</p></td>
+</tr>
+</tbody>
+</table>
+ 
+The following two tables illustrate examples of documenting considerations to maintain and manage AppLocker policies.
+
+**Event processing policy**
+
+One discovery method for app usage is to set the AppLocker enforcement mode to **Audit only**. This will write events to the AppLocker logs, which can be managed and analyzed like other Windows logs. After apps have been identified, you can begin to develop policies regarding the processing and access to AppLocker events.
+
+The following table is an example of what to consider and record.
+
+<table>
+<colgroup>
+<col width="20%" />
+<col width="20%" />
+<col width="20%" />
+<col width="20%" />
+<col width="20%" />
+</colgroup>
+<thead>
+<tr class="header">
+<th align="left">Business group</th>
+<th align="left">AppLocker event collection location</th>
+<th align="left">Archival policy</th>
+<th align="left">Analyzed?</th>
+<th align="left">Security policy</th>
+</tr>
+</thead>
+<tbody>
+<tr class="odd">
+<td align="left"><p>Bank Tellers</p></td>
+<td align="left"><p>Forwarded to: AppLocker Event Repository on srvBT093</p></td>
+<td align="left"><p>Standard</p></td>
+<td align="left"><p>None</p></td>
+<td align="left"><p>Standard</p></td>
+</tr>
+<tr class="even">
+<td align="left"><p>Human Resources</p></td>
+<td align="left"><p>DO NOT FORWARD. srvHR004</p></td>
+<td align="left"><p>60 months</p></td>
+<td align="left"><p>Yes, summary reports monthly to managers</p></td>
+<td align="left"><p>Standard</p></td>
+</tr>
+</tbody>
+</table>
+ 
+**Policy maintenance policy**
+When applications are identified and policies are created for application control, then you can begin documenting how you intend to update those policies.
+The following table is an example of what to consider and record.
+<table>
+<colgroup>
+<col width="20%" />
+<col width="20%" />
+<col width="20%" />
+<col width="20%" />
+<col width="20%" />
+</colgroup>
+<thead>
+<tr class="header">
+<th align="left">Business group</th>
+<th align="left">Rule update policy</th>
+<th align="left">Application decommission policy</th>
+<th align="left">Application version policy</th>
+<th align="left">Application deployment policy</th>
+</tr>
+</thead>
+<tbody>
+<tr class="odd">
+<td align="left"><p>Bank Tellers</p></td>
+<td align="left"><p>Planned: Monthly through business office triage</p>
+<p>Emergency: Request through help desk</p></td>
+<td align="left"><p>Through business office triage</p>
+<p>30-day notice required</p></td>
+<td align="left"><p>General policy: Keep past versions for 12 months</p>
+<p>List policies for each application</p></td>
+<td align="left"><p>Coordinated through business office</p>
+<p>30-day notice required</p></td>
+</tr>
+<tr class="even">
+<td align="left"><p>Human Resources</p></td>
+<td align="left"><p>Planned: Monthly through HR triage</p>
+<p>Emergency: Request through help desk</p></td>
+<td align="left"><p>Through HR triage</p>
+<p>30-day notice required</p></td>
+<td align="left"><p>General policy: Keep past versions for 60 months</p>
+<p>List policies for each application</p></td>
+<td align="left"><p>Coordinated through HR</p>
+<p>30-day notice required</p></td>
+</tr>
+</tbody>
+</table>
 
-For information and steps how to document your processes, see [Document your application control management processes](document-your-application-control-management-processes.md).
diff --git a/windows/security/threat-protection/applocker/refresh-an-applocker-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md
similarity index 100%
rename from windows/security/threat-protection/applocker/refresh-an-applocker-policy.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/refresh-an-applocker-policy.md
diff --git a/windows/security/threat-protection/applocker/requirements-for-deploying-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md
similarity index 100%
rename from windows/security/threat-protection/applocker/requirements-for-deploying-applocker-policies.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/requirements-for-deploying-applocker-policies.md
diff --git a/windows/security/threat-protection/applocker/requirements-to-use-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md
similarity index 100%
rename from windows/security/threat-protection/applocker/requirements-to-use-applocker.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/requirements-to-use-applocker.md
diff --git a/windows/security/threat-protection/applocker/run-the-automatically-generate-rules-wizard.md b/windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md
similarity index 100%
rename from windows/security/threat-protection/applocker/run-the-automatically-generate-rules-wizard.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/run-the-automatically-generate-rules-wizard.md
diff --git a/windows/security/threat-protection/applocker/script-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md
similarity index 100%
rename from windows/security/threat-protection/applocker/script-rules-in-applocker.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/script-rules-in-applocker.md
diff --git a/windows/security/threat-protection/applocker/security-considerations-for-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md
similarity index 100%
rename from windows/security/threat-protection/applocker/security-considerations-for-applocker.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/security-considerations-for-applocker.md
diff --git a/windows/security/threat-protection/applocker/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md
similarity index 100%
rename from windows/security/threat-protection/applocker/select-types-of-rules-to-create.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/select-types-of-rules-to-create.md
diff --git a/windows/security/threat-protection/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md
similarity index 100%
rename from windows/security/threat-protection/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/test-an-applocker-policy-by-using-test-applockerpolicy.md
diff --git a/windows/security/threat-protection/applocker/test-and-update-an-applocker-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md
similarity index 100%
rename from windows/security/threat-protection/applocker/test-and-update-an-applocker-policy.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/test-and-update-an-applocker-policy.md
diff --git a/windows/security/threat-protection/applocker/tools-to-use-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md
similarity index 100%
rename from windows/security/threat-protection/applocker/tools-to-use-with-applocker.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/tools-to-use-with-applocker.md
diff --git a/windows/security/threat-protection/applocker/understand-applocker-enforcement-settings.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md
similarity index 100%
rename from windows/security/threat-protection/applocker/understand-applocker-enforcement-settings.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-enforcement-settings.md
diff --git a/windows/security/threat-protection/applocker/understand-applocker-policy-design-decisions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md
similarity index 98%
rename from windows/security/threat-protection/applocker/understand-applocker-policy-design-decisions.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md
index 5655cb2189..4e1b579be2 100644
--- a/windows/security/threat-protection/applocker/understand-applocker-policy-design-decisions.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-policy-design-decisions.md
@@ -224,7 +224,7 @@ Because the effectiveness of application control policies is dependent on the ab
  
 ## Record your findings
 
-The next step in the process is to record and analyze your answers to the preceding questions. If AppLocker is the right solution for your goals, tyou can set your application control policy objectives and plan your AppLocker rules. This process culminates in creating your planning document.
+The next step in the process is to record and analyze your answers to the preceding questions. If AppLocker is the right solution for your goals, you can set your application control policy objectives and plan your AppLocker rules. This process culminates in creating your planning document.
 
 -   For info about setting your policy goals, see [Determine your application control objectives](determine-your-application-control-objectives.md).
--   For info about creating your planning document, see [Create your AppLocker planning document](create-your-applocker-planning-document.md).
+
diff --git a/windows/security/threat-protection/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md
similarity index 100%
rename from windows/security/threat-protection/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md
diff --git a/windows/security/threat-protection/applocker/understand-the-applocker-policy-deployment-process.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md
similarity index 100%
rename from windows/security/threat-protection/applocker/understand-the-applocker-policy-deployment-process.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md
diff --git a/windows/security/threat-protection/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md
similarity index 100%
rename from windows/security/threat-protection/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-allow-and-deny-actions-on-rules.md
diff --git a/windows/security/threat-protection/applocker/understanding-applocker-default-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-default-rules.md
similarity index 100%
rename from windows/security/threat-protection/applocker/understanding-applocker-default-rules.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-default-rules.md
diff --git a/windows/security/threat-protection/applocker/understanding-applocker-rule-behavior.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md
similarity index 100%
rename from windows/security/threat-protection/applocker/understanding-applocker-rule-behavior.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-behavior.md
diff --git a/windows/security/threat-protection/applocker/understanding-applocker-rule-collections.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md
similarity index 100%
rename from windows/security/threat-protection/applocker/understanding-applocker-rule-collections.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-collections.md
diff --git a/windows/security/threat-protection/applocker/understanding-applocker-rule-condition-types.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types.md
similarity index 100%
rename from windows/security/threat-protection/applocker/understanding-applocker-rule-condition-types.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-condition-types.md
diff --git a/windows/security/threat-protection/applocker/understanding-applocker-rule-exceptions.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md
similarity index 100%
rename from windows/security/threat-protection/applocker/understanding-applocker-rule-exceptions.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/understanding-applocker-rule-exceptions.md
diff --git a/windows/security/threat-protection/applocker/understanding-the-file-hash-rule-condition-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md
similarity index 100%
rename from windows/security/threat-protection/applocker/understanding-the-file-hash-rule-condition-in-applocker.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-file-hash-rule-condition-in-applocker.md
diff --git a/windows/security/threat-protection/applocker/understanding-the-path-rule-condition-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md
similarity index 100%
rename from windows/security/threat-protection/applocker/understanding-the-path-rule-condition-in-applocker.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-path-rule-condition-in-applocker.md
diff --git a/windows/security/threat-protection/applocker/understanding-the-publisher-rule-condition-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md
similarity index 100%
rename from windows/security/threat-protection/applocker/understanding-the-publisher-rule-condition-in-applocker.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/understanding-the-publisher-rule-condition-in-applocker.md
diff --git a/windows/security/threat-protection/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md
similarity index 100%
rename from windows/security/threat-protection/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/use-a-reference-computer-to-create-and-maintain-applocker-policies.md
diff --git a/windows/security/threat-protection/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md b/windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md
similarity index 100%
rename from windows/security/threat-protection/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/use-applocker-and-software-restriction-policies-in-the-same-domain.md
diff --git a/windows/security/threat-protection/applocker/use-the-applocker-windows-powershell-cmdlets.md b/windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md
similarity index 100%
rename from windows/security/threat-protection/applocker/use-the-applocker-windows-powershell-cmdlets.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/use-the-applocker-windows-powershell-cmdlets.md
diff --git a/windows/security/threat-protection/applocker/using-event-viewer-with-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md
similarity index 100%
rename from windows/security/threat-protection/applocker/using-event-viewer-with-applocker.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/using-event-viewer-with-applocker.md
diff --git a/windows/security/threat-protection/applocker/using-software-restriction-policies-and-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md
similarity index 100%
rename from windows/security/threat-protection/applocker/using-software-restriction-policies-and-applocker-policies.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/using-software-restriction-policies-and-applocker-policies.md
diff --git a/windows/security/threat-protection/applocker/what-is-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md
similarity index 100%
rename from windows/security/threat-protection/applocker/what-is-applocker.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/what-is-applocker.md
diff --git a/windows/security/threat-protection/applocker/windows-installer-rules-in-applocker.md b/windows/security/threat-protection/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md
similarity index 100%
rename from windows/security/threat-protection/applocker/windows-installer-rules-in-applocker.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/windows-installer-rules-in-applocker.md
diff --git a/windows/security/threat-protection/applocker/working-with-applocker-policies.md b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md
similarity index 100%
rename from windows/security/threat-protection/applocker/working-with-applocker-policies.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-policies.md
diff --git a/windows/security/threat-protection/applocker/working-with-applocker-rules.md b/windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md
similarity index 100%
rename from windows/security/threat-protection/applocker/working-with-applocker-rules.md
rename to windows/security/threat-protection/windows-defender-application-control/applocker/working-with-applocker-rules.md
diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md
new file mode 100644
index 0000000000..c7ccf71667
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md
@@ -0,0 +1,97 @@
+---
+title: Audit Windows Defender Application Control (WDAC) policies (Windows 10)
+description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core.
+ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: high
+author: jsuther1974
+ms.date: 02/27/2018
+---
+
+# Audit Windows Defender Application Control policies
+
+**Applies to:**
+
+-   Windows 10
+-   Windows Server 2016
+
+When WDAC policies are run in audit mode, it allows administrators to discover any applications that were missed during an initial policy scan and to identify any new applications that have been installed and run since the original policy was created. While a WDAC policy is running in audit mode, any binary that runs and would have been denied had the policy been enforced is logged in the **Applications and Services Logs\\Microsoft\\Windows\\CodeIntegrity\\Operational** event log. When these logged binaries have been validated, they can easily be added to a new WDAC policy. When the new exception policy is created, you can merge it with your existing WDAC policies.
+
+Before you begin this process, you need to create a WDAC policy binary file. If you have not already done so, see [Create an initial Windows Defender Application Control policy from a reference computer](#create-initial-default-policy).
+
+**To audit a Windows Defender Application Control policy with local policy:**
+
+1.  Before you begin, find the *.bin policy file , for example, the DeviceGuardPolicy.bin. Copy the file to C:\\Windows\\System32\\CodeIntegrity.
+
+2.  On the computer you want to run in audit mode, open the Local Group Policy Editor by running **GPEdit.msc**.
+
+    > [!Note]
+    
+    > - The computer that you will run in audit mode must be clean of viruses or malware. Otherwise, in the process that you follow after auditing the system, you might unintentionally merge in a policy that allows viruses or malware to run.
+    
+    > - An alternative method to test a policy is to rename the test file to SIPolicy.p7b and drop it into C:\\Windows\\System32\\CodeIntegrity, rather than deploy it by using the Local Group Policy Editor.
+    
+3.  Navigate to **Computer Configuration\\Administrative Templates\\System\\Windows Defender Device Guard**, and then select **Deploy Windows Defender Application Control**. Enable this setting by using the appropriate file path, for example, C:\\Windows\\System32\\CodeIntegrity\\DeviceGuardPolicy.bin, as shown in Figure 1.
+
+    > [!Note]
+    
+    > - You can copy the WDAC policies to a file share to which all computer accounts have access rather than copy them to every system. 
+
+    > - You might have noticed that the GPO setting references a .p7b file and this policy uses a .bin file. Regardless of the type of policy you deploy (.bin, .p7b, or .p7), they are all converted to SIPolicy.p7b when dropped onto the computers running Windows 10. We recommend that you make your WDAC policy names friendly and allow the system to convert the policy names for you. By doing this, it ensures that the policies are easily distinguishable when viewed in a share or any other central repository.
+
+   ![Group Policy called Deploy Windows Defender Application Control](images/dg-fig22-deploycode.png)
+
+   Figure 1. Deploy your Windows Defender Application Control policy
+
+4.  Restart the reference system for the WDAC policy to take effect.
+
+5.  Use the system as you normally would, and monitor code integrity events in the event log. While in audit mode, any exception to the deployed WDAC policy will be logged in the **Applications and Services Logs\\Microsoft\\Windows\\CodeIntegrity\\Operational** event log, as shown in Figure 2.
+
+   ![Event showing exception to WDAC policy](images/dg-fig23-exceptionstocode.png)
+
+   Figure 2. Exceptions to the deployed WDAC policy
+
+   You will be reviewing the exceptions that appear in the event log, and making a list of any applications that should be allowed to run in your environment.
+   
+6. If you want to create a catalog file to simplify the process of including unsigned LOB applications in your WDAC policy, this is a good time to create it. For information, see [Deploy catalog files to support Windows Defender Application Control](deploy-catalog-files-to-support-windows-defender-application-control.md).   
+
+Now that you have a WDAC policy deployed in audit mode, you can capture any audit information that appears in the event log. This is described in the next section.
+
+## Create a Windows Defender Application Control policy that captures audit information from the event log
+
+Use the following procedure after you have been running a computer with a WDAC policy in audit mode for a period of time. When you are ready to capture the needed policy information from the event log (so that you can later merge that information into the original WDAC policy), complete the following steps. 
+
+<!-- Watch the phrase "later step in this procedure" in step 1, in case the organization of the procedures changes. -->
+
+1.  Review the audit information in the event log. From the WDAC policy exceptions that you see, make a list of any applications that should be allowed to run in your environment, and decide on the file rule level that should be used to trust these applications.
+
+    Although the Hash file rule level will catch all of these exceptions, it may not be the best way to trust all of them. For information about file rule levels, see [Windows Defender Application Control file rule levels](select-types-of-rules-to-create.md) in "Deploy Windows Defender Application Control: policy rules and file rules."
+    
+    Your event log might also contain exceptions for applications that you eventually want your WDAC policy to block. If these appear, make a list of these also, for a later step in this procedure.
+
+2.  In an elevated Windows PowerShell session, initialize the variables that will be used. The example filename shown here is **DeviceGuardAuditPolicy.xml**:
+
+    ` $CIPolicyPath=$env:userprofile+"\Desktop\"`
+
+    ` $CIAuditPolicy=$CIPolicyPath+"DeviceGuardAuditPolicy.xml"`
+
+3.  Use [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy) to generate a new WDAC policy from logged audit events. This example uses a file rule level of **Hash** and includes `3> CIPolicylog.txt`, which redirects warning messages to a text file, **CIPolicylog.txt**.
+
+    ` New-CIPolicy -Audit -Level Hash -FilePath $CIAuditPolicy –UserPEs 3> CIPolicylog.txt`
+
+  > [!Note] 
+  > When you create policies from audit events, you should carefully consider the file rule level that you select to trust. The preceding example uses the **Hash** rule level, which is the most specific. Any change to the file (such as replacing the file with a newer version of the same file) will change the Hash value, and require an update to the policy.
+
+4.  Find and review the WDAC audit policy .xml file that you created. If you used the example variables as shown, the filename will be **DeviceGuardAuditPolicy.xml**, and it will be on your desktop. Look for the following:
+
+    - Any applications that were caught as exceptions, but should be allowed to run in your environment. These are applications that should be in the .xml file. Leave these as-is in the file.
+    
+    - Any applications that actually should not be allowed to run in your environment. Edit these out of the .xml file. If they remain in the .xml file, and the information in the file is merged into your existing WDAC policy, the policy will treat the applications as trusted, and allow them to run. 
+
+You can now use this file to update the existing WDAC policy that you ran in audit mode by merging the two policies. For instructions on how to merge this audit policy with the existing WDAC policy, see the next section, [Merge Windows Defender Application Control policies](#merge-windows-defender-application-control-policies).
+
+> [!Note] 
+> You may have noticed that you did not generate a binary version of this policy as you did in [Create a Windows Defender Application Control policy from a reference computer](#create-a-windows-defender-application-control-policy-from-a-reference-computer). This is because WDAC policies created from an audit log are not intended to run as stand-alone policies but rather to update existing WDAC policies.
\ No newline at end of file
diff --git a/windows/security/threat-protection/device-guard/optional-create-a-code-signing-certificate-for-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md
similarity index 84%
rename from windows/security/threat-protection/device-guard/optional-create-a-code-signing-certificate-for-windows-defender-application-control.md
rename to windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md
index 668316004b..7303a1371c 100644
--- a/windows/security/threat-protection/device-guard/optional-create-a-code-signing-certificate-for-windows-defender-application-control.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md
@@ -1,21 +1,23 @@
 ---
-title: Optional - Create a code signing certificate for code integrity policies (Windows 10)
-description: This article describes how to create a code signing certificate for code integrity policies, one of the main features that are part of Windows Defender Device Guard in Windows 10. 
-keywords: virtualization, security, malware
+title: Create a code signing cert for Windows Defender Application Control  (Windows 10)
+description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core.
+ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
 ms.prod: w10
 ms.mktglfcycl: deploy
-ms.localizationpriority: high
-author: brianlic-msft
-ms.date: 10/20/2017
+ms.sitesec: library
+ms.pagetype: security
+author: jsuther1974
+ms.date: 02/28/2018
 ---
 
-# Optional: Create a code signing certificate for Windows Defender Application Control
+# Optional: Create a code signing cert for Windows Defender Application Control  
 
-**Applies to**
--   Windows 10
--   Windows Server 2016
+**Applies to:**
 
-As you deploy Windows Defender Application Control (WDAC) (also part of Windows Defender Device Guard), you might need to sign catalog files or WDAC policies internally. To do this, you will either need a publicly issued code signing certificate or an internal CA. If you have purchased a code signing certificate, you can skip this topic and instead follow other topics listed in [Deploy Windows Defender Application Control](deploy-windows-defender-application-control.md). 
+-   Windows 10
+-   Windows Server 2016
+
+As you deploy Windows Defender Application Control (WDAC) (also part of Windows Defender Device Guard), you might need to sign catalog files or WDAC policies internally. To do this, you will either need a publicly issued code signing certificate or an internal CA. If you have purchased a code signing certificate, you can skip this topic and instead follow other topics listed in the [Windows Defender Application Control Deployment Guide](windows-defender-application-control-deployment-guide.md). 
 
 If you have an internal CA, complete these steps to create a code signing certificate. 
 Only RSA algorithm is supported for the code signing certificate, and signatures must be PKCS 1.5 padded. 
@@ -99,7 +101,7 @@ When the certificate has been exported, import it into the personal store for th
 
 ## Related topics
 
-- [Introduction to Windows Defender Device Guard: virtualization-based security and Windows Defender Application Control](introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
+- [Windows Defender Application Control](windows-defender-application-control.md)
 
-- [Deploy Windows Defender Application Control](deploy-windows-defender-application-control.md)
+- [Windows Defender Application Control Deployment Guide](windows-defender-application-control-deployment-guide.md)
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md
new file mode 100644
index 0000000000..3c1bd40618
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md
@@ -0,0 +1,75 @@
+---
+title: Create an initial default policy (Windows 10)
+description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core.
+ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: high
+author: jsuther1974
+ms.date: 02/27/2018
+---
+
+# Create a Windows Defender Application Control policy from a reference computer
+
+**Applies to:**
+
+-   Windows 10
+-   Windows Server 2016
+
+This section outlines the process to create a WDAC policy with Windows PowerShell. 
+For this example, you must initiate variables to be used during the creation process or use the full file paths in the command. 
+Then create the WDAC policy by scanning the system for installed applications. 
+The policy file is converted to binary format when it gets created so that Windows can interpret it.
+
+> [!Note] 
+> Make sure the reference computer is virus and malware-free, and install any software you want to be scanned before creating the WDAC policy. 
+
+Each installed software application should be validated as trustworthy before you create a policy. 
+We recommend that you review the reference computer for software that can load arbitrary DLLs and run code or scripts that could render the PC more vulnerable. 
+Examples include software aimed at development or scripting such as msbuild.exe (part of Visual Studio and the .NET Framework) which can be removed if you do not want to run scripts. 
+You can remove or disable such software on the reference computer. 
+
+
+
+To create a WDAC policy, copy each of the following commands into an elevated Windows PowerShell session, in order:
+
+1.  Initialize variables that you will use. The following example commands use **InitialScan.xml** and **DeviceGuardPolicy.bin** for the names of the files that will be created:
+
+    ` $CIPolicyPath=$env:userprofile+"\Desktop\"`
+
+    ` $InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"`
+
+    ` $CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"`
+
+2.  Use [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy) to create a new WDAC policy by scanning the system for installed applications:
+
+    ```powershell
+    New-CIPolicy -Level PcaCertificate -FilePath $InitialCIPolicy –UserPEs 3> CIPolicyLog.txt 
+    ```
+
+    > [!Note] 
+    
+    > - When you specify the **-UserPEs** parameter (to include user mode executables in the scan), rule option **0 Enabled:UMCI** is automatically added to the WDAC policy. In contrast, if you do not specify **-UserPEs**, the policy will be empty of user mode executables and will only have rules for kernel mode binaries like drivers, in other words, the whitelist will not include applications. If you create such a policy and later add rule option **0 Enabled:UMCI**, all attempts to start applications will cause a response from Windows Defender Application Control. In audit mode, the response is logging an event, and in enforced mode, the response is blocking the application. 
+    
+    > - You can add the **-Fallback** parameter to catch any applications not discovered using the primary file rule level specified by the **-Level** parameter. For more information about file rule level options, see [Windows Defender Application Control file rule levels](select-types-of-rules-to-create.md).
+
+    > - To specify that the WDAC policy scan only a specific drive, include the **-ScanPath** parameter followed by a path. Without this parameter, the entire system is scanned.
+    
+    > - The preceding example includes `3> CIPolicylog.txt`, which redirects warning messages to a text file, **CIPolicylog.txt**.
+
+3.  Use [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy) to convert the WDAC policy to a binary format:
+
+    ```powershell
+    ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin
+    ```
+
+After you complete these steps, the WDAC binary file (DeviceGuardPolicy.bin) and original .xml file (IntialScan.xml) will be available on your desktop. You can use the binary file as a WDAC policy or sign it for additional security.
+
+> [!Note] 
+> We recommend that you keep the original .xml file of the policy for use when you need to merge the WDAC policy with another policy or update its rule options. Alternatively, you would have to create a new policy from a new scan for servicing. For more information about how to merge WDAC policies, see [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md).
+
+We recommend that every WDAC policy be run in audit mode before being enforced. Doing so allows administrators to discover any issues with the policy without receiving error messages. For information about how to audit a WDAC policy, see [Audit Windows Defender Application Control policies](audit-windows-defender-application-control-policies.md).
+
+
diff --git a/windows/security/threat-protection/applocker/create-your-applocker-planning-document.md b/windows/security/threat-protection/windows-defender-application-control/create-your-windows-defender-application-control-planning-document.md
similarity index 83%
rename from windows/security/threat-protection/applocker/create-your-applocker-planning-document.md
rename to windows/security/threat-protection/windows-defender-application-control/create-your-windows-defender-application-control-planning-document.md
index 4f0f43ced7..c91ecd2bc3 100644
--- a/windows/security/threat-protection/applocker/create-your-applocker-planning-document.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-your-windows-defender-application-control-planning-document.md
@@ -1,6 +1,6 @@
 ---
-title: Create your AppLocker planning document (Windows 10)
-description: This planning topic for the IT professional summarizes the information you need to research and include in your AppLocker planning document.
+title: Create your Windows Defender Application Control (WDAC) planning document (Windows 10)
+description: This planning topic for the IT professional summarizes the information you need to research and include in your WDAC planning document.
 ms.assetid: 41e49644-baf4-4514-b089-88adae2d624e
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -10,41 +10,38 @@ author: brianlic-msft
 ms.date: 09/21/2017
 ---
 
-# Create your AppLocker planning document
+# Create your Windows Defender Application Control (WDAC) planning document
 
 **Applies to**
  -   Windows 10 
  -   Windows Server
 
-This planning topic for the IT professional summarizes the information you need to research and include in your AppLocker planning document.
+This planning topic for the IT professional summarizes the information you need to research and include in your WDAC planning document.
 
-## The AppLocker deployment design
+## The WDAC deployment design
 
-The design process and the planning document help you investigate application usage in your organization and record your findings so you can effectively deploy and maintain application control policies by using AppLocker.
+The design process and the planning document help you investigate application usage in your organization and record your findings so you can effectively deploy and maintain application control policies by using WDAC.
 
 You should have completed these steps in the design and planning process:
 
-1.  [Determine your application control objectives](determine-your-application-control-objectives.md)
-2.  [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md)
-3.  [Select types of rules to create](select-types-of-rules-to-create.md)
-4.  [Determine Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md)
-5.  [Plan for AppLocker policy management](plan-for-applocker-policy-management.md)
+1.  [Select types of rules to create](select-types-of-rules-to-create.md)
+2.  [Plan for WDAC policy management](document-your-windows-defender-application-control-management-processes.md)
 
-### AppLocker planning document contents
+### WDAC planning document contents
 
 Your planning document should contain:
 
 -   A list of business groups that will participate in the application control policy project, their requirements, a description of their business processes, and contact information.
 -   Application control policy project target dates, both for planning and deployment.
 -   A complete list of apps used by each business group (or organizational unit), including version information and installation paths.
--   What condition to apply to rules governing each application (or whether to use the default set provided by AppLocker).
--   A strategy for using Group Policy to deploy the AppLocker policies.
--   A strategy in processing the application usage events generated by AppLocker.
--   A strategy to maintain and manage AppLocker polices after deployment.
+-   What condition to apply to rules governing each application (or whether to use the default set provided by WDAC).
+-   A strategy for using Group Policy to deploy the WDAC policies.
+-   A strategy in processing the application usage events generated by WDAC.
+-   A strategy to maintain and manage WDAC polices after deployment.
 
-### Sample template for an AppLocker planning document
+### Sample template for an WDAC planning document
 
-You can use the following form to construct your own AppLocker planning document.
+You can use the following form to construct your own WDAC planning document.
 
 **Business group**:
 
@@ -103,7 +100,7 @@ You can use the following form to construct your own AppLocker planning document
 <tr class="header">
 <th align="left">Business group</th>
 <th align="left">Organizational unit</th>
-<th align="left">Implement AppLocker?</th>
+<th align="left">Implement WDAC?</th>
 <th align="left">Apps</th>
 <th align="left">Installation path</th>
 <th align="left">Use default rule or define new rule condition</th>
@@ -140,7 +137,7 @@ You can use the following form to construct your own AppLocker planning document
 <thead>
 <tr class="header">
 <th align="left">Business group</th>
-<th align="left">AppLocker event collection location</th>
+<th align="left">WDAC event collection location</th>
 <th align="left">Archival policy</th>
 <th align="left">Analyzed?</th>
 <th align="left">Security policy</th>
@@ -188,7 +185,7 @@ You can use the following form to construct your own AppLocker planning document
 </tbody>
 </table>
  
-### Example of an AppLocker planning document
+### Example of a WDAC planning document
 
 **Rules**
 
@@ -208,7 +205,7 @@ You can use the following form to construct your own AppLocker planning document
 <tr class="header">
 <th align="left">Business group</th>
 <th align="left">Organizational unit</th>
-<th align="left">Implement AppLocker?</th>
+<th align="left">Implement WDAC?</th>
 <th align="left">Applications</th>
 <th align="left">Installation path</th>
 <th align="left">Use default rule or define new rule condition</th>
@@ -226,7 +223,7 @@ You can use the following form to construct your own AppLocker planning document
 <td align="left"><p>C:\Program Files\Woodgrove\Teller.exe</p></td>
 <td align="left"><p>File is signed; create a publisher condition</p></td>
 <td align="left"><p>Allow</p></td>
-<td align="left"><p>Tellers-AppLockerTellerRules</p></td>
+<td align="left"><p>Tellers-WDACTellerRules</p></td>
 <td align="left"><p>Web help</p></td>
 </tr>
 <tr class="even">
@@ -249,7 +246,7 @@ You can use the following form to construct your own AppLocker planning document
 <td align="left"><p>C:\Program Files\Woodgrove\HR\Checkcut.exe</p></td>
 <td align="left"><p>File is signed; create a publisher condition</p></td>
 <td align="left"><p>Allow</p></td>
-<td align="left"><p>HR-AppLockerHRRules</p></td>
+<td align="left"><p>HR-WDACHRRules</p></td>
 <td align="left"><p>Web help</p></td>
 </tr>
 <tr class="even">
@@ -302,7 +299,7 @@ You can use the following form to construct your own AppLocker planning document
 <thead>
 <tr class="header">
 <th align="left">Business group</th>
-<th align="left">AppLocker event collection location</th>
+<th align="left">WDAC event collection location</th>
 <th align="left">Archival policy</th>
 <th align="left">Analyzed?</th>
 <th align="left">Security policy</th>
@@ -311,7 +308,7 @@ You can use the following form to construct your own AppLocker planning document
 <tbody>
 <tr class="odd">
 <td align="left"><p>Bank Tellers</p></td>
-<td align="left"><p>Forwarded to: AppLocker Event Repository on srvBT093</p></td>
+<td align="left"><p>Forwarded to: WDAC Event Repository on srvBT093</p></td>
 <td align="left"><p>Standard</p></td>
 <td align="left"><p>None</p></td>
 <td align="left"><p>Standard</p></td>
@@ -373,7 +370,6 @@ You can use the following form to construct your own AppLocker planning document
  
 ### Additional resources
 
--   The AppLocker Policies Design Guide is the predecessor to the AppLocker Policies Deployment Guide. When planning is complete, see the [AppLocker policies deployment guide](applocker-policies-deployment-guide.md).
--   For more general info, see [AppLocker](applocker-overview.md).
+-   [Windows Defender Application Control](windows-defender-application-control.md)
  
  
diff --git a/windows/security/threat-protection/device-guard/deploy-catalog-files-to-support-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md
similarity index 75%
rename from windows/security/threat-protection/device-guard/deploy-catalog-files-to-support-windows-defender-application-control.md
rename to windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md
index 5e17a306fa..c2ea74a274 100644
--- a/windows/security/threat-protection/device-guard/deploy-catalog-files-to-support-windows-defender-application-control.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md
@@ -1,43 +1,46 @@
 ---
-title: Deploy catalog files to support code integrity policies (Windows 10)
-description: This article describes how to deploy catalog files to support Windows Defender Application Control, one of the main features that are part of Windows Defender Device Guard in Windows 10. 
-keywords: virtualization, security, malware
+title: Deploy catalog files to support Windows Defender Application Control (Windows 10)
+description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core.
+ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
 ms.prod: w10
 ms.mktglfcycl: deploy
-ms.localizationpriority: high
-author: brianlic-msft
-ms.date: 10/27/2017
+ms.sitesec: library
+ms.pagetype: security
+author: jsuther1974
+ms.date: 02/28/2018
 ---
 
-# Deploy catalog files to support Windows Defender Application Control
+# Deploy catalog files to support Windows Defender Application Control   
 
-**Applies to**
--   Windows 10
--   Windows Server 2016
+**Applies to:**
+
+-   Windows 10
+-   Windows Server 2016
 
 Catalog files can be important in your deployment of Windows Defender Application Control (WDAC) if you have unsigned line-of-business (LOB) applications for which the process of signing is difficult. To prepare to create WDAC policies that allow these trusted applications but block unsigned code (most malware is unsigned), you create a *catalog file* that contains information about the trusted applications. After you sign and distribute the catalog, your trusted applications can be handled by WDAC in the same way as any other signed application. With this foundation, you can more easily block all unsigned applications, allowing only signed applications to run.
 
-For more description of catalog files, see [Reviewing your applications: application signing and catalog files](requirements-and-deployment-planning-guidelines-for-device-guard.md#reviewing-your-applications-application-signing-and-catalog-files) in "Requirements and deployment planning guidelines for Windows Defender Device Guard." 
-
 ## Create catalog files
 
 The creation of a catalog file simplifies the steps to run unsigned applications in the presence of a WDAC policy.
 
 To create a catalog file, you use a tool called **Package Inspector**. You must also have a WDAC policy deployed in audit mode on the computer on which you run Package Inspector, so that Package Inspector can include any temporary installation files that are added and then removed from the computer during the installation process.
 
-> **Note**&nbsp;&nbsp;When you establish a naming convention it makes it easier to detect deployed catalog files in the future. In this guide, *\*-Contoso.cat* is used as the example naming convention. For more information about why this practice is helpful to inventory or detect catalog files, see [Inventory catalog files with System Center Configuration Manager](#inventory-catalog-files-with-system-center-configuration-manager), later in this topic.
+> [!NOTE]
+> When you establish a naming convention it makes it easier to detect deployed catalog files in the future. In this guide, *\*-Contoso.cat* is used as the example naming convention. 
 
 1.  Be sure that a WDAC policy is currently deployed in audit mode on the computer on which you will run Package Inspector.
 
-    Package Inspector does not always detect temporary installation files that are added and then removed from the computer during the installation process. To ensure that these binaries are also included in your catalog file, deploy a WDAC policy in audit mode. You can use the WDAC policy that you created and audited in [Create a Windows Defender Application Control policy from a reference computer](steps-to-deploy-windows-defender-application-control.md#create-a-windows-defender-application-control-policy-from-a-reference-computer) and [Audit Windows Defender Application Control policies](steps-to-deploy-windows-defender-application-control.md#audit-windows-defender-application-control-policies).
+    Package Inspector does not always detect temporary installation files that are added and then removed from the computer during the installation process. To ensure that these binaries are also included in your catalog file, deploy a WDAC policy in audit mode. 
 
-    > **Note**&nbsp;&nbsp;This process should **not** be performed on a system with an enforced Windows Defender Application Control policy, only with a policy in audit mode. If a policy is currently being enforced, you will not be able to install and run the application unless the policy already allows it.
+    > [!NOTE]
+    > This process should **not** be performed on a system with an enforced Windows Defender Application Control policy, only with a policy in audit mode. If a policy is currently being enforced, you will not be able to install and run the application unless the policy already allows it.
 
 2.  Start Package Inspector, and then start scanning a local drive, for example, drive C:
 
     ` PackageInspector.exe Start C:`
 
-    > **Note**&nbsp;&nbsp;Package inspector can monitor installations on any local drive. Specify the appropriate drive on the local computer.
+    > [!NOTE]
+    > Package inspector can monitor installations on any local drive. Specify the appropriate drive on the local computer.
     
 3.  Copy the installation media to the local drive (typically drive C).
 
@@ -45,7 +48,8 @@ To create a catalog file, you use a tool called **Package Inspector**. You must
 
 4.  Install the application. Install it to the same drive that the application installer is located on (the drive you are scanning). Also, while Package Inspector is running, do not run any installations or updates that you don't want to capture in the catalog.
 
-    > **Important**&nbsp;&nbsp;Every binary that is run while Package Inspector is running will be captured in the catalog. Ensure that only trusted applications are run during this time. 
+    > [!IMPORTANT]
+    > Every binary that is run while Package Inspector is running will be captured in the catalog. Ensure that only trusted applications are run during this time. 
 
 5.  Start the application.
 
@@ -75,10 +79,6 @@ When finished, the files will be saved to your desktop. You can double-click the
 
 To trust the contents of the catalog file within a WDAC policy, the catalog must first be signed. Then, the signing certificate can be added to the WDAC policy, and the catalog file can be distributed to the individual client computers. 
 
-For information about signing catalog files by using a certificate and SignTool.exe, a free tool available in the Windows SDK, see the next section, [Catalog signing with SignTool.exe](#catalog-signing-with-signtoolexe).
-
-For information about adding the signing certificate to a WDAC policy, see [Add a catalog signing certificate to a Windows Defender Application Control policy](#add-a-catalog-signing-certificate-to-a-windows-defender-application-control-policy).
-
 ### Resolving package failures
 
 Packages can fail for the following reasons:
@@ -100,27 +100,23 @@ Packages can fail for the following reasons:
 
 ## Catalog signing with SignTool.exe
 
-In this section, you sign a catalog file you generated by using PackageInspector.exe, as described in the previous section, [Create catalog files](#create-catalog-files). In this example, you need the following:
+To sign a catalog file you generated by using PackageInspector.exe, you need the following:
 
 -   SignTool.exe, found in the Windows software development kit (SDK—Windows 7 or later)
 
--   The catalog file that you generated in the [Create catalog files](#create-catalog-files) section, or another catalog file that you have created
+-   The catalog file that you generated previously
 
 -   An internal certification authority (CA) code signing certificate or purchased code signing certificate
 
-If you do not have a code signing certificate, see [Optional: Create a code signing certificate for Windows Defender Application Control](optional-create-a-code-signing-certificate-for-windows-defender-application-control.md) for a walkthrough of how to create one. That topic uses an example certificate name of **ContosoDGSigningCert**, and the procedure that follows uses that example certificate name to sign the catalog file that you created in [Create catalog files](#create-catalog-files), earlier in this topic. If you are using an alternate certificate or catalog file, update the following steps with the appropriate variables and certificate. 
-
 To sign the existing catalog file, copy each of the following commands into an elevated Windows PowerShell session.
 
-1.  Initialize the variables that will be used:
+1.  Initialize the variables that will be used. Replace the *$ExamplePath* and *$CatFileName* variables as needed:
 
     ` $ExamplePath=$env:userprofile+"\Desktop"`
     
     ` $CatFileName=$ExamplePath+"\LOBApp-Contoso.cat"`
 
-    > **Note**&nbsp;&nbsp;This example specifies the catalog file you created in the [Create catalog files](#create-catalog-files) section. If you are signing another catalog file, update the *$ExamplePath* and *$CatFileName* variables with the correct information.
-
-2.  Import the code signing certificate that will be used to sign the catalog file. Import it to the signing user’s personal store. This example uses the certificate name from [Optional: Create a code signing certificate for Windows Defender Application Control](optional-create-a-code-signing-certificate-for-windows-defender-application-control.md).
+2.  Import the code signing certificate that will be used to sign the catalog file. Import it to the signing user’s personal store. 
 
 3.  Sign the catalog file with Signtool.exe:
 
@@ -128,7 +124,7 @@ To sign the existing catalog file, copy each of the following commands into an e
 
     > **Note**&nbsp;&nbsp;The *&lt;Path to signtool.exe&gt;* variable should be the full path to the Signtool.exe utility. *ContosoDGSigningCert* represents the subject name of the certificate that you will use to sign the catalog file. This certificate should be imported to your personal certificate store on the computer on which you are attempting to sign the catalog file.
 
-    > **Note**&nbsp;&nbsp;For additional information about Signtool.exe and all additional switches, visit the [MSDN Sign Tool page](https://msdn.microsoft.com/library/8s9b9yaz(v=vs.110).aspx).
+    > **Note**&nbsp;&nbsp;For additional information about Signtool.exe and all additional switches, visit the [Sign Tool page](https://docs.microsoft.com/dotnet/framework/tools/signtool-exe).
     
 4.  Verify the catalog file digital signature. Right-click the catalog file, and then click **Properties**. On the **Digital Signatures** tab, verify that your signing certificate exists with a **sha256** algorithm, as shown in Figure 1.
 
@@ -146,31 +142,31 @@ After the catalog file is signed, add the signing certificate to a WDAC policy,
 
 1.  If you have not already verified the catalog file digital signature, right-click the catalog file, and then click **Properties**. On the **Digital Signatures** tab, verify that your signing certificate exists with the algorithm you expect.
 
-2.  If you already have an XML policy file that you want to add the signing certificate to, skip to the next step. Otherwise, use [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy?view=win10-ps) to create a WDAC policy that you will later merge into another policy (not deploy as-is). This example creates a policy called **CatalogSignatureOnly.xml** in the location **C:\\PolicyFolder**:
+2.  If you already have an XML policy file that you want to add the signing certificate to, skip to the next step. Otherwise, use [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy) to create a WDAC policy that you will later merge into another policy (not deploy as-is). This example creates a policy called **CatalogSignatureOnly.xml** in the location **C:\\PolicyFolder**:
 
     ` New-CIPolicy -Level PcaCertificate -FilePath C:\PolicyFolder\CatalogSignatureOnly.xml –UserPEs`
 
-    > **Note**&nbsp;&nbsp;Include the **-UserPEs** parameter to ensure that the policy includes user mode code integrity.
+    > [!NOTE]
+    > Include the **-UserPEs** parameter to ensure that the policy includes user mode code integrity.
 
-3.  Use [Add-SignerRule](https://docs.microsoft.com/powershell/module/configci/add-signerrule?view=win10-ps) to add the signing certificate to the WDAC policy, filling in the correct path and filenames for `<policypath>` and `<certpath>`:
+3.  Use [Add-SignerRule](https://docs.microsoft.com/powershell/module/configci/add-signerrule) to add the signing certificate to the WDAC policy, filling in the correct path and filenames for `<policypath>` and `<certpath>`:
 
     ` Add-SignerRule -FilePath <policypath> -CertificatePath <certpath> -User `
 
-If you used step 2 to create a new WDAC policy, and want information about merging policies together, see [Merge Windows Defender Application Control policies](steps-to-deploy-windows-defender-application-control.md#merge-windows-defender-application-control-policies).  
+If you used step 2 to create a new WDAC policy, and want information about merging policies together, see [Merge Windows Defender Application Control policies](merge-windows-defender-application-control-policies.md).  
 
 ## Deploy catalog files with Group Policy
 
 To simplify the management of catalog files, you can use Group Policy preferences to deploy catalog files to the appropriate computers in your organization. The following process walks you through the deployment of a signed catalog file called **LOBApp-Contoso.cat** to a test OU called DG Enabled PCs with a GPO called **Contoso DG Catalog File GPO Test**.
 
-> **Note**&nbsp;&nbsp;This walkthrough requires that you have previously created a signed catalog file and have a computer running Windows 10 on which to test a Group Policy deployment. For more information about how to create a catalog file, see [Create catalog files](#create-catalog-files), earlier in this topic. Also, before you begin testing of a catalog file with the WDAC policy it supports, review [Add a catalog signing certificate to a Windows Defender Application Control policy](#add-a-catalog-signing-certificate-to-a-windows-defender-application-control-policy).
-
 **To deploy a catalog file with Group Policy:**
 
 1.  From either a domain controller or a client computer that has Remote Server Administration Tools (RSAT) installed, open the Group Policy Management Console (GPMC) by running **GPMC.MSC** or by searching for Group Policy Management.
 
 2.  Create a new GPO: right-click an OU, for example, the **DG Enabled PCs OU**, and then click **Create a GPO in this domain, and Link it here**, as shown in Figure 2.
 
-    > **Note**&nbsp;&nbsp;You can use any OU name. Also, security group filtering is an option when you consider different ways of combining WDAC policies (or keeping them separate), as discussed in [Planning and getting started on the Windows Defender Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md).
+    > [!NOTE]
+    > You can use any OU name. Also, security group filtering is an option when you consider different ways of combining WDAC policies (or keeping them separate).
 
    ![Group Policy Management, create a GPO](images/dg-fig13-createnewgpo.png)
 
@@ -210,7 +206,7 @@ To simplify the management of catalog files, you can use Group Policy preference
 
 12. Close the Group Policy Management Editor, and then update the policy on the test computer running Windows 10, by running GPUpdate.exe. When the policy has been updated, verify that the catalog file exists in C:\\Windows\\System32\\catroot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE} on the computer running Windows 10.
 
-Before you begin testing the deployed catalog file, make sure that the catalog signing certificate has been added to an appropriate WDAC policy, as described in [Add a catalog signing certificate to a Windows Defender Application Control policy](#add-a-catalog-signing-certificate-to-a-windows-defender-application-control-policy).
+Before you begin testing the deployed catalog file, make sure that the catalog signing certificate has been added to an appropriate WDAC policy.
 
 ## Deploy catalog files with System Center Configuration Manager
 
@@ -284,7 +280,7 @@ After you create the deployment package, deploy it to a collection so that the c
 
 11. Close the wizard.
 
-Before you begin testing the deployed catalog file, make sure that the catalog signing certificate has been added to an appropriate WDAC policy, as described in [Add a catalog signing certificate to a Windows Defender Application Control policy](#add-a-catalog-signing-certificate-to-a-windows-defender-application-control-policy).
+Before you begin testing the deployed catalog file, make sure that the catalog signing certificate has been added to an appropriate WDAC policy,.
 
 ## Inventory catalog files with System Center Configuration Manager
 
@@ -338,9 +334,9 @@ At the time of the next software inventory cycle, when the targeted clients rece
 
 ## Related topics
 
-- [Introduction to Windows Defender Device Guard: virtualization-based security and Windows Defender Application Control](introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
+- [Windows Defender Application Control](windows-defender-application-control.md)
 
-- [Planning and getting started on the Windows Defender Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md)
+- [Windows Defender Application Control Design Guide](windows-defender-application-control-design-guide.md)
 
-- [Deploy Windows Defender Application Control](deploy-windows-defender-application-control.md)
+- [Windows Defender Application Control Deployment Guide](windows-defender-application-control-deployment-guide.md)
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md
new file mode 100644
index 0000000000..a8c0e32665
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md
@@ -0,0 +1,59 @@
+---
+title: Deploy Windows Defender Application Control (WDAC) policies by using Group Policy (Windows 10)
+description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core.
+ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: jsuther1974
+ms.date: 02/28/2018
+---
+
+# Deploy Windows Defender Application Control policies by using Group Policy
+
+**Applies to:**
+
+-   Windows 10
+-   Windows Server 2016
+
+WDAC policies can easily be deployed and managed with Group Policy. A Windows Defender Device Guard administrative template will be available in Windows Server 2016 that allows you to simplify deployment of Windows Defender Device Guard hardware-based security features and Windows Defender Application Control policies. The following procedure walks you through how to deploy a WDAC policy called **DeviceGuardPolicy.bin** to a test OU called *DG Enabled PCs* by using a GPO called **Contoso GPO Test**.
+
+> [!NOTE] 
+> This walkthrough requires that you have previously created a WDAC policy and have a computer running Windows 10 on which to test a Group Policy deployment. For more information about how to create a WDAC policy, see [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md), earlier in this topic.
+
+> [!NOTE] 
+> Signed WDAC policies can cause boot failures when deployed. We recommend that signed WDAC policies be thoroughly tested on each hardware platform before enterprise deployment.
+
+To deploy and manage a WDAC policy with Group Policy:
+
+1.  On a client computer on which RSAT is installed, open the GPMC by running **GPMC.MSC** 
+
+2.  Create a new GPO: right-click an OU and then click **Create a GPO in this domain, and Link it here**.
+
+    > [!NOTE]
+    > You can use any OU name. Also, security group filtering is an option when you consider different ways of combining WDAC policies (or keeping them separate), as discussed in [Plan for Windows Defender Application Control policy management](plan-windows-defender-application-control-management.md).
+
+    ![Group Policy Management, create a GPO](images/dg-fig24-creategpo.png)
+
+3.  Name the new GPO. You can choose any name. 
+
+4.  Open the Group Policy Management Editor: right-click the new GPO, and then click **Edit**.
+
+5.  In the selected GPO, navigate to Computer Configuration\\Administrative Templates\\System\\Device Guard. Right-click **Deploy Windows Defender Application Control** and then click **Edit**.
+
+    ![Edit the Group Policy for Windows Defender Application Control](images/wdac-edit-gp.png)
+
+6.  In the **Deploy Windows Defender Application Control** dialog box, select the **Enabled** option, and then specify the code integrity policy deployment path.
+
+    In this policy setting, you specify either the local path in which the policy will exist on the client computer or a Universal Naming Convention (UNC) path that the client computers will look to retrieve the latest version of the policy. For example, with DeviceGuardPolicy.bin on the test computer, the example file path would be C:\\Windows\\System32\\CodeIntegrity\\DeviceGuardPolicy.bin.
+
+    > [!NOTE] 
+    > This policy file does not need to be copied to every computer. You can instead copy the WDAC policies to a file share to which all computer accounts have access. Any policy selected here is converted to SIPolicy.p7b when it is deployed to the individual client computers.
+
+    ![Group Policy called Deploy Windows Defender Application Control](images/dg-fig26-enablecode.png)
+
+    > [!NOTE] 
+    > You may have noticed that the GPO setting references a .p7b file and this example uses a .bin file for the policy. Regardless of the type of policy you deploy (.bin, .p7b, or .p7), they are all converted to SIPolicy.p7b when dropped on the client computer running Windows 10. Make your WDAC policies friendly and allow the system to convert the policy names for you to ensure that the policies are easily distinguishable when viewed in a share or any other central repository.
+
+7.  Close the Group Policy Management Editor, and then restart the Windows 10 test computer. Restarting the computer updates the WDAC policy. For information about how to audit WDAC policies, see [Audit Windows Defender Application Control policies](audit-windows-defender-application-control-policies.md).
diff --git a/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md
new file mode 100644
index 0000000000..b81a9aacaa
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md
@@ -0,0 +1,84 @@
+---
+title: Disable Windows Defender Application Control policies  (Windows 10)
+description: This topic covers how to disable unsigned or signed WDAC policies. 
+ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: high
+author: jsuther1974
+ms.date: 02/27/2018
+---
+
+# Disable Windows Defender Application Control policies
+
+**Applies to:**
+
+-   Windows 10
+-   Windows Server 2016
+
+This topic covers how to disable unsigned or signed WDAC policies.
+
+## Disable unsigned Windows Defender Application Control policies
+
+There may come a time when an administrator wants to disable a WDAC policy. For unsigned WDAC policies, this process is simple. Depending on how the WDAC policy was deployed, unsigned policies can be disabled in one of two ways. If a WDAC policy was manually enabled and copied to the code integrity folder location, simply delete the file and restart the computer. The following locations can contain executing WDAC policies:
+
+-   &lt;EFI System Partition&gt;\\Microsoft\\Boot\\
+
+-   &lt;OS Volume&gt;\\Windows\\System32\\CodeIntegrity\\
+
+If the WDAC policy was deployed by using Group Policy, the GPO that is currently enabling and deploying the policy must be set to disabled. Then, the WDAC policy will be disabled on the next computer restart.
+
+## Disable signed Windows Defender Application Control policies within Windows
+
+Signed policies protect Windows from administrative manipulation as well as malware that has gained administrative-level access to the system. For this reason, signed WDAC policies are intentionally more difficult to remove than unsigned policies. They inherently protect themselves from modification or removal and therefore are difficult even for administrators to remove successfully. If the signed WDAC policy is manually enabled and copied to the CodeIntegrity folder, to remove the policy, you must complete the following steps.
+
+> [!Note] 
+> For reference, signed WDAC policies should be replaced and removed from the following locations:
+
+-   &lt;EFI System Partition&gt;\\Microsoft\\Boot\\
+
+-   &lt;OS Volume&gt;\\Windows\\System32\\CodeIntegrity\\
+
+
+1.  Replace the existing policy with another signed policy that has the **6 Enabled: Unsigned System Integrity Policy** rule option enabled.
+
+    > **Note**&nbsp;&nbsp;To take effect, this policy must be signed with a certificate previously added to the **UpdatePolicySigners** section of the original signed policy you want to replace.
+
+2.  Restart the client computer.
+
+3.  Verify that the new signed policy exists on the client.
+
+    > **Note**&nbsp;&nbsp;If the signed policy that contains rule option 6 has not been processed on the client, the addition of an unsigned policy may cause boot failures.
+
+4.  Delete the new policy.
+
+5.  Restart the client computer.
+
+If the signed WDAC policy has been deployed using by using Group Policy, you must complete the following steps:
+
+1.  Replace the existing policy in the GPO with another signed policy that has the **6 Enabled: Unsigned System Integrity Policy** rule option enabled.
+
+    > **Note**&nbsp;&nbsp;To take effect, this policy must be signed with a certificate previously added to the **UpdatePolicySigners** section of the original signed policy you want to replace.
+
+2.  Restart the client computer.
+
+3.  Verify that the new signed policy exists on the client.
+
+    > **Note**&nbsp;&nbsp;If the signed policy that contains rule option 6 has not been processed on the client, the addition of an unsigned policy may cause boot failures.
+
+4.  Set the GPO to disabled.
+
+5.  Delete the new policy.
+
+6.  Restart the client computer.
+
+## Disable signed Windows Defender Application Control policies within the BIOS
+
+There may be a time when signed WDAC policies cause a boot failure. Because WDAC policies enforce kernel mode drivers, it is important that they be thoroughly tested on each software and hardware configuration before being enforced and signed. Signed WDAC policies are validated in the pre-boot sequence by using Secure Boot. When you disable the Secure Boot feature in the BIOS, and then delete the file from the following locations on the operating system disk, it allows the system to boot into Windows:
+
+-   &lt;EFI System Partition&gt;\\Microsoft\\Boot\\
+
+-   &lt;OS Volume&gt;\\Windows\\System32\\CodeIntegrity\\
+
diff --git a/windows/security/threat-protection/applocker/document-your-application-control-management-processes.md b/windows/security/threat-protection/windows-defender-application-control/document-your-windows-defender-application-control-management-processes.md
similarity index 79%
rename from windows/security/threat-protection/applocker/document-your-application-control-management-processes.md
rename to windows/security/threat-protection/windows-defender-application-control/document-your-windows-defender-application-control-management-processes.md
index a0b879a4c5..41f09c0b09 100644
--- a/windows/security/threat-protection/applocker/document-your-application-control-management-processes.md
+++ b/windows/security/threat-protection/windows-defender-application-control/document-your-windows-defender-application-control-management-processes.md
@@ -1,6 +1,6 @@
 ---
 title: Document your application control management processes (Windows 10)
-description: This planning topic describes the AppLocker policy maintenance information to record for your design document.
+description: This planning topic describes the WDAC policy maintenance information to record for your design document.
 ms.assetid: 6397f789-0e36-4933-9f86-f3f6489cf1fb
 ms.prod: w10
 ms.mktglfcycl: deploy
@@ -16,19 +16,16 @@ ms.date: 09/21/2017
  -   Windows 10 
  -   Windows Server
 
-This planning topic describes the AppLocker policy maintenance information to record for your design document.
+This planning topic describes the Windows Defender Application Control (WDAC) policy maintenance information to record for your design document.
 
 ## Record your findings
 
-To complete this AppLocker planning document, you should first complete the following steps:
+To complete this planning document, you should first complete the following steps:
 
-1.  [Determine your application control objectives](determine-your-application-control-objectives.md)
-2.  [Create a list of apps deployed to each business group](create-list-of-applications-deployed-to-each-business-group.md)
 3.  [Select the types of rules to create](select-types-of-rules-to-create.md)
-4.  [Determine the Group Policy structure and rule enforcement](determine-group-policy-structure-and-rule-enforcement.md)
-5.  [Plan for AppLocker policy management](plan-for-applocker-policy-management.md)
+5.  [Plan for WDAC policy management](plan-windows-defender-application-control-management.md)
 
-The three key areas to determine for AppLocker policy management are:
+The three key areas to determine for WDAC policy management are:
 
 1.  Support policy
 
@@ -42,7 +39,7 @@ The three key areas to determine for AppLocker policy management are:
 
     Detail how rules will be added to the policy, in which Group Policy Object (GPO) the rules should be defined, and how to modify rules when apps are retired, updated, or added.
 
-The following table contains the added sample data that was collected when determining how to maintain and manage AppLocker policies.
+The following table contains the added sample data that was collected when determining how to maintain and manage WDAC policies.
 
 <table style="width:100%;">
 <colgroup>
@@ -60,7 +57,7 @@ The following table contains the added sample data that was collected when deter
 <tr class="header">
 <th align="left">Business group</th>
 <th align="left">Organizational unit</th>
-<th align="left">Implement AppLocker?</th>
+<th align="left">Implement WDAC?</th>
 <th align="left">Apps</th>
 <th align="left">Installation path</th>
 <th align="left">Use default rule or define new rule condition</th>
@@ -78,7 +75,7 @@ The following table contains the added sample data that was collected when deter
 <td align="left"><p>C:\Program Files\Woodgrove\Teller.exe</p></td>
 <td align="left"><p>File is signed; create a publisher condition</p></td>
 <td align="left"><p>Allow</p></td>
-<td align="left"><p>Tellers-AppLockerTellerRules</p></td>
+<td align="left"><p>Tellers-WDACTellerRules</p></td>
 <td align="left"><p>Web help</p></td>
 </tr>
 <tr class="even">
@@ -101,7 +98,7 @@ The following table contains the added sample data that was collected when deter
 <td align="left"><p>C:\Program Files\Woodgrove\HR\Checkcut.exe</p></td>
 <td align="left"><p>File is signed; create a publisher condition</p></td>
 <td align="left"><p>Allow</p></td>
-<td align="left"><p>HR-AppLockerHRRules</p></td>
+<td align="left"><p>HR-WDACHRRules</p></td>
 <td align="left"><p>Web help</p></td>
 </tr>
 <tr class="even">
@@ -141,11 +138,11 @@ The following table contains the added sample data that was collected when deter
 </tbody>
 </table>
  
-The following two tables illustrate examples of documenting considerations to maintain and manage AppLocker policies.
+The following two tables illustrate examples of documenting considerations to maintain and manage WDAC policies.
 
 **Event processing policy**
 
-One discovery method for app usage is to set the AppLocker enforcement mode to **Audit only**. This will write events to the AppLocker logs, which can be managed and analyzed like other Windows logs. After apps have been identified, you can begin to develop policies regarding the processing and access to AppLocker events.
+One discovery method for app usage is to use Audit mode. This will write events to the CodeIntegrity log, which can be managed and analyzed like other Windows logs. 
 
 The following table is an example of what to consider and record.
 
@@ -160,7 +157,7 @@ The following table is an example of what to consider and record.
 <thead>
 <tr class="header">
 <th align="left">Business group</th>
-<th align="left">AppLocker event collection location</th>
+<th align="left">WDAC event collection location</th>
 <th align="left">Archival policy</th>
 <th align="left">Analyzed?</th>
 <th align="left">Security policy</th>
@@ -169,7 +166,7 @@ The following table is an example of what to consider and record.
 <tbody>
 <tr class="odd">
 <td align="left"><p>Bank Tellers</p></td>
-<td align="left"><p>Forwarded to: AppLocker Event Repository on srvBT093</p></td>
+<td align="left"><p>Forwarded to: CodeIntegrity Event Repository on srvBT093</p></td>
 <td align="left"><p>Standard</p></td>
 <td align="left"><p>None</p></td>
 <td align="left"><p>Standard</p></td>
@@ -232,5 +229,4 @@ The following table is an example of what to consider and record.
  
 ## Next steps
 
-After you have determined your application control management strategy for each of the business group's applications, the following task remains:
--   [Create your AppLocker planning document](create-your-applocker-planning-document.md)
+After you determine your application control management strategy for each business group, [create your WDAC planning document](create-your-windows-defender-application-control-planning-document.md).
diff --git a/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md
new file mode 100644
index 0000000000..9d87450308
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md
@@ -0,0 +1,62 @@
+---
+title: Enforce Windows Defender Application Control (WDAC) policies (Windows 10)
+description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core.
+ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: high
+author: jsuther1974
+ms.date: 02/27/2018
+---
+
+# Enforce Windows Defender Application Control policies
+
+**Applies to:**
+
+-   Windows 10
+-   Windows Server 2016
+
+Every WDAC policy is created with audit mode enabled. After you have successfully deployed and tested a WDAC policy in audit mode and are ready to test the policy in enforced mode, complete the following steps in an elevated Windows PowerShell session:
+
+> [!Note] 
+> Every WDAC policy should be tested in audit mode first. For information about how to audit WDAC policies, see [Audit Windows Defender Application Control policies](audit-windows-defender-application-control-policies.md), earlier in this topic.
+
+1.  Initialize the variables that will be used:
+
+    ` $CIPolicyPath=$env:userprofile+"\Desktop\"`
+
+    ` $InitialCIPolicy=$CIPolicyPath+"InitialScan.xml" `
+
+    ` $EnforcedCIPolicy=$CIPolicyPath+"EnforcedPolicy.xml"`
+
+    ` $CIPolicyBin=$CIPolicyPath+"EnforcedDeviceGuardPolicy.bin"`
+
+    > [!Note] 
+    > The initial WDAC policy that this section refers to was created in the [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md) section. If you are using a different WDAC policy, update the **CIPolicyPath** and **InitialCIPolicy** variables.
+
+2. Ensure that rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”) are set the way that you intend for this policy. We strongly recommend that you enable these rule options before you run any enforced policy for the first time. Enabling these options provides administrators with a pre-boot command prompt, and allows Windows to start even if the WDAC policy blocks a kernel-mode driver from running. When ready for enterprise deployment, you can remove these options.
+
+    To ensure that these options are enabled in a policy, use [Set-RuleOption](https://docs.microsoft.com/powershell/module/configci/set-ruleoption) as shown in the following commands. You can run these commands even if you're not sure whether options 9 and 10 are already enabled—if so, the commands have no effect.
+    
+    ` Set-RuleOption -FilePath $InitialCIPolicy -Option 9`
+    
+    ` Set-RuleOption -FilePath $InitialCIPolicy -Option 10`
+
+3.  Copy the initial file to maintain an original copy:
+
+    ` copy $InitialCIPolicy $EnforcedCIPolicy`
+
+4.  Use Set-RuleOption to delete the audit mode rule option:
+
+    ` Set-RuleOption -FilePath $EnforcedCIPolicy -Option 3 -Delete`
+
+  > [!Note] 
+  > To enforce a WDAC policy, you delete option 3, the **Audit Mode Enabled** option. There is no “enforced” option that can be placed in a WDAC policy.
+
+5.  Use [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy) to convert the new WDAC policy to binary format:
+
+    ` ConvertFrom-CIPolicy $EnforcedCIPolicy $CIPolicyBin`
+
+Now that this policy is in enforced mode, you can deploy it to your test computers. Rename the policy to SIPolicy.p7b and copy it to C:\\Windows\\System32\\CodeIntegrity for testing, or deploy the policy through Group Policy by following the instructions in [Deploy and manage Windows Defender Application Control with Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md). You can also use other client management software to deploy and manage the policy.
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/device-guard-gp.png b/windows/security/threat-protection/windows-defender-application-control/images/device-guard-gp.png
new file mode 100644
index 0000000000..6d265509ea
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/device-guard-gp.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig1-enableos.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig1-enableos.png
new file mode 100644
index 0000000000..cefb124344
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig1-enableos.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig10-enablecredentialguard.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig10-enablecredentialguard.png
new file mode 100644
index 0000000000..938e397751
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig10-enablecredentialguard.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig11-dgproperties.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig11-dgproperties.png
new file mode 100644
index 0000000000..3c93b2b948
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig11-dgproperties.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig12-verifysigning.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig12-verifysigning.png
new file mode 100644
index 0000000000..fa2c162cc0
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig12-verifysigning.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig13-createnewgpo.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig13-createnewgpo.png
new file mode 100644
index 0000000000..d640052d26
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig13-createnewgpo.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig14-createnewfile.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig14-createnewfile.png
new file mode 100644
index 0000000000..4439bd2764
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig14-createnewfile.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig15-setnewfileprops.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig15-setnewfileprops.png
new file mode 100644
index 0000000000..db0ddb80db
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig15-setnewfileprops.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig16-specifyinfo.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig16-specifyinfo.png
new file mode 100644
index 0000000000..55344d70d1
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig16-specifyinfo.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig17-specifyinfo.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig17-specifyinfo.png
new file mode 100644
index 0000000000..d79ca2c2af
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig17-specifyinfo.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig18-specifyux.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig18-specifyux.png
new file mode 100644
index 0000000000..08492ef73b
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig18-specifyux.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig19-customsettings.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig19-customsettings.png
new file mode 100644
index 0000000000..2c5c7236eb
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig19-customsettings.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig2-createou.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig2-createou.png
new file mode 100644
index 0000000000..d640052d26
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig2-createou.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig20-setsoftwareinv.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig20-setsoftwareinv.png
new file mode 100644
index 0000000000..2c838be648
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig20-setsoftwareinv.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig21-pathproperties.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig21-pathproperties.png
new file mode 100644
index 0000000000..9499946283
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig21-pathproperties.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig22-deploycode.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig22-deploycode.png
new file mode 100644
index 0000000000..4f6746eddf
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig22-deploycode.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig23-exceptionstocode.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig23-exceptionstocode.png
new file mode 100644
index 0000000000..c6b33e6139
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig23-exceptionstocode.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig24-creategpo.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig24-creategpo.png
new file mode 100644
index 0000000000..d640052d26
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig24-creategpo.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig25-editcode.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig25-editcode.png
new file mode 100644
index 0000000000..e3729e8214
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig25-editcode.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig26-enablecode.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig26-enablecode.png
new file mode 100644
index 0000000000..4f6746eddf
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig26-enablecode.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig27-managecerttemp.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig27-managecerttemp.png
new file mode 100644
index 0000000000..9f0ed93274
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig27-managecerttemp.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig29-enableconstraints.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig29-enableconstraints.png
new file mode 100644
index 0000000000..bad5fe7cdd
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig29-enableconstraints.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig3-enablevbs.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig3-enablevbs.png
new file mode 100644
index 0000000000..782c2017ae
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig3-enablevbs.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig30-selectnewcert.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig30-selectnewcert.png
new file mode 100644
index 0000000000..11687d092c
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig30-selectnewcert.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig31-getmoreinfo.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig31-getmoreinfo.png
new file mode 100644
index 0000000000..7661cb4eb9
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig31-getmoreinfo.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig5-createnewou.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig5-createnewou.png
new file mode 100644
index 0000000000..d640052d26
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig5-createnewou.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig6-enablevbs.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig6-enablevbs.png
new file mode 100644
index 0000000000..b9a4b1881f
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig6-enablevbs.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig7-enablevbsofkmci.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig7-enablevbsofkmci.png
new file mode 100644
index 0000000000..25f73eb190
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig7-enablevbsofkmci.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig8-createoulinked.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig8-createoulinked.png
new file mode 100644
index 0000000000..d640052d26
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig8-createoulinked.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/dg-fig9-enablevbs.png b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig9-enablevbs.png
new file mode 100644
index 0000000000..3a33c13350
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/dg-fig9-enablevbs.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-edit-gp.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-edit-gp.png
new file mode 100644
index 0000000000..9b423ea8ab
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-edit-gp.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-assignments-groups.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-assignments-groups.png
new file mode 100644
index 0000000000..5cdb4cf3c4
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-assignments-groups.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-assignments.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-assignments.png
new file mode 100644
index 0000000000..8ef2d0e3ce
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-assignments.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-acompliance-policy.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-acompliance-policy.png
new file mode 100644
index 0000000000..f201956d4d
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-acompliance-policy.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-new-policy.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-new-policy.png
new file mode 100644
index 0000000000..0c5eacc3f9
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-new-policy.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-policy-name.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-policy-name.png
new file mode 100644
index 0000000000..98e5507000
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-create-policy-name.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-device-health-settings.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-device-health-settings.png
new file mode 100644
index 0000000000..cbd0366eff
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-device-health-settings.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-device-properties.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-device-properties.png
new file mode 100644
index 0000000000..4d8325baa6
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-device-properties.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-system-security-settings.png b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-system-security-settings.png
new file mode 100644
index 0000000000..e5ae089d6b
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-application-control/images/wdac-intune-system-security-settings.png differ
diff --git a/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md
new file mode 100644
index 0000000000..4437fc78ee
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md
@@ -0,0 +1,50 @@
+---
+title: Manage packaged apps with Windows Defender Application Control  (Windows 10)
+description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core.
+ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: high
+author: jsuther1974
+ms.date: 02/27/2018
+---
+
+# Manage packaged apps with Windows Defender Application Control 
+
+**Applies to:**
+
+-   Windows 10
+-   Windows Server 2016
+
+This topic for IT professionals describes concepts and lists procedures to help you manage Packaged apps with Windows Defender Application Control (WDAC) as part of your overall application control strategy.
+
+## Understanding Packaged apps and Packaged app installers
+
+Packaged apps, also known as Universal Windows apps, are based on a model that ensures all the files within an app package share the same identity. With classic Windows apps, each file within the app could have a unique identity. 
+With packaged apps, it is possible to control the entire app by using a single WDAC rule.
+ 
+Typically, an app consists of multiple components: the installer that is used to install the app, and one or more exes, dlls, or scripts. With classic Windows apps, these components don't always share common attributes such as the software’s publisher name, product name, and product version. Therefore, WDAC controls each of these components separately through different rule collections, such as exe, dll, script, and Windows Installer rules. In contrast, all the components of a packaged app share the same publisher name, package name, and package version attributes. Therefore, you can control an entire app with a single rule.
+
+### <a href="" id="bkmk-compareclassicmetro"></a>Comparing classic Windows apps and packaged apps
+
+WDAC policies for packaged apps can only be applied to apps installed on computers running at least Windows Server 2012 or Windows 8, but classic Windows apps can be controlled on devices running at least Windows Server 
+2008 R2 or Windows 7. The rules for classic Windows apps and packaged apps can be enforced in tandem. The differences between packaged apps and classic Windows apps that you should consider include:
+
+-   **Installing the apps**   All packaged apps can be installed by a standard user, whereas a number of classic Windows apps require administrative privileges to install. In an environment where most of the users are standard users, you might not have numerous exe rules (because classic Windows apps require administrative privileges to install), but you might want to have more explicit policies for packaged apps.
+-   **Changing the system state**   Classic Windows apps can be written to change the system state if they are run with administrative privileges. Most packaged apps cannot change the system state because they run with limited privileges. When you design your WDAC policies, it is important to understand whether an app that you are allowing can make system-wide changes.
+-   **Acquiring the apps**   Packaged apps can be acquired through the Store, or by loading using Windows PowerShell cmdlets (which requires a special enterprise license). Classic Windows apps can be acquired through traditional means.
+
+WDAC uses different rule collections to control packaged apps and classic Windows apps. You have the choice to control one type, the other type, or both.
+
+## Using WDAC to manage packaged apps
+
+Just as there are differences in managing each rule collection, you need to manage the packaged apps with the following strategy:
+
+1.  Gather information about which Packaged apps are running in your environment. 
+
+2.  Create WDAC rules for specific packaged apps based on your policy strategies. For more information, see [Deploy WDAC policy rules and file rules](select-types-of-rules-to-create.md).
+
+3.  Continue to update the WDAC policies as new package apps are introduced into your environment. To do this, see [Merge WDAC policies](merge-windows-defender-application-control-policies.md).
+
diff --git a/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md
new file mode 100644
index 0000000000..eb35054956
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md
@@ -0,0 +1,52 @@
+---
+title: Merge Windows Defender Application Control (WDAC) policies (Windows 10)
+description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core.
+ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: high
+author: jsuther1974
+ms.date: 02/27/2018
+---
+
+# Merge Windows Defender Application Control policies
+
+**Applies to:**
+
+-   Windows 10
+-   Windows Server 2016
+
+Because each computer running Windows 10 can have only one WDAC policy, you will occasionally need to merge two or more policies. For example, after a WDAC policy is created and audited, you might want to merge audit events from another WDAC policy.
+
+> [!NOTE] 
+> Because only one SiPolicy.p7b file can be active on a system, the last management authority to write the policy wins. If there was already a policy deployed by using Group Policy and then amanaged installer using System Center Configuration Manager (SCCM) targeted the same device, the SCCM policy would overwrite the SiPolicy.p7b file.
+
+To merge two WDAC policies, complete the following steps in an elevated Windows PowerShell session:
+
+1.  Initialize the variables that will be used:
+
+    ` $CIPolicyPath=$env:userprofile+"\Desktop\"`
+
+    ` $InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"`
+
+    ` $AuditCIPolicy=$CIPolicyPath+"DeviceGuardAuditPolicy.xml"`
+
+    ` $MergedCIPolicy=$CIPolicyPath+"MergedPolicy.xml"`
+
+    ` $CIPolicyBin=$CIPolicyPath+"NewDeviceGuardPolicy.bin"`
+
+  > [!Note] 
+  > The variables in this section specifically expect to find an initial policy on your desktop called **InitialScan.xml** and an audit WDAC policy called **DeviceGuardAuditPolicy.xml**. If you want to merge other WDAC policies, update the variables accordingly.
+
+2.  Use [Merge-CIPolicy](https://docs.microsoft.com/powershell/module/configci/merge-cipolicy) to merge two policies and create a new WDAC policy:
+
+    ` Merge-CIPolicy -PolicyPaths $InitialCIPolicy,$AuditCIPolicy -OutputFilePath $MergedCIPolicy`
+
+3.  Use [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy) to convert the merged WDAC policy to binary format:
+
+    ` ConvertFrom-CIPolicy $MergedCIPolicy $CIPolicyBin `
+
+Now that you have created a new WDAC policy, you can deploy the policy binary to systems manually or by using Group Policy or Microsoft client management solutions. For information about how to deploy this new policy with Group Policy, see [Deploy and manage Windows Defender Application Control with Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md).
+
diff --git a/windows/security/threat-protection/device-guard/steps-to-deploy-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
similarity index 59%
rename from windows/security/threat-protection/device-guard/steps-to-deploy-windows-defender-application-control.md
rename to windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
index 1650272c86..ca85529b51 100644
--- a/windows/security/threat-protection/device-guard/steps-to-deploy-windows-defender-application-control.md
+++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
@@ -1,41 +1,20 @@
 ---
-title: Deploy code integrity policies - steps (Windows 10)
-description: This article describes how to deploy code integrity policies, one of the main features that are part of Windows Defender Device Guard in Windows 10. 
+title: Microsoft recommended block rules (Windows 10)
+description: To help you plan and begin the initial test stages of a deployment of Microsoft Windows Defender Application Comntrol, this article outlines how to gather information, create a plan, and begin to create and test initial code integrity policies. 
 keywords: virtualization, security, malware
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.localizationpriority: high
-author: brianlic-msft
-ms.date: 04/18/2018
+author: jsuther1974
+ms.date: 02/27/2018
 ---
 
-# Steps to Deploy Windows Defender Application Control
+# Microsoft recommended block rules
 
 **Applies to**
 -   Windows 10
 -   Windows Server 2016
 
-For an overview of the process described in the following procedures, see [Deploy Windows Defender Application Control: policy rules and file rules](deploy-windows-defender-application-control-policy-rules-and-file-rules.md). 
-
-
-## Create a Windows Defender Application Control policy from a reference computer
-
-This section outlines the process to create a WDAC policy with Windows PowerShell. 
-For this example, you must initiate variables to be used during the creation process or use the full file paths in the command. 
-Then create the WDAC policy by scanning the system for installed applications. 
-The policy file is converted to binary format when it gets created so that Windows can interpret it.
-
-> [!Note] 
-> Make sure the reference computer is virus and malware-free, and install any software you want to be scanned before creating the WDAC policy. 
-
-### Scripting and applications
-
-Each installed software application should be validated as trustworthy before you create a policy. 
-We recommend that you review the reference computer for software that can load arbitrary DLLs and run code or scripts that could render the PC more vulnerable. 
-Examples include software aimed at development or scripting such as msbuild.exe (part of Visual Studio and the .NET Framework) which can be removed if you do not want it to run scripts. 
-You can remove or disable such software on the reference computer. 
-You can also fine-tune your control by [using Windows Defender Application Control in combination with AppLocker](introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md#windows-defender-device-guard-with-applocker). 
-
 Members of the security community<sup>\*</sup> continuously collaborate with Microsoft to help protect customers. With the help of their valuable reports, Microsoft has identified a list of valid applications that an attacker could also potentially use to bypass Windows Defender Application Control. 
 
 Unless your use scenarios explicitly require them, Microsoft recommends that you block the following applications. These applications or files can be used by an attacker to circumvent application whitelisting policies, including Windows Defender Application Control:
@@ -828,409 +807,3 @@ Microsoft recommends that you block the following Microsoft-signed applications
   ```
 <br />
 
-To create a WDAC policy, copy each of the following commands into an elevated Windows PowerShell session, in order:
-
-1.  Initialize variables that you will use. The following example commands use **InitialScan.xml** and **DeviceGuardPolicy.bin** for the names of the files that will be created:
-
-    ` $CIPolicyPath=$env:userprofile+"\Desktop\"`
-
-    ` $InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"`
-
-    ` $CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"`
-
-2.  Use [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy?view=win10-ps) to create a new WDAC policy by scanning the system for installed applications:
-
-    ` New-CIPolicy -Level FilePublisher -FilePath $InitialCIPolicy –UserPEs -FallBack Hash 3> CIPolicyLog.txt `
-
-    > [!Note] 
-    
-    > - When you specify the **-UserPEs** parameter (to include user mode executables in the scan), rule option **0 Enabled:UMCI** is automatically added to the WDAC policy. In contrast, if you do not specify **-UserPEs**, the policy will be empty of user mode executables and will only have rules for kernel mode binaries like drivers, in other words, the whitelist will not include applications. If you create such a policy and later add rule option **0 Enabled:UMCI**, all attempts to start applications will cause a response from Windows Defender Application Control. In audit mode, the response is logging an event, and in enforced mode, the response is blocking the application. 
-    
-    > - You can add the **-Fallback** parameter to catch any applications not discovered using the primary file rule level specified by the **-Level** parameter. For more information about file rule level options, see [Windows Defender Application Control file rule levels](deploy-windows-defender-application-control-policy-rules-and-file-rules.md#windows-defender-application-control-file-rule-levels) in “Deploy Windows Defender Application Control: policy rules and file rules.”
-
-    > - To specify that the WDAC policy scan only a specific drive, include the **-ScanPath** parameter followed by a path. Without this parameter, the entire system is scanned.
-    
-    > - The preceding example includes `3> CIPolicylog.txt`, which redirects warning messages to a text file, **CIPolicylog.txt**.
-
-3.  Use [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy?view=win10-ps) to convert the WDAC policy to a binary format:
-
-    ` ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin`
-
-After you complete these steps, the WDAC binary file (DeviceGuardPolicy.bin) and original .xml file (IntialScan.xml) will be available on your desktop. You can use the binary file as a WDAC policy or sign it for additional security.
-
-> [!Note] 
-> We recommend that you keep the original .xml file of the policy for use when you need to merge the WDAC policy with another policy or update its rule options. Alternatively, you would have to create a new policy from a new scan for servicing. For more information about how to merge WDAC policies, see [Merge Windows Defender Application Control policies](#merge-windows-defender-application-control-policies).
-
-We recommend that every WDAC policy be run in audit mode before being enforced. Doing so allows administrators to discover any issues with the policy without receiving error message dialog boxes. For information about how to audit a WDAC policy, see the next section, [Audit Windows Defender Application Control policies](#audit-windows-defender-application-control-policies).
-
-## Audit Windows Defender Application Control policies
-
-When WDAC policies are run in audit mode, it allows administrators to discover any applications that were missed during an initial policy scan and to identify any new applications that have been installed and run since the original policy was created. While a WDAC policy is running in audit mode, any binary that runs and would have been denied had the policy been enforced is logged in the **Applications and Services Logs\\Microsoft\\Windows\\CodeIntegrity\\Operational** event log. When these logged binaries have been validated, they can easily be added to a new WDAC policy. When the new exception policy is created, you can merge it with your existing WDAC policies.
-
-> [!Note] 
-> Before you begin this process, you need to create a WDAC policy binary file. If you have not already done so, see [Create a Windows Defender Application Control policy from a reference computer](#create-a-windows-defender-application-control-policy-from-a-reference-computer), earlier in this topic, for a step-by-step walkthrough of the process to create a WDAC policy and convert it to binary format.
-
-**To audit a Windows Defender Application Control policy with local policy:**
-
-1.  Find a *.bin policy file that you have created, for example, the DeviceGuardPolicy.bin file that resulted from the steps in the earlier section, [Create a Windows Defender Application Control policy from a reference computer](#create-a-windows-defender-application-control-policy-from-a-reference-computer). Copy the file to C:\\Windows\\System32\\CodeIntegrity.
-
-2.  On the computer you want to run in audit mode, open the Local Group Policy Editor by running **GPEdit.msc**.
-
-    > [!Note]
-    
-    > - The computer that you will run in audit mode must be clean of viruses or malware. Otherwise, in the process that you follow after auditing the system, you might unintentionally merge in a policy that allows viruses or malware to run.
-    
-    > - An alternative method to test a policy is to rename the test file to SIPolicy.p7b and drop it into C:\\Windows\\System32\\CodeIntegrity, rather than deploy it by using the Local Group Policy Editor.
-    
-3.  Navigate to **Computer Configuration\\Administrative Templates\\System\\Device Guard**, and then select **Deploy Windows Defender Application Control**. Enable this setting by using the appropriate file path, for example, C:\\Windows\\System32\\CodeIntegrity\\DeviceGuardPolicy.bin, as shown in Figure 1.
-
-    > [!Note]
-    
-    > - The illustration shows the example file name *DeviceGuardPolicy.bin* because this name was used earlier in this topic, in [Create a Windows Defender Application Control policy from a reference computer](#create-a-windows-defender-application-control-policy-from-a-reference-computer). Also, this policy file does not need to be copied to every system. You can instead copy the WDAC policies to a file share to which all computer accounts have access.
-
-    > - Any policy you select here is converted to SIPolicy.p7b when it is deployed to the individual computers.
-
-    > - You might have noticed that the GPO setting references a .p7b file and this policy uses a .bin file. Regardless of the type of policy you deploy (.bin, .p7b, or .p7), they are all converted to SIPolicy.p7b when dropped onto the computers running Windows 10. We recommend that you make your WDAC policy names friendly and allow the system to convert the policy names for you. By doing this, it ensures that the policies are easily distinguishable when viewed in a share or any other central repository.
-
-   ![Group Policy called Deploy Windows Defender Application Control](images/dg-fig22-deploycode.png)
-
-   Figure 1. Deploy your Windows Defender Application Control policy
-
-4.  Restart the reference system for the WDAC policy to take effect.
-
-5.  Use the system as you normally would, and monitor code integrity events in the event log. While in audit mode, any exception to the deployed WDAC policy will be logged in the **Applications and Services Logs\\Microsoft\\Windows\\CodeIntegrity\\Operational** event log, as shown in Figure 2.
-
-   ![Event showing exception to WDAC policy](images/dg-fig23-exceptionstocode.png)
-
-   Figure 2. Exceptions to the deployed WDAC policy
-
-   You will be reviewing the exceptions that appear in the event log, and making a list of any applications that should be allowed to run in your environment.
-   
-6. If you want to create a catalog file to simplify the process of including unsigned LOB applications in your WDAC policy, this is a good time to create it. For information, see [Deploy catalog files to support Windows Defender Application Control](deploy-catalog-files-to-support-windows-defender-application-control.md).   
-
-Now that you have a WDAC policy deployed in audit mode, you can capture any audit information that appears in the event log. This is described in the next section.
-
-## Create a Windows Defender Application Control policy that captures audit information from the event log
-
-Use the following procedure after you have been running a computer with a WDAC policy in audit mode for a period of time. When you are ready to capture the needed policy information from the event log (so that you can later merge that information into the original WDAC policy), complete the following steps. 
-
-<!-- Watch the phrase "later step in this procedure" in step 1, in case the organization of the procedures changes. -->
-
-1.  Review the audit information in the event log. From the WDAC policy exceptions that you see, make a list of any applications that should be allowed to run in your environment, and decide on the file rule level that should be used to trust these applications.
-
-    Although the Hash file rule level will catch all of these exceptions, it may not be the best way to trust all of them. For information about file rule levels, see [Windows Defender Application Control file rule levels](deploy-windows-defender-application-control-policy-rules-and-file-rules.md#windows-defender-application-control-file-rule-levels) in "Deploy Windows Defender Application Control: policy rules and file rules."
-    
-    Your event log might also contain exceptions for applications that you eventually want your WDAC policy to block. If these appear, make a list of these also, for a later step in this procedure.
-
-2.  In an elevated Windows PowerShell session, initialize the variables that will be used. The example filename shown here is **DeviceGuardAuditPolicy.xml**:
-
-    ` $CIPolicyPath=$env:userprofile+"\Desktop\"`
-
-    ` $CIAuditPolicy=$CIPolicyPath+"DeviceGuardAuditPolicy.xml"`
-
-3.  Use [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy?view=win10-ps) to generate a new WDAC policy from logged audit events. This example uses a file rule level of **Hash** and includes `3> CIPolicylog.txt`, which redirects warning messages to a text file, **CIPolicylog.txt**.
-
-    ` New-CIPolicy -Audit -Level Hash -FilePath $CIAuditPolicy –UserPEs 3 -FallBack Hash > CIPolicylog.txt`
-
-  > [!Note] 
-  > When you create policies from audit events, you should carefully consider the file rule level that you select to trust. The preceding example uses the **Hash** rule level, which is the most specific. Any change to the file (such as replacing the file with a newer version of the same file) will change the Hash value, and require an update to the policy.
-
-4.  Find and review the WDAC audit policy .xml file that you created. If you used the example variables as shown, the filename will be **DeviceGuardAuditPolicy.xml**, and it will be on your desktop. Look for the following:
-
-    - Any applications that were caught as exceptions, but should be allowed to run in your environment. These are applications that should be in the .xml file. Leave these as-is in the file.
-    
-    - Any applications that actually should not be allowed to run in your environment. Edit these out of the .xml file. If they remain in the .xml file, and the information in the file is merged into your existing WDAC policy, the policy will treat the applications as trusted, and allow them to run. 
-
-You can now use this file to update the existing WDAC policy that you ran in audit mode by merging the two policies. For instructions on how to merge this audit policy with the existing WDAC policy, see the next section, [Merge Windows Defender Application Control policies](#merge-windows-defender-application-control-policies).
-
-> [!Note] 
-> You may have noticed that you did not generate a binary version of this policy as you did in [Create a Windows Defender Application Control policy from a reference computer](#create-a-windows-defender-application-control-policy-from-a-reference-computer). This is because WDAC policies created from an audit log are not intended to run as stand-alone policies but rather to update existing WDAC policies.
-
-## Use a Windows Defender Application Control policy to control specific plug-ins, add-ins, and modules
-
-As of Windows 10, version 1703, you can use WDAC policies not only to control applications, but also to control whether specific plug-ins, add-ins, and modules can run from specific apps (such as a line-of-business application or a browser):
-
-| Approach (as of Windows 10, version 1703) | Guideline |
-|---|---|
-| You can work from a list of plug-ins, add-ins, or modules that you want only a specific application to be able to run. Other applications would be blocked from running them. | Use `New-CIPolicyRule` with the `-AppID` option. |
-| In addition, you can work  from a list of plug-ins, add-ins, or modules that you want to block in a specific application. Other applications would be allowed to run them. | Use `New-CIPolicyRule` with the `-AppID` and `-Deny` options. |
-
-To work with these options, the typical method is to create a policy that only affects plug-ins, add-ins, and modules, then merge it into your ‘master’ policy (merging is described in the next section).
-
-For example, to create a WDAC policy that allows **addin1.dll** and **addin2.dll** to run in **ERP1.exe**, your organization’s enterprise resource planning (ERP) application, but blocks those add-ins in other applications, run the following commands. Note that in the second command, **+=** is used to add a second rule to the **$rule** variable:
-
-```
-$rule = New-CIPolicyRule -DriverFilePath '.\temp\addin1.dll' -Level FileName -AppID '.\ERP1.exe'
-$rule += New-CIPolicyRule -DriverFilePath '.\temp\addin2.dll' -Level FileName -AppID '.\ERP1.exe'
-New-CIPolicy -Rules $rule -FilePath ".\AllowERPAddins.xml" -UserPEs
-```
-
-As another example, to create a WDAC policy that blocks **addin3.dll** from running in Microsoft Word, run the following command. You must include the `-Deny` option to block the specified add-ins in the specifed application:
-
-```
-$rule = New-CIPolicyRule -DriverFilePath '.\temp\addin3.dll' -Level FileName -Deny -AppID '.\winword.exe'
-New-CIPolicy -Rules $rule -FilePath ".\BlockAddins.xml" -UserPEs
-```
-
-## Merge Windows Defender Application Control policies
-
-When you develop WDAC policies, you will occasionally need to merge two policies. A common example is when a WDAC policy is initially created and audited. Another example is when you create a single master policy by using multiple policies previously created from reference computers. Because each computer running Windows 10 can have only one WDAC policy, it is important to properly maintain these policies. In this example, audit events have been saved into a secondary WDAC policy that you then merge with the initial WDAC policy.
-
-> [!Note] 
-> The following example uses several of the WDAC policy .xml files that you created in earlier sections in this topic. You can follow this process, however, with any two WDAC policies you would like to combine.
-
-To merge two WDAC policies, complete the following steps in an elevated Windows PowerShell session:
-
-1.  Initialize the variables that will be used:
-
-    ` $CIPolicyPath=$env:userprofile+"\Desktop\"`
-
-    ` $InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"`
-
-    ` $AuditCIPolicy=$CIPolicyPath+"DeviceGuardAuditPolicy.xml"`
-
-    ` $MergedCIPolicy=$CIPolicyPath+"MergedPolicy.xml"`
-
-    ` $CIPolicyBin=$CIPolicyPath+"NewDeviceGuardPolicy.bin"`
-
-  > [!Note] 
-  > The variables in this section specifically expect to find an initial policy on your desktop called **InitialScan.xml** and an audit WDAC policy called **DeviceGuardAuditPolicy.xml**. If you want to merge other WDAC policies, update the variables accordingly.
-
-2.  Use [Merge-CIPolicy](https://docs.microsoft.com/powershell/module/configci/merge-cipolicy?view=win10-ps) to merge two policies and create a new WDAC policy:
-
-    ` Merge-CIPolicy -PolicyPaths $InitialCIPolicy,$AuditCIPolicy -OutputFilePath $MergedCIPolicy`
-
-3.  Use [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy?view=win10-ps) to convert the merged WDAC policy to binary format:
-
-    ` ConvertFrom-CIPolicy $MergedCIPolicy $CIPolicyBin `
-
-Now that you have created a new WDAC policy (for example, called **NewDeviceGuardPolicy.bin**), you can deploy the policy binary to systems manually or by using Group Policy or Microsoft client management solutions. For information about how to deploy this new policy with Group Policy, see the [Deploy and manage Windows Defender Application Control with Group Policy](#deploy-and-manage-windows-defender-application-control-with-group-policy) section.
-
-## Enforce Windows Defender Application Control policies
-
-Every WDAC policy is created with audit mode enabled. After you have successfully deployed and tested a WDAC policy in audit mode and are ready to test the policy in enforced mode, complete the following steps in an elevated Windows PowerShell session:
-
-> [!Note] 
-> Every WDAC policy should be tested in audit mode first. For information about how to audit WDAC policies, see [Audit Windows Defender Application Control policies](#audit-windows-defender-application-control-policies), earlier in this topic.
-
-1.  Initialize the variables that will be used:
-
-    ` $CIPolicyPath=$env:userprofile+"\Desktop\"`
-
-    ` $InitialCIPolicy=$CIPolicyPath+"InitialScan.xml" `
-
-    ` $EnforcedCIPolicy=$CIPolicyPath+"EnforcedPolicy.xml"`
-
-    ` $CIPolicyBin=$CIPolicyPath+"EnforcedDeviceGuardPolicy.bin"`
-
-    > [!Note] 
-    > The initial WDAC policy that this section refers to was created in the [Create a Windows Defender Application Control policy from a reference computer](#create-a-windows-defender-application-control-policy-from-a-reference-computer) section. If you are using a different WDAC policy, update the **CIPolicyPath** and **InitialCIPolicy** variables.
-
-2. Ensure that rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”) are set the way that you intend for this policy. We strongly recommend that you enable these rule options before you run any enforced policy for the first time. Enabling these options provides administrators with a pre-boot command prompt, and allows Windows to start even if the WDAC policy blocks a kernel-mode driver from running. When ready for enterprise deployment, you can remove these options.
-
-    To ensure that these options are enabled in a policy, use [Set-RuleOption](https://docs.microsoft.com/powershell/module/configci/set-ruleoption?view=win10-ps) as shown in the following commands. You can run these commands even if you're not sure whether options 9 and 10 are already enabled—if so, the commands have no effect.
-    
-    ` Set-RuleOption -FilePath $InitialCIPolicy -Option 9`
-    
-    ` Set-RuleOption -FilePath $InitialCIPolicy -Option 10`
-
-3.  Copy the initial file to maintain an original copy:
-
-    ` copy $InitialCIPolicy $EnforcedCIPolicy`
-
-4.  Use [Set-RuleOption](https://docs.microsoft.com/powershell/module/configci/set-ruleoption?view=win10-ps) to delete the audit mode rule option:
-
-    ` Set-RuleOption -FilePath $EnforcedCIPolicy -Option 3 -Delete`
-
-  > [!Note] 
-  > To enforce a WDAC policy, you delete option 3, the **Audit Mode Enabled** option. There is no “enforced” option that can be placed in a WDAC policy.
-
-5.  Use [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy?view=win10-ps) to convert the new WDAC policy to binary format:
-
-    ` ConvertFrom-CIPolicy $EnforcedCIPolicy $CIPolicyBin`
-
-Now that this policy is in enforced mode, you can deploy it to your test computers. Rename the policy to SIPolicy.p7b and copy it to C:\\Windows\\System32\\CodeIntegrity for testing, or deploy the policy through Group Policy by following the instructions in [Deploy and manage Windows Defender Application Control with Group Policy](#deploy-and-manage-windows-defender-application-control-with-group-policy). You can also use other client management software to deploy and manage the policy.
-
-## Signing Windows Defender Application Control policies with SignTool.exe
-
-Signed WDAC policies give organizations the highest level of malware protection available in Windows 10. 
-In addition to their enforced policy rules, signed policies cannot be modified or deleted by a user or administrator on the computer. 
-These policies are designed to prevent administrative tampering and kernel mode exploit access. 
-With this in mind, it is much more difficult to remove signed WDAC policies. 
-Before you sign and deploy a signed WDAC policy, we recommend that you [audit the policy](#audit-windows-defender-application-control-policies) to discover any blocked applications that should be allowed to run. 
-
-Signing WDAC policies by using an on-premises CA-generated certificate or a purchased code signing certificate is straightforward. 
-If you do not currently have a code signing certificate exported in .pfx format (containing private keys, extensions, and root certificates), see [Optional: Create a code signing certificate for Windows Defender Application Control](optional-create-a-code-signing-certificate-for-windows-defender-application-control.md) to create one with your on-premises CA. 
-
-Before signing WDAC policies for the first time, be sure to enable rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”) to leave troubleshooting options available to administrators. To ensure that a rule option is enabled, you can run a command such as `Set-RuleOption -FilePath <PathAndFilename> -Option 9` even if you're not sure whether the option is already enabled—if so, the command has no effect. When validated and ready for enterprise deployment, you can remove these options. For more information about rule options, see [Windows Defender Application Control policy rules](deploy-windows-defender-application-control-policy-rules-and-file-rules.md#windows-defender-application-control-policy-rules) in "Deploy Windows Defender Application Control: policy rules and file rules."
-
-To sign a WDAC policy with SignTool.exe, you need the following components:
-
--   SignTool.exe, found in the Windows SDK (Windows 7 or later)
-
--   The binary format of the WDAC policy that you generated in the [Create a Windows Defender Application Control policy from a reference computer](#create-a-windows-defender-application-control-policy-from-a-reference-computer) section or another WDAC policy that you have created
-
--   An internal CA code signing certificate or a purchased code signing certificate
-
-If you do not have a code signing certificate, see the [Optional: Create a code signing certificate for Windows Defender Application Control](optional-create-a-code-signing-certificate-for-windows-defender-application-control.md) section for instructions on how to create one. If you use an alternate certificate or WDAC policy, be sure to update the following steps with the appropriate variables and certificate so that the commands will function properly. To sign the existing WDAC policy, copy each of the following commands into an elevated Windows PowerShell session:
-
-1.  Initialize the variables that will be used:
-
-    ` $CIPolicyPath=$env:userprofile+"\Desktop\"`
-    
-    ` $InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"`
-    
-    ` $CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"`
-
-   > [!Note] 
-   > This example uses the WDAC policy that you created in the [Create a Windows Defender Application Control policy from a reference computer](#create-a-windows-defender-application-control-policy-from-a-reference-computer) section. If you are signing another policy, be sure to update the **$CIPolicyPath** and **$CIPolicyBin** variables with the correct information.
-
-2.  Import the .pfx code signing certificate. Import the code signing certificate that you will use to sign the WDAC policy into the signing user’s personal store on the computer that will be doing the signing. In this example, you use the certificate that was created in [Optional: Create a code signing certificate for Windows Defender Application Control](optional-create-a-code-signing-certificate-for-windows-defender-application-control.md).
-
-3.  Export the .cer code signing certificate. After the code signing certificate has been imported, export the .cer version to your desktop. This version will be added to the policy so that it can be updated later.
-
-4.  Navigate to your desktop as the working directory:
-
-    ` cd $env:USERPROFILE\Desktop `
-
-5.  Use [Add-SignerRule](https://docs.microsoft.com/powershell/module/configci/add-signerrule?view=win10-ps) to add an update signer certificate to the WDAC policy:
-
-    ` Add-SignerRule -FilePath $InitialCIPolicy -CertificatePath <Path to exported .cer certificate> -Kernel -User –Update`
-
-   > [!Note] 
-   > *&lt;Path to exported .cer certificate&gt;* should be  the full path to the certificate that you exported in   step 3.
-    Also, adding update signers is crucial to being able to modify or disable this policy in the future. For more information about how to disable signed WDAC policies, see the [Disable signed Windows Defender Application Control policies within Windows](#disable-signed-windows-defender-application-control-policies-within-windows) section.
-
-6.  Use [Set-RuleOption](https://docs.microsoft.com/powershell/module/configci/set-ruleoption?view=win10-ps) to remove the unsigned policy rule option:
-
-    ` Set-RuleOption -FilePath $InitialCIPolicy -Option 6 -Delete`
-
-7.  Use [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy?view=win10-ps) to convert the policy to binary format:
-
-    ` ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin`
-
-8.  Sign the WDAC policy by using SignTool.exe:
-
-    ` <Path to signtool.exe> sign -v /n "ContosoDGSigningCert" -p7 . -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 $CIPolicyBin`
-
-   > [!Note] 
-   > The *&lt;Path to signtool.exe&gt;* variable should be the full path to the SignTool.exe utility. **ContosoDGSigningCert** is the subject name of the certificate that will be used to sign the WDAC policy. You should import this certificate to your personal certificate store on the computer you use to sign the policy.
-
-9.  Validate the signed file. When complete, the commands should output a signed policy file called DeviceGuardPolicy.bin.p7 to your desktop. You can deploy this file the same way you deploy an enforced or non-enforced policy. For information about how to deploy WDAC policies, see [Deploy and manage Windows Defender Application Control with Group Policy](#deploy-and-manage-windows-defender-application-control-with-group-policy).
-
-## Disable unsigned Windows Defender Application Control policies
-
-There may come a time when an administrator wants to disable a WDAC policy. For unsigned WDAC policies, this process is simple. Depending on how the WDAC policy was deployed, unsigned policies can be disabled in one of two ways. If a WDAC policy was manually enabled and copied to the code integrity folder location, simply delete the file and restart the computer. The following locations can contain executing WDAC policies:
-
--   &lt;EFI System Partition&gt;\\Microsoft\\Boot\\
-
--   &lt;OS Volume&gt;\\Windows\\System32\\CodeIntegrity\\
-
-If the WDAC policy was deployed by using Group Policy, the GPO that is currently enabling and deploying the policy must be set to disabled. Then, the WDAC policy will be disabled on the next computer restart.
-
-## Disable signed Windows Defender Application Control policies within Windows
-
-Signed policies protect Windows from administrative manipulation as well as malware that has gained administrative-level access to the system. For this reason, signed WDAC policies are intentionally more difficult to remove than unsigned policies. They inherently protect themselves from modification or removal and therefore are difficult even for administrators to remove successfully. If the signed WDAC policy is manually enabled and copied to the CodeIntegrity folder, to remove the policy, you must complete the following steps.
-
-> [!Note] 
-> For reference, signed WDAC policies should be replaced and removed from the following locations:
-
--   &lt;EFI System Partition&gt;\\Microsoft\\Boot\\
-
--   &lt;OS Volume&gt;\\Windows\\System32\\CodeIntegrity\\
-
-
-1.  Replace the existing policy with another signed policy that has the **6 Enabled: Unsigned System Integrity Policy** rule option enabled.
-
-    > **Note**&nbsp;&nbsp;To take effect, this policy must be signed with a certificate previously added to the **UpdatePolicySigners** section of the original signed policy you want to replace.
-
-2.  Restart the client computer.
-
-3.  Verify that the new signed policy exists on the client.
-
-    > **Note**&nbsp;&nbsp;If the signed policy that contains rule option 6 has not been processed on the client, the addition of an unsigned policy may cause boot failures.
-
-4.  Delete the new policy.
-
-5.  Restart the client computer.
-
-If the signed WDAC policy has been deployed using by using Group Policy, you must complete the following steps:
-
-1.  Replace the existing policy in the GPO with another signed policy that has the **6 Enabled: Unsigned System Integrity Policy** rule option enabled.
-
-    > **Note**&nbsp;&nbsp;To take effect, this policy must be signed with a certificate previously added to the **UpdatePolicySigners** section of the original signed policy you want to replace.
-
-2.  Restart the client computer.
-
-3.  Verify that the new signed policy exists on the client.
-
-    > **Note**&nbsp;&nbsp;If the signed policy that contains rule option 6 has not been processed on the client, the addition of an unsigned policy may cause boot failures.
-
-4.  Set the GPO to disabled.
-
-5.  Delete the new policy.
-
-6.  Restart the client computer.
-
-## Disable signed Windows Defender Application Control policies within the BIOS
-
-There may be a time when signed WDAC policies cause a boot failure. Because WDAC policies enforce kernel mode drivers, it is important that they be thoroughly tested on each software and hardware configuration before being enforced and signed. Signed WDAC policies are validated in the pre-boot sequence by using Secure Boot. When you disable the Secure Boot feature in the BIOS, and then delete the file from the following locations on the operating system disk, it allows the system to boot into Windows:
-
--   &lt;EFI System Partition&gt;\\Microsoft\\Boot\\
-
--   &lt;OS Volume&gt;\\Windows\\System32\\CodeIntegrity\\
-
-## Deploy and manage Windows Defender Application Control with Group Policy
-
-WDAC policies can easily be deployed and managed with Group Policy. A Windows Defender Device Guard administrative template will be available in Windows Server 2016 that allows you to simplify deployment of Windows Defender Device Guard hardware-based security features and Windows Defender Application Control policies. The following procedure walks you through how to deploy a WDAC policy called **DeviceGuardPolicy.bin** to a test OU called *DG Enabled PCs* by using a GPO called **Contoso GPO Test**.
-
-> [!Note] 
-> This walkthrough requires that you have previously created a WDAC policy and have a computer running Windows 10 on which to test a Group Policy deployment. For more information about how to create a WDAC policy, see [Create a Windows Defender Application Control policy from a reference computer](#create-a-windows-defender-application-control-policy-from-a-reference-computer), earlier in this topic.
-
-> [!Note] 
-> Signed WDAC policies can cause boot failures when deployed. We recommend that signed WDAC policies be thoroughly tested on each hardware platform before enterprise deployment.
-
-To deploy and manage a WDAC policy with Group Policy:
-
-1.  On a domain controller on a client computer on which RSAT is installed, open the GPMC by running **GPMC.MSC** or searching for “Group Policy Management” in Windows Search.
-
-2.  Create a new GPO: right-click an OU and then click **Create a GPO in this domain, and Link it here**, as shown in Figure 3.
-
-    > **Note**&nbsp;&nbsp;You can use any OU name. Also, security group filtering is an option when you consider different ways of combining WDAC policies (or keeping them separate), as discussed in [Planning and getting started on the Windows Defender Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md).
-
-    ![Group Policy Management, create a GPO](images/dg-fig24-creategpo.png)
-
-    Figure 3. Create a GPO
-
-3.  Name the new GPO. You can choose any name. 
-
-4.  Open the Group Policy Management Editor: right-click the new GPO, and then click **Edit**.
-
-5.  In the selected GPO, navigate to Computer Configuration\\Administrative Templates\\System\\Device Guard. Right-click **Deploy Windows Defender Application Control** and then click **Edit**.
-
-    ![Edit the Group Policy for Windows Defender Application Control](images/wdac-edit-gp.png)
-
-    Figure 4. Edit the Group Policy for Windows Defender Application Control
-
-6.  In the **Deploy Windows Defender Application Control** dialog box, select the **Enabled** option, and then specify the code integrity policy deployment path.
-
-    In this policy setting, you specify either the local path in which the policy will exist on the client computer or a Universal Naming Convention (UNC) path that the client computers will look to retrieve the latest version of the policy. For example, with DeviceGuardPolicy.bin on the test computer, the example file path would be C:\\Windows\\System32\\CodeIntegrity\\DeviceGuardPolicy.bin, as shown in Figure 5.
-
-    > [!Note] 
-    > The illustration shows the example file name *DeviceGuardPolicy.bin* because this name was used earlier in this topic, in [Create a Windows Defender Application Control policy from a reference computer](#create-a-windows-defender-application-control-policy-from-a-reference-computer). Also, this policy file does not need to be copied to every computer. You can instead copy the WDAC policies to a file share to which all computer accounts have access. Any policy selected here is converted to SIPolicy.p7b when it is deployed to the individual client computers.
-
-    ![Group Policy called Deploy Windows Defender Application Control](images/dg-fig26-enablecode.png)
-
-    Figure 5. Enable the Windows Defender Application Control policy
-
-    > [!Note] 
-    > You may have noticed that the GPO setting references a .p7b file and this example uses a .bin file for the policy. Regardless of the type of policy you deploy (.bin, .p7b, or .p7), they are all converted to SIPolicy.p7b when dropped on the client computer running Windows 10. Make your WDAC policies friendly and allow the system to convert the policy names for you to ensure that the policies are easily distinguishable when viewed in a share or any other central repository.
-
-7.  Close the Group Policy Management Editor, and then restart the Windows 10 test computer. Restarting the computer updates the WDAC policy. For information about how to audit WDAC policies, see the [Audit Windows Defender Application Control policies](#audit-windows-defender-application-control-policies) section.
-
-## Related topics
-
-[Introduction to Windows Defender Device Guard: virtualization-based security and Windows Defender Application Control](introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
-
-[Enable virtualization-based protection of code integrity](deploy-device-guard-enable-virtualization-based-security.md)
-
diff --git a/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md b/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md
new file mode 100644
index 0000000000..239ebf291c
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md
@@ -0,0 +1,88 @@
+---
+title: Plan for Windows Defender Application Control policy management  (Windows 10)
+description: Plan for Windows Defender Application Control policy management. 
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: jsuther1974
+ms.date: 02/21/2018
+---
+
+# Plan for Windows Defender Application Control policy management 
+
+**Applies to:**
+
+-   Windows 10
+-   Windows Server 2016
+
+This topic for describes the decisions you need to make to establish the processes for managing and maintaining Windows Defender Application Control (WDAC) policies.
+
+## Policy management
+
+Before you begin the deployment process, consider how the WDAC rules will be managed. Developing a process for managing WDAC rules helps assure that WDAC continues to effectively control how applications are allowed to run in your organization.
+
+### Application and user support policy
+
+Considerations include:
+
+-   What type of end-user support is provided for blocked applications?
+-   How are new rules added to the policy?
+-   How are existing rules updated?
+-   Are events forwarded for review?
+
+**Help desk support**
+
+If your organization has an established help desk support department in place, consider the following when deploying WDAC policies:
+
+-   What documentation does your support department require for new policy deployments?
+-   What are the critical processes in each business group both in work flow and timing that will be affected by application control policies and how could they affect your support department's workload?
+-   Who are the contacts in the support department?
+-   How will the support department resolve application control issues between the end user and those who maintain the WDAC rules?
+
+**End-user support**
+
+Because WDAC is preventing unapproved apps from running, it is important that your organization carefully plan how to provide end-user support. Considerations include:
+
+-   Do you want to use an intranet site as a first line of support for users who have tried to run a blocked app?
+-   How do you want to support exceptions to the policy? Will you allow users to run a script to temporarily allow access to a blocked app?
+
+**WDAC event management**
+
+Each time that a process requests permission to run, WDAC creates an event in the CodeIntegrity log. The event details which file tried to run, the attributes of that file, and the user that initiated the request. 
+
+Collecting these events in a central location can help you maintain your WDAC policy and troubleshoot rule configuration problems. Event collection technologies such as those available in Windows allow administrators to subscribe to specific event channels and have the events from source computers aggregated into a forwarded event log on a Windows Server operating system collector. For more info about setting up an event subscription, see [Configure Computers to Collect and Forward Events](https://go.microsoft.com/fwlink/p/?LinkId=145012).
+
+### Policy maintenance
+
+As new apps are deployed or existing apps are updated by the software publisher, you will need to make revisions to your rule collections to ensure that the policy is current.
+
+To ensure version control when modifying an WDAC policy, use Group Policy management software that allows you to create versions of Group Policy Objects (GPOs). An example of this type of software is the Advanced Group Policy Management feature from the Microsoft Desktop Optimization Pack. For more info about Advanced Group Policy Management, see [Advanced Group Policy Management Overview](https://go.microsoft.com/fwlink/p/?LinkId=145013) (https://go.microsoft.com/fwlink/p/?LinkId=145013).
+ 
+**New version of a supported app**
+
+When a new version of an app is deployed in the organization, you need to determine whether to continue to support the previous version of that app. To add the new version, you might only need to create a new rule for each file that is associated with the app. If you are using publisher conditions and the version is not specified, then the existing rule or rules might be sufficient to allow the updated file to run. You must ensure, however, that the updated app has not altered the file names or added files to support new functionality. If so, then you must modify the existing rules or create new rules. To continue to reuse a publisher-based rule without a specific file version, you must also ensure that the file's digital signature is still identical to the previous version—the publisher, product name, and file name (if configured in your rule) must all match for the rule to be correctly applied.
+
+To determine whether a file has been modified during an app update, review the publisher's release details provided with the update package. You can also review the publisher's web page to retrieve this information. Each file can also be inspected to determine the version.
+
+For files that are allowed or denied with file hash conditions, you must retrieve the new file hash. To add support for a new version and maintain support for the older version, you can either create a new file hash rule for the new version or edit the existing rule and add the new file hash to the list of conditions.
+
+For files with path conditions, you should verify that the installation path has not changed from what is stated in the rule. If the path has changed, you need to update the rule before installing the new version of the app
+
+**Recently deployed app**
+
+To support a new app, you must add one or more rules to the existing WDAC policy.
+
+**App is no longer supported**
+
+If your organization has determined that it will no longer support an application that has WDAC rules associated with it, the easiest way to prevent users from running the app is to delete these rules.
+
+## Next steps
+
+After deciding how your organization will manage your WDAC policy, record your findings.
+
+-   **End-user support policy.** Document the process that you will use for handling calls from users who have attempted to run a blocked app, and ensure that support personnel have clear escalation steps so that the administrator can update the WDAC policy, if necessary.
+-   **Event processing.** Document whether events will be collected in a central location called a store, how that store will be archived, and whether the events will be processed for analysis.
+-   **Policy maintenance.** Detail how rules will be added to the policy and in which GPO the rules are defined.
+
+For information and steps how to document your processes, see [Document your application control management processes](document-your-windows-defender-application-control-management-processes.md).
diff --git a/windows/security/threat-protection/device-guard/deploy-windows-defender-application-control-policy-rules-and-file-rules.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
similarity index 66%
rename from windows/security/threat-protection/device-guard/deploy-windows-defender-application-control-policy-rules-and-file-rules.md
rename to windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
index 1abe52b44a..3ebdf18aaf 100644
--- a/windows/security/threat-protection/device-guard/deploy-windows-defender-application-control-policy-rules-and-file-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
@@ -1,48 +1,36 @@
 ---
-title: Deploy code integrity policies - policy rules and file rules (Windows 10)
-description: This article provides information about two elements in code integrity policies, called policy rules and file rules. Code integrity policies are part of Windows Defender Device Guard in Windows 10. 
-keywords: virtualization, security, malware
+title: Select the types of rules to create  (Windows 10)
+description: Select the types of rules to create. 
 ms.prod: w10
 ms.mktglfcycl: deploy
-ms.localizationpriority: high
-author: brianlic-msft
-ms.date: 10/20/2017
+ms.sitesec: library
+ms.pagetype: security
+author: jsuther1974
+ms.date: 04/20/2018
 ---
 
-# Deploy Windows Defender Application Control: policy rules and file rules
+# Deploy Windows Defender Application Control policy rules and file rules
 
-**Applies to**
--   Windows 10
--   Windows Server 2016
+**Applies to:**
 
-Windows Defender Application Control (WDAC) provides control over a computer running Windows 10 by specifying whether a driver or application is trusted and can be run. For an overview of WDAC, see:
-- [How Windows Defender Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md#how-windows-defender-device-guard-features-help-protect-against-threats) in "Introduction to Windows Defender Device Guard: virtualization-based security and Windows Defender Application Control."
-- [Windows Defender Application Control policy formats and signing](requirements-and-deployment-planning-guidelines-for-device-guard.md#windows-defender-application-control-policy-formats-and-signing) in "Requirements and deployment planning guidelines for Windows Defender Device Guard."
+-   Windows 10
+-   Windows Server 2016
 
-If you already understand the basics of WDAC and want procedures for creating, auditing, and merging WDAC policies, see [Deploy Windows Defender Application Control: steps](steps-to-deploy-windows-defender-application-control.md).
-
-This topic includes the following sections:
-
-- [Overview of the process of creating Windows Defender Application Control policies](#overview-of-the-process-of-creating-windows-defender-application-control-policies): Helps familiarize you with the process described in this and related topics.
-- [Windows Defender Application Control policy rules](#windows-defender-application-control-policy-rules): Describes one key element you specify in a policy, the *policy rules*, which control options such as audit mode or whether user mode code integrity (UMCI) is enabled in a WDAC policy.
-- [Windows Defender Application Control file rule levels](#windows-defender-application-control-file-rule-levels): Describes the other key element you specify in a policy, the *file rules* (or *file rule levels*), which specify the level at which applications will be identified and trusted.
-- [Example of file rule levels in use](#example-of-file-rule-levels-in-use): Gives an example of how file rule levels can be applied.
+Windows Defender Application Control (WDAC) provides control over a computer running Windows 10 by using policies that specify whether a driver or application is trusted and can be run. A policy includes *policy rules* that control options such as audit mode or whether user mode code integrity (UMCI) is enabled in a WDAC policy, and *file rules* (or *file rule levels*) that specify the level at which applications will be identified and trusted.
 
 ## Overview of the process of creating Windows Defender Application Control policies
 
-A common system imaging practice in today’s IT organization is to establish a “golden” image as a reference for what an ideal system should look like, and then use that image to clone additional company assets. WDAC policies follow a similar methodology, that begins with the establishment of a golden computer. As with imaging, you can have multiple golden computers based on model, department, application set, and so on. Although the thought process around the creation of WDAC policies is similar to imaging, these policies should be maintained independently. Assess the necessity of additional WDAC policies based on what should be allowed to be installed and run and for whom. For more details on doing this assessment, see the planning steps in [Planning and getting started on the Windows Defender Device Guard deployment process](planning-and-getting-started-on-the-device-guard-deployment-process.md).
+A common system imaging practice in today’s IT organization is to establish a “golden” image as a reference for what an ideal system should look like, and then use that image to clone additional company assets. WDAC policies follow a similar methodology, that begins with the establishment of a golden computer. As with imaging, you can have multiple golden computers based on model, department, application set, and so on. Although the thought process around the creation of WDAC policies is similar to imaging, these policies should be maintained independently. Assess the necessity of additional WDAC policies based on what should be allowed to be installed and run and for whom. For more details on doing this assessment, see the [WDAC Design Guide](windows-defender-application-control-design-guide.md).
 
 > **Note**&nbsp;&nbsp;Each computer can have only **one** WDAC policy at a time. Whichever way you deploy this policy, it is renamed to SIPolicy.p7b and copied to **C:\\Windows\\System32\\CodeIntegrity** and, for UEFI computers, **&lt;EFI System Partition&gt;\\Microsoft\\Boot**. Keep this in mind when you create your WDAC policies.
 
 Optionally, WDAC can align with your software catalog as well as any IT department–approved applications. One straightforward method to implement WDAC is to use existing images to create one master WDAC policy. You do so by creating a WDAC policy from each image, and then by merging the policies. This way, what is installed on all of those images will be allowed to run, if the applications are installed on a computer based on a different image. Alternatively, you may choose to create a base applications policy and add policies based on the computer’s role or department. Organizations have a choice of how their policies are created, merged or serviced, and managed.
 
-If you plan to use an internal CA to sign catalog files or WDAC policies, see the steps in [Optional: Create a code signing certificate for Windows Defender Application Control](optional-create-a-code-signing-certificate-for-windows-defender-application-control.md). 
+If you plan to use an internal CA to sign catalog files or WDAC policies, see the steps in [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md). 
 
 ## Windows Defender Application Control policy rules
 
-WDAC policies include *policy rules*, which control options such as audit mode or whether UMCI is enabled in a WDAC policy. You can modify these options in a new or existing WDAC policy. (For information about *file rules*, which specify the level at which applications will be identified and trusted, see the next section, [Windows Defender Application Control file rule levels](#windows-defender-application-control-file-rule-levels).)
-
-To modify the policy rule options of an existing WDAC policy, use [Set-RuleOption](https://docs.microsoft.com/powershell/module/configci/set-ruleoption?view=win10-ps). Note the following examples of how to use this cmdlet to add and remove a rule option on an existing WDAC policy:
+To modify the policy rule options of an existing WDAC policy, use [Set-RuleOption](https://docs.microsoft.com/powershell/module/configci/set-ruleoption). Note the following examples of how to use this cmdlet to add and remove a rule option on an existing WDAC policy:
 
 -   To ensure that UMCI is enabled for a WDAC policy that was created with the `-UserPEs` (user mode) option, add rule option 0 to an existing policy by running the following command:
 
@@ -54,12 +42,10 @@ To modify the policy rule options of an existing WDAC policy, use [Set-RuleOptio
 
     ` Set-RuleOption -FilePath <Path to policy> -Option 0 -Delete`
 
-You can set several rule options within a WDAC policy. To display a list of rule options, you can type **Set-
-RuleOption -Help** in a Windows PowerShell session. Table 2 describes each rule option. 
+You can set several rule options within a WDAC policy. Table 2 describes each rule option. 
 
-> **Note**&nbsp;&nbsp;**Enabled:Audit Mode** is an important rule option. We recommend that you use this option for a period of time with all new WDAC policies, because it allows you to test them before you enforce them. With audit mode, no application is blocked—the policy just logs an event whenever an application outside the policy is started. To expand the policy so that (when enforced) it will allow these applications, you can use Windows PowerShell commands to capture the needed policy information from the event log, and then merge that information into the existing policy.
-
-> The mode—audit mode or enforced mode—is set by including or deleting **Enabled:Audit Mode** in the WDAC policy. When this option is deleted, the policy runs in enforced mode.
+> [!NOTE] 
+> We recommend that you use **Enabled:Audit Mode** initially because it allows you to test new WDAC policies before you enforce them. With audit mode, no application is blocked—instead the policy logs an event whenever an application outside the policy is started. To allow these applications, you can capture the policy information from the event log, and then merge that information into the existing policy. When the **Enabled:Audit Mode** is deleted, the policy runs in enforced mode.
 
 **Table 2. Windows Defender Application Control policy - policy rule options**
 
@@ -105,20 +91,15 @@ Table 3. Windows Defender Application Control policy - file rule levels
 | **WHQLPublisher** | This is a combination of the WHQL and the CN on the leaf certificate and is primarily for kernel binaries. |
 | **WHQLFilePublisher** | Specifies that the binaries are validated and signed by WHQL, with a specific publisher (WHQLPublisher), and that the binary is the specified version or newer. This is primarily for kernel binaries. |
 
-> **Note**&nbsp;&nbsp;When you create WDAC policies with the [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy?view=win10-ps) cmdlet, you can specify a primary file rule level by including the **-Level** parameter. For discovered binaries that cannot be trusted based on the primary file rule criteria, use the **-Fallback** parameter. For example, if the primary file rule level is PCACertificate but you would like to trust the unsigned applications as well, using the Hash rule level as a fallback adds the hash values of binaries that did not have a signing certificate.
+> [!NOTE]
+> When you create WDAC policies with [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy), you can specify a primary file rule level by including the **-Level** parameter. For discovered binaries that cannot be trusted based on the primary file rule criteria, use the **-Fallback** parameter. For example, if the primary file rule level is PCACertificate but you would like to trust the unsigned applications as well, using the Hash rule level as a fallback adds the hash values of binaries that did not have a signing certificate.
 
 ## Example of file rule levels in use
 
 For example, consider some IT professionals in a department that runs many servers. They decide they want their servers to run only software signed by the providers of their software and drivers, that is, the companies that provide their hardware, operating system, antivirus, and other important software. They know that their servers also run an internally written application that is unsigned but is rarely updated. They want to allow this application to run.
 
-To create the WDAC policy, they build a reference server on their standard hardware, and install all of the software that their servers are known to run. Then they run [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy?view=win10-ps) with **-Level Publisher** (to allow software from their software providers, the "Publishers") and **-Fallback Hash** (to allow the internal, unsigned application). They enable the policy in auditing mode and gather information about any necessary software that was not included on the reference server. They merge WDAC policies into the original policy to allow that additional software to run. Then they enable the WDAC policy in enforced mode for their servers.
+To create the WDAC policy, they build a reference server on their standard hardware, and install all of the software that their servers are known to run. Then they run [New-CIPolicy](https://docs.microsoft.com/powershell/module/configci/new-cipolicy) with **-Level Publisher** (to allow software from their software providers, the "Publishers") and **-Fallback Hash** (to allow the internal, unsigned application). They enable the policy in auditing mode and gather information about any necessary software that was not included on the reference server. They merge WDAC policies into the original policy to allow that additional software to run. Then they enable the WDAC policy in enforced mode for their servers.
 
 As part of normal operations, they will eventually install software updates, or perhaps add software from the same software providers. Because the "Publisher" remains the same on those updates and software, they will not need to update their WDAC policy. If they come to a time when the internally-written, unsigned application must be updated, they must also update the WDAC policy so that the hash in the policy matches the hash of the updated internal application.
 
-They could also choose to create a catalog that captures information about the unsigned internal application, then sign and distribute the catalog. Then the internal application could be handled by WDAC policies in the same way as any other signed application. An update to the internal application would only require that the catalog be regenerated, signed, and distributed (no restarts would be required).
-
-
-## Related topics
-
-- [How Windows Defender Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md#how-windows-defender-device-guard-features-help-protect-against-threats)
-- [Deploy Windows Defender Application Control: steps](steps-to-deploy-windows-defender-application-control.md)
+They could also choose to create a catalog that captures information about the unsigned internal application, then sign and distribute the catalog. Then the internal application could be handled by WDAC policies in the same way as any other signed application. An update to the internal application would only require that the catalog be regenerated, signed, and distributed (no restarts would be required).
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-application-control/signing-policies-with-signtool.md b/windows/security/threat-protection/windows-defender-application-control/signing-policies-with-signtool.md
new file mode 100644
index 0000000000..316dc3405f
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-application-control/signing-policies-with-signtool.md
@@ -0,0 +1,83 @@
+---
+title: Signing Windows Defender Application Control policies with SignTool.exe  (Windows 10)
+description: SSigned WDAC policies give organizations the highest level of malware protection available in Windows 10. 
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: jsuther1974
+ms.date: 02/21/2018
+---
+
+# Signing Windows Defender Application Control policies with SignTool.exe 
+
+**Applies to:**
+
+-   Windows 10
+-   Windows Server 2016
+
+Signed WDAC policies give organizations the highest level of malware protection available in Windows 10. 
+In addition to their enforced policy rules, signed policies cannot be modified or deleted by a user or administrator on the computer. 
+These policies are designed to prevent administrative tampering and kernel mode exploit access. 
+With this in mind, it is much more difficult to remove signed WDAC policies. 
+Before you sign and deploy a signed WDAC policy, we recommend that you [audit the policy](audit-windows-defender-application-control-policies.md) to discover any blocked applications that should be allowed to run. 
+
+Signing WDAC policies by using an on-premises CA-generated certificate or a purchased code signing certificate is straightforward. 
+If you do not currently have a code signing certificate exported in .pfx format (containing private keys, extensions, and root certificates), see [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md) to create one with your on-premises CA. 
+
+Before signing WDAC policies for the first time, be sure to enable rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”) to leave troubleshooting options available to administrators. To ensure that a rule option is enabled, you can run a command such as `Set-RuleOption -FilePath <PathAndFilename> -Option 9` even if you're not sure whether the option is already enabled—if so, the command has no effect. When validated and ready for enterprise deployment, you can remove these options. For more information about rule options, see [Windows Defender Application Control policy rules](select-types-of-rules-to-create.md).
+
+To sign a WDAC policy with SignTool.exe, you need the following components:
+
+-   SignTool.exe, found in the Windows SDK (Windows 7 or later)
+
+-   The binary format of the WDAC policy that you generated in the [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md) section or another WDAC policy that you have created
+
+-   An internal CA code signing certificate or a purchased code signing certificate
+
+If you do not have a code signing certificate, see the [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md) section for instructions on how to create one. If you use an alternate certificate or WDAC policy, be sure to update the following steps with the appropriate variables and certificate so that the commands will function properly. To sign the existing WDAC policy, copy each of the following commands into an elevated Windows PowerShell session:
+
+1.  Initialize the variables that will be used:
+
+    ` $CIPolicyPath=$env:userprofile+"\Desktop\"`
+    
+    ` $InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"`
+    
+    ` $CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"`
+
+   > [!Note] 
+   > This example uses the WDAC policy that you created in [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md). If you are signing another policy, be sure to update the **$CIPolicyPath** and **$CIPolicyBin** variables with the correct information.
+
+2.  Import the .pfx code signing certificate. Import the code signing certificate that you will use to sign the WDAC policy into the signing user’s personal store on the computer that will be doing the signing. In this example, you use the certificate that was created in [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md).
+
+3.  Export the .cer code signing certificate. After the code signing certificate has been imported, export the .cer version to your desktop. This version will be added to the policy so that it can be updated later.
+
+4.  Navigate to your desktop as the working directory:
+
+    ` cd $env:USERPROFILE\Desktop `
+
+5.  Use [Add-SignerRule](https://docs.microsoft.com/powershell/module/configci/add-signerrule) to add an update signer certificate to the WDAC policy:
+
+    ` Add-SignerRule -FilePath $InitialCIPolicy -CertificatePath <Path to exported .cer certificate> -Kernel -User –Update`
+
+   > [!Note] 
+   > <Path to exported .cer certificate> should be the full path to the certificate that you exported in   step 3.
+    Also, adding update signers is crucial to being able to modify or disable this policy in the future. 
+
+6.  Use [Set-RuleOption](https://docs.microsoft.com/powershell/module/configci/set-ruleoption) to remove the unsigned policy rule option:
+
+    ` Set-RuleOption -FilePath $InitialCIPolicy -Option 6 -Delete`
+
+7.  Use [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy) to convert the policy to binary format:
+
+    ` ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin`
+
+8.  Sign the WDAC policy by using SignTool.exe:
+
+    ` <Path to signtool.exe> sign -v /n "ContosoDGSigningCert" -p7 . -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 $CIPolicyBin`
+
+   > [!Note] 
+   > The *&lt;Path to signtool.exe&gt;* variable should be the full path to the SignTool.exe utility. **ContosoDGSigningCert** is the subject name of the certificate that will be used to sign the WDAC policy. You should import this certificate to your personal certificate store on the computer you use to sign the policy.
+
+9.  Validate the signed file. When complete, the commands should output a signed policy file called DeviceGuardPolicy.bin.p7 to your desktop. You can deploy this file the same way you deploy an enforced or non-enforced policy. For information about how to deploy WDAC policies, see [Deploy and manage Windows Defender Application Control with Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md).
+
diff --git a/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md b/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md
new file mode 100644
index 0000000000..3f8d489fb7
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md
@@ -0,0 +1,33 @@
+---
+title: types of devices (Windows 10)
+description: Typically, deployment of Windows Defender Application Control happens best in phases, rather than being a feature that you simply “turn on.” The choice and sequence of phases depends on the way various computers and other devices are used in your organization, and to what degree IT manages those devices.
+keywords: virtualization, security, malware
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: high
+author: brianlic-msft
+ms.date: 03/01/2018
+---
+
+# Windows Defender Application Control deployment in different scenarios: types of devices
+
+**Applies to**
+-   Windows 10
+-   Windows Server 2016
+
+Typically, deployment of Windows Defender Application Control (WDAC) happens best in phases, rather than being a feature that you simply “turn on.” The choice and sequence of phases depends on the way various computers and other devices are used in your organization, and to what degree IT manages those devices. The following table can help you begin to develop a plan for deploying WDAC in your organization.
+
+| **Type of device**                 | **How WDAC relates to this type of device**  | 
+|------------------------------------|------------------------------------------------------|
+| **Fixed-workload devices**: Perform same tasks every day.<br>Lists of approved applications rarely change.<br>Examples: kiosks, point-of-sale systems, call center computers. | WDAC can be deployed fully, and deployment and ongoing administration are relatively straightforward.<br>After WDAC deployment, only approved applications can run. This is because of protections offered by WDAC. | 
+| **Fully managed devices**: Allowed software is restricted by IT department.<br>Users can request additional software, or install from a list of applications provided by IT department.<br>Examples: locked-down, company-owned desktops and laptops. | An initial baseline WDAC policy can be established and enforced. Whenever the IT department approves additional applications, it will update the WDAC policy and (for unsigned LOB applications) the catalog.<br>WDAC policies are supported by the HVCI service. | 
+| **Lightly managed devices**: Company-owned, but users are free to install software.<br>Devices are required to run organization's antivirus solution and client management tools. | WDAC can be used to help protect the kernel, and to monitor (audit) for problem applications rather than limiting the applications that can be run. | 
+| **Bring Your Own Device**: Employees are allowed to bring their own devices, and also use those devices away from work. | WDAC does not apply. Instead, you can explore other hardening and security features with MDM-based conditional access solutions, such as Microsoft Intune. | 
+
+
+## Related topics
+
+- [Windows Defender Application Control Design Guide](windows-defender-application-control-design-guide.md)
+- [Windows Defender Application Control Deployment Guide](windows-defender-application-control-deployment-guide.md)
+
+
diff --git a/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md
new file mode 100644
index 0000000000..0148e43cae
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-application-control/understand-windows-defender-application-control-policy-design-decisions.md
@@ -0,0 +1,138 @@
+---
+title: Understand Windows Defender Application Control policy design decisions  (Windows 10)
+description: Understand Windows Defender Application Control policy design decisions. 
+ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: jsuther1974
+ms.date: 02/08/2018
+---
+
+# Understand Windows Defender Application Control policy design decisions 
+
+**Applies to:**
+
+-   Windows 10
+-   Windows Server 2016
+
+This topic for the IT professional lists the design questions, possible answers, and ramifications of the decisions when you plan a deployment of application control policies by using Windows Defender Application Control (WDAC) within a Windows operating system environment.
+
+When you begin the design and planning process, you should consider the ramifications of your design choices. The resulting decisions will affect your policy deployment scheme and subsequent application control policy maintenance.
+
+You should consider using WDAC as part of your organization's application control policies if all the following are true:
+
+-   You have deployed or plan to deploy the supported versions of Windows in your organization. 
+-   You need improved control over the access to your organization's applications and the data your users access.
+-   The number of applications in your organization is known and manageable.
+-   You have resources to test policies against the organization's requirements.
+-   You have resources to involve Help Desk or to build a self-help process for end-user application access issues.
+-   The group's requirements for productivity, manageability, and security can be controlled by restrictive policies.
+
+The following questions are not in priority or sequential order. They should be considered when you deploy application control policies (as appropriate for your targeted environment).
+
+### Which apps do you need to control in your organization?
+
+You might need to control a limited number of apps because they access sensitive data, or you might have to exclude all applications except those that are sanctioned for business purposes. There might be certain business groups that require strict control, and others that promote independent application usage.
+
+| Possible answers | Design considerations|
+| - | - |
+| Control all apps | WDAC policies control applications by creating an allowed list of applications. Exceptions are also possible. WDAC policies can only be applied to applications installed on computers running Windows 10 . |
+| Control specific apps | When you create WDAC rules, a list of allowed apps are created. All apps on that list will be allowed to run (except those on the exception list). Apps that are not on the list will be prevented from running. WDAC policies can only be applied to apps installed on computers running Windows 10 or Windows Server 2016. |
+|Control only Classic Windows applications, only Universal Windows apps, or both| WDAC policies control apps by creating an allowed list of apps based on code signing certificate and\or file hash information. Because Universal Windows apps are all signed by the Windows Store, Classic Windows applications and Universal Windows apps can be controlled together. WDAC policies for Universal Windows apps can be applied only to apps that are installed on PCs that support the Microsoft Store, but Classic Windows applications can be controlled with WDAC on Windows. The rules you currently have configured for Classic Windows applications can remain, and you can create new ones for Universal Windows apps.|
+| Control apps by business group | WDAC policies can be applied through a Group Policy Object (GPO) to computer objects within an organizational unit (OU). |
+| Control apps by computer, not user | WDAC is a computer-based policy implementation. If your domain or site organizational structure is not based on a logical user structure, such as an OU, you might want to set up that structure before you begin your WDAC planning. Otherwise, you will have to identify users, their computers, and their app access requirements.|
+|Understand app usage, but there is no need to control any apps yet | WDAC policies can be set to audit app usage to help you track which apps are used in your organization. You can then use teh CodeIntegrity log in Event Viewer to create WDAC policies.|
+
+### How do you currently control app usage in your organization?
+
+Most organizations have evolved app control policies and methods over time. With heightened security concerns and an emphasis on tighter IT control over desktop use, your organization might decide to consolidate app control practices or design a comprehensive application control scheme. WDAC includes improvements over AppLocker and SRP in the architecture and management of application control policies.
+
+| Possible answers | Design considerations |
+| - | - |
+| Security polices (locally set or through Mobile Device Management (MDM) or Group Policy) | Using WDAC requires increased effort in planning to create correct policies, but this results in a simpler distribution method.| 
+| Non-Microsoft app control software | Using WDAC requires a complete app control policy evaluation and implementation.| 
+| Managed usage by group or OU | Using WDAC requires a complete app control policy evaluation and implementation.| 
+| Authorization Manager or other role-based access technologies | Using WDAC requires a complete app control policy evaluation and implementation.| 
+| Other | Using WDAC requires a complete app control policy evaluation and implementation.| 
+ 
+### Are there specific groups in your organization that need customized application control policies?
+
+Most business groups or departments have specific security requirements that pertain to data access and the applications used to access that data. You should consider the scope of the project for each group and the group’s priorities before you deploy application control policies for the entire organization.
+
+| Possible answers | Design considerations |
+| - | - |
+| Yes | For each group, you need to create a list that includes their application control requirements. Although this may increase the planning time, it will most likely result in a more effective deployment.<br/>If your GPO structure is not currently configured so that you can apply different policies to specific groups, you can alternatively apply WDAC rules in a GPO to specific user groups.|
+| No | WDAC policies can be applied globally to applications that are installed on PCs running Windows 10. Depending on the number of apps you need to control, managing all the rules and exceptions might be challenging.|
+ 
+### Does your IT department have resources to analyze application usage, and to design and manage the policies?
+
+The time and resources that are available to you to perform the research and analysis can affect the detail of your plan and processes for continuing policy management and maintenance.
+
+| Possible answers | Design considerations |
+| - | - |
+| Yes | Invest the time to analyze your organization's application control requirements, and plan a complete deployment that uses rules that are as simply constructed as possible.|
+| No | Consider a focused and phased deployment for specific groups by using a small number of rules. As you apply controls to applications in a specific group, learn from that deployment to plan your next deployment. |
+ 
+### Does your organization have Help Desk support?
+
+Preventing your users from accessing known, deployed, or personal applications will initially cause an increase in end-user support. It will be necessary to address the various support issues in your organization so security policies are followed and business workflow is not hampered.
+
+| Possible answers | Design considerations |
+| - | - |
+| Yes | Involve the support department early in the planning phase because your users may inadvertently be blocked from using their applications, or they may seek exceptions to use specific applications. |
+| No | Invest time in developing online support processes and documentation before deployment. |
+
+ 
+### Do you know what applications require restrictive policies?
+Any successful application control policy implementation is based on your knowledge and understanding of app usage within the organization or business group. In addition, the application control design is dependent on the security requirements for data and the apps that access that data.
+
+| Possible answers | Design considerations |
+| - | - |
+| Yes | You should determine the application control priorities for a business group and then attempt to design the simplest scheme for their application control policies. |
+| No | You will have to perform an audit and requirements gathering project to discover the application usage. WDAC provides the means to deploy policies in audit mode.|
+ 
+### How do you deploy or sanction applications (upgraded or new) in your organization?
+
+Implementing a successful application control policy is based on your knowledge and understanding of application usage within the organization or business group. In addition, the application control design is dependent on the security requirements for data and the applications that access that data. Understanding the upgrade and deployment policy will help shape the construction of the application control policies.
+
+| Possible answers | Design considerations |
+| - | - |
+| Ad hoc | You need to gather requirements from each group. Some groups might want unrestricted access or installation, while other groups might want strict controls.| 
+|  Strict written policy or guidelines to follow | You need to develop WDAC rules that reflect those policies, and then test and maintain the rules. |
+| No process in place | You need to determine if you have the resources to develop an application control policy, and for which groups. |
+ 
+### What are your organization's priorities when implementing application control policies?
+
+Some organizations will benefit from application control policies as shown by an increase in productivity or conformance, while others will be hindered in performing their duties. Prioritize these aspects for each group to allow you to evaluate the effectiveness of WDAC.
+
+| Possible answers | Design considerations |
+| - | - |
+| Productivity: The organization assures that tools work and required applications can be installed. | To meet innovation and productivity goals, some groups require the ability to install and run a variety of software from different sources, including software that they developed. Therefore, if innovation and productivity is a high priority, managing application control policies through an allowed list might be time consuming and an impediment to progress. |
+| Management: The organization is aware of and controls the apps it supports. | In some business groups, application usage can be managed from a central point of control. WDAC policies can be built into a GPO for that purpose. This shifts the burden of app access to the IT department, but it also has the benefit of controlling the number of apps that can be run and controlling the versions of those apps|
+| Security: The organization must protect data in part by ensuring that only approved apps are used. | WDAC can help protect data by allowing a defined set of users access to apps that access the data. If security is the top priority, the application control policies will be the most restrictive.|
+ 
+### How are apps currently accessed in your organization?
+
+WDAC is very effective for organizations that have application restriction requirements if they have environments with a simple topography and application control policy goals that are straightforward. For example, WDAC can benefit an environment where non-employees have access to computers that are connected to the organizational network, such as a school or library. Large organizations also benefit from WDAC policy deployment when the goal is to achieve a detailed level of control on the desktop computers with a relatively small number of applications to manage, or when the applications are manageable with a small number of rules.
+
+| Possible answers | Design considerations |
+| - | - |
+| Users run without administrative rights. | Apps are installed by using an installation deployment technology.|
+| WDAC can help reduce the total cost of ownership for business groups that typically use a finite set of apps, such as human resources and finance departments. At the same time, these departments access highly sensitive information, much of which contains confidential and proprietary information. By using WDAC to create rules for specific apps that are allowed to run, you can help limit unauthorized applications from accessing this information.<br/>**Note: **WDAC can also be effective in helping create standardized desktops in organizations where users run as administrators. | Users must be able to install applications as needed. 
+| Users currently have administrator access, and it would be difficult to change this.|Enforcing WDAC rules is not suited for business groups that must be able to install apps as needed and without approval from the IT department. If one or more OUs in your organization has this requirement, you can choose not to enforce application rules in those OUs by using WDAC or to implement the audit only enforcement setting.|
+ 
+### Is the structure in Active Directory Domain Services based on the organization's hierarchy?
+
+Designing application control policies based on an organizational structure that is already built into Active Directory Domain Services (AD DS) is easier than converting the existing structure to an organizational structure. 
+Because the effectiveness of application control policies is dependent on the ability to update policies, consider what organizational work needs to be accomplished before deployment begins.
+
+| Possible answers | Design considerations |
+| - | - |
+| Yes | WDAC rules can be developed and implemented through Group Policy, based on your AD DS structure.|
+| No | The IT department must create a scheme to identify how application control policies can be applied to the correct user or computer.|
+ 
+## Record your findings
+
+The next step in the process is to record and analyze your answers to the preceding questions. If WDAC is the right solution for your goals, you can set your application control policy objectives and plan your WDAC rules. 
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md b/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md
new file mode 100644
index 0000000000..94fa8ec867
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-application-control/use-code-signing-to-simplify-application-control-for-classic-windows-applications.md
@@ -0,0 +1,62 @@
+---
+title: Use code signing to simplify application control for classic Windows applications (Windows 10)
+description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core.
+ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: high
+author: jsuther1974
+ms.date: 02/27/2018
+---
+
+# Use code signing to simplify application control for classic Windows applications
+
+**Applies to:**
+
+-   Windows 10
+-   Windows Server 2016
+
+This topic covers guidelines for using code signing control classic Windows apps.
+
+## Reviewing your applications: application signing and catalog files 
+
+Typically, WDAC policies are configured to use the application's signing certificate as part or all of what identifies the application as trusted. This means that applications must either use embedded signing—where the signature is part of the binary—or catalog signing, where you generate a “catalog file” from the applications, sign it, and through the signed catalog file, configure the WDAC policy to recognize the applications as signed.
+
+Catalog files can be very useful for unsigned LOB applications that cannot easily be given an embedded signature. However, catalogs need to be updated each time an application is updated. In contrast, with embedded signing, your WDAC policies typically do not have to be updated when an application is updated. For this reason, if code-signing is or can be included in your in-house application development process, it can simplify the management of WDAC (compared to using catalog signing).
+
+To obtain signed applications or embed signatures in your in-house applications, you can choose from a variety of methods:
+
+- Using the Microsoft Store publishing process. All apps that come out of the Microsoft Store are automatically signed with special signatures that can roll-up to our certificate authority (CA) or to your own.
+
+- Using your own digital certificate or public key infrastructure (PKI). ISV's and enterprises can sign their own Classic Windows applications themselves, adding themselves to the trusted list of signers.
+
+- Using a non-Microsoft signing authority. ISV's and enterprises can use a trusted non-Microsoft signing authority to sign all of their own Classic Windows applications.
+
+To use catalog signing, you can choose from the following options:
+
+- Use the Windows Defender Device Guard signing portal available in the Microsoft Store for Business and Education. The portal is a Microsoft web service that you can use to sign your Classic Windows applications. For more information, see [Device Guard signing](https://technet.microsoft.com/itpro/windows/manage/device-guard-signing-portal).
+
+- Create your own catalog files, which are described in the next section. 
+
+### Catalog files
+
+Catalog files (which you can create in Windows 10 with a tool called Package Inspector) contain information about all deployed and executed binary files associated with your trusted but unsigned applications. When you create catalog files, you can also include signed applications for which you do not want to trust the signer but rather the specific application. After creating a catalog, you must sign the catalog file itself by using enterprise public key infrastructure (PKI), or a purchased code signing certificate. Then you can distribute the catalog, so that your trusted applications can be handled by WDAC in the same way as any other signed application.
+
+Catalog files are simply Secure Hash Algorithm 2 (SHA2) hash lists of discovered binaries. These binaries’ hash values are updated each time an application is updated, which requires the catalog file to be updated also.
+
+After you have created and signed your catalog files, you can configure your WDAC policies to trust the signer or signing certificate of those files.
+
+> [!NOTE]
+> Package Inspector only works on operating systems that support Windows Defender Device Guard, such as Windows 10 Enterprise, Windows 10 Education, Windows 2016 Server, or Windows Enterprise IoT.
+
+For procedures for working with catalog files, see [Deploy catalog files to support Windows Defender Application Control](deploy-catalog-files-to-support-windows-defender-application-control.md).
+
+## Windows Defender Application Control policy formats and signing
+
+When you generate a WDAC policy, you are generating a binary-encoded XML document that includes configuration settings for both the User and Kernel-modes of Windows 10 Enterprise, along with restrictions on Windows 10 script hosts. You can view your original XML document in a text editor, for example if you want to check the rule options that are present in the **&lt;Rules&gt;** section of the file.
+
+We recommend that you keep the original XML file for use when you need to merge the WDAC policy with another policy or update its rule options. For deployment purposes, the file is converted to a binary format, which can be done using a simple Windows PowerShell command.
+
+When the WDAC policy is deployed, it restricts the software that can run on a device. The XML document can be signed, helping to add additional protection against administrative users changing or removing the policy. 
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md b/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md
new file mode 100644
index 0000000000..fd0fd8af09
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-application-control/use-device-guard-signing-portal-in-microsoft-store-for-business.md
@@ -0,0 +1,18 @@
+---
+title: Use the Device Guard Signing Portal in the Microsoft Store for Business  (Windows 10)
+description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core.
+ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: jsuther1974
+ms.date: 02/28/2018
+---
+
+# Optional: Use the Device Guard Signing Portal in the Microsoft Store for Business
+
+**Applies to:**
+
+-   Windows 10
+-   Windows Server 2016
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
new file mode 100644
index 0000000000..34188e138e
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-application-control/use-signed-policies-to-protect-windows-defender-application-control-against-tampering.md
@@ -0,0 +1,86 @@
+---
+title: Use signed policies to protect Windows Defender Application Control against tampering  (Windows 10)
+description: Signed WDAC policies give organizations the highest level of malware protection available in Windows 10. 
+ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: high
+author: jsuther1974
+ms.date: 02/27/2018
+---
+
+# Use signed policies to protect Windows Defender Application Control against tampering
+
+**Applies to:**
+
+-   Windows 10
+-   Windows Server 2016
+
+
+Signed WDAC policies give organizations the highest level of malware protection available in Windows 10. 
+In addition to their enforced policy rules, signed policies cannot be modified or deleted by a user or administrator on the computer. 
+These policies are designed to prevent administrative tampering and kernel mode exploit access. 
+With this in mind, it is much more difficult to remove signed WDAC policies. 
+Before you sign and deploy a signed WDAC policy, we recommend that you [audit the policy](audit-windows-defender-application-control-policies.md) to discover any blocked applications that should be allowed to run. 
+
+Signing WDAC policies by using an on-premises CA-generated certificate or a purchased code signing certificate is straightforward. 
+If you do not currently have a code signing certificate exported in .pfx format (containing private keys, extensions, and root certificates), see [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md) to create one with your on-premises CA. 
+
+Before signing WDAC policies for the first time, be sure to enable rule options 9 (“Advanced Boot Options Menu”) and 10 (“Boot Audit on Failure”) to leave troubleshooting options available to administrators. To ensure that a rule option is enabled, you can run a command such as `Set-RuleOption -FilePath <PathAndFilename> -Option 9` even if you're not sure whether the option is already enabled—if so, the command has no effect. When validated and ready for enterprise deployment, you can remove these options. For more information about rule options, see [Windows Defender Application Control policy rules](select-types-of-rules-to-create.md).
+
+To sign a WDAC policy with SignTool.exe, you need the following components:
+
+-   SignTool.exe, found in the Windows SDK (Windows 7 or later)
+
+-   The binary format of the WDAC policy that you generated in [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md) or another WDAC policy that you have created
+
+-   An internal CA code signing certificate or a purchased code signing certificate
+
+If you do not have a code signing certificate, see [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md) for instructions on how to create one. If you use an alternate certificate or WDAC policy, be sure to update the following steps with the appropriate variables and certificate so that the commands will function properly. To sign the existing WDAC policy, copy each of the following commands into an elevated Windows PowerShell session:
+
+1.  Initialize the variables that will be used:
+
+    ` $CIPolicyPath=$env:userprofile+"\Desktop\"`
+    
+    ` $InitialCIPolicy=$CIPolicyPath+"InitialScan.xml"`
+    
+    ` $CIPolicyBin=$CIPolicyPath+"DeviceGuardPolicy.bin"`
+
+   > [!Note] 
+   > This example uses the WDAC policy that you created in the [Create a Windows Defender Application Control policy from a reference computer](create-initial-default-policy.md) section. If you are signing another policy, be sure to update the **$CIPolicyPath** and **$CIPolicyBin** variables with the correct information.
+
+2.  Import the .pfx code signing certificate. Import the code signing certificate that you will use to sign the WDAC policy into the signing user’s personal store on the computer that will be doing the signing. In this example, you use the certificate that was created in [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md).
+
+3.  Export the .cer code signing certificate. After the code signing certificate has been imported, export the .cer version to your desktop. This version will be added to the policy so that it can be updated later.
+
+4.  Navigate to your desktop as the working directory:
+
+    ` cd $env:USERPROFILE\Desktop `
+
+5.  Use [Add-SignerRule](https://docs.microsoft.com/powershell/module/configci/add-signerrule) to add an update signer certificate to the WDAC policy:
+
+    ` Add-SignerRule -FilePath $InitialCIPolicy -CertificatePath <Path to exported .cer certificate> -Kernel -User –Update`
+
+   > [!Note] 
+   > *&lt;Path to exported .cer certificate&gt;* should be  the full path to the certificate that you exported in   step 3.
+    Also, adding update signers is crucial to being able to modify or disable this policy in the future. For more information about how to disable signed WDAC policies, see [Disable signed Windows Defender Application Control policies within Windows](disable-windows-defender-application-control-policies.md#disable-signed-windows-defender-application-control-policies-within-windows).
+
+6.  Use [Set-RuleOption](https://docs.microsoft.com/powershell/module/configci/set-ruleoption) to remove the unsigned policy rule option:
+
+    ` Set-RuleOption -FilePath $InitialCIPolicy -Option 6 -Delete`
+
+7.  Use [ConvertFrom-CIPolicy](https://docs.microsoft.com/powershell/module/configci/convertfrom-cipolicy) to convert the policy to binary format:
+
+    ` ConvertFrom-CIPolicy $InitialCIPolicy $CIPolicyBin`
+
+8.  Sign the WDAC policy by using SignTool.exe:
+
+    ` <Path to signtool.exe> sign -v /n "ContosoDGSigningCert" -p7 . -p7co 1.3.6.1.4.1.311.79.1 -fd sha256 $CIPolicyBin`
+
+   > [!Note] 
+   > The *&lt;Path to signtool.exe&gt;* variable should be the full path to the SignTool.exe utility. **ContosoDGSigningCert** is the subject name of the certificate that will be used to sign the WDAC policy. You should import this certificate to your personal certificate store on the computer you use to sign the policy.
+
+9.  Validate the signed file. When complete, the commands should output a signed policy file called DeviceGuardPolicy.bin.p7 to your desktop. You can deploy this file the same way you deploy an enforced or non-enforced policy. For information about how to deploy WDAC policies, see [Deploy and manage Windows Defender Application Control with Group Policy](deploy-windows-defender-application-control-policies-using-group-policy.md).
+
diff --git a/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md
new file mode 100644
index 0000000000..7ca42368db
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md
@@ -0,0 +1,44 @@
+---
+title: Use a Windows Defender Application Control policy to control specific plug-ins, add-ins, and modules  (Windows 10)
+description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core.
+ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.localizationpriority: high
+author: jsuther1974
+ms.date: 02/27/2018
+---
+
+# Use a Windows Defender Application Control policy to control specific plug-ins, add-ins, and modules 
+
+**Applies to:**
+
+-   Windows 10
+-   Windows Server 2016
+
+As of Windows 10, version 1703, you can use WDAC policies not only to control applications, but also to control whether specific plug-ins, add-ins, and modules can run from specific apps (such as a line-of-business application or a browser):
+
+| Approach (as of Windows 10, version 1703) | Guideline |
+|---|---|
+| You can work from a list of plug-ins, add-ins, or modules that you want only a specific application to be able to run. Other applications would be blocked from running them. | Use `New-CIPolicyRule` with the `-AppID` option. |
+| In addition, you can work  from a list of plug-ins, add-ins, or modules that you want to block in a specific application. Other applications would be allowed to run them. | Use `New-CIPolicyRule` with the `-AppID` and `-Deny` options. |
+
+To work with these options, the typical method is to create a policy that only affects plug-ins, add-ins, and modules, then merge it into your ‘master’ policy (merging is described in the next section).
+
+For example, to create a WDAC policy that allows **addin1.dll** and **addin2.dll** to run in **ERP1.exe**, your organization’s enterprise resource planning (ERP) application, but blocks those add-ins in other applications, run the following commands. Note that in the second command, **+=** is used to add a second rule to the **$rule** variable:
+
+```
+$rule = New-CIPolicyRule -DriverFilePath '.\temp\addin1.dll' -Level FileName -AppID '.\ERP1.exe'
+$rule += New-CIPolicyRule -DriverFilePath '.\temp\addin2.dll' -Level FileName -AppID '.\ERP1.exe'
+New-CIPolicy -Rules $rule -FilePath ".\AllowERPAddins.xml" -UserPEs
+```
+
+As another example, to create a WDAC policy that blocks **addin3.dll** from running in Microsoft Word, run the following command. You must include the `-Deny` option to block the specified add-ins in the specifed application:
+
+```
+$rule = New-CIPolicyRule -DriverFilePath '.\temp\addin3.dll' -Level FileName -Deny -AppID '.\winword.exe'
+New-CIPolicy -Rules $rule -FilePath ".\BlockAddins.xml" -UserPEs
+```
+
diff --git a/windows/security/threat-protection/device-guard/deploy-managed-installer-for-device-guard.md b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md
similarity index 92%
rename from windows/security/threat-protection/device-guard/deploy-managed-installer-for-device-guard.md
rename to windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md
index 1fe2c03c15..efb071bcb1 100644
--- a/windows/security/threat-protection/device-guard/deploy-managed-installer-for-device-guard.md
+++ b/windows/security/threat-protection/windows-defender-application-control/use-windows-defender-application-control-with-managed-installer.md
@@ -6,11 +6,17 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.localizationpriority: high
 author: mdsakibMSFT
-ms.date: 10/20/2017
+ms.date: 03/01/2018
 ---
 
 # Deploy Managed Installer for Windows Defender Application Control
 
+**Applies to:**
+
+-   Windows 10
+-   Windows Server 2016
+
+
 Creating and maintaining application execution control policies has always been challenging, and finding ways to address this issue has been a frequently-cited request for customers of AppLocker and Windows Defender Application Control (WDAC). 
 This is especially true for enterprises with large, ever changing software catalogs. 
 
@@ -23,13 +29,10 @@ A managed installer uses a new rule collection in AppLocker to specify one or mo
 Specifying an executable as a managed installer will cause Windows to tag files that are written from the executable’s process (or processes it launches) as having originated from a trusted installation authority.  
 
 Once the IT administrator adds the Allow: Managed Installer option to a WDAC policy, the WDAC component will subsequently check for the presence of the origin information when evaluating other application execution control rules specified in the policy. 
-If there are no deny rules present for the file, it will be authorized based on the managed installer origin information.
+If there are no deny rules present for the file, it will be authorized based on the managed installer origin information.+
 
-> [!NOTE] 
-> Admins needs to ensure that there is a WDAC policy in place to allow the system to boot and run any other authorized applications that may not be deployed through a managed installer. 
->
-> Examples of WDAC policies available in C:\Windows\schemas\CodeIntegrity\ExamplePolicies help authorize Windows OS components, WHQL signed drivers and all Store apps. 
-> Admins can reference and customize them as needed for their Windows Defender Application Control deployment or create a custom WDAC policy as described in [Deploy Windows Defender Application Control: steps](steps-to-deploy-windows-defender-application-control.md#create-a-windows-defender-application-control-policy-from-a-reference-computer).
+Admins needs to ensure that there is a WDAC policy in place to allow the system to boot and run any other authorized applications that may not be deployed through a managed installer. 
+Examples of WDAC policies available in C:\Windows\schemas\CodeIntegrity\ExamplePolicies help authorize Windows OS components, WHQL signed drivers and all Store apps. 
 
 ## Configuring a managed installer with AppLocker and Windows Defender Application Control
 
@@ -110,7 +113,7 @@ For example:
 ### Enable the managed installer option in WDAC policy
 
 In order to enable trust for the binaries laid down by managed installers, the Allow: Managed Installer option must be specified in your WDAC policy.
-This can be done by using the [Set-RuleOption cmdlet](https://docs.microsoft.com/powershell/module/configci/set-ruleoption?view=win10-ps). 
+This can be done by using the [Set-RuleOption cmdlet](https://docs.microsoft.com/powershell/module/configci/set-ruleoption). 
 An example of the managed installer option being set in policy is shown below.
 
 ```code
diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md
new file mode 100644
index 0000000000..a4d05d50a0
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-deployment-guide.md
@@ -0,0 +1,64 @@
+---
+title: Planning and getting started on the Windows Defender Application Control deployment process (Windows 10)
+description: To help you plan and begin the initial test stages of a deployment of Microsoft Windows Defender Application Control, this article outlines how to gather information, create a plan, and begin to create and test initial code integrity policies. 
+keywords: virtualization, security, malware
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: high
+author: jsuther1974
+ms.date: 02/27/2018
+---
+
+# Planning and getting started on the Windows Defender Application Control deployment process
+
+**Applies to**
+-   Windows 10
+-   Windows Server 2016
+
+This topic provides a roadmap for planning and getting started on the Windows Defender Application Control (WDAC) deployment process, with links to topics that provide additional detail. Planning for WDAC deployment involves looking at both the end-user and the IT pro impact of your choices. 
+
+## Planning
+
+1. Review requirements, especially hardware requirements for VBS. 
+
+2. Group devices by degree of control needed. Do most devices fit neatly into a few categories, or are they scattered across all categories? Are users allowed to install any application or must they choose from a list? Are users allowed to use their own peripheral devices?<br>Deployment is simpler if everything is locked down in the same way, but meeting individual departments’ needs, and working with a wide variety of devices, may require a more complicated and flexible deployment.
+
+3. Review how much variety in software and hardware is needed by roles or departments. The following questions can help you clarify how many WDAC policies to create:
+
+    - How standardized is the hardware?<br>This can be relevant because of drivers. You could create a WDAC policy on hardware that uses a particular set of drivers, and if other drivers in your environment use the same signature, they would also be allowed to run. However, you might need to create several WDAC policies on different "reference" hardware, then merge the policies together, to ensure that the resulting policy recognizes all the drivers in your environment.
+
+    - What software does each department or role need? Should they be able to install and run other departments’ software?<br>If multiple departments are allowed to run the same list of software, you might be able to merge several WDAC policies to simplify management.
+         
+    - Are there departments or roles where unique, restricted software is used?<br>If one department needs to run an application that no other department is allowed, it might require a separate WDAC policy. Similarly, if only one department must run an old version of an application (while other departments allow only the newer version), it might require a separate WDAC policy.
+
+    - Is there already a list of accepted applications?<br>A list of accepted applications can be used to help create a baseline WDAC policy.<br>As of Windows 10, version 1703, it might also be useful to have a list of plug-ins, add-ins, or modules that you want to allow only in a specific app (such as a line-of-business app). Similarly, it might be useful to have a list of plug-ins, add-ins, or modules that you want to block in a specific app (such as a browser).
+
+    - As part of a threat review process, have you reviewed systems for software that can load arbitrary DLLs or run code or scripts? 
+    In day-to-day operations, your organization’s security policy may allow certain applications, code, or scripts to run on your systems depending on their role and the context. However, if your security policy requires that you run only trusted applications, code, and scripts on your systems, you may decide to lock these systems down securely with Windows Defender Application Control policies. 
+    
+    Legitimate applications from trusted vendors provide valid functionality. However, an attacker could also potentially use that same functionality to run malicious executable code that could bypass WDAC.
+
+    For operational scenarios that require elevated security, certain applications with known Code Integrity bypasses may represent a security risk if you whitelist them in your WDAC policies. Other applications where older versions of the application had vulnerabilities also represent a risk. Therefore, you may want to deny or block such applications from your WDAC policies. For applications with vulnerabilities, once the vulnerabilities are fixed you can create a rule that only allows the fixed or newer versions of that application. The decision to allow or block applications depends on the context and on how the reference system is being used.
+
+    Security professionals collaborate with Microsoft continuously to help protect customers. With the help of their valuable reports, Microsoft has identified a list of known applications that an attacker could potentially use to bypass Windows Defender Application Control. Depending on the context, you may want to block these applications. To view this list of applications and for use case examples, such as disabling msbuild.exe, see [Microsoft recommended block rules](microsoft-recommended-block-rules.md).
+
+4.  Identify LOB applications that are currently unsigned. Although requiring signed code (through WDAC) protects against many threats, your organization might use unsigned LOB applications, for which the process of signing might be difficult. You might also have applications that are signed, but you want to add a secondary signature to them. If so, identify these applications, because you will need to create a catalog file for them.
+
+## Getting started on the deployment process
+
+1.  Optionally, create a signing certificate for Windows Defender Application Control. As you deploy WDAC, you might need to sign catalog files or WDAC policies internally. To do this, you will either need a publicly issued code signing certificate (that you purchase) or an internal CA. If you choose to use an internal CA, you will need to [create a code signing certificate](create-code-signing-cert-for-windows-defender-application-control.md).
+
+2.  Create WDAC policies from reference computers. In this respect, creating and managing WDAC policies to align with the needs of roles or departments can be similar to managing corporate images. From each reference computer, you can create a WDAC policy, and decide how to manage that policy. You can [merge](merge-windows-defender-application-control-policies.md) WDAC policies to create a broader policy or a master policy, or you can manage and deploy each policy individually. 
+
+3.  Audit the WDAC policy and capture information about applications that are outside the policy. We recommend that you use [audit mode](audit-windows-defender-application-control-policies.md) to carefully test each WDAC policy before you enforce it. With audit mode, no application is blocked—the policy just logs an event whenever an application outside the policy is started. Later, you can expand the policy to allow these applications, as needed.
+
+4.  Create a [catalog file](deploy-catalog-files-to-support-windows-defender-application-control.md) for unsigned LOB applications. Use the Package Inspector tool to create and sign a catalog file for your unsigned LOB applications. In later steps, you can merge the catalog file's signature into your WDAC policy, so that applications in the catalog will be allowed by the policy. 
+
+6.  Capture needed policy information from the event log, and merge information into the existing policy as needed. After a WDAC policy has been running for a time in audit mode, the event log will contain information about applications that are outside the policy. To expand the policy so that it allows for these applications, use Windows PowerShell commands to capture the needed policy information from the event log, and then merge that information into the existing policy. You can merge WDAC policies from other sources also, for flexibility in how you create your final WDAC policies.
+
+7.  Deploy WDAC policies and catalog files. After you confirm that you have completed all the preceding steps, you can begin deploying catalog files and taking WDAC policies out of auditing mode. We strongly recommend that you begin this process with a test group of users. This provides a final quality-control validation before you deploy the catalog files and WDAC policies more broadly. 
+
+8.  Enable desired virtualization-based security (VBS) features. Hardware-based security features—also called virtualization-based security (VBS) features—strengthen the protections offered by Windows Defender Application Control. 
+
+    > [!WARNING]
+    >  Virtualization-based protection of code integrity may be incompatible with some devices and applications. We strongly recommend testing this configuration in your lab before enabling virtualization-based protection of code integrity on production systems. Failure to do so may result in unexpected failures up to and including data loss or a blue screen error (also called a stop error).
diff --git a/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md
new file mode 100644
index 0000000000..06f9907511
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control-design-guide.md
@@ -0,0 +1,31 @@
+---
+title: Windows Defender Application Control design guide (Windows 10)
+description: Microsoft Windows Defender Device Guard is a feature set that consists of both hardware and software system integrity hardening features that revolutionize the Windows operating system’s security.
+keywords: virtualization, security, malware
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: high
+author: brianlic-msft
+ms.date: 02/20/2018
+---
+
+# Windows Defender Application Control design guide
+
+**Applies to**
+ -   Windows 10 
+ -   Windows Server
+
+This guide covers design and planning for Windows Defender Application Control (WDAC). It is intended to help security architects, security administrators, and system administrators create a plan that addresses specific application control requirements for different departments or business groups within an organization.
+
+
+## In this section
+
+| Topic | Description |
+| - | - |
+| [Understand WDAC policy design decisions](understand-windows-defender-application-control-policy-design-decisions.md) | This topic lists the design questions, possible answers, and ramifications of the decisions when you plan a deployment of application control policies. |
+| [Select the types of rules to create](select-types-of-rules-to-create.md) | This topic lists resources you can use when selecting your application control policy rules by using WDAC. |
+| [Plan for WDAC policy management](plan-windows-defender-application-control-management.md) | This topic describes the decisions you need to make to establish the processes for managing and maintaining WDAC policies. |
+| [Create your WDAC planning document](create-your-windows-defender-application-control-planning-document.md) | This planning topic summarizes the information you need to research and include in your planning document. | 
+ 
+After planning is complete, the next step is to deploy WDAC. The [Windows Defender Application Control Deployment Guide](windows-defender-application-control-deployment-guide.md) covers the creation and testing of policies, deploying the enforcement setting, and managing and maintaining the policies.
+ 
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
similarity index 95%
rename from windows/security/threat-protection/windows-defender-application-control.md
rename to windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
index 74adeafb06..298f03c997 100644
--- a/windows/security/threat-protection/windows-defender-application-control.md
+++ b/windows/security/threat-protection/windows-defender-application-control/windows-defender-application-control.md
@@ -6,8 +6,9 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
+ms.localizationpriority: high
 author: jsuther1974
-ms.date: 01/24/2018
+ms.date: 02/27/2018
 ---
 
 # Windows Defender Application Control 
@@ -36,7 +37,7 @@ WDAC policies also block unsigned scripts and MSIs, and Windows PowerShell runs
 ## WDAC System Requirements
 
 WDAC policies can only be created on computers running Windows 10 Enterprise or Windows Server 2016. 
-They can be applied to computers running any edition of Windows 10 and managed via Mobile Device Management (MDM), such as Microsoft Intune. 
+They can be applied to computers running any edition of Windows 10 or Windows Server 2016 and managed via Mobile Device Management (MDM), such as Microsoft Intune. 
 Group Policy can also be used to distribute Group Policy Objects that contain WDAC policies on computers running Windows 10 Enterprise or Windows Server 2016. 
 
 ## New and changed functionality
diff --git a/windows/security/threat-protection/windows-defender-atp/TOC.md b/windows/security/threat-protection/windows-defender-atp/TOC.md
new file mode 100644
index 0000000000..c46a4ebe2d
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/TOC.md
@@ -0,0 +1,200 @@
+# [Windows Defender Advanced Threat Protection](windows-defender-advanced-threat-protection.md)
+##Get started
+### [Minimum requirements](minimum-requirements-windows-defender-advanced-threat-protection.md)
+### [Validate licensing and complete setup](licensing-windows-defender-advanced-threat-protection.md)
+### [Troubleshoot subscription and portal access issues](troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md)
+### [Preview features](preview-windows-defender-advanced-threat-protection.md)
+### [Data storage and privacy](data-storage-privacy-windows-defender-advanced-threat-protection.md)
+### [Assign user access to the portal](assign-portal-access-windows-defender-advanced-threat-protection.md)
+## [Onboard machines](onboard-configure-windows-defender-advanced-threat-protection.md)
+### [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md)
+#### [Onboard machines using Group Policy](configure-endpoints-gp-windows-defender-advanced-threat-protection.md)
+#### [Onboard machines using System Center Configuration Manager](configure-endpoints-sccm-windows-defender-advanced-threat-protection.md)
+#### [Onboard machines using Mobile Device Management tools](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md)
+##### [Onboard machines using Microsoft Intune](configure-endpoints-mdm-windows-defender-advanced-threat-protection.md#onboard-windows-10-machines-using-microsoft-intune)
+#### [Onboard machines using a local script](configure-endpoints-script-windows-defender-advanced-threat-protection.md)
+#### [Onboard non-persistent virtual desktop infrastructure (VDI) machines](configure-endpoints-vdi-windows-defender-advanced-threat-protection.md)
+### [Onboard servers](configure-server-endpoints-windows-defender-advanced-threat-protection.md)
+### [Onboard non-Windows machines](configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md)
+### [Run a detection test on a newly onboarded machine](run-detection-test-windows-defender-advanced-threat-protection.md)
+### [Run simulated attacks on machines](attack-simulations-windows-defender-advanced-threat-protection.md)
+### [Configure proxy and Internet connectivity settings](configure-proxy-internet-windows-defender-advanced-threat-protection.md)
+### [Troubleshoot onboarding issues](troubleshoot-onboarding-windows-defender-advanced-threat-protection.md)
+## [Understand the Windows Defender ATP portal](use-windows-defender-advanced-threat-protection.md)
+### [Portal overview](portal-overview-windows-defender-advanced-threat-protection.md)
+### [View the Security operations dashboard](security-operations-dashboard-windows-defender-advanced-threat-protection.md)
+### [View the Secure Score dashboard and improve your secure score](secure-score-dashboard-windows-defender-advanced-threat-protection.md)
+### [View the Threat analytics dashboard and take recommended mitigation actions](threat-analytics-dashboard-windows-defender-advanced-threat-protection.md)
+
+##Investigate and remediate threats
+###Alerts queue
+#### [View and organize the Alerts queue](alerts-queue-windows-defender-advanced-threat-protection.md)
+#### [Manage alerts](manage-alerts-windows-defender-advanced-threat-protection.md)
+#### [Investigate alerts](investigate-alerts-windows-defender-advanced-threat-protection.md)
+#### [Investigate files](investigate-files-windows-defender-advanced-threat-protection.md)
+#### [Investigate machines](investigate-machines-windows-defender-advanced-threat-protection.md)
+#### [Investigate an IP address](investigate-ip-windows-defender-advanced-threat-protection.md)
+#### [Investigate a domain](investigate-domain-windows-defender-advanced-threat-protection.md)
+#### [Investigate a user account](investigate-user-windows-defender-advanced-threat-protection.md)
+
+
+
+
+###Machines list
+#### [View and organize the Machines list](machines-view-overview-windows-defender-advanced-threat-protection.md)
+#### [Manage machine group and tags](investigate-machines-windows-defender-advanced-threat-protection.md#manage-machine-group-and-tags)
+#### [Alerts related to this machine](investigate-machines-windows-defender-advanced-threat-protection.md#alerts-related-to-this-machine)
+#### [Machine timeline](investigate-machines-windows-defender-advanced-threat-protection.md#machine-timeline)
+##### [Search for specific events](investigate-machines-windows-defender-advanced-threat-protection.md#search-for-specific-events)
+##### [Filter events from a specific date](investigate-machines-windows-defender-advanced-threat-protection.md#filter-events-from-a-specific-date)
+##### [Export machine timeline events](investigate-machines-windows-defender-advanced-threat-protection.md#export-machine-timeline-events)
+##### [Navigate between pages](investigate-machines-windows-defender-advanced-threat-protection.md#navigate-between-pages)
+
+
+### [Take response actions](response-actions-windows-defender-advanced-threat-protection.md)
+#### [Take response actions on a machine](respond-machine-alerts-windows-defender-advanced-threat-protection.md)
+##### [Collect investigation package](respond-machine-alerts-windows-defender-advanced-threat-protection.md#collect-investigation-package-from-machines)
+##### [Run antivirus scan](respond-machine-alerts-windows-defender-advanced-threat-protection.md#run-windows-defender-antivirus-scan-on-machines)
+##### [Restrict app execution](respond-machine-alerts-windows-defender-advanced-threat-protection.md#restrict-app-execution)
+##### [Remove app restriction](respond-machine-alerts-windows-defender-advanced-threat-protection.md#remove-app-restriction)
+##### [Isolate machines from the network](respond-machine-alerts-windows-defender-advanced-threat-protection.md#isolate-machines-from-the-network)
+##### [Release machine from isolation](respond-machine-alerts-windows-defender-advanced-threat-protection.md#release-machine-from-isolation)
+##### [Check activity details in Action center](respond-machine-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center)
+#### [Take response actions on a file](respond-file-alerts-windows-defender-advanced-threat-protection.md)
+##### [Stop and quarantine files in your network](respond-file-alerts-windows-defender-advanced-threat-protection.md#stop-and-quarantine-files-in-your-network)
+##### [Remove file from quarantine](respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-quarantine)
+##### [Block files in your network](respond-file-alerts-windows-defender-advanced-threat-protection.md#block-files-in-your-network)
+##### [Remove file from blocked list](respond-file-alerts-windows-defender-advanced-threat-protection.md#remove-file-from-blocked-list)
+##### [Check activity details in Action center](respond-file-alerts-windows-defender-advanced-threat-protection.md#check-activity-details-in-action-center)
+##### [Deep analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#deep-analysis)
+###### [Submit files for analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#submit-files-for-analysis)
+###### [View deep analysis reports](respond-file-alerts-windows-defender-advanced-threat-protection.md#view-deep-analysis-reports)
+###### [Troubleshoot deep analysis](respond-file-alerts-windows-defender-advanced-threat-protection.md#troubleshoot-deep-analysis)
+
+### [Use Automated investigation to investigate and remediate threats](automated-investigations-windows-defender-advanced-threat-protection.md)
+### [Query data using Advanced hunting](advanced-hunting-windows-defender-advanced-threat-protection.md)
+#### [Advanced hunting reference](advanced-hunting-reference-windows-defender-advanced-threat-protection.md)
+#### [Advanced hunting query language best practices](advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md)
+
+##API and SIEM support
+### [Pull alerts to your SIEM tools](configure-siem-windows-defender-advanced-threat-protection.md)
+#### [Enable SIEM integration](enable-siem-integration-windows-defender-advanced-threat-protection.md)
+#### [Configure Splunk to pull alerts](configure-splunk-windows-defender-advanced-threat-protection.md)
+#### [Configure HP ArcSight to pull alerts](configure-arcsight-windows-defender-advanced-threat-protection.md)
+#### [Windows Defender ATP alert API fields](api-portal-mapping-windows-defender-advanced-threat-protection.md)
+#### [Pull alerts using REST API](pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md)
+#### [Troubleshoot SIEM tool integration issues](troubleshoot-siem-windows-defender-advanced-threat-protection.md)
+
+### [Use the threat intelligence API to create custom alerts](use-custom-ti-windows-defender-advanced-threat-protection.md)
+#### [Understand threat intelligence concepts](threat-indicator-concepts-windows-defender-advanced-threat-protection.md)
+#### [Enable the custom threat intelligence application](enable-custom-ti-windows-defender-advanced-threat-protection.md)
+#### [Create custom threat intelligence alerts](custom-ti-api-windows-defender-advanced-threat-protection.md)
+#### [PowerShell code examples](powershell-example-code-windows-defender-advanced-threat-protection.md)
+#### [Python code examples](python-example-code-windows-defender-advanced-threat-protection.md)
+#### [Experiment with custom threat intelligence alerts](experiment-custom-ti-windows-defender-advanced-threat-protection.md)
+#### [Troubleshoot custom threat intelligence issues](troubleshoot-custom-ti-windows-defender-advanced-threat-protection.md)
+### [Use the Windows Defender ATP exposed APIs](exposed-apis-windows-defender-advanced-threat-protection.md)
+#### [Supported Windows Defender ATP APIs](supported-apis-windows-defender-advanced-threat-protection.md)
+#####Actor
+###### [Get actor information](get-actor-information-windows-defender-advanced-threat-protection.md)
+###### [Get actor related alerts](get-actor-related-alerts-windows-defender-advanced-threat-protection.md)
+#####Alerts
+###### [Get alerts](get-alerts-windows-defender-advanced-threat-protection.md)
+###### [Get alert information by ID](get-alert-info-by-id-windows-defender-advanced-threat-protection.md)
+###### [Get alert related actor information](get-alert-related-actor-info-windows-defender-advanced-threat-protection.md)
+###### [Get alert related domain information](get-alert-related-domain-info-windows-defender-advanced-threat-protection.md)
+###### [Get alert related file information](get-alert-related-files-info-windows-defender-advanced-threat-protection.md)
+###### [Get alert related IP information](get-alert-related-ip-info-windows-defender-advanced-threat-protection.md)
+###### [Get alert related machine information](get-alert-related-machine-info-windows-defender-advanced-threat-protection.md)
+#####Domain
+######  [Get domain related alerts](get-domain-related-alerts-windows-defender-advanced-threat-protection.md)
+###### [Get domain related machines](get-domain-related-machines-windows-defender-advanced-threat-protection.md)
+###### [Get domain statistics](get-domain-statistics-windows-defender-advanced-threat-protection.md)
+###### [Is domain seen in organization](is-domain-seen-in-org-windows-defender-advanced-threat-protection.md)
+
+#####File
+###### [Block file API](block-file-windows-defender-advanced-threat-protection.md)
+###### [Get file information](get-file-information-windows-defender-advanced-threat-protection.md)
+###### [Get file related alerts](get-file-related-alerts-windows-defender-advanced-threat-protection.md)
+###### [Get file related machines](get-file-related-machines-windows-defender-advanced-threat-protection.md)
+###### [Get file statistics](get-file-statistics-windows-defender-advanced-threat-protection.md)
+###### [Get FileActions collection API](get-fileactions-collection-windows-defender-advanced-threat-protection.md)
+###### [Unblock file API](unblock-file-windows-defender-advanced-threat-protection.md)
+
+#####IP
+###### [Get IP related alerts](get-ip-related-alerts-windows-defender-advanced-threat-protection.md)
+###### [Get IP related machines](get-ip-related-machines-windows-defender-advanced-threat-protection.md)
+###### [Get IP statistics](get-ip-statistics-windows-defender-advanced-threat-protection.md)
+###### [Is IP seen in organization](is-ip-seen-org-windows-defender-advanced-threat-protection.md)
+#####Machines
+###### [Collect investigation package API](collect-investigation-package-windows-defender-advanced-threat-protection.md)
+###### [Find machine information by IP](find-machine-info-by-ip-windows-defender-advanced-threat-protection.md)
+###### [Get machines](get-machines-windows-defender-advanced-threat-protection.md)
+###### [Get FileMachineAction object API](get-filemachineaction-object-windows-defender-advanced-threat-protection.md)
+###### [Get FileMachineActions collection API](get-filemachineactions-collection-windows-defender-advanced-threat-protection.md)
+###### [Get machine by ID](get-machine-by-id-windows-defender-advanced-threat-protection.md)
+###### [Get machine log on users](get-machine-log-on-users-windows-defender-advanced-threat-protection.md)
+###### [Get machine related alerts](get-machine-related-alerts-windows-defender-advanced-threat-protection.md)
+###### [Get MachineAction object API](get-machineaction-object-windows-defender-advanced-threat-protection.md)
+###### [Get MachineActions collection API](get-machineactions-collection-windows-defender-advanced-threat-protection.md)
+###### [Get machines](get-machines-windows-defender-advanced-threat-protection.md)
+###### [Get package SAS URI API](get-package-sas-uri-windows-defender-advanced-threat-protection.md)
+###### [Isolate machine API](isolate-machine-windows-defender-advanced-threat-protection.md)
+###### [Release machine from isolation API](unisolate-machine-windows-defender-advanced-threat-protection.md)
+###### [Remove app restriction API](unrestrict-code-execution-windows-defender-advanced-threat-protection.md)
+###### [Request sample API](request-sample-windows-defender-advanced-threat-protection.md)
+###### [Restrict app execution API](restrict-code-execution-windows-defender-advanced-threat-protection.md)
+###### [Run antivirus scan API](run-av-scan-windows-defender-advanced-threat-protection.md)
+###### [Stop and quarantine file API](stop-quarantine-file-windows-defender-advanced-threat-protection.md)
+
+
+
+#####User
+###### [Get alert related user information](get-alert-related-user-info-windows-defender-advanced-threat-protection.md)
+###### [Get user information](get-user-information-windows-defender-advanced-threat-protection.md)
+###### [Get user related alerts](get-user-related-alerts-windows-defender-advanced-threat-protection.md)
+###### [Get user related machines](get-user-related-machines-windows-defender-advanced-threat-protection.md)
+
+##Reporting
+### [Create and build Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md)
+
+##Check service health and sensor state
+### [Check sensor state](check-sensor-status-windows-defender-advanced-threat-protection.md)
+### [Fix unhealthy sensors](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md)
+### [Inactive machines](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#inactive-machines)
+### [Misconfigured machines](fix-unhealhty-sensors-windows-defender-advanced-threat-protection.md#misconfigured-machines)
+### [Check service health](service-status-windows-defender-advanced-threat-protection.md)
+### [Configure Windows Defender ATP Settings](preferences-setup-windows-defender-advanced-threat-protection.md)
+
+###General
+#### [Update data retention settings](data-retention-settings-windows-defender-advanced-threat-protection.md)
+#### [Configure alert notifications](configure-email-notifications-windows-defender-advanced-threat-protection.md)
+#### [Enable and create Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md)
+#### [Enable Secure score security controls](enable-secure-score-windows-defender-advanced-threat-protection.md)
+#### [Configure advanced features](advanced-features-windows-defender-advanced-threat-protection.md)
+#### [Protect data with conditional access](conditional-access-windows-defender-advanced-threat-protection.md)
+
+###Permissions
+#### [Manage portal access using RBAC](rbac-windows-defender-advanced-threat-protection.md)
+#### [Create and manage machine groups](machine-groups-windows-defender-advanced-threat-protection.md)
+
+###APIs
+#### [Enable Threat intel](enable-custom-ti-windows-defender-advanced-threat-protection.md)
+#### [Enable SIEM integration](enable-siem-integration-windows-defender-advanced-threat-protection.md)
+
+###Rules
+#### [Manage suppression rules](manage-suppression-rules-windows-defender-advanced-threat-protection.md)
+#### [Manage automation allowed/blocked](manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md)
+#### [Manage automation file uploads](manage-automation-file-uploads-windows-defender-advanced-threat-protection.md)
+#### [Manage automation folder exclusions](manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md)
+
+###Machine management
+#### [Onboarding machines](onboard-configure-windows-defender-advanced-threat-protection.md)
+#### [Offboarding machines](offboard-machines-windows-defender-advanced-threat-protection.md)
+
+## [Configure Windows Defender ATP time zone settings](time-settings-windows-defender-advanced-threat-protection.md)
+
+## [Access the Windows Defender ATP Community Center](community-windows-defender-advanced-threat-protection.md)
+## [Troubleshoot Windows Defender ATP](troubleshoot-windows-defender-advanced-threat-protection.md)
+### [Review events and errors on machines with Event Viewer](event-error-codes-windows-defender-advanced-threat-protection.md)
+## [Windows Defender Antivirus compatibility with Windows Defender ATP](defender-compatibility-windows-defender-advanced-threat-protection.md)
diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md
index 8b0591b338..d74d21d178 100644
--- a/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/advanced-features-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 04/17/2018
+ms.date: 04/24/2018
 ---
 
 # Configure advanced features in Windows Defender ATP
diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md
index 49284ab1d1..f553f152fd 100644
--- a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-best-practices-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 04/17/2018
+ms.date: 04/24/2018
 ---
 
 # Advanced hunting query best practices Windows Defender ATP
diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md
index db6c9b6f35..77ffee9999 100644
--- a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-reference-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 04/17/2018
+ms.date: 04/24/2018
 ---
 
 # Advanced hunting reference in Windows Defender ATP
@@ -64,7 +64,7 @@ Use the following table to understand what the columns represent, its data type,
 | InitiatingProcessParentId           | int         | Process ID (PID) of the parent process that spawned the process responsible for the event.                                                                                                                                                                     |
 | InitiatingProcessParentName         | string      | Name of the parent process that spawned the process responsible for the event.                                                                                                                                                                                 |
 | InitiatingProcessSha1               | string      | SHA-1 of the process (image file) that initiated the event.                                                                                                                                                                                                    |
-| InitiatingProcessSha256             | string      | SHA-256 of the process (image file) that initiated the event.                                                                                                                                                                                                  |
+| InitiatingProcessSha256             | string      | SHA-256 of the process (image file) that initiated the event. This field is usually not populated—use the SHA1 column when available.                                                                                                                                                                                                |
 | InitiatingProcessTokenElevation     | string      | Token type indicating the presence or absence of User Access Control (UAC) privilege elevation applied to the process that initiated the event.                                                                                                                |
 | IsAzureADJoined                     | boolean     | Boolean indicator of whether machine is joined to the Azure Active Directory.                                                                                                                                                                                  |
 | LocalIP                             | string      | IP address assigned to the local machine used during communication.                                                                                                                                                                                            |
@@ -97,7 +97,7 @@ Use the following table to understand what the columns represent, its data type,
 | RemoteUrl                           | string      | URL or fully qualified domain name (FQDN) that was being connected to.                                                                                                                                                                                         |
 | ReportIndex                         | long        | Event identifier that is unique among the same event type.                                                                                                                                                                                                     |
 | SHA1                                | string      | SHA-1 of the file that the recorded action was applied to.                                                                                                                                                                                                     |
-| SHA256                              | string      | SHA-256 of the file that the recorded action was applied to.                                                                                      
+| SHA256                              | string      | SHA-256 of the file that the recorded action was applied to. This field is usually not populated—use the SHA1 column when available.                                                                                     
 
 >Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-advancedhuntingref-belowfoldlink)        
 
diff --git a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md
index f523b1c8d1..c5a0aa9147 100644
--- a/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/advanced-hunting-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 04/17/2018
+ms.date: 04/24/2018
 ---
 
 # Query data using Advanced hunting in Windows Defender ATP
diff --git a/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md
index 26eef896ca..3955ce8269 100644
--- a/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/alerts-queue-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 04/17/2018
+ms.date: 04/24/2018
 ---
 
 # View and organize the Windows Defender Advanced Threat Protection Alerts queue
diff --git a/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md
index 4b947eec35..5acb334a86 100644
--- a/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/assign-portal-access-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 04/17/2018
+ms.date: 04/24/2018
 ---
 
 # Assign user access to the Windows Defender ATP portal
diff --git a/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md
index 6046993dba..760acda319 100644
--- a/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/automated-investigations-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 04/17/2018
+ms.date: 04/24/2018
 ---
 
 # Use Automated investigations to investigate and remediate threats
diff --git a/windows/security/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md
index 6a933ada64..968c448af5 100644
--- a/windows/security/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/check-sensor-status-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 04/17/2018
+ms.date: 04/24/2018
 ---
 
 # Check sensor health state in Windows Defender ATP
diff --git a/windows/security/threat-protection/windows-defender-atp/community-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/community-windows-defender-advanced-threat-protection.md
index f56d8e3bae..d55f04fddc 100644
--- a/windows/security/threat-protection/windows-defender-atp/community-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/community-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 04/17/2018
+ms.date: 04/24/2018
 ---
 
 
diff --git a/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md
new file mode 100644
index 0000000000..5c7c425311
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-atp/conditional-access-windows-defender-advanced-threat-protection.md
@@ -0,0 +1,157 @@
+---
+title: Enable conditional access to better protect users, devices, and data
+description: Enable conditional access to prevent applications from running if a device is considered at risk and an application is determined to be non-compliant.
+keywords: conditional access, block applications, security level, intune,
+search.product: eADQiWindows 10XVcnh
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: high
+ms.date: 04/24/2018
+---
+
+# Enable conditional access to better protect users, devices, and data 
+
+**Applies to:**
+
+- Windows 10 Enterprise
+- Windows 10 Education
+- Windows 10 Pro
+- Windows 10 Pro Education
+- Windows Defender Advanced Threat Protection (Windows Defender ATP)
+
+[!include[Prerelease information](prerelease.md)]
+
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-conditionalaccess-abovefoldlink)
+
+Conditional access is a capability that helps you better protect your users and enterprise information by making sure that only secure devices have access to applications.
+
+With conditional access, you can control access to enterprise information based on the risk level of a device. This helps keep trusted users on trusted devices using trusted applications.
+
+You can define security conditions under which devices and applications can run and access information from your network by enforcing policies to stop applications from running until a device returns to a compliant state. 
+
+The implementation of conditional access in Windows Defender ATP is based on Microsoft Intune (Intune) device compliance policies and Azure Active Directory (Azure AD) conditional access policies. 
+
+The compliance policy is used with conditional access to allow only devices that fulfill one or more device compliance policy rules to access applications. 
+
+## Understand the conditional access flow
+Conditional access is put in place so that when a threat is seen on a device, access to sensitive content is blocked until the threat is remediated. 
+
+The flow begins with machines being seen to have a low, medium, or high risk. These risk determinations are then sent to Intune. 
+
+Depending on how you configure policies in Intune, conditional access can be set up so that when certain conditions are met, the policy is applied.
+
+For example, you can configure Intune to apply conditional access on devices that have a high risk.
+
+In Intune, a device compliance policy is used in conjunction with Azure AD conditional access to block access to applications. In parallel, an automated investigation and remediation process is launched.
+
+ A user can still use the device while the automated investigation and remediation is taking place, but access to enterprise data is blocked until the threat is fully remediated. 
+
+To resolve the risk found on a device, you'll need to return the device to a compliant state. A device returns to a compliant state when there is no risk seen on it. 
+
+There are three ways to address a risk:
+1. Use Manual or automated remediation.
+2. Resolve active alerts on the machine. This will remove the risk from the machine.
+3. You can remove the machine from the active policies and consequently, conditional access will not be applied on the machine. 
+
+Manual remediation requires a secops admin to investigate an alert and address the risk seen on the device. The automated remediation is configured through configuration settings provided in the following section, [Configure conditional access](#configure-conditional-access).
+
+When the risk is removed either through manual or automated remediation, the device returns to a compliant state and access to applications is granted.
+
+The following example sequence of events explains conditional access in action:
+
+1. A user opens a malicious file and Windows Defender ATP flags the device as high risk.
+2. The high risk assessment is passed along to Intune. In parallel, an automated investigation is initiated to remediate the identified threat. A manual remediation can also be done to remediate the identified threat.
+3. Based on the policy created in Intune, the device is marked as not compliant. The assessment is then communicated to Azure AD by the Intune conditional access policy. In Azure AD, the corresponding policy is applied to block access to applications.
+4. The manual or automated investigation and remediation is completed and the threat is removed. Windows Defender ATP sees that there is no risk on the device and Intune assesses the device to be in a compliant state. Azure AD applies the policy which allows access to applications.
+5. Users can now access applications.
+
+
+
+ ## Configure conditional access
+This section guides you through all the steps you need to take to properly implement conditional access.
+
+### Before you begin
+>[!WARNING] 
+>It's important to note that Azure AD registered devices is not supported in this scenario.</br>
+>Only Intune enrolled devices are supported.
+
+You need to make sure that all your devices are enrolled in Intune. You can use any of the following options to enroll devices in Intune:
+
+
+- IT Admin: For more information on how to enabling auto-enrollment, see [Windows Enrollment](https://docs.microsoft.com/intune/windows-enroll#enable-windows-10-automatic-enrollment)
+- End-user: For more information on how to enroll your Windows 10 device in Intune, see [Enroll your Windows 10 device in Intune](https://docs.microsoft.com/intune-user-help/enroll-your-w10-device-access-work-or-school)
+- End-user alternative: For more information on joining an Azure AD domain, see [Set up Azure Active Directory joined devices](https://docs.microsoft.com/en-us/azure/active-directory/device-management-azuread-joined-devices-setup).
+
+
+
+There are steps you'll need to take in the Windows Defender ATP portal, the Intune portal, and Azure AD portal.
+
+> [!NOTE] 
+> You'll need a Microsoft Intune environment, with Intune managed and Azure AD joined Windows 10 devices.
+
+Take the following steps to enable conditional access:
+- Step 1: Turn on the Microsoft Intune connection from the Windows Defender ATP portal
+- Step 2: Turn on the Windows Defender ATP integration in Intune
+- Step 3: Create the compliance policy in Intune
+- Step 4: Assign the policy 
+- Step 5: Create an Azure AD conditional access policy
+
+
+### Step 1: Turn on the Microsoft Intune connection
+1. In the navigation pane, select **Settings** > **General** > **Advanced features** > **Microsoft Intune connection**.
+2. Toggle the Microsoft Intune setting to **On**.
+3. Click **Save preferences**.
+
+
+### Step 2: Turn on the Windows Defender ATP integration in Intune
+1. Sign in to the [Azure portal](https://portal.azure.com).
+2. Select **Device compliance** > **Windows Defender ATP**.
+3. Set **Connect Windows 10.0.15063+ devices to Windows Defender Advanced Threat Protection** to **On**.
+4. Click **Save**.
+
+
+### Step 3: Create the compliance policy in Intune
+1. In the [Azure portal](https://portal.azure.com), select **All services**, filter on **Intune**, and select **Microsoft Intune**.
+2. Select **Device compliance** > **Policies** > **Create policy**.
+3. Enter a **Name** and **Description**.
+4. In **Platform**, select **Windows 10 and later**.
+5. In the **Device Health** settings, set **Require the device to be at or under the Device Threat Level** to your preferred level:
+
+  - **Secured**: This level is the most secure. The device cannot have any existing threats and still access company resources. If any threats are found, the device is evaluated as noncompliant.
+  - **Low**: The device is compliant if only low-level threats exist. Devices with medium or high threat levels are not compliant.
+  - **Medium**: The device is compliant if the threats found on the device are low or medium. If high-level threats are detected, the device is determined as noncompliant.
+  - **High**: This level is the least secure, and allows all threat levels. So devices that with high, medium or low threat levels are considered compliant.
+
+6. Select **OK**, and **Create** to save your changes (and create the policy).
+
+### Step 4: Assign the policy
+1. In the [Azure portal](https://portal.azure.com), select **All services**, filter on **Intune**, and select **Microsoft Intune**.
+2. Select **Device compliance** > **Policies**> select your Windows Defender ATP compliance policy.
+3. Select **Assignments**.
+4. Include or exclude your Azure AD groups to assign them the policy.
+5. To deploy the policy to the groups, select **Save**. The user devices targeted by the policy are evaluated for compliance.
+
+### Step 5: Create an Azure AD conditional access policy
+1. In the [Azure portal](https://portal.azure.com), open **Azure Active Directory** > **Conditional access** > **New policy**.
+2. Enter a policy **Name**, and select **Users and groups**. Use the Include or Exclude options to add your groups for the policy, and select **Done**.
+3. Select **Cloud apps**, and choose which apps to protect. For example, choose **Select apps**, and select **Office 365 SharePoint Online** and **Office 365 Exchange Online**. Select **Done** to save your changes.
+
+4. Select **Conditions** > **Client apps** to apply the policy to apps and browsers. For example, select **Yes**, and then enable **Browser** and **Mobile apps and desktop clients**. Select **Done** to save your changes.
+
+5. Select **Grant** to apply conditional access based on device compliance. For example, select **Grant access** > **Require device to be marked as compliant**. Choose **Select** to save your changes.
+
+6. Select **Enable policy**, and then **Create** to save your changes.
+
+For more information, see [Enable Windows Defender ATP with conditional access in Intune](https://docs.microsoft.com/intune/advanced-threat-protection).
+
+>Want to experience Windows Defender ATP? [Sign up for a free trial.](https://www.microsoft.com/en-us/WindowsForBusiness/windows-atp?ocid=docs-wdatp-conditionalaccess-belowfoldlink)
+
+## Related topic
+- [Configure advanced features in Windows Defender ATP](advanced-features-windows-defender-advanced-threat-protection.md)
+
+
+
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md
index 6559e3e082..b35af2246b 100644
--- a/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-email-notifications-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 04/17/2018
+ms.date: 04/24/2018
 ---
 
 # Configure alert notifications in Windows Defender ATP
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md
index 20a25e6d96..e3b7fb8022 100644
--- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-gp-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 04/17/2018
+ms.date: 04/24/2018
 ---
 
 # Onboard Windows 10 machines using Group Policy 
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
index fc37a29fbc..c7774a5663 100644
--- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-mdm-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 04/17/2018
+ms.date: 04/24/2018
 ---
 
 # Onboard Windows 10 machines using Mobile Device Management tools
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md
index 60fdf52cf6..450371174d 100644
--- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-non-windows-windows-defender-advanced-threat-protection.md
@@ -9,7 +9,7 @@ ms.sitesec: library
 ms.pagetype: security
 author: mjcaparas
 localizationpriority: high
-ms.date: 04/17/2018
+ms.date: 04/24/2018
 ---
 
 # Onboard non-Windows machines
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
index 1da2299153..ab8da7cafa 100644
--- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-sccm-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 04/17/2018
+ms.date: 04/24/2018
 ---
 
 # Onboard Windows 10 machines using System Center Configuration Manager
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md
index 51910b2668..4dbf933ec5 100644
--- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-script-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 04/17/2018
+ms.date: 04/24/2018
 ---
 
 # Onboard Windows 10 machines using a local script
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md
index 477529fa7d..3053183884 100644
--- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-vdi-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 04/17/2018
+ms.date: 04/24/2018
 ---
 
 # Onboard non-persistent virtual desktop infrastructure (VDI) machines
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md
index e6d78d4bb0..dab99dbf01 100644
--- a/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-endpoints-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 04/17/2018
+ms.date: 04/24/2018
 ---
 
 # Onboard Windows 10 machines
diff --git a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md
index c55f7851c0..62c3b16138 100644
--- a/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md
@@ -9,7 +9,7 @@ ms.sitesec: library
 ms.pagetype: security
 author: mjcaparas
 localizationpriority: high
-ms.date: 04/17/2018
+ms.date: 04/24/2018
 ---
 
 # Onboard servers to the Windows Defender ATP service
@@ -18,7 +18,6 @@ ms.date: 04/17/2018
 
 - Windows Server 2012 R2
 - Windows Server 2016
-- Windows Server, version 1803
 - Windows Defender Advanced Threat Protection (Windows Defender ATP)
 
 [!include[Prerelease information](prerelease.md)]
@@ -30,7 +29,6 @@ Windows Defender ATP extends support to also include the Windows Server operatin
 Windows Defender ATP supports the onboarding of the following servers:
 - Windows Server 2012 R2
 - Windows Server 2016
-- Windows Server, version 1803
 
 ## Onboard Windows Server 2012 R2 and Windows Server 2016
 
@@ -82,31 +80,6 @@ Once completed, you should see onboarded servers in the portal within an hour.
 |    winatp-gw-neu.microsoft.com    |    443    |
 |    winatp-gw-weu.microsoft.com    |    443    |
 
-## Onboard Windows Server, version 1803 
-You’ll be able to onboard in the same method available for Windows 10 client machines. For more information, see  [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md). Support for Windows Server, version 1803 provides deeper insight into activities happening on the server, coverage for kernel and memory attack detection, and enables response actions on Windows Server endpoint as well. 
-
-1.	Install the latest Windows Server Insider build on a machine. For more information, see [Windows Server Insider Preview](https://www.microsoft.com/en-us/software-download/windowsinsiderpreviewserver).
-
-2. Configure Windows Defender ATP onboarding settings on the server. For more information, see [Onboard Windows 10 machines](configure-endpoints-windows-defender-advanced-threat-protection.md). 
-
-3.	If you’re running a third party antimalware solution, you'll need to apply the following Windows Defender AV passive mode settings and verify it was configured correctly:
-
-    a. Set the following registry entry:
-      - Path: `HKLM\SOFTWARE\Policies\Microsoft\Windows Advanced Threat Protection`
-      - Name: ForceDefenderPassiveMode
-      - Value: 1
-
-    b. Run the following PowerShell command to verify that the passive mode was configured:
-    ```Get-WinEvent -FilterHashtable @{ProviderName="Microsoft-Windows-Sense" ;ID=84}```
-
-    c. Confirm  that a recent event containing the passive mode event is found:
-    ![Image of passive mode verification result](images/atp-verify-passive-mode.png)
-
-4. Run the following command to check if Windows Defender AV is installed:
-   ```sc query Windefend```
-
-    If the result is ‘The specified service does not exist as an installed service’, then you'll need to install Windows Defender AV. For more information, see [Windows Defender Antivirus in Windows 10](https://docs.microsoft.com/en-us/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-in-windows-10).
-
 ## Offboard servers 
 You have two options to offboard servers from the service:
 - Uninstall the MMA agent
diff --git a/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md
index 8af91533b7..e06ccda51d 100644
--- a/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/custom-ti-api-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 04/17/2018
+ms.date: 04/24/2018
 ---
 
 # Create custom alerts using the threat intelligence (TI) application program interface (API)
diff --git a/windows/security/threat-protection/windows-defender-atp/data-retention-settings-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/data-retention-settings-windows-defender-advanced-threat-protection.md
index 2c31b1365d..2f1642def7 100644
--- a/windows/security/threat-protection/windows-defender-atp/data-retention-settings-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/data-retention-settings-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 04/17/2018
+ms.date: 04/24/2018
 ---
 # Update data retention settings for Windows Defender ATP 
 
diff --git a/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md
index e262cc5244..e04a79d353 100644
--- a/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md
@@ -51,7 +51,7 @@ In all scenarios, data is encrypted using 256-bit [AES encyption](https://en.wik
 
 ## Do I have the flexibility to select where to store my data?
 
-When onboarding the service for the first time, you can choose to store your data in Microsoft Azure datacenters in Europe or in the United States. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Microsoft will not under any circumstance, transfer the data from the specified geolocation into another geolocation.
+When onboarding the service for the first time, you can choose to store your data in Microsoft Azure datacenters in Europe or in the United States. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Customer data in de-identified form may also be stored in the central storage and processing systems in the United States.
 
 ## Is my data isolated from other customer data?
 Yes, your data is isolated through access authentication and logical segregation based on customer identifier. Each customer can only access data collected from its own organization and generic data that Microsoft provides.
diff --git a/windows/security/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md
index 09ed79f526..035afaf190 100644
--- a/windows/security/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 04/17/2018
+ms.date: 04/24/2018
 ---
 
 # Windows Defender Antivirus compatibility with Windows Defender ATP
diff --git a/windows/security/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md
index 4864c55ad8..babca11760 100644
--- a/windows/security/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/enable-custom-ti-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 04/17/2018
+ms.date: 04/24/2018
 ---
 
 # Enable the custom threat intelligence API in Windows Defender ATP
diff --git a/windows/security/threat-protection/windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection.md
index 9e6c2f081b..da135efb65 100644
--- a/windows/security/threat-protection/windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/enable-secure-score-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 04/17/2018
+ms.date: 04/24/2018
 ---
 
 # Enable Secure Score security controls
diff --git a/windows/security/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md
index 9b39935b31..183ecc286d 100644
--- a/windows/security/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/enable-siem-integration-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 04/17/2018
+ms.date: 04/24/2018
 ---
 
 # Enable SIEM integration in Windows Defender ATP
diff --git a/windows/security/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md
index 7dbc500f97..f4c7dd2bb3 100644
--- a/windows/security/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/event-error-codes-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 04/17/2018
+ms.date: 04/24/2018
 ---
 
 
diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md
index 840ac36b91..c8df547c6b 100644
--- a/windows/security/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/investigate-alerts-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 04/17/2018
+ms.date: 04/24/2018
 ---
 
 # Investigate Windows Defender Advanced Threat Protection alerts
diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md
index 9d2442bd7c..cf096a36d3 100644
--- a/windows/security/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/investigate-domain-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 04/17/2018
+ms.date: 04/24/2018
 ---
 # Investigate a domain associated with a Windows Defender ATP alert
 
diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md
index 8303abcda1..042216f1a6 100644
--- a/windows/security/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/investigate-files-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 04/17/2018
+ms.date: 04/24/2018
 ---
 # Investigate a file associated with a Windows Defender ATP alert
 
diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md
index a22179f273..cd9eaa9b7c 100644
--- a/windows/security/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/investigate-ip-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 04/17/2018
+ms.date: 04/24/2018
 ---
 # Investigate an IP address associated with a Windows Defender ATP alert
 
diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md
index 9fb3644bae..7f17822158 100644
--- a/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 04/17/2018
+ms.date: 04/24/2018
 ---
 
 # Investigate machines in the Windows Defender ATP Machines list
diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md
index 46a2f46c0e..fb5d06dfd4 100644
--- a/windows/security/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/investigate-user-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 04/17/2018
+ms.date: 04/24/2018
 ---
 # Investigate a user account in Windows Defender ATP
 
diff --git a/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md
index 240d558937..a7c1630a56 100644
--- a/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/is-domain-seen-in-org-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 04/17/2018
+ms.date: 04/24/2018
 ---
 
 # Is domain seen in org
diff --git a/windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md
index b866964b62..71573b1352 100644
--- a/windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md
@@ -54,7 +54,7 @@ To gain access into which licenses are provisioned to your company, and to check
 
 When accessing the [Windows Defender ATP portal](https://SecurityCenter.Windows.com) for the first time there will be a setup wizard that will guide you through some initial steps. At the end of the setup wizard there will be a dedicated cloud instance of Windows Defender ATP created.
 
-1. Each time you access the portal you will need to validate that you are authorized to access the product. Only if you are not authorized will This **Set up your permissions** step will only be available if you are not currently authorized to access the product.
+1. Each time you access the portal you will need to validate that you are authorized to access the product. This **Set up your permissions** step will only be available if you are not currently authorized to access the product.
 
 	![Image of Set up your permissions for WDATP](images\atp-setup-permissions-wdatp-portal.png)
 
@@ -134,4 +134,4 @@ When accessing the [Windows Defender ATP portal](https://SecurityCenter.Windows.
 
 ## Related topics
 - [Onboard machines to the Windows Defender Advanced Threat Protection service](onboard-configure-windows-defender-advanced-threat-protection.md)
-- [Troubleshoot onboarding process and portal access issues](troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md)
\ No newline at end of file
+- [Troubleshoot onboarding process and portal access issues](troubleshoot-onboarding-error-messages-windows-defender-advanced-threat-protection.md)
diff --git a/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md
index 454d1a3aec..221bfd7884 100644
--- a/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/machine-groups-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 04/17/2018
+ms.date: 04/24/2018
 ---
 
 # Create and manage machine groups in Windows Defender ATP
diff --git a/windows/security/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md
index 278725340f..c304f74048 100644
--- a/windows/security/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/machines-view-overview-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 04/17/2018
+ms.date: 04/24/2018
 ---
 
 # View and organize the Windows Defender ATP Machines list
diff --git a/windows/security/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md
index 5912acb1a8..54bc053ce4 100644
--- a/windows/security/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/manage-alerts-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 04/17/2018
+ms.date: 04/24/2018
 ---
 
 # Manage Windows Defender Advanced Threat Protection alerts
diff --git a/windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md
index 1f68016ea9..abe6240f77 100644
--- a/windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/manage-automation-allowed-blocked-list-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 04/17/2018
+ms.date: 04/24/2018
 ---
 
 # Manage automation allowed/blocked lists
diff --git a/windows/security/threat-protection/windows-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md
index f6b88381ff..a418fca559 100644
--- a/windows/security/threat-protection/windows-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/manage-automation-file-uploads-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 04/17/2018
+ms.date: 04/24/2018
 ---
 
 # Manage automation file uploads
diff --git a/windows/security/threat-protection/windows-defender-atp/manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md
index c7d1e70c54..0388d3e0dd 100644
--- a/windows/security/threat-protection/windows-defender-atp/manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/manage-automation-folder-exclusions-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 04/17/2018
+ms.date: 04/24/2018
 ---
 
 # Manage automation folder exclusions 
diff --git a/windows/security/threat-protection/windows-defender-atp/manage-suppression-rules-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/manage-suppression-rules-windows-defender-advanced-threat-protection.md
index c06aea4230..afd498bd1b 100644
--- a/windows/security/threat-protection/windows-defender-atp/manage-suppression-rules-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/manage-suppression-rules-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 04/17/2018
+ms.date: 04/24/2018
 ---
 
 # Manage suppression rules
diff --git a/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
index 3983d79af5..9afdfa86cb 100644
--- a/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 04/17/2018
+ms.date: 04/24/2018
 ---
 
 # Minimum requirements for Windows Defender ATP
diff --git a/windows/security/threat-protection/windows-defender-atp/offboard-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/offboard-machines-windows-defender-advanced-threat-protection.md
index 78710989d2..5083d2feae 100644
--- a/windows/security/threat-protection/windows-defender-atp/offboard-machines-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/offboard-machines-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 04/17/2018
+ms.date: 04/24/2018
 ---
 
 # Offboard machines from the Windows Defender ATP service
diff --git a/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md
index 84c7cee481..e5ee209594 100644
--- a/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/onboard-configure-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 04/17/2018
+ms.date: 04/24/2018
 ---
 
 # Onboard machines to the Windows Defender ATP service
diff --git a/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md
index ce444d924a..d8e518f47c 100644
--- a/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/portal-overview-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 04/17/2018
+ms.date: 04/24/2018
 ---
 
 # Windows Defender Advanced Threat Protection portal overview
diff --git a/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md
index e92d59ee73..ecb07ccd1e 100644
--- a/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md
@@ -9,7 +9,7 @@ ms.sitesec: library
 ms.pagetype: security
 author: mjcaparas
 localizationpriority: high
-ms.date: 04/17/2018
+ms.date: 04/24/2018
 ---
 # Create and build Power BI reports using Windows Defender ATP data
 
diff --git a/windows/security/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md
index 36e285cce8..f08533a767 100644
--- a/windows/security/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/powershell-example-code-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 04/17/2018
+ms.date: 04/24/2018
 ---
 
 # PowerShell code examples for the custom threat intelligence API
diff --git a/windows/security/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md
index 4d00c68de1..72dd86675c 100644
--- a/windows/security/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/preferences-setup-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 04/17/2018
+ms.date: 04/24/2018
 ---
 # Configure Windows Defender ATP settings
 
diff --git a/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md
index 6f65f14423..61315574f8 100644
--- a/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/preview-settings-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 04/17/2018
+ms.date: 04/24/2018
 ---
 # Turn on the preview experience in Windows Defender ATP
 
diff --git a/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md
index 4d92a145bd..af0f9887a7 100644
--- a/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/preview-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 04/17/2018
+ms.date: 04/24/2018
 ---
 
 # Windows Defender ATP preview features
@@ -47,7 +47,6 @@ The following features are included in the preview release:
 Windows Defender ATP supports the onboarding of the following servers:
     - Windows Server 2012 R2
     - Windows Server 2016
-    - Windows Server, version 1803
 
 - [Create and build Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md)<br>
 Windows Defender ATP supports the use of Power BI data connectors to enable you to connect and access Windows Defender ATP data using Microsoft Graph.
diff --git a/windows/security/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md
index d3de2bec95..441d1895d8 100644
--- a/windows/security/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/pull-alerts-using-rest-api-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 04/17/2018
+ms.date: 04/24/2018
 ---
 
 # Pull Windows Defender ATP alerts using REST API
diff --git a/windows/security/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md
index 278e02f9bb..58abb6bddc 100644
--- a/windows/security/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/python-example-code-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 04/17/2018
+ms.date: 04/24/2018
 ---
 
 # Python code examples for the custom threat intelligence API
diff --git a/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md
index 8b7ad9f93e..fdb452e1ad 100644
--- a/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 04/17/2018
+ms.date: 04/24/2018
 ---
 
 # Manage portal access using role-based access control
diff --git a/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
index 0e5f08d3d5..f3fa656be3 100644
--- a/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 04/17/2018
+ms.date: 04/24/2018
 ---
 
 # Take response actions on a file
diff --git a/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md
index 43e1cf6abb..c6c4102eb5 100644
--- a/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/secure-score-dashboard-windows-defender-advanced-threat-protection.md
@@ -9,7 +9,7 @@ ms.sitesec: library
 ms.pagetype: security
 author: mjcaparas
 localizationpriority: high
-ms.date: 04/17/2018
+ms.date: 04/24/2018
 ---
 
 # View the Windows Defender Advanced Threat Protection Secure score dashboard
@@ -297,9 +297,6 @@ For more information, see [Windows Defender Firewall with Advanced Security](htt
 ### BitLocker optimization
 For a machine to be considered "well configured", it must comply to a minimum baseline configuration setting. This tile shows you a specific list of actions you must apply on endpoints so that the minimum baseline configuration setting for BitLocker is fulfilled. 
 
->[!IMPORTANT]
->This security control is only applicable for machines with Windows 10, version 1803 or later.
-
 #### Minimum baseline configuration setting for BitLocker
 - Ensure all supported internal drives are encrypted
 - Ensure that all suspended protection on drives resume protection 
diff --git a/windows/security/threat-protection/windows-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection.md
index 7b4b053ce3..d3740aa25f 100644
--- a/windows/security/threat-protection/windows-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/security-operations-dashboard-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 04/17/2018
+ms.date: 04/24/2018
 ---
 
 # View the Windows Defender Advanced Threat Protection Security operations dashboard
diff --git a/windows/security/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md
index 0e0c2d60c4..488f25d704 100644
--- a/windows/security/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/service-status-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 04/17/2018
+ms.date: 04/24/2018
 ---
 
 # Check the Windows Defender Advanced Threat Protection service health
diff --git a/windows/security/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md
index 6e4c10056a..9fa8d8f13a 100644
--- a/windows/security/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/supported-apis-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 04/17/2018
+ms.date: 04/24/2018
 ---
 
 # Supported Windows Defender ATP query APIs 
diff --git a/windows/security/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md
index 3324909b34..160df53514 100644
--- a/windows/security/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/threat-indicator-concepts-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 04/17/2018
+ms.date: 04/24/2018
 ---
 
 # Understand threat intelligence concepts
diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
index 637bf8c04f..53bbce16ae 100644
--- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-onboarding-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 04/17/2018
+ms.date: 04/24/2018
 ---
 
 # Troubleshoot Windows Defender Advanced Threat Protection onboarding issues
diff --git a/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md
index 43d2792de3..fca8e3f3ee 100644
--- a/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/use-custom-ti-windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 04/17/2018
+ms.date: 04/24/2018
 ---
 
 # Use the threat intelligence API to create custom alerts
diff --git a/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md
index a3ae16d7dd..10373e6ddc 100644
--- a/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection.md
@@ -10,7 +10,7 @@ ms.pagetype: security
 ms.author: macapara
 author: mjcaparas
 ms.localizationpriority: high
-ms.date: 04/17/2018
+ms.date: 04/24/2018
 ---
 
 # Windows Defender Advanced Threat Protection
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/TOC.md b/windows/security/threat-protection/windows-defender-exploit-guard/TOC.md
new file mode 100644
index 0000000000..eedb76c8dc
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/TOC.md
@@ -0,0 +1,30 @@
+# [Windows Defender Exploit Guard](windows-defender-exploit-guard.md)
+
+## [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md)
+### [Use auditing mode to evaluate Windows Defender Exploit Guard](audit-windows-defender-exploit-guard.md)
+### [View Exploit Guard events](event-views-exploit-guard.md)
+
+## [Exploit protection](exploit-protection-exploit-guard.md)
+### [Comparison with Enhanced Mitigation Experience Toolkit](emet-exploit-protection-exploit-guard.md)
+### [Evaluate Exploit protection](evaluate-exploit-protection.md)
+### [Enable Exploit protection](enable-exploit-protection.md)
+### [Customize Exploit protection](customize-exploit-protection.md)
+#### [Import, export, and deploy Exploit protection configurations](import-export-exploit-protection-emet-xml.md)
+### [Memory integrity](memory-integrity.md)
+#### [Requirements for virtualization-based protection of code integrity](requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md)
+#### [Enable virtualization-based protection of code integrity](enable-virtualization-based-protection-of-code-integrity.md)
+## [Attack surface reduction](attack-surface-reduction-exploit-guard.md)
+### [Evaluate Attack surface reduction](evaluate-attack-surface-reduction.md)
+### [Enable Attack surface reduction](enable-attack-surface-reduction.md)
+### [Customize Attack surface reduction](customize-attack-surface-reduction.md)
+### [Troubleshoot Attack surface reduction rules](troubleshoot-asr.md)
+## [Network Protection](network-protection-exploit-guard.md)
+### [Evaluate Network Protection](evaluate-network-protection.md)
+### [Enable Network Protection](enable-network-protection.md)
+### [Troubleshoot Network protection](troubleshoot-np.md)
+## [Controlled folder access](controlled-folders-exploit-guard.md)
+### [Evaluate Controlled folder access](evaluate-controlled-folder-access.md)
+### [Enable Controlled folder access](enable-controlled-folders-exploit-guard.md)
+### [Customize Controlled folder access](customize-controlled-folders-exploit-guard.md)
+
+
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
index b4f01bbee5..b046ee873b 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md
@@ -18,7 +18,7 @@ ms.date: 11/09/2017
 
 **Applies to:**
 
-- Windows 10, version 1709
+- Windows 10 Enterprise edition, version 1709 or higher
 
 
 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
index c7f25e04df..aafca3a295 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md
@@ -20,7 +20,7 @@ ms.date: 11/09/2017
 
 **Applies to:**
 
-- Windows 10, version 1709
+- Windows 10 Enterprise edition, version 1709 or higher
 
 
 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md
index 2f89ddd49a..c7bf57924e 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md
@@ -20,7 +20,7 @@ ms.date: 10/16/2017
 
 **Applies to:**
 
-- Windows 10, version 1709
+- Windows 10 Enterprise edition, version 1709 or higher
 
 
 
diff --git a/windows/security/threat-protection/device-guard/deploy-device-guard-enable-virtualization-based-security.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md
similarity index 61%
rename from windows/security/threat-protection/device-guard/deploy-device-guard-enable-virtualization-based-security.md
rename to windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md
index 400d1f0540..354c6831e1 100644
--- a/windows/security/threat-protection/device-guard/deploy-device-guard-enable-virtualization-based-security.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity.md
@@ -1,63 +1,50 @@
 ---
-title: Deploy Windows Defender Device Guard - enable virtualization-based security (Windows 10)
-description: This article describes how to enable virtualization-based security, one of the main features that are part of Windows Defender Device Guard in Windows 10. 
-keywords: virtualization, security, malware
+title: Enable virtualization-based protection of code integrity 
+description: This article explains the steps to opt in to using HVCI on Windows devices. 
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.localizationpriority: high
+ms.author: justinha
 author: brianlic-msft
-ms.date: 10/20/2017
+ms.date: 04/19/2018
 ---
 
-# Enable virtualization-based protection of code integrity
+# Enable virtualization-based protection of code integrity 
 
-**Applies to**
--   Windows 10
--   Windows Server 2016
+**Applies to**  
 
-Virtualization-based protection of code integrity (herein referred to as Hypervisor-protected Code Integrity, or HVCI) is a powerful system mitigation that leverages hardware virtualization and the Windows Hyper-V hypervisor to protect Windows kernel-mode processes against the injection and execution of malicious or unverified code. Code integrity validation is performed in a secure environment that is resistant to attack from malicious software, and page permissions for kernel mode are set and maintained by the Hyper-V hypervisor. When used with Windows Defender Application Control (WDAC), HVCI helps achieve a locked down configuration state known as Windows Defender Device Guard that can block many types of malware from running on computers running Windows 10 and Windows Server 2016.
+- Windows 10
+- Windows Server 2016 
 
-> [!NOTE]
-> Some applications, including device drivers, may be incompatible with HVCI. This can cause devices or software to malfunction and in rare cases may result in a Blue Screen. Such issues may occur after HVCI has been turned on or during the enablement process itself. We recommend testing thoroughly before enabling HVCI on production systems.
+This topic covers different ways to enable Hypervisor-protected code integrity (HVCI) on Windows 10. 
+Some applications, including device drivers, may be incompatible with HVCI. 
+This can cause devices or software to malfunction and in rare cases may result in a Blue Screen. Such issues may occur after HVCI has been turned on or during the enablement process itself. 
+If this happens, see [Troubleshooting](#troubleshooting) for remediation steps. 
 
-Use the following procedure to enable virtualization-based protection of code integrity:
+## How to turn on HVCI in Windows 10 
 
-1.  Decide whether to use the procedures in this topic, or to use [the Device Guard and Credential Guard hardware readiness tool](https://www.microsoft.com/en-us/download/details.aspx?id=53337). 
+To enable HVCI on Windows 10 devices with supporting hardware throughout an enterprise, use any of these options:
+- [Microsoft Intune (or another MDM provider)](#enable-hvci-using-intune)
+- [Group Policy](#enable-hvci-using-group-policy)
+- [System Center Configuration Manager](https://cloudblogs.microsoft.com/enterprisemobility/2015/10/30/managing-windows-10-device-guard-with-configuration-manager/) 
+- [Registry](#use-registry-keys-to-enable-virtualization-based-protection-of-code-integrity)
 
-2.  Verify that [hardware and firmware requirements](requirements-and-deployment-planning-guidelines-for-device-guard.md#hardware-firmware-and-software-requirements-for-windows-defender-device-guard) are met. 
+### Enable HVCI using Intune
 
-## Enable virtualization-based protection of code integrity
+Enabling in Intune requires using the Code Integrity node in the [AppLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp). 
 
-If you don't want to use the [hardware readiness tool](https://www.microsoft.com/en-us/download/details.aspx?id=53337), you can use Group Policy or the Registry to enable HVCI.
+### Enable HVCI using Group Policy
 
-### Use Group Policy to enable virtualization-based protection of code integrity
+1. Use Group Policy Editor (gpedit.msc) to either edit an existing GPO or create a new one.
+2. Navigate to **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard**.  
+3. Double-click **Turn on Virtualization Based Security**.
+4. Click **Enabled** and under **Virtualization Based Protection of Code Integrity**, select **Enabled with UEFI lock** to ensure HVCI cannot be enabled remotely or select **Enabled without UEFI lock**.
 
-1.  To create a new GPO, right-click the OU where you want to link the GPO, and then click **Create a GPO in this domain, and Link it here**.
+   ![Enable HVCI using Group Policy](images\enable-hvci-gp.png)
 
-    ![Group Policy Management, create a GPO](images/dg-fig2-createou.png)
+5. Click **Ok** to close the editor.
 
-2.  Give the new GPO a name, then right-click the new GPO, and click **Edit**.
-
-4.  Within the selected GPO, navigate to Computer Configuration\\Policies\\Administrative Templates\\System\\Device Guard. Right-click **Turn On Virtualization Based Security**, and then click **Edit**.
-
-    ![Edit the group policy for Virtualization Based Security](images/dg-fig3-enablevbs.png)
-
-5.  Select the **Enabled** button. For **Select Platform Security Level**:
-
-    - **Secure Boot** provides as much protection as a computer’s hardware can support. If the computer does not have input/output memory management units (IOMMUs), enable **Secure Boot**.
-    - **Secure Boot with DMA** enables Secure Boot—and VBS itself—only on a computer that supports DMA, that is, a computer with IOMMUs. With this setting, any computer without IOMMUs will not have VBS or HVCI protection, although it can have WDAC enabled.<br>For information about how VBS uses the hypervisor to strengthen protections provided by WDAC, see [How Windows Defender Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md#how-windows-defender-device-guard-features-help-protect-against-threats).
-
-    For **Virtualization Based Protection of Code Integrity**:
-
-    - Beginning with Windows 10, version 1607 and Windows Server 2016:<br>For an initial deployment or test deployment, we recommend **Enabled without lock**.<br>When your deployment is stable, we recommend changing to **Enabled with UEFI lock**. This option helps protect the registry from tampering, either through malware or by an unauthorized person.
-
-    - With earlier versions of Windows 10:<br>Select the **Enable Virtualization Based Protection of Code Integrity** check box.
-
-      ![Group Policy, Turn On Virtualization Based Security](images/dg-fig7-enablevbsofkmci.png)
-
-7.  Close the Group Policy Management Editor, and then restart the Windows 10 test computer. The settings will take effect upon restart.
-
-8.  Check Device Guard logs in Event Viewer at **Applications and Services Logs\\Microsoft\\Windows\\DeviceGuard-GPEXT\\Operational** for Event ID 7000, which contains the selected settings within a GPO that has been successfully processed. This event is logged only when Group Policy is used.
+To apply the new policy on a domain-joined computer, either restart or run `gpupdate /force` in an elevated command prompt. 
 
 ### Use registry keys to enable virtualization-based protection of code integrity
 
@@ -66,7 +53,7 @@ Set the following registry keys to enable HVCI. This provides exactly the same s
 <!--This comment ensures that the Important above and the Warning below don't merge together. -->
 
 > [!IMPORTANT]
-> - Among the commands that follow, you can choose settings for **Secure Boot** and **Secure Boot with DMA**. In most situations, we recommend that you choose **Secure Boot**. This option provides Secure Boot with as much protection as is supported by a given computer’s hardware. A computer with input/output memory management units (IOMMUs) will have Secure Boot with DMA protection. A computer without IOMMUs will simply have Secure Boot enabled.<br>In contrast, with **Secure Boot with DMA**, the setting will enable Secure Boot—and VBS itself—only on a computer that supports DMA, that is, a computer with IOMMUs. With this setting, any computer without IOMMUs will not have VBS or HVCI protection, although it can still have WDAC enabled.<br>For information about how VBS uses the hypervisor to strengthen protections provided by WDAC, see [How Windows Defender Device Guard features help protect against threats](introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md#how-windows-defender-device-guard-features-help-protect-against-threats).<br>
+> - Among the commands that follow, you can choose settings for **Secure Boot** and **Secure Boot with DMA**. In most situations, we recommend that you choose **Secure Boot**. This option provides Secure Boot with as much protection as is supported by a given computer’s hardware. A computer with input/output memory management units (IOMMUs) will have Secure Boot with DMA protection. A computer without IOMMUs will simply have Secure Boot enabled.<br>In contrast, with **Secure Boot with DMA**, the setting will enable Secure Boot—and VBS itself—only on a computer that supports DMA, that is, a computer with IOMMUs. With this setting, any computer without IOMMUs will not have VBS or HVCI protection, although it can still have WDAC enabled.<br>
 > - All drivers on the system must be compatible with virtualization-based protection of code integrity; otherwise, your system may fail. We recommend that you enable these features on a group of test computers before you enable them on users' computers.
 
 #### For Windows 1607 and above
@@ -258,8 +245,34 @@ Another method to determine the available and enabled Windows Defender Device Gu
 
 ![Windows Defender Device Guard properties in the System Summary](images/dg-fig11-dgproperties.png)
 
-## Related topics
 
-- [Introduction to Windows Defender Device Guard: virtualization-based security and Windows Defender Application Control](introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md)
+## Troubleshooting
 
-- [Deploy Windows Defender Application Control](deploy-windows-defender-application-control.md)
+A. If a device driver fails to load or crashes at runtime, you may be able to update the driver using **Device Manager**.
+
+B. If you experience software or device malfunction after using the above procedure to turn on HVCI, but you are able to log in to Windows, you can turn off HVCI by renaming or deleting the SIPolicy.p7b file from the file location in step 3 above and then restart your device.
+
+C. If you experience a critical error during boot or your system is unstable after using the above procedure to turn on HVCI, you can recover using the Windows Recovery Environment (Windows RE). To boot to Windows RE, see [Windows RE Technical Reference](https://docs.microsoft.com/windows-hardware/manufacture/desktop/windows-recovery-environment--windows-re--technical-reference). After logging in to Windows RE, you can turn off HVCI by renaming or deleting the SIPolicy.p7b file from the file location in step 3 above and then restart your device.
+
+## How to turn off HVCI on the Windows 10 Fall Creators Update
+
+1.	Rename or delete the SIPolicy.p7b file located at C:\Windows\System32\CodeIntegrity.
+2.	Restart the device.
+3.	To confirm HVCI has been successfully disabled, open System Information and check **Virtualization-based security Services Running**, which should now have no value displayed.
+
+## HVCI deployment in virtual machines
+
+HVCI can protect a Hyper-V virtual machine, just as it would a physical machine. The steps to enable WDAC are the same from within the virtual machine.
+
+WDAC protects against malware running in the guest virtual machine. It does not provide additional protection from the host administrator. From the host, you can disable WDAC for a virtual machine:
+
+```powershell
+Set-VMSecurity -VMName <VMName> -VirtualizationBasedSecurityOptOut $true
+```
+
+### Requirements for running HVCI in Hyper-V virtual machines 
+ -   The Hyper-V host must run at least Windows Server 2016 or Windows 10 version 1607.
+ -   The Hyper-V virtual machine must be Generation 2, and running at least Windows Server 2016 or Windows 10. 
+ -   HVCI and [nested virtualization](https://docs.microsoft.com/virtualization/hyper-v-on-windows/user-guide/nested-virtualization) cannot be enabled at the same time. 
+ -   Virtual Fibre Channel adapters are not compatible with HVCI. Before attaching a virtual Fibre Channel Adapter to a virtual machine, you must first opt out of virtualization-based security using `Set-VMSecurity`.
+ -   The AllowFullSCSICommandSet option for pass-through disks is not compatible with HVCI. Before configuring a pass-through disk with AllowFullSCSICommandSet, you must first opt out of virtualization-based security using `Set-VMSecurity`.
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md
index a282799eb8..a5bc5791c2 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md
@@ -19,7 +19,7 @@ ms.date: 11/20/2017
 
 **Applies to:**
 
-- Windows 10, version 1709
+- Windows 10 Enterprise edition, version 1709 or higher
 
 
 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md
index 0d7c214b39..74ed3c6f01 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md
@@ -20,7 +20,7 @@ ms.date: 11/20/2017
 
 **Applies to:**
 
-- Windows 10, version 1709
+- Windows 10 Enterprise edition, version 1709 or higher
 
 
 
@@ -115,4 +115,4 @@ You can also use Group Policy, Intune, or MDM CSPs to configure and deploy the s
 
 - [Protect your network with Windows Defender Exploit Guard](network-protection-exploit-guard.md)
 - [Evaluate Windows Defender Exploit Guard](evaluate-windows-defender-exploit-guard.md)
-- [Use audit mode to evaluate Windows Defender Exploit Guard](audit-windows-defender-exploit-guard.md)
\ No newline at end of file
+- [Use audit mode to evaluate Windows Defender Exploit Guard](audit-windows-defender-exploit-guard.md)
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/ball_50.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/ball_50.png
new file mode 100644
index 0000000000..bab791f3c0
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-exploit-guard/images/ball_50.png differ
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/ball_75.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/ball_75.png
new file mode 100644
index 0000000000..de277c05e1
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-exploit-guard/images/ball_75.png differ
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/ball_empty.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/ball_empty.png
new file mode 100644
index 0000000000..97f905f5ea
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-exploit-guard/images/ball_empty.png differ
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/ball_full.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/ball_full.png
new file mode 100644
index 0000000000..2bc45259d3
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-exploit-guard/images/ball_full.png differ
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/dg-fig11-dgproperties.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/dg-fig11-dgproperties.png
new file mode 100644
index 0000000000..3c93b2b948
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-exploit-guard/images/dg-fig11-dgproperties.png differ
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/enable-hvci-gp.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/enable-hvci-gp.png
new file mode 100644
index 0000000000..59c071a50c
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-exploit-guard/images/enable-hvci-gp.png differ
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/images/turn-windows-features-on-or-off.png b/windows/security/threat-protection/windows-defender-exploit-guard/images/turn-windows-features-on-or-off.png
new file mode 100644
index 0000000000..8d47a53b51
Binary files /dev/null and b/windows/security/threat-protection/windows-defender-exploit-guard/images/turn-windows-features-on-or-off.png differ
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/memory-integrity.md b/windows/security/threat-protection/windows-defender-exploit-guard/memory-integrity.md
new file mode 100644
index 0000000000..06270361cd
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/memory-integrity.md
@@ -0,0 +1,28 @@
+---
+title: Memory integrity
+keywords: mitigations, vulnerabilities, vulnerability, mitigation, exploit, exploits, emet
+description: Memory integrity.
+search.product: eADQiWindows 10XVcnh
+ms.pagetype: security
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.sitesec: library
+ms.pagetype: security
+localizationpriority: medium
+author: iaanw
+ms.author: iawilt
+ms.date: 02/20/2018
+---
+
+
+
+# Memory integrity
+
+
+**Applies to:**
+
+- Windows 10, version 1709
+- Windows Server 2016
+
+Memory integrity is a powerful system mitigation that leverages hardware virtualization and the Windows Hyper-V hypervisor to protect Windows kernel-mode processes against the injection and execution of malicious or unverified code. Code integrity validation is performed in a secure environment that is resistant to attack from malicious software, and page permissions for kernel mode are set and maintained by the Hyper-V hypervisor. Memory integrity helps block many types of malware from running on computers that run Windows 10 and Windows Server 2016.
+
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md
index 772ad2e7b0..16b940a5e4 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md
@@ -20,7 +20,7 @@ ms.date: 11/20/2017
 
 **Applies to:**
 
-- Windows 10, version 1709
+- Windows 10 Enterprise edition, version 1709 or higher
 
 
 
@@ -38,7 +38,7 @@ ms.date: 11/20/2017
 
 Network protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. 
 
-It expands the scope of [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md) to block all outboud HTTP(s) traffic that attempts to connect to low-reputation sources (based on the domain or hostname).
+It expands the scope of [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md) to block all outbound HTTP(s) traffic that attempts to connect to low-reputation sources (based on the domain or hostname).
 
 It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md).
 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
new file mode 100644
index 0000000000..61166e5854
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
@@ -0,0 +1,74 @@
+---
+title: Requirements and deployment planning guidelines for irtualization-based protection of code integrity (Windows 10)
+description: To help you plan a deployment of Microsoft Windows Defender Device Guard, this article describes hardware requirements for Windows Defender Device Guard, outlines deployment approaches, and describes methods for code signing and the deployment of code integrity policies. 
+keywords: virtualization, security, malware
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.localizationpriority: high
+author: brianlic-msft
+ms.date: 10/20/2017
+---
+
+# Requirements and deployment planning guidelines for virtualization-based protection of code integrity
+
+**Applies to**
+-   Windows 10
+-   Windows Server 2016
+
+Computers must meet certain hardware, firmware, and software requirements in order to take adavantage of all of the virtualization-based security (VBS) features in Windows Defender Device Guard. Computers lacking these requirements can still be protected by Windows Defender Application Control (WDAC) policies—the difference is that those computers will not be as hardened against certain threats. 
+
+For example, hardware that includes CPU virtualization extensions and SLAT will be hardened against malware that attempts to gain access to the kernel, but without protected BIOS options such as “Boot only from internal hard drive,” the computer could be booted (by a malicious person who has physical access) into an operating system on bootable media. 
+
+> [!WARNING]
+>  Virtualization-based protection of code integrity may be incompatible with some devices and applications. We strongly recommend testing this configuration in your lab before enabling virtualization-based protection of code integrity on production systems. Failure to do so may result in unexpected failures up to and including data loss or a blue screen error (also called a stop error).
+
+The following tables provide more information about the hardware, firmware, and software required for deployment of various Windows Defender Device Guard features. The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017.
+
+> [!NOTE]
+> Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new computers. 
+
+## Baseline protections
+
+|Baseline Protections            | Description                                        | Security benefits |
+|--------------------------------|----------------------------------------------------|-------------------|
+| Hardware: **64-bit CPU**       | A 64-bit computer is required for the Windows hypervisor to provide VBS. |  | 
+| Hardware: **CPU virtualization extensions**,<br>plus **extended page tables** | These hardware features are required for VBS:<br>One of the following virtualization extensions:<br>• VT-x (Intel) or<br>• AMD-V<br>And:<br>• Extended page tables, also called Second Level Address Translation (SLAT). | VBS provides isolation of the secure kernel from the normal operating system. Vulnerabilities and zero-days in the normal operating system cannot be exploited because of this isolation. |
+| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | See the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](https://docs.microsoft.com/windows-hardware/design/compatibility/systems#systemfundamentalsfirmwareuefisecureboot) | UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots.  |
+| Firmware: **Secure firmware update process**      | UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: [System.Fundamentals.Firmware.UEFISecureBoot](https://docs.microsoft.com/windows-hardware/design/compatibility/systems#systemfundamentalsfirmwareuefisecureboot)  | UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. |
+| Software: **HVCI compatible drivers**       | See the Windows Hardware Compatibility Program requirements under [Filter.Driver.DeviceGuard.DriverCompatibility](https://docs.microsoft.com/windows-hardware/design/compatibility/filter#filterdriverdeviceguarddrivercompatibility).| [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode.  |
+| Software: Qualified **Windows operating system**  | Windows 10 Enterprise, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise<br><blockquote><p><strong>Important:</strong><br> Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. Only virtualization-based protection of code integrity is supported in this configuration.</p></blockquote> | Support for VBS and for management features that simplify configuration of Windows Defender Device Guard. |
+
+> **Important**&nbsp;&nbsp;The following tables list additional qualifications for improved security. You can use Windows Defender Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting these additional qualifications to significantly strengthen the level of security that Windows Defender Device Guard can provide.
+
+## Additional qualifications for improved security
+
+The following tables describe additional hardware and firmware qualifications, and the improved security that is available when these qualifications are met.
+
+
+### Additional security qualifications starting with Windows 10, version 1507, and Windows Server 2016, Technical Preview 4
+
+| Protections for Improved Security       | Description                                        | Security benefits |
+|---------------------------------------------|----------------------------------------------------|------|
+| Firmware: **Securing Boot Configuration and Management** | • BIOS password or stronger authentication must be supported.<br>• In the BIOS configuration, BIOS authentication must be set.<br>• There must be support for protected BIOS option to configure list of permitted boot devices (for example, “Boot only from internal hard drive”) and boot device order, overriding BOOTORDER modification made by operating system.<br>• In the BIOS configuration, BIOS options related to security and boot options (list of permitted boot devices, boot order) must be secured to prevent other operating systems from starting and to prevent changes to the BIOS settings. | • BIOS password or stronger authentication helps ensure that only authenticated Platform BIOS administrators can change BIOS settings. This helps protect against a physically present user with BIOS access.<br>• Boot order when locked provides protection against the computer being booted into WinRE or another operating system on bootable media. |
+
+<br>
+
+### Additional security qualifications starting with Windows 10, version 1607, and Windows Server 2016
+
+
+| Protections for Improved Security        | Description                                        | Security benefits |
+|---------------------------------------------|----------------------------------------------------|-----|
+| Firmware: **Hardware Rooted Trust Platform Secure Boot** | • Boot Integrity (Platform Secure Boot) must be supported. See the Windows Hardware Compatibility Program requirements under [System.Fundamentals.Firmware.CS.UEFISecureBoot.ConnectedStandby](https://docs.microsoft.com/windows-hardware/design/compatibility/systems#systemfundamentalsfirmwarecsuefisecurebootconnectedstandby)<br>• The Hardware Security Test Interface (HSTI) 1.1.a must be implemented. See [Hardware Security Testability Specification](https://docs.microsoft.com/windows-hardware/test/hlk/testref/hardware-security-testability-specification). | • Boot Integrity (Platform Secure Boot) from Power-On provides protections against physically present attackers, and defense-in-depth against malware.<br>• HSTI 1.1.a provides additional security assurance for correctly secured silicon and platform. |
+| Firmware: **Firmware Update through Windows Update** | Firmware must support field updates through Windows Update and UEFI encapsulation update. | Helps ensure that firmware updates are fast, secure, and reliable. |
+| Firmware: **Securing Boot Configuration and Management** | • Required BIOS capabilities: Ability of OEM to add ISV, OEM, or Enterprise Certificate in Secure Boot DB at manufacturing time.<br>• Required configurations: Microsoft UEFI CA must be removed from Secure Boot DB. Support for 3rd-party UEFI modules is permitted but should leverage ISV-provided certificates or OEM certificate for the specific UEFI software.| • Enterprises can choose to allow proprietary EFI drivers/applications to run.<br>• Removing Microsoft UEFI CA from Secure Boot DB provides full control to enterprises over software that runs before the operating system boots. |
+
+<br>
+
+### Additional security qualifications starting with Windows 10, version 1703 
+
+
+| Protections for Improved Security          | Description                                        | Security benefits |
+|---------------------------------------------|----------------------------------------------------|------|
+| Firmware: **VBS enablement of NX protection for UEFI runtime services** | • VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be exceutable.<br>• UEFI runtime service must meet these requirements: <br>&nbsp;&nbsp;&nbsp;&nbsp;• Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table. <br>&nbsp;&nbsp;&nbsp;&nbsp;• PE sections need to be page-aligned in memory (not required for in non-volitile storage).<br>&nbsp;&nbsp;&nbsp;&nbsp;• The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:<br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;• All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both <br>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;• No entries may be left with neither of the above attributes, indicating memory that is both exceutable and writable. Memory must be either readable and executable or writeable and non-executable. <br><blockquote><p><strong>Notes:</strong><br>• This only applies to UEFI runtime service memory, and not UEFI boot service memory. <br>• This protection is applied by VBS on OS page tables.</p></blockquote><br> Please also note the following: <br>• Do not use sections that are both writeable and exceutable<br>• Do not attempt to directly modify executable system memory<br>• Do not use dynamic code  | • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)<br>• Reduces the attack surface to VBS from system firmware.   |
+| Firmware: **Firmware support for SMM protection** | The [Windows SMM Security Mitigations Table (WSMT) specification](http://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.| • Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)<br>• Reduces the attack surface to VBS from system firmware.<br>• Blocks additional security attacks against SMM.  |
+
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md
index 17d4105837..32d8680ec1 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md
@@ -18,7 +18,7 @@ ms.date: 12/12/2017
 
 **Applies to:**
 
-- Windows 10, version 1709
+- Windows 10 Enterprise edition, version 1709 or higher
 
 **Audience**
 
@@ -45,7 +45,7 @@ There are four steps to troubleshooting these problems:
 Attack surface reduction (ASR) will only work on devices with the following conditions:
 
 >[!div class="checklist"]
-> - Endpoints are running Windows 10, version 1709 (also known as the Fall Creators Update).
+> - Endpoints are running Windows 10 Enterprise edition, version 1709 (also known as the Fall Creators Update).
 > - Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
 > - [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) is enabled.
 > - Audit mode is not enabled. Use Group Policy to set the rule to **Disabled** (value: **0**) as described in the [Enable ASR topic](enable-attack-surface-reduction.md#use-group-policy-to-enable-or-audit-attack-surface-reduction-rules).
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md
index bb99de7665..2cbe2f1f1e 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-np.md
@@ -18,7 +18,7 @@ ms.date: 12/12/2017
 
 **Applies to:**
 
-- Windows 10, version 1709
+- Windows 10 Enterprise edition, version 1709 or higher
 
 **Audience**
 
@@ -45,7 +45,7 @@ There are four steps to troubleshooting these problems:
 Windows Defender Exploit Guard will only work on devices with the following conditions:
 
 >[!div class="checklist"]
-> - Endpoints are running Windows 10, version 1709 (also known as the Fall Creators Update).
+> - Endpoints are running Windows 10 Enterprise edition, version 1709 or higher (also known as the Fall Creators Update).
 > - Endpoints are using Windows Defender Antivirus as the sole antivirus protection app. [Using any other antivirus app will cause Windows Defender AV to disable itself](../windows-defender-antivirus/windows-defender-antivirus-compatibility.md).
 > - [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) is enabled.
 > - [Cloud-delivered protection](../windows-defender-antivirus/enable-cloud-protection-windows-defender-antivirus.md) is enabled.
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md
index d75309c31b..08cc20ad7b 100644
--- a/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md
@@ -61,17 +61,28 @@ You can use the Windows Defender ATP console to obtain detailed reporting into e
 
 Each of the features in Windows Defender EG have slightly different requirements:
 
-Feature | [Windows Defender Antivirus](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md) | [Windows Defender Advanced Threat Protection license](../windows-defender-atp/minimum-requirements-windows-defender-advanced-threat-protection.md) 
--|-|-|-
-Exploit protection | No requirement | Required for reporting in the Windows Defender ATP console
-Attack surface reduction | [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) must be enabled | Required for reporting in the Windows Defender ATP console
-Network protection | [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) must be enabled | Required for reporting in the Windows Defender ATP console
-Controlled folder access | [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) must be enabled | Required for reporting in the Windows Defender ATP console
+| Feature | Windows 10 Home | Windows 10 Professional | Windows 10 E3 | Windows 10 E5 |
+| ----------------- | :------------------------------------: | :---------------------------: | :-------------------------: | :--------------------------------------: |
+| Exploit protection | ![supported](./images/ball_50.png) | ![supported](./images/ball_50.png) | ![supported, enhanced](./images/ball_75.png) | ![supported, full reporting](./images/ball_full.png) |
+| Attack surface reduction | ![not supported](./images/ball_empty.png) | ![not supported](./images/ball_empty.png) | ![not supported](./images/ball_empty.png) | ![supported, full reporting](./images/ball_full.png) |
+| Network protection | ![not supported](./images/ball_empty.png) | ![not supported](./images/ball_empty.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) |
+| Controlled folder access | ![supported, limited reporting](./images/ball_50.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, limited reporting](./images/ball_50.png) | ![supported, full reporting](./images/ball_full.png) |
+
+> [!NOTE]
+> ![supported, enhanced](./images/ball_75.png) Exploit Protection - On Windows 10 E3, includes advanced exploit protection for the kernel mode via [HVCI] (https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-virtualization-based-protection-of-code-integrity).
+> ![supported, full reporting](./images/ball_full.png) On Windows 10 E5, includes automated reporting into the Windows Defender ATP console.
+
+
+| Feature | [Windows Defender Antivirus](../windows-defender-antivirus/windows-defender-antivirus-in-windows-10.md)
+|-----------------| ------------------------------------ |
+| Exploit protection | No requirement |
+| Attack surface reduction | [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) must be enabled |
+| Network protection | [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) must be enabled |
+| Controlled folder access | [Real-time protection](../windows-defender-antivirus/configure-real-time-protection-windows-defender-antivirus.md) must be enabled |
 
 > [!NOTE]
 > Each feature's requirements are further described in the individual topics in this library.
 
-
  ## In this library
 
 Topic | Description 
diff --git a/windows/security/threat-protection/windows-defender-security-center/TOC.md b/windows/security/threat-protection/windows-defender-security-center/TOC.md
new file mode 100644
index 0000000000..1bb541cc85
--- /dev/null
+++ b/windows/security/threat-protection/windows-defender-security-center/TOC.md
@@ -0,0 +1,11 @@
+# [The Windows Defender Security Center app](windows-defender-security-center.md)
+
+
+## [Customize the Windows Defender Security Center app for your organization](wdsc-customize-contact-information.md)
+## [Hide Windows Defender Security Center app notifications](wdsc-hide-notifications.md)
+## [Virus and threat protection](wdsc-virus-threat-protection.md)
+## [Device performance and health](wdsc-device-performance-health.md)
+## [Firewall and network protection](wdsc-firewall-network-protection.md)
+## [App and browser control](wdsc-app-browser-control.md)
+## [Family options](wdsc-family-options.md)
+