Merge branch 'master' into Kellylorenebaker-patch-8

2025-05-12 13:27:23 +00:00 · 2020-02-21 20:28:57 -08:00 · 2020-02-21 20:28:57 -08:00 · 175d941dae
commit 175d941dae
parent 82a77fbbff 788af85fee
307 changed files with 3126 additions and 2316 deletions
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@ -1727,6 +1727,21 @@
 "redirect_document_id": true
 },
 {
 "source_path": "windows/security/threat-protection/windows-defender-atp/microsoft-defender-atp/overview-secure-score.md",
 "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configuration-score",
 "redirect_document_id": false
 },
 {
 "source_path": "windows/security/threat-protection/windows-defender-atp/microsoft-defender-atp/secure-score-dashboard.md",
 "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configuration-score",
 "redirect_document_id": false
 },
 {
 "source_path": "windows/security/threat-protection/windows-defender-atp/microsoft-defender-atp/enable-secure-score.md",
 "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/configuration-score",
 "redirect_document_id": false
 },
 {
 "source_path": "windows/security/threat-protection/windows-defender-atp/partner-applications.md",
 "redirect_url": "https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/partner-applications",
 "redirect_document_id": true
@ -15705,6 +15720,6 @@
 "source_path": "windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness.md",
 "redirect_url": "https://docs.microsoft.com/configmgr/desktop-analytics/overview",
 "redirect_document_id": false
-},
+}
 ]
 }
--- a/devices/hololens/TOC.md
+++ b/devices/hololens/TOC.md
@ -61,7 +61,9 @@
 ## [Troubleshoot HoloLens](hololens-troubleshooting.md)
 ## [Known issues](hololens-known-issues.md)
 ## [Frequently asked questions](hololens-faq.md)
 ## [Frequently asked security questions](hololens-faq-security.md)
 ## [Hololens services status](hololens-status.md)
 ## [SCEP Whitepaper](scep-whitepaper.md)
 # [Release Notes](hololens-release-notes.md)
 # [Give us feedback](hololens-feedback.md)
--- a/devices/hololens/hololens-FAQ.md
+++ b/devices/hololens/hololens-FAQ.md
@ -43,8 +43,10 @@ This FAQ addresses the following questions and issues:
 - [I'm having problems with the HoloLens clicker](#im-having-problems-with-the-hololens-clicker)
 - [I can't connect to Wi-Fi](#i-cant-connect-to-wi-fi)
 - [My HoloLens isn't running well, is unresponsive, or won't start](#my-hololens-isnt-running-well-is-unresponsive-or-wont-start)
 - [HoloLens Management Questions](#hololens-management-questions)
 - [How do I delete all spaces?](#how-do-i-delete-all-spaces)
 - [I cannot find or use the keyboard to type in the HoloLens 2 Emulator](#i-cannot-find-or-use-the-keyboard-to-type-in-the-hololens-2-emulator)
 - [I can't log in to a HoloLens because it was previously set up for someone else](#i-cant-log-in-to-a-hololens-because-it-was-previously-set-up-for-someone-else)
 ## My holograms don't look right or are moving around
@ -204,6 +206,30 @@ If your device isn't performing properly, see [Restart, reset, or recover HoloLe
 [Back to list](#list)
 ## I can't log in to a HoloLens because it was previously set up for someone else
 If your device was previously set up for someone else, either a client or former employee and you don't have their password to unlock the device there are two solutions.
 - If your device is MDM managed by Intune then you can remotely [Wipe](https://docs.microsoft.com/intune/remote-actions/devices-wipe) the device and it'll reflash itself. Make sure to leave **Retain enrollment state and user account** unchecked.
 - If you have the device with you then you can put the device into **Flashing Mode** and use Advanced Recovery Companion to [recover](https://docs.microsoft.com/hololens/hololens-recovery) the device.
 [Back to list](#list)
 ## HoloLens Management Questions
 1. **Can I use SCCM to manage the HoloLens?**
    1. No. An MDM must be used to manage the HoloLens
 1. **Can I use Active Directory to manage HoloLens user accounts?**
    1. No, Azure AD must be used to manage user accounts.
 1. **Is the HoloLens capable of ADCS auto enrollment?**
    1. No
 1. **Can the HoloLens participate in WNA/IWA?**
    1. No
 1. **Does the HoloLens support branding?**
    1. No. However, one work around is to create a custom app and enable Kiosk mode. The custom app can have branding which can then launch other apps (such as Remote Assist). Another option is to change all of the users profile pictures in AAD to your company logo. (However, this may not be desirable for all scenarios)
 1. **What logging capabilities are available on HL1 and HL2?**
    1. Logging is limited to traces captured in developer/troubleshooting scenarios or telemetry sent to Microsoft servers.
 ## How do I delete all spaces?
 *Coming soon*
@ -215,3 +241,4 @@ If your device isn't performing properly, see [Restart, reset, or recover HoloLe
 *Coming soon*
 [Back to list](#list)
--- a/devices/hololens/hololens-commercial-infrastructure.md
+++ b/devices/hololens/hololens-commercial-infrastructure.md
@ -10,104 +10,178 @@ ms.topic: article
 ms.localizationpriority: high
 ms.date: 1/23/2020
 ms.reviewer: 
 audience: ITPro
 manager: bradke
 appliesto:
 - HoloLens (1st gen)
 - HoloLens 2
 ---
-# Configure Your Network
+# Configure Your Network for HoloLens
 This portion of the document will require the following people:
-1.	Network Admin with permissions to make changes to the proxy/firewall
+
-2.	Azure Active Directory Admin
+1. Network Admin with permissions to make changes to the proxy/firewall
-3.	Mobile Device Manager Admin
+2. Azure Active Directory Admin
-4.	Teams admin for Remote Assist only
+3. Mobile Device Manager Admin
 ## Infrastructure Requirements
 HoloLens is, at its core, a Windows mobile device integrated with Azure.  It works best in commercial environments with wireless network availability (wi-fi) and access to Microsoft services.
 Critical cloud services include:
 - Azure active directory (AAD)
 - Windows Update (WU)
 Commercial customers will need enterprise mobility management (EMM) or mobile device management (MDM) infrastructure to manage HoloLens devices at scale.  This guide uses [Microsoft Intune](https://www.microsoft.com/enterprise-mobility-security/microsoft-intune) as an example, though any provider with full support for Microsoft Policy can support HoloLens.  Ask your mobile device management provider if they support HoloLens 2.
 HoloLens does support a limited set of cloud disconnected experiences.
 ### Wireless network EAP support
 - PEAP-MS-CHAPv2
 - PEAP-TLS
 - TLS
 - TTLS-CHAP
 - TTLS-CHAPv2
 - TTLS-MS-CHAPv2
 - TTLS-PAP
 - TTLS-TLS
 ### HoloLens Specific Network Requirements
-Make sure that these ports and URLs are allowed on your network firewall. This will enable HoloLens to function properly. The latest list can be found [here](hololens-offline.md).
+
 Make sure that [this list](hololens-offline.md) of endpoints are allowed on your network firewall. This will enable HoloLens to function properly.
 ### Remote Assist Specific Network Requirements
-1.	The recommended bandwidth for optimal performance of Remote Assist is 1.5Mbps. Detailed network requirements and additional information can be found [here](https://docs.microsoft.com/MicrosoftTeams/prepare-network).
+1. The recommended bandwidth for optimal performance of Remote Assist is 1.5Mbps. Detailed network requirements and additional information can be found [here](https://docs.microsoft.com/MicrosoftTeams/prepare-network).
-**Please note, if you don’t network have network speeds of at least 1.5Mbps, Remote Assist will still work. However, quality may suffer.**
+**(Please note, if you don’t network have network speeds of at least 1.5Mbps, Remote Assist will still work. However, quality may suffer).**
 1. Make sure that these ports and URLs are allowed on your network firewall. This will enable Microsoft Teams to function. The latest list can be found [here](https://docs.microsoft.com/office365/enterprise/urls-and-ip-address-ranges#skype-for-business-online-and-microsoft-teams).
 ### Guides Specific Network Requirements
 Guides only require network access to download and use the app.
 ## Azure Active Directory Guidance
 This step is only necessary if your company plans on managing the HoloLens and mixed reality apps.
-### 1. Ensure that you have an Azure AD License. 
+>[!NOTE]
-Please [HoloLens Licenses Requirements](hololens-licenses-requirements.md)for additional information.
+>This step is only necessary if your company plans on managing the HoloLens.
-### 2. Ensure that your company’s users are in Azure Active Directory (Azure AD).
+1. Ensure that you have an Azure AD License.
 Please [HoloLens Licenses Requirements](hololens-licenses-requirements.md) for additional information.
 1. If you plan on using Auto Enrollment, you will have to [Configure Azure AD enrollment.](https://docs.microsoft.com/intune/deploy-use/.set-up-windows-device-management-with-microsoft-intune#azure-active-directory-enrollment)
 1. Ensure that your company’s users are in Azure Active Directory (Azure AD).
 Instructions for adding users can be found [here](https://docs.microsoft.com/azure/active-directory/fundamentals/add-users-azure-active-directory).
-### 3. We suggest that users who will be need similar licenses are added to a group.
+1. We suggest that users who need similar licenses are added to the same group.
-1. [Create a Group](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal) 
+    1. [Create a Group](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-create-azure-portal)
    1. [Add users to groups](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-members-azure-portal)
-2. [Add users to groups](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-groups-members-azure-portal)
+1. Ensure that your company’s users (or group of users) are assigned the necessary licenses.
 ### 4. Ensure that your company’s users (or group of users) are assigned the necessary licenses. 
 Directions for assigning licenses can be found [here](https://docs.microsoft.com/azure/active-directory/fundamentals/license-users-groups).
-### 5. **IMPORTANT:** Only do this step if users are expected to enroll their HoloLens/Mobile device onto the network. 
+1. Only do this step if users are expected to enroll their HoloLens/Mobile device into you (There are three options)
 These steps ensure that your company’s users (or a group of users) can add devices.
-1. Option 1: Give all users permission to join devices to Azure AD.
+    1. **Option 1:** Give all users permission to join devices to Azure AD.
 **Sign in to the Azure portal as an administrator** > **Azure Active Directory** > **Devices** > **Device Settings** >
 **Set Users may join devices to Azure AD to *All***
-1.	Option 2: Give selected users/groups permission to join devices to Azure AD
+    1. **Option 2:** Give selected users/groups permission to join devices to Azure AD
 **Sign in to the Azure portal as an administrator** > **Azure Active Directory** > **Devices** > **Device Settings** >
 **Set Users may join devices to Azure AD to *Selected***
 ![Image that shows Configuration of Azure AD Joined Devices](images/azure-ad-image.png)
-1.	Option 3: You can block all users from joining their devices to the domain. This means that all devices will need to be manually enrolled by your IT department. 
+    1. **Option 3:** You can block all users from joining their devices to the domain. This means that all devices will need to be manually enrolled.
-## Mobile Device Manager Admin Steps
+## Mobile Device Manager Guidance
-### Scenario 1: Kiosk Mode
+### Ongoing device management
 As a note, auto-launching an app does not currently work for HoloLens.
-How to Set Up Kiosk Mode Using Microsoft Intune.
+>[!NOTE]
-#### 1. Sync Microsoft Store to Intune ([Here](https://docs.microsoft.com/intune/apps/windows-store-for-business))
+>This step is only necessary if your company plans to manage the HoloLens.
 Ongoing device management will depend on your mobile device management infrastructure.  Most have the same general functionality but the user interface may vary widely.
-#### 2.	Check your app settings
+1. [CSPs (Configuration Service Providers)](https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference#csps-supported-in-hololens-devices) allows you to create and deploy management settings for the devices on your network. A list of CSPs for HoloLens can be found [here](https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference#csps-supported-in-hololens-devices).
-1. Log into your Microsoft Store Business account
+1. [Compliance policies](https://docs.microsoft.com/intune/device-compliance-get-started) are rules and settings that devices must meet to be compliant in your corporate infrastructure. Use these policies with Conditional Access to block access to company resources for devices that are non-compliant. For example, you can create a policy that requires Bitlocker be enabled.
 1. **Manage** > **Products and Services** > **Apps and Software** > **Select the app you want to sync** > **Private Store Availability** > **Select “Everyone” or “Specific Groups”**
 1.	If you do not see your apps in **Intune** > **Client Apps** > **Apps** , you may have to [sync your apps](https://docs.microsoft.com/intune/apps/windows-store-for-business#synchronize-apps) again.
-#### 3.	Configuring Kiosk Mode using MDM
+1. [Create Compliance Policy](https://docs.microsoft.com/intune/protect/compliance-policy-create-windows).
-Information on configuring Kiosk Mode in Intune can be found [here](https://docs.microsoft.com/hololens/hololens-kiosk#set-up-kiosk-mode-using-microsoft-intune-or-mdm-windows-10-version-1803)
+1. Conditional Access allows/denies mobile devices and mobile applications from accessing company resources. Two documents you may find helpful are [Plan your CA Deployment](https://docs.microsoft.com/azure/active-directory/conditional-access/plan-conditional-access) and [Best Practices](https://docs.microsoft.com/azure/active-directory/conditional-access/best-practices).
- >[!NOTE]
+1. [This article](https://docs.microsoft.com/intune/fundamentals/windows-holographic-for-business) talks about Intune's management tools for HoloLens.
    >You can configure different users to have different Kiosk Mode experiences by using “Azure AD” as the “User logon type”. However, this option is only available in Multi-App kiosk mode. Multi-App kiosk mode will work with only one app as well as multiple apps.
-![Image that shows Configuration of Kiosk Mode in Intune](images/aad-kioskmode.png)
+1. [Create a device profile](https://docs.microsoft.com/intune/configuration/device-profile-create)
-If you are configuring Kiosk Mode on an MDM other than Intune, please check your MDM provider's documentation.
+### Manage updates
-## Additional Intune Quick Links
+Intune includes a feature called Update rings for Windows 10 devices, including HoloLens 2 and HoloLens v1 (with Holographic for Business). Update rings include a group of settings that determine how and when updates are installed.
-1.	[Create Profiles:](https://docs.microsoft.com/intune/configuration/device-profile-create) Profiles allow you to add and configure settings that will be pushed to the devices in your organization.
+For example, you can create a maintenance window to install updates, or choose to restart after updates are installed.  You can also choose to pause updates indefinitely until you're ready to update.
-1. [CSPs (Configuration Service Providers)](https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference#csps-supported-in-hololens-devices) allows you to create and deploy management settings for the devices on your network. Some CSPs are supported by HoloLens devices. (See the list of CSPs for HoloLens [here](https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference#csps-supported-in-hololens-devices).
+Read more about [configuring update rings with Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure).
-1.	[Create Compliance Policy](https://docs.microsoft.com/intune/protect/create-compliance-policy)
+### Application management
-1.	 Conditional Access allows/denies mobile devices and mobile applications from accessing company resources. Two documents you may find helpful are [Plan your CA Deployment](https://docs.microsoft.com/azure/active-directory/conditional-access/plan-conditional-access) and [Best Practices](https://docs.microsoft.com/azure/active-directory/conditional-access/best-practices).
+Manage HoloLens applications through:
-## Certificates and Authentication
+1. Microsoft Store  
-### MDM Certificate Distribution
+  The Microsoft Store is the best way to distribute and consume applications on HoloLens.  There is a great set of core HoloLens applications already available in the store or you can [publish your own](https://docs.microsoft.com/windows/uwp/publish/).  
-If your company requires certificates, Intune supports PKCS, PFX, and SCEP. It is important to understand which certificate is right for your company. Please visit [here](https://docs.microsoft.com/intune/protect/certificates-configure) to determine which cert is best for you. If you plan to use certs for HoloLens Authentication, PFX or SCEP may be right for you.
+  All applications in the store are available publicly to everyone, but if it isn't acceptable, checkout the Microsoft Store for Business.  
 1. [Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/)  
  Microsoft Store for Business and Education is a custom store for your corporate environment.  It lets you use the Microsoft Store built into Windows 10 and HoloLens to find, acquire, distribute, and manage apps for your organization.  It also lets you deploy apps that are specific to your commercial environment but not to the world.
 1. Application deployment and management via Intune or another mobile device management solution  
  Most mobile device management solutions, including Intune, provide a way to deploy line of business applications directly to a set of enrolled devices.  See this article for [Intune app install](https://docs.microsoft.com/intune/apps-deploy).
 1. _not recommended_ Device Portal  
  Applications can also be installed on HoloLens directly using the Windows Device Portal.  This isn't recommended since Developer Mode has to be enabled to use the device portal.
 Read more about [installing apps on HoloLens](https://docs.microsoft.com/hololens/hololens-install-apps).
 ### Certificates
 You can distribute certificates through your MDM provider. If your company requires certificates, Intune supports PKCS, PFX, and SCEP. It is important to understand which certificate is right for your company. Please visit [here](https://docs.microsoft.com/intune/protect/certificates-configure) to determine which cert is best for you. If you plan to use certificates for HoloLens Authentication, PFX or SCEP may be right for you.
 Steps for SCEP can be found [here](https://docs.microsoft.com/intune/protect/certificates-profile-scep).
-### Device Certificates
+### How to Upgrade to Holographics for Business Commercial Suite
-Certificates can also be added to the HoloLens through package provisioning. Please see [HoloLens Provisioning](hololens-provisioning.md) for additional information.
+
 >[!NOTE]
 >Windows Holographics for Business (commercial suite) is only intended for HoloLens 1st gen devices. The profile will not be applied to HoloLens 2 devices.
 Directions for upgrading to the commercial suite can be found [here](https://docs.microsoft.com/intune/configuration/holographic-upgrade).
 ### How to Configure Kiosk Mode Using Microsoft Intune
 1. Sync Microsoft Store to Intune ([Here](https://docs.microsoft.com/intune/apps/windows-store-for-business)).
 1. Check your app settings
    1. Log into your Microsoft Store Business account
    1. **Manage > Products and Services > Apps and Software > Select the app you want to sync > Private Store Availability > Select “Everyone” or “Specific Groups”**
    1. If you do not see your apps in **Intune > Client Apps > Apps** , you may have to [sync your apps](https://docs.microsoft.com/intune/apps/windows-store-for-business#synchronize-apps) again.
 1. [Create a device profile for Kiosk mode](https://docs.microsoft.com/intune/configuration/kiosk-settings#create-the-profile)
 > [!NOTE]
 > You can configure different users to have different Kiosk Mode experiences by using “Azure AD” as the “User logon type”. However, this option is only available in Multi-App kiosk mode. Multi-App kiosk mode will work with only one app as well as multiple apps.
 ![Image that shows Configuration of Kiosk Mode in Intune](images/aad-kioskmode.png)
 For other MDM services, check your provider's documentation for instructions. If you need to use a custom setting and full XML configuration to set up a kiosk in your MDM service, additional directions can be found [here](hololens-kiosk.md#set-up-kiosk-mode-using-microsoft-intune-or-mdm-windows-10-version-1803)
 ## Certificates and Authentication
 Certificates can be deployed via you MDM (see "certificates" in the [MDM Section](hololens-commercial-infrastructure.md#mobile-device-manager-guidance)). Certificates can also be deployed to the HoloLens through package provisioning. Please see [HoloLens Provisioning](hololens-provisioning.md) for additional information.
 ### Additional Intune Quick Links
 1. [Create Profiles:](https://docs.microsoft.com/intune/configuration/device-profile-create) Profiles allow you to add and configure settings that will be pushed to the devices in your organization.
 ## Next (Optional) Step: [Configure HoloLens using a provisioning package](hololens-provisioning.md)
 ## Next Step: [Enroll your device](hololens-enroll-mdm.md)
--- a/devices/hololens/hololens-faq-security.md
+++ b/devices/hololens/hololens-faq-security.md
@ -0,0 +1,126 @@
 ---
 title: Frequently Asked Security Questions
 description: security questions frequently asked about the hololens
 ms.assetid: bd55ecd1-697a-4b09-8274-48d1499fcb0b
 author: pawinfie
 ms.author: pawinfie
 ms.date: 02/19/2020
 keywords: hololens, Windows Mixed Reality, security
 ms.prod: hololens
 ms.sitesec: library
 ms.topic: article
 audience: ITPro
 ms.localizationpriority: high
 manager: bradke
 appliesto:
 - HoloLens 1 (1st gen)
 - HoloLens 2
 ---
 # Frequently Asked Security Questions
 ## HoloLens 1st Gen Security Questions
 1. **What type of wireless is used?**
    1. 802.11ac and Bluetooth 4.1 LE
 1. **What type of architecture is incorporated?  For example: point to point, mesh or something else?**
    1. Wi-Fi can be used in infrastructure mode to communicate with other wireless access points.
    1. Bluetooth can be used to talk peer to peer between multiple HoloLens if the customers application supports it or to other Bluetooth devices.
 1. **What is FCC ID?**
    1. C3K1688
 1. **What frequency range and channels does the device operate on and is it configurable?**
    1. Wi-Fi: The frequency range is not user configurable and depends on the country of use. In the US Wi-Fi uses both 2.4 GHz (1-11) channels and 5 GHz (36-64, 100-165) channels.
    1. Bluetooth: Bluetooth uses the standard 2.4-2.48 GHz range.
 1. **Can the device blacklist or white list specific frequencies?**
    1. This is not controllable by the user/device
 1. **What is the power level for both transmit and receive? Is it adjustable? What is the range of operation?**
    1. Our emissions testing standards can be found [here](https://fccid.io/C3K1688). Range of operation is highly dependent on the access point and environment - but is roughly equivalent to other high-quality phones, tablets, or PCs.
 1. **What is the duty cycle/lifetime for normal operation?**
    1. 2-3hrs of active use and up to 2 weeks of standby time
    1. Battery lifetime is unavailable.
 1. **What is transmit and receive behavior when a tool is not in range?**
    1. HoloLens transmit/receive follows the standard Wi-Fi/Bluetooth pattern. At the edge of its range, you'll probably notice input getting choppy until it fully disconnects, but after you get back in range it should quickly reconnect.
 1. **What is deployment density per square foot?**
    1. This is dependent on your network infrastructure.
 1. **Can device use the infrastructure as a client?**
    1. Yes
 1. **What protocol is used?**
    1. HoloLens does not use any proprietary protocols
 1. **OS update frequency – What is the frequency of OS updates for the HL?  Is there a set schedule?  Does Microsoft release security patches as needed, etc.**
    1. Microsoft does provide OS updates to HoloLens exactly the same way it is done for Windows 10. There are normally two major updates per year, one in spring, one in fall. As HoloLens is a Windows device, the update concept is the same as with any other Windows device. Microsoft releases Security patches as needed and follows the same concept as done on any other Windows device.
 1. **OS hardening – What options are there to harden the OS?  Can we remove or shutdown unnecessary apps or services?**
    1. HoloLens behaves like a smartphone. It is comparable to other modern Windows devices. HoloLens can be managed by either Microsoft Intune or other Modern Device Management Solutions, like MobileIron, Airwatch, or Soti. There are Policies you can set in these Management Systems to put Security policies on the device and in order to harden the device. There is also the option in deleting any unnecessary applications if wanted.
 1. **How will software applications be managed and updated? What control do we have to define what apps are loaded and app update process for apps that are living in the Microsoft store?**
    1. HoloLens gets software applications only through the Windows store. Only Appx Application Packages can be installed, which are developed for the Use of HoloLens. You can see this in the Microsoft Store with a little logo next to the application which shows the HoloLens device. Any control that you have over the management of Store applications also applies to HoloLens. You can use the concept of the official store or the store for business. Apps can either be side-loaded (manual process to load an app on a Windows device) or can be managed through an MDM so that apps are automatically pulled from the store when needed.
 1. **What is the frequency of updates to apps in the store for HoloLens?**
    1. As we follow the same concept of the Microsoft Store and pull apps from there, the update cycle is determined by the developer of the Application. All management options that you have to control the update mechanism in the store apply to HoloLens as well.
 1. **Is there a secure boot capability for the HoloLens?**
    1. Yes
 1. **Is there an ability to disable or disconnect peripheral support from the device?**
    1. Yes
 1. **Is there an ability to control or disable the use of ports on the device?**
    1. The HoloLens only contains 2 ports (one for headphones and one for charging or connecting to PCs). There is not ability to disable the port due to functionality and recovery reasons.
 1. **Antivirus, end point detection, IPS, app control whitelist – Any ability to run antivirus, end point detection, IPS, app control whitelist, etc.**
    1. Windows Holographic for Business (commercial suite) does support Windows Defender Smart Screen. If an antivirus company were to create and publish their app to the Universal Windows Platform, it could be downloaded on HoloLens. At present, no companies have done this for HoloLens.
    1. Whitelisting apps is possible by using the Microsoft Enterprise Store, where you can choose only what specific apps can be downloaded. Also, through MDM you can lock what specific apps can be run or even seen on the device.
 1. **Can we quarantine the device from prod network until we update the device if it has been offline for an extended period of time?  Ex. Device has been sitting in a drawer not powered up for a period (6 months) and has not received any updates, patches, etc.  When it tries to come on the network can we flag it and say you must update on another network prior to being complaint to join the network.**
    1. This is something that can be managed on the infrastructure level by either an MDM or an on-prem server. The device can be flagged as not compliant if it does not meet a specified Update version.
 1. **Does Microsoft include any back doors or access to services that allows Microsoft to connect to the device for screen sharing or remote support at will?**
    1. No
 1. **When a PKI cert is being generated for trusted communication, we want the cert to be generated on the device so that we know it’s only on that device, unique to that device, and can’t be exported or used to impersonate the device. Is this true on HoloLens? If not is there a potential mitigation?**
    1. CSR for SCEP is generated on the device itself. Intune and the on premise SCEP connector help secure the requests themselves by adding and verifying a challenge string that’s sent to the client.
    1. Since HoloLens (1st Gen and 2nd Gen) have a TPM module, these certs would be stored in the TPM module, and are unable to be extracted. Additionally, even if it could be extracted, the challenge strings couldn’t be verified on a different device, rendering the certs/key unusable on different devices.
 1. **SCEP is vulnerable. How does Microsoft mitigate the known vulnerabilities of SCEP?**
    1. This [SCEP Whitepaper](scep-whitepaper.md) addresses how Microsoft mitigates SCEP vulnerabilities.
 ## HoloLens 2nd Gen Security Questions
 1. **What type of wireless is used?**
    1. 802.11ac and Bluetooth 5.0
 1. **What type of architecture is incorporated?  For example: point to point, mesh or something else?**
    1. Wi-Fi can be used in infrastructure mode to communicate with other wireless access points.
    1. Bluetooth can be used to talk peer to peer between multiple HoloLens if the customers application supports it or to other Bluetooth devices.
 1. **What is FCC ID?**
    1. C3K1855
 1. **What frequency range and channels does the device operate on and is it configurable?**
    1. Wi-Fi: The frequency range is not user configurable and depends on the country of use. In the US Wi-Fi uses both 2.4 GHz (1-11) channels and 5 GHz (36-64, 100-165) channels.
 1. **Can the device blacklist or white list specific frequencies?**
    1. This is not controllable by the user/device
 1. **What is the power level for both transmit and receive? Is it adjustable? What is the range of operation?**
    1. Wireless power levels depend on the channel of operation. Devices are calibrated to perform at the highest power levels allowed based on the region’s regulatory rules.
 1. **What is the duty cycle/lifetime for normal operation?**
    1. *Currently unavailable.*
 1. **What is transmit and receive behavior when a tool is not in range?**
    1. HoloLens transmit/receive follows the standard Wi-Fi/Bluetooth pattern. At the edge of its range, you'll probably notice input getting choppy until it fully disconnects, but after you get back in range it should quickly reconnect.
 1. **What is deployment density per square foot?**
    1. This is dependent on your network infrastructure.
 1. **Can device use the infrastructure as a client?**
    1. Yes
 1. **What protocol is used?**
    1. HoloLens does not use any proprietary protocols
 1. **OS update frequency – What is the frequency of OS updates for the HL?  Is there a set schedule?  Does Microsoft release security patches as needed, etc.**
    1. Microsoft does provide OS updates to HoloLens exactly the same way it is done for Windows 10. There are normally two major updates per year, one in spring, one in fall. As HoloLens is a Windows device, the update concept is the same as with any other Windows device. Microsoft releases Security patches as needed and follows the same concept as done on any other Windows device.
 1. **OS hardening – What options are there to harden the OS?  Can we remove or shutdown unnecessary apps or services?**
    1. HoloLens behaves like a smartphone. It is comparable to other modern Windows devices. HoloLens can be managed by either Microsoft Intune or other Modern Device Management Solutions, like MobileIron, Airwatch, or Soti. There are Policies you can set in these Management Systems to put Security policies on the device and in order to harden the device. There is also the option in deleting any unnecessary applications if wanted.
 1. **How will software applications be managed and updated? What control do we have to define what apps are loaded and app update process for apps that are living in the Microsoft store?**
    1. HoloLens gets software applications only through the Windows store. Only Appx Application Packages can be installed, which are developed for the Use of HoloLens. You can see this in the Microsoft Store with a little logo next to the application which shows the HoloLens device. Any control that you have over the management of Store applications also applies to HoloLens. You can use the concept of the official store or the store for business. Apps can either be side-loaded (manual process to load an app on a Windows device) or can be managed through an MDM so that apps are automatically pulled from the store when needed.
 1. **What is the frequency of updates to apps in the store for HoloLens?**
    1. As we follow the same concept of the Microsoft Store and pull apps from there, the update cycle is determined by the developer of the Application. All management options that you have to control the update mechanism in the store apply to HoloLens as well.
 1. **Is there a secure boot capability for the HoloLens?**
    1. Yes
 1. **Is there an ability to disable or disconnect peripheral support from the device?**
    1. Yes
 1. **Is there an ability to control or disable the use of ports on the device?**
    1. The HoloLens only contains 2 ports (one for headphones and one for charging or connecting to PCs). There is not ability to disable the port due to functionality and recovery reasons.
 1. **Antivirus, end point detection, IPS, app control whitelist – Any ability to run antivirus, end point detection, IPS, app control whitelist, etc.**
    1. HoloLens 2nd Gen supports Windows Defender Smart Screen. If an antivirus company were to create and publish their app to the Universal Windows Platform, it could be downloaded on HoloLens. At present, no companies have done this for HoloLens.
    1. Whitelisting apps is possible by using the Microsoft Enterprise Store, where you can choose only what specific apps can be downloaded. Also, through MDM you can lock what specific apps can be run or even seen on the device.
 1. **Can we quarantine the device from prod network until we update the device if it has been offline for an extended period of time?  Ex. Device has been sitting in a drawer not powered up for a period (6 months) and has not received any updates, patches, etc.  When it tries to come on the network can we flag it and say you must update on another network prior to being complaint to join the network.**
    1. This is something that can be managed on the infrastructure level by either an MDM or an on-prem server. The device can be flagged as not compliant if it does not meet a specified Update version.
 1. **Does Microsoft include any back doors or access to services that allows Microsoft to connect to the device for screen sharing or remote support at will?**
    1. No
 1. **When a PKI cert is being generated for trusted communication, we want the cert to be generated on the device so that we know it’s only on that device, unique to that device, and can’t be exported or used to impersonate the device. Is this true on HoloLens? If not is there a potential mitigation?**
    1. CSR for SCEP is generated on the device itself. Intune and the on premise SCEP connector help secure the requests themselves by adding and verifying a challenge string that’s sent to the client.
    1. Since HoloLens (1st Gen and 2nd Gen) have a TPM module, these certs would be stored in the TPM module, and are unable to be extracted. Additionally, even if it could be extracted, the challenge strings couldn’t be verified on a different device, rendering the certs/key unusable on different devices.
 1. **SCEP is vulnerable. How does Microsoft mitigate the known vulnerabilities of SCEP?**
    1. This [SCEP Whitepaper](scep-whitepaper.md) addresses how Microsoft mitigates SCEP vulnerabilities.
--- a/devices/hololens/hololens-insider.md
+++ b/devices/hololens/hololens-insider.md
@ -12,7 +12,6 @@ ms.date: 1/6/2020
 ms.reviewer: 
 manager: dansimp
 appliesto:
 - HoloLens (1st gen)
 - HoloLens 2
 ---
@ -22,7 +21,7 @@ Welcome to the latest Insider Preview builds for HoloLens!  It’s simple to get
 ## Start receiving Insider builds
-On a device running the Windows 10 April 2018 Update, go to **Settings** -> **Update & Security** -> **Windows Insider Program** and select **Get started**. Link the account you used to register as a Windows Insider.
+On a HoloLens 2 device go to **Settings** -> **Update & Security** -> **Windows Insider Program** and select **Get started**. Link the account you used to register as a Windows Insider.
 Then, select **Active development of Windows**, choose whether you’d like to receive **Fast** or **Slow** builds, and review the program terms.
@ -30,7 +29,7 @@ Select **Confirm -> Restart Now** to finish up. After your device has rebooted,
 ## Stop receiving Insider builds
-If you no longer want to receive Insider builds of Windows Holographic, you can opt out when your HoloLens is running a production build, or you can [recover your device](hololens-recovery.md) using the Windows Device Recovery Tool to recover your device to a non-Insider version of Windows Holographic.
+If you no longer want to receive Insider builds of Windows Holographic, you can opt out when your HoloLens is running a production build, or you can [recover your device](hololens-recovery.md) using the Advanced Recovery Companion to recover your device to a non-Insider version of Windows Holographic.
 To verify that your HoloLens is running a production build:
@ -52,3 +51,54 @@ Please use [the Feedback Hub app](hololens-feedback.md) on your HoloLens to prov
 ## Note for developers
 You are welcome and encouraged to try developing your applications using Insider builds of HoloLens.  Check out the [HoloLens Developer Documentation](https://developer.microsoft.com/windows/mixed-reality/development) to get started. Those same instructions work with Insider builds of HoloLens.  You can use the same builds of Unity and Visual Studio that you're already using for HoloLens development.
 ## Windows Insider Release Notes
 HoloLens 2 Windows Insider builds are full of new features and improvements.  Sign up for Windows Insider Fast or Slow flights to test them out!
 Here's a quick summary of what's new:
 - Support for FIDO2 Security Keys to enable secure and easy authentication for shared devices
 - Seamlessly apply a provisioning package from a USB drive to your HoloLens
 - Use a provisioning packages to enroll your HoloLens to your Mobile Device Management system
 - Use Windows AutoPilot to set up and pre-configure new devices, quickly getting them ready for productive use.  Send a note to hlappreview@microsoft.com to join the preview.
 - Dark Mode - many Windows apps support both dark and light modes, and now HoloLens customers can choose the default mode for apps that support both color schemes! Based on customer feedback, with this update we are setting the default app mode to "dark," but you can easily change this setting at any time. Navigate to Settings > System > Colors to find "Choose your default app mode."
 - Support for additional system voice commands
 - Hand Tracking improvements to reduce the tendency to close the index finger when pointing. This should make button pressing and 2D slate usage feel more accurate
 - Performance and stability improvements across the product
 - More information in settings on HoloLens about the policy pushed to the device
 Once you’ve had a chance to explore these new capabilities, use the Feedback Hub app to let us know what you think. Feedback you provide in the Feedback Hub goes directly to our engineers.
 ### FIDO 2 support
 Many of you share a HoloLens with lots of people in a work or school environment.  Whether devices are shared between students in a classroom or they're checked out from a device locker, it's important to be able to change users quickly and easily without typing long user names and passwords.  FIDO lets anyone in your organization (AAD tenant) seamlessly sign in to HoloLens without entering a username or password.
 Read the [passwordless security docs](https://docs.microsoft.com/azure/active-directory/authentication/howto-authentication-passwordless-security-key) to get started.
 ### Provisioning package updates
 Provisioning packages let you set HoloLens configuration through a config file rather than going through the HoloLens out of box experience.  Previously, provisioning packages had to be copied onto HoloLens' internal memory, now they can be on a USB drive so they're easier to re-use on multiple HoloLens and so more people can provision HoloLens in parallel.
 1. To try it out, download the latest version of the Windows Configuration Designer from the Windows store onto your PC.  
 1. Select **Provision HoloLens Devices** > Select **Provision HoloLens 2 devices**
 1. Build your configuration profile and, when you're done, copy all files created to a USB-C storage device.
 1. Plug it into any freshly flashed HoloLens and press **Volume down + Power** to apply your provisioning package.
 ### System voice commands
 You can now can access these commands with your voice:
 - "Restart device"
 - "Shutdown device"
 - "Brightness up"
 - "Brightness down"
 - "Volume up"
 - "Volume down"
 - "What is my IP address?"
 If you're running your system with a different language, please try the appropriate commands in that language.
 ### FFU download and flash directions
 To test with a flight signed ffu, you first have to flight unlock your device prior to flashing the flight signed ffu.
 1. On PC
    1. Download ffu to your PC from: [https://aka.ms/hololenspreviewdownload](https://aka.ms/hololenspreviewdownload)
    1. Install ARC (Advanced Recovery Companion) from the Microsoft Store: [https://www.microsoft.com/store/productId/9P74Z35SFRS8](https://www.microsoft.com/store/productId/9P74Z35SFRS8) 
 1. On HoloLens - Flight Unlock: Open **Settings** > **Update & Security** > **Windows Insider Program** then sign up, reboot device
 1. Flash FFU - Now you can flash the flight signed FFU using ARC 
--- a/devices/hololens/hololens-kiosk.md
+++ b/devices/hololens/hololens-kiosk.md
@ -14,8 +14,6 @@ manager: dansimp
 # Set up HoloLens in kiosk mode
 In Windows 10, version 1803, you can configure your HoloLens devices to run as multi-app or single-app kiosks. You can also configure guest access for a HoloLens kiosk device by [designating a SpecialGroup account in your XML file.](#add-guest-access-to-the-kiosk-configuration-optional)
 When HoloLens is configured as a multi-app kiosk, only the allowed apps are available to the user. The benefit of a multi-app kiosk, or fixed-purpose device, is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they don’t need to access.
@ -41,14 +39,14 @@ The [AssignedAccess Configuration Service Provider (CSP)](https://docs.microsoft
 For HoloLens devices running Windows 10, version 1803, there are three methods that you can use to configure the device as a kiosk:
 - You can use [Microsoft Intune or other mobile device management (MDM) service](#set-up-kiosk-mode-using-microsoft-intune-or-mdm-windows-10-version-1803) to configure single-app and multi-app kiosks.
- You can [use a provisioning package](#setup-kiosk-mode-using-a-provisioning-package-windows-10-version-1803) to configure single-app and multi-app kiosks.
+- You can [use a provisioning package](#set-up-kiosk-mode-using-a-provisioning-package-windows-10-version-1803) to configure single-app and multi-app kiosks.
 - You can [use the Windows Device Portal](#set-up-kiosk-mode-using-the-windows-device-portal-windows-10-version-1607-and-version-1803) to configure single-app kiosks. This method is recommended only for demonstrations, as it requires that developer mode be enabled on the device.
 For HoloLens devices running Windows 10, version 1607, you can [use the Windows Device Portal](#set-up-kiosk-mode-using-the-windows-device-portal-windows-10-version-1607-and-version-1803) to configure single-app kiosks.
 ## Start layout for HoloLens
-If you use [MDM, Microsoft Intune](#set-up-kiosk-mode-using-microsoft-intune-or-mdm-windows-10-version-1803), or a [provisioning package](#setup-kiosk-mode-using-a-provisioning-package-windows-10-version-1803) to configure a multi-app kiosk, the procedure requires a Start layout. Start layout customization isn't supported in Holographic for Business, so you'll need to use a placeholder Start layout. 
+If you use [MDM, Microsoft Intune](#set-up-kiosk-mode-using-microsoft-intune-or-mdm-windows-10-version-1803), or a [provisioning package](#set-up-kiosk-mode-using-a-provisioning-package-windows-10-version-1803) to configure a multi-app kiosk, the procedure requires a Start layout. Start layout customization isn't supported in Holographic for Business, so you'll need to use a placeholder Start layout. 
 >[!NOTE]
 >Because a single-app kiosk launches the kiosk app when a user signs in, there is no Start screen displayed.
@ -78,7 +76,7 @@ Save the following sample as an XML file. You can use this file when you configu
 ### Start layout for a provisioning package
-You will [create an XML file](#setup-kiosk-mode-using-a-provisioning-package-windows-10-version-1803) to define the kiosk configuration to be included in a provisioning package. Use the following sample in the `StartLayout` section of your XML file.
+You will [create an XML file](#set-up-kiosk-mode-using-a-provisioning-package-windows-10-version-1803) to define the kiosk configuration to be included in a provisioning package. Use the following sample in the `StartLayout` section of your XML file.
 ```xml
 <!-- This section is required for parity with Desktop Assigned Access. It is not currently used on HoloLens -->
@ -102,11 +100,11 @@ You will [create an XML file](#setup-kiosk-mode-using-a-provisioning-package-win
 ## Set up kiosk mode using Microsoft Intune or MDM (Windows 10, version 1803)
-For HoloLens devices that are managed by Microsoft Intune, you [create a device profile](https://docs.microsoft.com/intune/device-profile-create) and configure the [Kiosk settings](https://docs.microsoft.com/intune/kiosk-settings).
+For HoloLens devices that are managed by Microsoft Intune, directions can be found [here](hololens-commercial-infrastructure.md#how-to-configure-kiosk-mode-using-microsoft-intune).
 For other MDM services, check your provider's documentation for instructions. If you need to use a custom setting and full XML configuration to set up a kiosk in your MDM service, [create an XML file that defines the kiosk configuration](#create-a-kiosk-configuration-xml-file), and make sure to include the [Start layout](#start-layout-for-a-provisioning-package) in the XML file.  
-## Setup kiosk mode using a provisioning package (Windows 10, version 1803)
+## Set up kiosk mode using a provisioning package (Windows 10, version 1803)
 Process:
 1. [Create an XML file that defines the kiosk configuration.](#create-a-kiosk-configuration-xml-file)
@ -155,7 +153,7 @@ Use the following snippet in your kiosk configuration XML to enable the **Guest*
 13. On the **Provisioning package security** page, do not select **Enable package encryption** or provisioning will fail on HoloLens. You can choose to enable package signing.
-      -   **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Browse** and choosing the certificate you want to use to sign the package.
+      - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Browse** and choosing the certificate you want to use to sign the package.
 14. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows Configuration Designer uses the project folder as the output location. Optionally, you can click **Browse** to change the default output location.
@ -202,7 +200,6 @@ Use the following snippet in your kiosk configuration XML to enable the **Guest*
 5. Select **Enable Kiosk Mode**, choose an app to run when the device starts, and click **Save**.
 ## Kiosk app recommendations
 - You cannot select Microsoft Edge, Microsoft Store, or the Shell app as a kiosk app.
@ -212,7 +209,5 @@ Use the following snippet in your kiosk configuration XML to enable the **Guest*
 ## More information
 Watch how to configure a kiosk in a provisioning package.
 >[!VIDEO https://www.microsoft.com/videoplayer/embed/fa125d0f-77e4-4f64-b03e-d634a4926884?autoplay=false]
--- a/devices/hololens/hololens-licenses-requirements.md
+++ b/devices/hololens/hololens-licenses-requirements.md
@ -10,41 +10,53 @@ ms.topic: article
 ms.localizationpriority: high
 ms.date: 1/23/2020
 ms.reviewer: 
 audience: ITPro
 manager: bradke
 appliesto:
 - HoloLens (1st gen)
 - HoloLens 2
 ---
-# Licenses Required for Mixed Reality Deployment
+# Determine what licenses you need
 If you plan on using a Mobile Device Management system (MDM) to manage your HoloLens, please review the MDM License Guidance section.
 ## Mobile Device Management (MDM) Licenses Guidance
 If you plan on managing your HoloLens devices, you will need Azure AD and an MDM. Active Director (AD) cannot be used to manage HoloLens devices.
 If you plan on using an MDM other than Intune, an [Azure Active Directory Licenses](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis) is required.
 If you plan on using Intune as your MDM, you can acquire an [Enterprise Mobility + Security (EMS) suite (E3 or E5) licenses](https://www.microsoft.com/microsoft-365/enterprise-mobility-security/compare-plans-and-pricing). **Please note that Azure AD is included in both suites.**
 ## Identify the licenses needed for your scenario and products
 ### HoloLens Licenses Requirements
 You may need to upgrade your HoloLens 1st Gen Device to Windows Holographic for Business. (See [HoloLens commercial features](holoLens-commercial-features.md#feature-comparison-between-editions) to determine if you need to upgrade).
 If so, you will need to do the following:
 - Acquire a HoloLens Enterprise license XML file
 - Apply the XML file to the HoloLens. You can do this through a [Provisioning package](hololens-provisioning.md) or through your [Mobile Device Manager](https://docs.microsoft.com/intune/configuration/holographic-upgrade)
 ### Remote Assist License Requirements
 Make sure you have the required licensing and device. Updated licensing and product requirements can be found [here](https://docs.microsoft.com/dynamics365/mixed-reality/remote-assist/requirements).
-1.	[Remote Assist License](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis)
+1. [Remote Assist License](https://docs.microsoft.com/dynamics365/mixed-reality/remote-assist/buy-and-deploy-remote-assist)
-1.	[Teams Freemium/Teams](https://products.office.com/microsoft-teams/free)
+1. [Teams Freemium/Teams](https://products.office.com/microsoft-teams/free)
-1.	[Azure Active Directory (Azure AD) License](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis)
+1. [Azure Active Directory (Azure AD) License](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis)
 ### Guides License Requirements
 Updated licensing and device requirements can be found [here](https://docs.microsoft.com/dynamics365/mixed-reality/guides/requirements).
-1.	[Azure Active Directory (Azure AD) License](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis)
+1. [Azure Active Directory (Azure AD) License](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis)
-1.	[Power BI](https://powerbi.microsoft.com/desktop/)
+1. [Power BI](https://powerbi.microsoft.com/desktop/)
-1.	[Guides](https://docs.microsoft.com/dynamics365/mixed-reality/guides/setup)
+1. [Guides](https://docs.microsoft.com/dynamics365/mixed-reality/guides/setup)
 ### Scenario 1: Kiosk Mode
 If you are not planning to use an MDM to manage your device and you are planning to use a local account or an MSA as the login identity, you will not need any additional licenses. Kiosk mode can be accomplished using a provisioning packages.
-1.	If you are **not** planning to use an MDM to manage your device and you are planning to use a local account or an MSA as the login identity, you will not need any additional licenses. Kiosk mode can be accomplished using a provisioning packages.
+1. If you are **not** planning to manage your device and you are planning to use a local account or an MSA as the login identity, you will not need any additional licenses. Kiosk mode can be accomplished using a provisioning packages.
-1.	If you are planning to use an MDM other than Intune, your MDM provider will have steps on configuring Kiosk mode. 
+1. If you are planning to use an MDM to implement Kiosk mode, you will need an [Azure Active Directory (Azure AD) License](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis).
-1. If you are planning to use **Intune** as your MDM, implementation directions can be found in [Configuring your Network for HoloLens]().
+
 Additional information regarding kiosk mode will be covered in [Configuring your Network for HoloLens](hololens-commercial-infrastructure.md#how-to-configure-kiosk-mode-using-microsoft-intune).
 ## Next Step: [Configure your network for HoloLens](hololens-commercial-infrastructure.md)
--- a/devices/hololens/hololens-provisioning.md
+++ b/devices/hololens/hololens-provisioning.md
@ -14,35 +14,32 @@ manager: dansimp
 # Configure HoloLens using a provisioning package
 [Windows provisioning](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-packages) makes it easy for IT administrators to configure end-user devices without imaging. Windows Configuration Designer is a tool for configuring images and runtime settings which are then built into provisioning packages.
 Some of the HoloLens configurations that you can apply in a provisioning package:
- Upgrade to Windows Holographic for Business
+
 - Upgrade to Windows Holographic for Business [here](hololens1-upgrade-enterprise.md)
 - Set up a local account
 - Set up a Wi-Fi connection
 - Apply certificates to the device
 - Enable Developer Mode
 - Configure Kiosk mode (Detailed instructions for configuring kiosk mode can be found [here](hololens-kiosk.md#set-up-kiosk-mode-using-a-provisioning-package-windows-10-version-1803).
-To create provisioning packages, you must install Windows Configuration Designer [from Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22) or [from the Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). If you install Windows Configurations Designer from the Windows ADK, select **Configuration Designer** from the **Select the features you want to install** dialog box.
+## Provisioning package HoloLens wizard
 <span id="wizard" />
 ## Create a provisioning package for HoloLens using the HoloLens wizard
 The HoloLens wizard helps you configure the following settings in a provisioning package:
 - Upgrade to the enterprise edition
    >[!NOTE]
-    >Settings in a provisioning package will only be applied if the provisioning package includes an edition upgrade license to Windows Holographic for Business or if [the device has already been upgraded to Windows Holographic for Business](hololens1-upgrade-enterprise.md).
+    > This should only be used for HoloLens 1st Gen devices. Settings in a provisioning package will only be applied if the provisioning package includes an edition upgrade license to Windows Holographic for Business or if [the device has already been upgraded to Windows Holographic for Business](hololens1-upgrade-enterprise.md).
 - Configure the HoloLens first experience (OOBE)
 - Configure Wi-Fi network
 - Enroll device in Azure Active Directory or create a local account
 - Add certificates
 - Enable Developer Mode
 - Configure kiosk mode. (Detailed instructions for configuring kiosk mode can be found [here](hololens-kiosk.md#set-up-kiosk-mode-using-a-provisioning-package-windows-10-version-1803)).
 >[!WARNING]
 >You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards.
@ -52,8 +49,14 @@ Provisioning packages can include management instructions and policies, customiz
 > [!TIP]
 > Use the desktop wizard to create a package with the common settings, then switch to the advanced editor to add other settings, apps, policies, etc.
 ## Steps for Creating Provisioning Packages
-### Create the provisioning package
+### 1. Install Windows Configuration Designer on your PC. (There are two ways to do this).
 1. **Option 1:** [From Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22)
 2. **Option 2:** [From the Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit). If you install Windows Configurations Designer from the Windows ADK, select **Configuration Designer** from the **Select the features you want to install** dialog box.
 ### 2. Create the Provisioning Package
 Use the Windows Configuration Designer tool to create a provisioning package.
@ -72,7 +75,6 @@ Use the Windows Configuration Designer tool to create a provisioning package.
 ### Configure settings
 <table>
 <tr><td style="width:45%" valign="top"><a id="one"></a><img src="images/one.png" alt="step one"/><img src="images/set-up-device.png" alt="set up device"/></br></br>Browse to and select the enterprise license file to upgrade the HoloLens edition.</br></br>You can also toggle <strong>Yes</strong> or <strong>No</strong> to hide parts of the first experience.</br></br>To set up the device without the need to connect to a Wi-Fi network, toggle <strong>Skip Wi-Fi setup</strong> to <strong>On</strong>.</br></br>Select a region and timezone in which the device will be used. </td><td><img src="images/set-up-device-details.png" alt="Select enterprise licence file and configure OOBE"/></td></tr>
 <tr><td style="width:45%" valign="top"><a id="two"></a><img src="images/two.png" alt="step two"/>  <img src="images/set-up-network.png" alt="set up network"/></br></br>In this section, you can enter the details of the Wi-Fi wireless network that the device should connect to automatically. To do this, select <strong>On</strong>, enter the SSID, the network type (<strong>Open</strong> or <strong>WPA2-Personal</strong>), and (if <strong>WPA2-Personal</strong>) the password for the wireless network.</td><td><img src="images/set-up-network-details-desktop.png" alt="Enter network SSID and type"/></td></tr>
@ -84,10 +86,7 @@ Use the Windows Configuration Designer tool to create a provisioning package.
 After you're done, click **Create**. It only takes a few seconds. When the package is built, the location where the package is stored is displayed as a hyperlink at the bottom of the page.
- **Next step**: [How to apply a provisioning package](#apply)   
+### 3. Create a provisioning package for HoloLens using advanced provisioning
 ## Create a provisioning package for HoloLens using advanced provisioning
 >[!NOTE]
 >Settings in a provisioning package will only be applied if the provisioning package includes an edition upgrade license to Windows Holographic for Business or if [the device has already been upgraded to Windows Holographic for Business](hololens1-upgrade-enterprise.md).
@ -138,6 +137,7 @@ After you're done, click **Create**. It only takes a few seconds. When the packa
 10. When the build completes, click **Finish**.
 <span id="apply" />
 ## Apply a provisioning package to HoloLens during setup
 1. Connect the device via USB to a PC and start the device, but do not continue past the **Fit** page of OOBE (the first page with the blue box).
@ -157,7 +157,7 @@ After you're done, click **Create**. It only takes a few seconds. When the packa
 >[!NOTE]
 >If the device was purchased before August 2016, you will need to sign into the device with a Microsoft account, get the latest OS update, and then reset the OS in order to apply the provisioning package.
-## Apply a provisioning package to HoloLens after setup
+### 4. Apply a provisioning package to HoloLens after setup
 >[!NOTE]
 >Windows 10, version 1809 only
@ -192,9 +192,4 @@ In Windows Configuration Designer, when you create a provisioning package for Wi
 >[!NOTE]
 >App installation (**UniversalAppInstall**) using a provisioning package is not currently supported for HoloLens.
-
+## Next Step: [Enroll your device](hololens-enroll-mdm.md)
--- a/devices/hololens/hololens-recovery.md
+++ b/devices/hololens/hololens-recovery.md
@ -110,8 +110,8 @@ The Advanced Recovery Companion is a new app in Microsoft Store restore the oper
 >In the event that a HoloLens 2 gets into a state where Advanced Recovery Companion cannot recognize the device, and it does not boot, try forcing the device into Flashing Mode and recovering it with Advanced Recovery Companion:
 1.	Connect the HoloLens 2 to a PC with Advanced Recovery Companion installed.
-1.	Press and hold the **Volume Up and Power buttons** until the device reboots.  Release the Power button, but continue to hold the Volume Up button until the third LED is lit. It will the the only lit LED.
+1.	Press and hold the **Volume Up and Power buttons** until the device reboots.  Release the Power button, but continue to hold the Volume Up button until the third LED is lit.
-   1.	The device should be visible in **Device Manager** as a **Microsoft HoloLens Recovery** device:
+1.	The device should be visible in **Device Manager** as a **Microsoft HoloLens Recovery** device.
 1.	Launch Advanced Recovery Companion, and follow the on-screen prompts to reflash the OS to the HoloLens 2.
 ### HoloLens (1st gen)
--- a/devices/hololens/hololens-release-notes.md
+++ b/devices/hololens/hololens-release-notes.md
@ -19,9 +19,17 @@ appliesto:
 # HoloLens Release Notes
 ## HoloLens 2
 > [!Note]
 > HoloLens Emulator Release Notes can be found [here](https://docs.microsoft.com/windows/mixed-reality/hololens-emulator-archive).
 ### February Update - build 18362.1053
 - Temporarily disabled the HolographicSpace.UserPresence API for Unity applications to avoid an issue which causes some apps to pause when the visor is flipped up, even if the setting to run in the background is enabled.
 - Fixed a random HUP crash cased by hand tracking, in which user will notice an UI freeze then back to shell after several seconds.
 - We made an improvement in hand tracking so that while poking using index finger, the upper part of that finger will be less likely to curl unexpectedly.
 - Improved reliability of head tracking, spatial mapping, and other runtimes.
 ### January Update - build 18362.1043
 - Stability improvements for exclusive apps when working with the HoloLens 2 emulator.
@ -85,7 +93,7 @@ Windows 10, version 1803, is the first feature update to Windows Holographic for
 - Previously, you could only verify that upgrade license for Commercial Suite had been applied to your HoloLens device by checking to see if VPN was an available option on the device. Now, **Settings** > **System** will display **Windows Holographic for Business** after the upgrade license is applied. [Learn how to unlock Windows Holographic for Business features](hololens1-upgrade-enterprise.md).
 - You can view the operating system build number in device properties in the File Explorer app and in the [Windows Device Recovery Tool (WDRT)](https://support.microsoft.com/help/12379/windows-10-mobile-device-recovery-tool-faq).
- Provisioning a HoloLens device is now easier with the new **Provision HoloLens devices** wizard in the Windows Configuration Designer tool. In the wizard, you can configure the setup experience and network connections, set developer mode, and obtain bulk Azure AD tokens. [Learn how to use the simple provisioning wizard for HoloLens](hololens-provisioning.md#wizard).
+- Provisioning a HoloLens device is now easier with the new **Provision HoloLens devices** wizard in the Windows Configuration Designer tool. In the wizard, you can configure the setup experience and network connections, set developer mode, and obtain bulk Azure AD tokens. [Learn how to use the simple provisioning wizard for HoloLens](hololens-provisioning.md#provisioning-package-hololens-wizard).
    ![Provisioning HoloLens devices](images/provision-hololens-devices.png)
--- a/devices/hololens/hololens-requirements.md
+++ b/devices/hololens/hololens-requirements.md
@ -6,6 +6,7 @@ ms.sitesec: library
 ms.assetid: 88bf50aa-0bac-4142-afa4-20b37c013001
 author: scooley
 ms.author: scooley
 audience: ITPro
 ms.topic: article
 ms.localizationpriority: medium
 ms.date: 07/15/2019
@ -13,62 +14,67 @@ ms.date: 07/15/2019
 # Deploy HoloLens in a commercial environment
-You can deploy and configure HoloLens at scale in a commercial setting.  
+You can deploy and configure HoloLens at scale in a commercial setting. This article provides instructions for deploying HoloLens devices in a commercial environment. This guide assumes basic familiarity with HoloLens. Follow the [get started guide](hololens1-setup.md) to set up HoloLens for the first time.
-This article includes:
+This document also assumes that the HoloLens has been evaluated by security teams as safe to use on the corporate network. Frequently asked security questions can be found [here](hololens-faq-security.md)
- Infrastructure requirements and recommendations for HoloLens management
+## Overview of Deployment Steps
 - Tools for provisioning HoloLens
 - Instructions for remote device management
 - Options for application deployment
-This guide assumes basic familiarity with HoloLens. Follow the [get started guide](hololens1-setup.md) to set up HoloLens for the first time.
+1. [Determine what features you need](hololens-requirements.md#step-1-determine-what-you-need)
 1. [Determine what licenses you need](hololens-licenses-requirements.md)
 1. [Configure your network for HoloLens](hololens-commercial-infrastructure.md).
    1. This section includes bandwidth requirements, URL, and ports that need to be whitelisted on your firewall; Azure AD guidance; Mobile Device Management (MDM) Guidance; app deployment/management guidance; and certificate guidance.
 1. (Optional) [Configure HoloLens using a provisioning package](hololens-provisioning.md)
 1. [Enroll Device](hololens-enroll-mdm.md)
 1. [Set up ring based updates for HoloLens](hololens-updates.md)
 1. [Enable Bitlocker device encryption for HoloLens](hololens-encryption.md)
-## Infrastructure for managing HoloLens
+## Step 1. Determine what you need
-HoloLens is, at its core, a Windows mobile device integrated with Azure.  It works best in commercial environments with wireless network availability (wi-fi) and access to Microsoft services.
+Before deploying the HoloLens in your environment, it is important to first determine what features, apps, and type of identities are needed. It is also important to ensure that your security team has approved of the use of the HoloLens on the company's network. Please see [Frequently ask security questions](hololens-faq-security.md) for additional security information.
-Critical cloud services include:
+### Type of Features
- Azure active directory (AAD)
+Your feature requirements will determine which HoloLens you need. One popular feature that we see deployed in customer environments frequently is Kiosk Mode. A list of HoloLens key features, and the editions of HoloLens that support them, can be found [here](hololens-commercial-features.md).
 - Windows Update (WU)
-Commercial customers will need enterprise mobility management (EMM) or mobile device management (MDM) infrastructure to manage HoloLens devices at scale.  This guide uses [Microsoft Intune](https://www.microsoft.com/enterprise-mobility-security/microsoft-intune) as an example, though any provider with full support for Microsoft Policy can support HoloLens.  Ask your mobile device management provider if they support HoloLens 2.
+**What is Kiosk Mode?**
-HoloLens does support a limited set of cloud disconnected experiences.
+Kiosk mode is a way to restrict the apps that a user has access to. This means that users will only be allowed to access certain apps.
-## Initial set up at scale
+**What Kiosk Mode do I require?**
-The HoloLens out of box experience is great for setting up one or two devices or for experiencing HoloLens for the first time.  If you're provisioning many HoloLens devices, however, selecting your language and settings manually for each device gets tedious and limits scale.
+There are two types of Kiosk Modes: Single app and multi-app. Single app kiosk mode allows user to only access one app while multi-app kiosk mode allows users to access multiple, specified apps. To determine which kiosk mode is right for your corporation, the following two questions need to be answered:
-This section:
+1. **Do different users require different experiences/restrictions?** Consider the following example: User A is a field service engineer who only needs access to Remote Assist. User B is a trainee who only needs access to Guides.
    1. If yes, you will require the following:
        1. Azure AD Accounts as the method of signing into the device.
        1. **Multi-app** kiosk mode.
    1. If no, continue to question two
 1. **Do you require a multi-app experience?**
    1. If yes, **Multi-app** kiosk is mode is needed
    1. If your answer to question 1 and 2 are both no, **single-app** kiosk mode can be used
- Introduces Windows provisioning using provisioning packages
+**How to Configure Kiosk Mode:**
 - Walks through applying a provisioning package during first setup
-### Create and apply a provisioning package
+There are two main ways ([provisioning packages](hololens-kiosk.md#set-up-kiosk-mode-using-a-provisioning-package-windows-10-version-1803) and [MDM](hololens-kiosk.md#set-up-kiosk-mode-using-microsoft-intune-or-mdm-windows-10-version-1803)) to deploy kiosk mode for HoloLens. These options will be discussed later in the document; however, you can use the links above to jump to the respective sections in this doc.
-The best way to configure many new HoloLens device is with Windows provisioning.  You can use it to specify desired configuration and settings required to enroll the devices into management and then apply that configuration to target devices in minutes.
+### Apps
-A [provisioning package](https://docs.microsoft.com/windows/configuration/provisioning-packages/provisioning-packages)  (.ppkg) is a collection of configuration settings. With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device.
+The majority of the steps found in this document will also apply to the following apps:
-### Upgrade to Windows Holographic for Business
+1. Remote Assist
 2. Guides
 3. Customer Apps
- HoloLens Enterprise license XML file
+### Type of identity
-Some of the HoloLens configurations you can apply in a provisioning package:
+Determine the type of identity that will be used to sign into the device.
- Apply certificates to the device
+1. **Local Accounts:** This account is local to the device (like a local admin account on a windows PC). This will allow only 1 user to log into the device.
- Set up a Wi-Fi connection
+2. **MSA:** This is a personal account (like outlook, hotmail, gmail, yahoo, etc.) This will allow only 1 user to log into the device.
- Pre-configure out of box questions like language and locale
+3. **Azure Active Directory (Azure AD) accounts:** This is an account created in Azure AD. This grants your corporation the ability to manage the HoloLens device. This will allow multiple users to log into the HoloLens 1st Gen Commercial Suite/the HoloLens 2 device.
 - (HoloLens 2) bulk enroll in mobile device management
 - (HoloLens v1) Apply key to enable Windows Holographic for Business
-Follow [this guide](https://docs.microsoft.com/hololens/hololens-provisioning) to create and apply a provisioning package to HoloLens.
+### Determine your enrollment method
 ### Set up user identity and enroll in device management
 The last step in setting up HoloLens for management at scale is to enroll devices with mobile device management infrastructure.  There are several ways to enroll:
 1. Bulk enrollment with a security token in a provisioning package.  
  Pros: this is the most automated approach  
@ -80,66 +86,29 @@ The last step in setting up HoloLens for management at scale is to enroll device
  Pros: possible to enroll after set up  
  Cons: most manual approach and devices aren't centrally manageable until they're manually enrolled.
-Learn more about MDM enrollment [here](hololens-enroll-mdm.md).
+  More information can be found [here](hololens-enroll-mdm.md)
-## Ongoing device management
+### Determine if you need to create a provisioning package
-Ongoing device management will depend on your mobile device management infrastructure.  Most have the same general functionality but the user interface may vary widely.
+There are two methods to configure a HoloLens device (Provisioning packages and MDMs). We suggest using your MDM to configure you HoloLens device. However, there are some scenarios where using a provisioning package is the better choice:
-This article outlines [policies and capabilities HoloLens supports](https://docs.microsoft.com/windows/client-management/mdm/configuration-service-provider-reference#hololens).
+1. You want to configure the HoloLens to skip the Out of Box Experience (OOBE)
 1. You are having trouble deploying certificate in a complex network. The majority of the time you can deploy certificates using MDM (even in complex environments). However, some scenarios require certificates to be deployed through the provisioning package.
-[This article](https://docs.microsoft.com/intune/windows-holographic-for-business) talks about Intune's management tools for HoloLens.
+Some of the HoloLens configurations you can apply in a provisioning package:
-### Push compliance policy via Intune
+- Apply certificates to the device
 - Set up a Wi-Fi connection
 - Pre-configure out of box questions like language and locale
 - (HoloLens 2) bulk enroll in mobile device management
 - (HoloLens v1) Apply key to enable Windows Holographic for Business
-[Compliance policies](https://docs.microsoft.com/intune/device-compliance-get-started) are rules and settings that devices must meet to be compliant in your corporate infrastructure. Use these policies with Conditional Access to block access to company resources for devices that are non-compliant.
+If you decide to use provisioning packages, follow [this guide](hololens-provisioning.md).
-For example, you can create a policy that requires Bitlocker be enabled.
+## Next Step: [Determine what licenses you need](hololens-licenses-requirements.md)
 [Create compliance policies with Intune](https://docs.microsoft.com/intune/compliance-policy-create-windows).
 ### Manage updates
 Intune includes a feature called Update rings for Windows 10 devices, including HoloLens 2 and HoloLens v1 (with Holographic for Business). Update rings include a group of settings that determine how and when updates are installed.
 For example, you can create a maintenance window to install updates, or choose to restart after updates are installed.  You can also choose to pause updates indefinitely until you're ready to update.
 Read more about [configuring update rings with Intune](https://docs.microsoft.com/intune/windows-update-for-business-configure).
 ## Application management
 Manage HoloLens applications through:
 1. Microsoft Store  
  The Microsoft Store is the best way to distribute and consume applications on HoloLens.  There is a great set of core HoloLens applications already available in the store or you can [publish your own](https://docs.microsoft.com/windows/uwp/publish/).  
  All applications in the store are available publicly to everyone, but if it isn't acceptable, checkout the Microsoft Store for Business.  
 1. [Microsoft Store for Business](https://docs.microsoft.com/microsoft-store/)  
  Microsoft Store for Business and Education is a custom store for your corporate environment.  It lets you use the Microsoft Store built into Windows 10 and HoloLens to find, acquire, distribute, and manage apps for your organization.  It also lets you deploy apps that are specific to your commercial environment but not to the world.
 1. Application deployment and management via Intune or another mobile device management solution  
  Most mobile device management solutions, including Intune, provide a way to deploy line of business applications directly to a set of enrolled devices.  See this article for [Intune app install](https://docs.microsoft.com/intune/apps-deploy).
 1. _not recommended_ Device Portal  
  Applications can also be installed on HoloLens directly using the Windows Device Portal.  This isn't recommended since Developer Mode has to be enabled to use the device portal.
 Read more about [installing apps on HoloLens](https://docs.microsoft.com/hololens/hololens-install-apps).
 ## Get support
 Get support through the Microsoft support site.
-[File a support request](https://support.microsoft.com/supportforbusiness/productselection?sapid=e9391227-fa6d-927b-0fff-f96288631b8f).
+[File a support request](https://support.microsoft.com/supportforbusiness/productselection?sapid=e9391227-fa6d-927b-0fff-f96288631b8f)
 ## Technical Reference
 ### Wireless network EAP support
 - PEAP-MS-CHAPv2
 - PEAP-TLS
 - TLS
 - TTLS-CHAP
 - TTLS-CHAPv2
 - TTLS-MS-CHAPv2
 - TTLS-PAP
 - TTLS-TLS
--- a/devices/hololens/hololens-whats-new.md
+++ b/devices/hololens/hololens-whats-new.md
@ -45,7 +45,6 @@ manager: dansimp
 ### For international customers
 Feature | Details  
 --- | ---
 Localized Chinese and Japanese builds | Use HoloLens with localized user interface for Simplified Chinese or Japanese, including localized Pinyin keyboard, dictation, and voice commands.  
@ -53,7 +52,6 @@ Speech Synthesis (TTS) | Speech synthesis feature now supports Chinese, Japanese
 [Learn how to install the Chinese and Japanese versions of HoloLens.](hololens1-install-localized.md)
 ## Windows 10, version 1803 for Microsoft HoloLens
 > **Applies to:** Hololens (1st gen)
@ -64,7 +62,7 @@ Windows 10, version 1803, is the first feature update to Windows Holographic for
 - You can view the operating system build number in device properties in the File Explorer app and in the [Windows Device Recovery Tool (WDRT)](https://support.microsoft.com/help/12379/windows-10-mobile-device-recovery-tool-faq).
- Provisioning a HoloLens device is now easier with the new **Provision HoloLens devices** wizard in the Windows Configuration Designer tool. In the wizard, you can configure the setup experience and network connections, set developer mode, and obtain bulk Azure AD tokens. [Learn how to use the simple provisioning wizard for HoloLens](hololens-provisioning.md#wizard).
+- Provisioning a HoloLens device is now easier with the new **Provision HoloLens devices** wizard in the Windows Configuration Designer tool. In the wizard, you can configure the setup experience and network connections, set developer mode, and obtain bulk Azure AD tokens. [Learn how to use the simple provisioning wizard for HoloLens](hololens-provisioning.md#provisioning-package-hololens-wizard).
    ![Provisioning HoloLens devices](images/provision-hololens-devices.png)
--- a/devices/hololens/hololens1-start.md
+++ b/devices/hololens/hololens1-start.md
@ -6,7 +6,7 @@ ms.prod: hololens
 author: Teresa-Motiv
 ms.author: v-tea
 ms.topic: article
-ms.date: 8/12/19
+ms.date: 8/12/2019
 manager: jarrettr
 ms.topic: article
 ms.localizationpriority: high
@ -26,9 +26,9 @@ Before you get started, make sure you have the following available:
 **A Wi-Fi connection**. You'll need to connect your HoloLens to a Wi-Fi network to set it up. The first time you connect, you'll need an open or password-protected network that doesn't require navigating to a website or using certificates to connect. [Learn more about the websites that HoloLens uses](hololens-offline.md).
-**A Microsoft account or a work account**. You'll also need to use a Microsoft account (or a work account, if your organization owns the device) to sign in to HoloLens. If you don't have a Microsoft account, go to [account.microsoft.com](http://account.microsoft.com) and set one up for free.
+**A Microsoft account or a work account**. You'll also need to use a Microsoft account (or a work account, if your organization owns the device) to sign in to HoloLens. If you don't have a Microsoft account, go to [account.microsoft.com](https://account.microsoft.com) and set one up for free.
-**A safe, well-lit space with no tripping hazards**. [Health and safety info](http://go.microsoft.com/fwlink/p/?LinkId=746661).
+**A safe, well-lit space with no tripping hazards**. [Health and safety info](https://go.microsoft.com/fwlink/p/?LinkId=746661).
 **The optional comfort accessories** that came with your HoloLens, to help you get the most comfortable fit. [More on fit and comfort](https://support.microsoft.com/help/12632/hololens-fit-your-hololens).
--- a/devices/hololens/images/mdm-enrollment-error.png
+++ b/devices/hololens/images/mdm-enrollment-error.png
--- a/devices/hololens/scep-whitepaper.md
+++ b/devices/hololens/scep-whitepaper.md
@ -0,0 +1,77 @@
 ---
 title: SCEP Whitepaper
 description: A whitepaper that describes how Microsoft mitigates the vulnerabilities of SCEP.
 ms.assetid: bd55ecd1-697a-4b09-8274-48d1499fcb0b
 author: pawinfie
 ms.author: pawinfie
 ms.date: 02/12/2020
 keywords: hololens, Windows Mixed Reality, security
 ms.prod: hololens
 ms.sitesec: library
 ms.topic: article
 audience: ITPro
 ms.localizationpriority: high
 appliesto:
 - HoloLens 1 (1st gen)
 - HoloLens 2
 ---
 # SCEP Whitepaper
 ## High Level
 ### How the SCEP Challenge PW is secured
 We work around the weakness of the SCEP protocol by generating custom challenges in Intune itself. The challenge string we create is signed/encrypted, and contains the information we’ve configured in Intune for certificate issuance into the challenge blob. This means the blob used as the challenge string contains the expected CSR information like the Subject Name, Subject Alternative Name, and other attributes.
 We then pass that to the device and then the device generates it’s CSR and passes it, and the blob to the SCEP URL it received in the MDM profile. On NDES servers running the Intune SCEP module we perform a custom challenge validation that validates the signature on the blob, decrypts the challenge blob itself, compare it to the CSR received, and then determine if we should issue the cert.  If any portion of this check fails then the certificate request is rejected.
 ## Behind the scenes
 ### Intune Connector has a number of responsibilities
 1. The connector is SCEP policy module which contains a "Certification Registration Point" component which interacts with the Intune service, and is responsible for validating, and securing the SCEP request coming into the NDES server.
 1. The connector will install an App Pool on the NDES IIS server > Microsoft Intune CRP service Pool, and a CertificateRegistrationSvc under the "Default Web Site" on IIS.
 1. **When the Intune NDES connector is first configured/setup on the NDES server, a certificate is issued from the Intune cloud service to the NDES server. This cert is used to securely communicate with the Intune cloud service - customer tenant. The cert is unique to the customers NDES server. Can be viewed in Certlm.msc issued by SC_Online_Issuing. This certs Public key is used by Intune in the cloud to encrypt the challenge blob. In addition, when the connector is configured, Intune's public key is sent to the NDES server.**
    >[!NOTE]
    >The connector communication with Intune is strictly outbound traffic.
 1. The Intune cloud service combined with the Intune connector/policy module addresses the SCEP protocol challenge password weakness (in the SCEP protocol) by generating a custom challenge.  The challenge is generated in Intune itself.
    1. In the challenge blob, Intune puts information that we expect in the cert request (CSR - Certificate Signing Request) coming from a mobile device like the following: what we expect the Subject and SAN (validated against AAD attributes/properties of the user/device) to be, and specifics contained in the Intune SCEP profile that is created by an Intune admin, i.e., Request Handling, EKU, Renewal, validity period, key size, renewal period.
        >[!NOTE]
        >The Challenge blob is Encrypted with the Connectors Public Key, and Signed with Intune's (cloud service) Private Key.  The device cannot decrypt the challenge
    1. When an Intune admin creates a SCEP profile in their tenant, Intune will send the SCEP profile payload along with the Encrypted and Signed Challenge to the targeted device. The device generates a CSR, and reaches out to NDES URL (contained in the SCEP profile). The device cert request payload contains the CSR, and the encrypted, signed challenge blob.
        1. When the device reaches out to the NDES server (via the NDES/SCEP URL provided in the SCEP Profile payload), the SCEP cert request validation is performed by the policy module running on the NDES server. The challenge signature is verified using Intune's public key (which is on the NDES server, when the connector was installed and configured) and decrypted using the connectors private key. The policy module compares the CSR details against the decrypted challenge and determines if a cert should be issued. If the CSR passes validation, the NDES server requests a certificate from the CA on behalf of the user/device.
            >[!NOTE]
            >The above process takes place on the NDES server running the Policy Module.  No interaction with the Intune cloud service takes place.
    1. The NDES connector notification/reporting of cert delivery takes place after NDES sends the issued cert to the device.  This is performed as a separate operation outside the cert request flow. Meaning that once NDES sends the cert to the device via the AAD app proxy (or other publishing firewall/proxy, a log is written with the cert delivery details on the NDES server by the connector (file location \Program Files\Microsoft Intune\CertificateRequestStatus\Succeed\ folder. The connector will look here, and send updates to Intune.
    1. The mobile device must be enrolled in Intune. If not, we reject the request as well
    1. The Intune connector disables the standard NDES challenge password request URL on the NDES server.
    1. The NDES server SCEP URI in most customer deployments is made available to the internet via Azure App Proxy, or an on-prem reverse proxy, i.e. F5.  
        >[!NOTE]
        >The Azure App Proxy is an outbound-only connection over Port 443, from the customers onprem network where the App Proxy connector is running on a server. The AAD app proxy can also be hosted on the NDES server. No inbound ports required when using Azure App Proxy.
        1. The mobile device talks only to the NDES URI
        1. Side note: AAD app proxy's role is to make onprem resources (like NDES and other customer onprem web services) securely available to the internet.
    1. The Intune connector must communicate with the Intune cloud service. The connector communication will not go through the Azure App Proxy. The connector will talk with the Intune cloud service via whatever mechanism a customer has onprem to allow outbound traffic to the internet, i.e. Internal proxy service.
        >[!NOTE]
        > if a proxy is used by the customer, no SSL packet inspection can take place for the NDES/Connector server going out.
 1. Connector traffic with Intune cloud service consists of the following operations:
    1. 1st time configuration of the connector: Authentication to AAD during the initial connector setup.
    1. Connector checks in with Intune, and will process and any cert revocation transactions (i.e, if the Intune tenant admin issues a remote wipe – full or partial,  also If a user unenrolls their device from Intune), reporting on issued certs, renewing the connectors’ SC_Online_Issuing  certificate from Intune.  Also note: the NDES Intune connector has shared PKCS cert functionality (if you decide to issue PKCS/PFX based certs) so the connector checks to Intune for PKCS cert requests even though there won’t be any requests to process.  We are splitting that functionality out, so this connector just handles SCEP, but no ETA yet.
 1. [Here](https://docs.microsoft.com/intune/intune-endpoints#microsoft-intune-certificate-connector) is a reference for Intune NDES connector network communications.
--- a/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md
+++ b/devices/surface-hub/appendix-a-powershell-scripts-for-surface-hub.md
@ -617,7 +617,7 @@ try {
 catch
 {
    PrintError "Some dependencies are missing"
-    PrintError "Please install the Windows PowerShell Module for Lync Online. For more information go to http://www.microsoft.com/download/details.aspx?id=39366"
+    PrintError "Please install the Windows PowerShell Module for Lync Online. For more information go to https://www.microsoft.com/download/details.aspx?id=39366"
    PrintError "Please install the Azure Active Directory module for PowerShell from https://go.microsoft.com/fwlink/p/?linkid=236297"
    CleanupAndFail
 }
@ -1104,7 +1104,7 @@ if ($fSfbIsOnline)
    }
    catch
    {
-        CleanupAndFail "To verify Skype for Business in online tenants you need the Lync Online Connector module from http://www.microsoft.com/download/details.aspx?id=39366"
+        CleanupAndFail "To verify Skype for Business in online tenants you need the Lync Online Connector module from https://www.microsoft.com/download/details.aspx?id=39366"
    }
 }
 else
@ -1518,7 +1518,7 @@ if ($online)
    catch
    {
        PrintError "Some dependencies are missing"
-        PrintError "Please install the Windows PowerShell Module for Lync Online. For more information go to http://www.microsoft.com/download/details.aspx?id=39366"
+        PrintError "Please install the Windows PowerShell Module for Lync Online. For more information go to https://www.microsoft.com/download/details.aspx?id=39366"
        PrintError "Please install the Azure Active Directory module for PowerShell from https://go.microsoft.com/fwlink/p/?linkid=236297"
        CleanupAndFail
    }
--- a/devices/surface-hub/images/surface-hub-2s-repack-1.png
+++ b/devices/surface-hub/images/surface-hub-2s-repack-1.png
--- a/devices/surface-hub/images/surface-hub-2s-repack-10.png
+++ b/devices/surface-hub/images/surface-hub-2s-repack-10.png
--- a/devices/surface-hub/images/surface-hub-2s-repack-11.png
+++ b/devices/surface-hub/images/surface-hub-2s-repack-11.png
--- a/devices/surface-hub/images/surface-hub-2s-repack-12.png
+++ b/devices/surface-hub/images/surface-hub-2s-repack-12.png
--- a/devices/surface-hub/images/surface-hub-2s-repack-13.png
+++ b/devices/surface-hub/images/surface-hub-2s-repack-13.png
--- a/devices/surface-hub/images/surface-hub-2s-repack-2.png
+++ b/devices/surface-hub/images/surface-hub-2s-repack-2.png
--- a/devices/surface-hub/images/surface-hub-2s-repack-3.png
+++ b/devices/surface-hub/images/surface-hub-2s-repack-3.png
--- a/devices/surface-hub/images/surface-hub-2s-repack-4.png
+++ b/devices/surface-hub/images/surface-hub-2s-repack-4.png
--- a/devices/surface-hub/images/surface-hub-2s-repack-5.png
+++ b/devices/surface-hub/images/surface-hub-2s-repack-5.png
--- a/devices/surface-hub/images/surface-hub-2s-repack-6.png
+++ b/devices/surface-hub/images/surface-hub-2s-repack-6.png
--- a/devices/surface-hub/images/surface-hub-2s-repack-7.png
+++ b/devices/surface-hub/images/surface-hub-2s-repack-7.png
--- a/devices/surface-hub/images/surface-hub-2s-repack-8.png
+++ b/devices/surface-hub/images/surface-hub-2s-repack-8.png
--- a/devices/surface-hub/images/surface-hub-2s-repack-9.png
+++ b/devices/surface-hub/images/surface-hub-2s-repack-9.png
--- a/devices/surface-hub/images/surface-hub-2s-replace-camera-1.png
+++ b/devices/surface-hub/images/surface-hub-2s-replace-camera-1.png
--- a/devices/surface-hub/images/surface-hub-2s-replace-camera-2.png
+++ b/devices/surface-hub/images/surface-hub-2s-replace-camera-2.png
--- a/devices/surface-hub/images/surface-hub-2s-replace-cartridge-1.png
+++ b/devices/surface-hub/images/surface-hub-2s-replace-cartridge-1.png
--- a/devices/surface-hub/images/surface-hub-2s-replace-cartridge-10.png
+++ b/devices/surface-hub/images/surface-hub-2s-replace-cartridge-10.png
--- a/devices/surface-hub/images/surface-hub-2s-replace-cartridge-2.png
+++ b/devices/surface-hub/images/surface-hub-2s-replace-cartridge-2.png
--- a/devices/surface-hub/images/surface-hub-2s-replace-cartridge-3.png
+++ b/devices/surface-hub/images/surface-hub-2s-replace-cartridge-3.png
--- a/devices/surface-hub/images/surface-hub-2s-replace-cartridge-4.png
+++ b/devices/surface-hub/images/surface-hub-2s-replace-cartridge-4.png
--- a/devices/surface-hub/images/surface-hub-2s-replace-cartridge-5.png
+++ b/devices/surface-hub/images/surface-hub-2s-replace-cartridge-5.png
--- a/devices/surface-hub/images/surface-hub-2s-replace-cartridge-6.png
+++ b/devices/surface-hub/images/surface-hub-2s-replace-cartridge-6.png
--- a/devices/surface-hub/images/surface-hub-2s-replace-cartridge-7.png
+++ b/devices/surface-hub/images/surface-hub-2s-replace-cartridge-7.png
--- a/devices/surface-hub/images/surface-hub-2s-replace-cartridge-8.png
+++ b/devices/surface-hub/images/surface-hub-2s-replace-cartridge-8.png
--- a/devices/surface-hub/images/surface-hub-2s-replace-cartridge-9.png
+++ b/devices/surface-hub/images/surface-hub-2s-replace-cartridge-9.png
--- a/devices/surface-hub/surface-hub-2s-onprem-powershell.md
+++ b/devices/surface-hub/surface-hub-2s-onprem-powershell.md
@ -26,12 +26,6 @@ $ExchSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUr
 Import-PSSession $ExchSession
 ```
 ```PowerShell
 $ExchServer = Read-Host "Please Enter the FQDN of your Exchange Server"
 $ExchSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://$ExchServer/PowerShell/ -Authentication Kerberos -Credential (Get-Credential)
 Import-PSSession $ExchSession
 ```
 ## Create the device account
 ```PowerShell
--- a/devices/surface-hub/surface-hub-2s-pack-components.md
+++ b/devices/surface-hub/surface-hub-2s-pack-components.md
@ -9,7 +9,7 @@ ms.author: greglin
 manager: laurawi
 audience: Admin
 ms.topic: article
-ms.date: 07/1/2019
+ms.date: 02/06/2019
 ms.localizationpriority: Medium
 ---
@ -24,62 +24,45 @@ If you replace your Surface Hub 2S, one of its components, or a related accessor
 Use the following steps to pack your Surface Hub 2S 50" for shipment.
 ![The Surface Hub unit and mobile stand.](images/surface-hub-2s-repack-1.png)
-![Remove the pen and the camera. Do not pack them with the unit.](images/surface-hub-2s-repack-2.png)
+|   |                                                                                                                                                 |       |
 | - | ----------------------------------------------------------------------------------------------------------------------------------------------- | ----- |
 | **1.**  | Remove the pen and the camera. Do not pack them with the unit.                                                   | ![Remove the pen and the camera. Do not pack them with the unit.](images/surface-hub-2s-repack-2.png) |
 | **2.**  | Remove the drive and the power cable. Do not pack them with the unit. Do not pack the Setup guide with the unit. | ![Remove the drive and the power cable. Do not pack them with the unit.](images/surface-hub-2s-repack-3.png) |
 | **3.**  | Unplug all cables, slide the cover sideways, and unscrew the locking screw of the Compute Cartridge.             | ![Unplug all cables, slide the cover sideways, and unscrew the locking screw of the Compute Cartridge.](images/surface-hub-2s-repack-5.png) |
 | **4.**  | Slide the Compute Cartridge out of the unit.                                                                     | ![Slide the Compute Cartridge out of the unit.](images/surface-hub-2s-repack-6.png) |
 | **5.**  | You will need the Compute Cartridge and a screwdriver.                                                           | ![You will need the Compute Cartridge and a screwdriver.](images/surface-hub-2s-repack-7.png)|
 | **6.**  | Remove the cover screw and the cover from the Compute Cartridge, and then remove the solid state drive (SSD).    | ![Remove the cover screw and the cover from the Compute Cartridge, and then remove the solid state drive (SSD).](images/surface-hub-2s-repack-8.png)|
 | **7.** | Replace the cover and slide the Compute Cartridge back into the unit.                                            | ![Replace the cover and slide the Compute Cartridge back into the unit.](images/surface-hub-2s-repack-9.png)|
 | **8.**  | Re-fasten the locking screw and slide the cover into place.                                                      | ![Re-fasten the locking screw and slide the cover into place.](images/surface-hub-2s-repack-10.png)|
 | **9.**  | Remove any base or mounting hardware. Using two people, place the unit in the base of the shipping container.    | ![Remove any base or mounting hardware. Using two people, place the unit in the base of the shipping container.](images/surface-hub-2s-repack-11.png)|
 | **10.** | Replace the cover of the shipping container, and insert the four clips.                                          | ![Replace the cover of the shipping container, and insert the four clips.](images/surface-hub-2s-repack-12.png|
 | **11.** | Close the four clips.                                                                                            | ![Close the four clips.](images/surface-hub-2s-repack-13.png)|
 ![Remove the drive and the power cable. Do not pack them with the unit.](images/surface-hub-2s-repack-3.png)
 ![Do not pack the Setup guide with the unit.](images/surface-hub-2s-repack-4.png)
 ![Unplug all cables, slide the cover sideways, and unscrew the locking screw of the Compute Cartridge.](images/surface-hub-2s-repack-5.png)
 ![Slide the Compute Cartridge out of the unit.](images/surface-hub-2s-repack-6.png)
 ![You will need the Compute Cartridge and a screwdriver.](images/surface-hub-2s-repack-7.png)
 ![Remove the cover screw and the cover from the Compute Cartridge, and then remove the solid state drive (SSD).](images/surface-hub-2s-repack-8.png)
 ![Replace the cover and slide the Compute Cartridge back into the unit.](images/surface-hub-2s-repack-9.png)
 ![Re-fasten the locking screw and slide the cover into place.](images/surface-hub-2s-repack-10.png)
 ![Remove any base or mounting hardware. Using two people, place the unit in the base of the shipping container.](images/surface-hub-2s-repack-11.png)
 ![Replace the cover of the shipping container, and insert the four clips.](images/surface-hub-2s-repack-12.png)
 ![Close the four clips.](images/surface-hub-2s-repack-13.png)
 ## How to replace and pack your Surface Hub 2S Compute Cartridge
-Use the following steps to remove the Surface Hub 2S Compute Cartridge, pack it for shipment, and install the new Compute Cartridge.
+Use the following steps to remove the Surface Hub 2S Compute Cartridge, pack it for shipment, and install the new Compute Cartridge.<br>
    ![Image of the compute cartridge.](images/surface-hub-2s-replace-cartridge-1.png)
-![Image of the compute cartridge.](images/surface-hub-2s-replace-cartridge-1.png)
+|   |                                                                                                                                                 |       |
-
+| - | ----------------------------------------------------------------------------------------------------------------------------------------------- | ----- |
-![Unplug all cables, slide the cover sideways, and unscrew the locking screw of the Compute Cartridge.](images/surface-hub-2s-replace-cartridge-2.png)
+| **1.** | Unplug all cables, slide the cover sideways, and unscrew the locking screw of the Compute Cartridge.                                            | ![Unplug all cables, slide the cover sideways, and unscrew the locking screw of the Compute Cartridge.](images/surface-hub-2s-replace-cartridge-2.png) |
-
+| **2.**  | Slide the Compute Cartridge out of the unit.                                                                                                    | ![Slide the Compute Cartridge out of the unit.](images/surface-hub-2s-replace-cartridge-3.png) |
-![Slide the Compute Cartridge out of the unit.](images/surface-hub-2s-replace-cartridge-3.png)
+| **3.**  | You will need the Compute Cartridge and a screwdriver.                                                                                          | ![You will need the Compute Cartridge and a screwdriver.](images/surface-hub-2s-replace-cartridge-4.png) |
-
+| **4.**  | Remove the cover screw and the cover from the Compute Cartridge, and then remove the solid state drive (SSD). When finished, replace the cover. | ![Remove the cover screw and the cover from the Compute Cartridge, and then remove the solid state drive (SSD). When finished, replace the cover.](images/surface-hub-2s-repack-8.png) |
-![You will need the Compute Cartridge and a screwdriver.](images/surface-hub-2s-replace-cartridge-4.png)
+| **5.**| You will need the packaging fixtures that were used to package your replacement Compute Cartridge.                                              | ![You will need the packaging fixtures that were used to package your replacement Compute Cartridge.](images/surface-hub-2s-replace-cartridge-6.png) |
-
+| **6.**| Place the old Compute Cartridge in the packaging fixtures.                                                                                      | ![Place the old Compute Cartridge in the packaging fixtures.](images/surface-hub-2s-replace-cartridge-7.png) |
-![Remove the cover screw and the cover from the Compute Cartridge, and then remove the solid state drive (SSD). When finished, replace the cover.](images/surface-hub-2s-repack-8.png)
+| **7.** | Place the old Compute Cartridge and its packaging into the box that was used for the replacement Compute Cartridge. Reseal the box.             | ![Place the old Compute Cartridge and its packaging into the box that was used for the replacement Compute Cartridge. Reseal the box.](images/surface-hub-2s-replace-cartridge-8.png)|
-
+| **8.**| Slide the replacement Compute Cartridge into the unit.                                                                                          | ![Slide the replacement Compute Cartridge into the unit.](images/surface-hub-2s-replace-cartridge-9.png) |
-![You will need the packaging fixtures that were used to package your replacement Compute Cartridge.](images/surface-hub-2s-replace-cartridge-6.png)
+| **9.**| Fasten the locking screw and slide the cover into place                                                                                         | ![Fasten the locking screw and slide the cover into place.](images/surface-hub-2s-replace-cartridge-10.png) |
 ![Place the old Compute Cartridge in the packaging fixtures.](images/surface-hub-2s-replace-cartridge-7.png)
 ![Place the old Compute Cartridge and its packaging into the box that was used for the replacement Compute Cartridge. Reseal the box.](images/surface-hub-2s-replace-cartridge-8.png)
 ![Image of the replacement Compute Cartridge.](images/surface-hub-2s-replace-cartridge-1.png)
 ![Slide the replacement Compute Cartridge into the unit.](images/surface-hub-2s-replace-cartridge-9.png)
 ![Fasten the locking screw and slide the cover into place.](images/surface-hub-2s-replace-cartridge-10.png)
 ## How to replace your Surface Hub 2S Camera
 Use the following steps to remove the Surface Hub 2S camera and install the new camera.
 ![You will need the new camera and the two-millimeter allen wrench](images/surface-hub-2s-replace-camera-1.png)
-![Unplug the old camera from the unit. If needed, use the allen wrench to adjust the new camera. Plug the new camera into the unit.](images/surface-hub-2s-replace-camera-2.png)
+|   |                                                                                                                                                 |       |
 | - | ----------------------------------------------------------------------------------------------------------------------------------------------- | ----- |
 | **1.** | You will need the new camera and the two-millimeter allen wrench.                                             |![You will need the new camera and the two-millimeter allen wrench](images/surface-hub-2s-replace-camera-1.png)  |
 | **2.**  |  Unplug the old camera from the unit. If needed, use the allen wrench to adjust the new camera. Plug the new camera into the unit. | ![Unplug the old camera from the unit. If needed, use the allen wrench to adjust the new camera. Plug the new camera into the unit.](images/surface-hub-2s-replace-camera-2.png) |
--- a/devices/surface-hub/surface-hub-2s-recover-reset.md
+++ b/devices/surface-hub/surface-hub-2s-recover-reset.md
@ -23,8 +23,10 @@ To begin, sign in to Surface Hub 2S with admin credentials, open the **Settings*
 1. To reset the device, select **Get Started**.
 2. When the **Ready to reset this device** window appears, select **Reset**. 
  >[!NOTE]
  >Surface Hub 2S reinstalls the operating system from the recovery partition. This may take up to one hour to complete.
 3. To reconfigure the device, run the first-time Setup program.
 4. If you manage the device using Microsoft Intune or another mobile device management solution, retire and delete the previous record, and then re-enroll the new device. For more information, see [Remove devices by using wipe, retire, or manually unenrolling the device](https://docs.microsoft.com/intune/devices-wipe).
--- a/devices/surface-hub/surface-hub-update-history.md
+++ b/devices/surface-hub/surface-hub-update-history.md
@ -24,6 +24,17 @@ Please refer to the “[Surface Hub Important Information](https://support.micro
 ## Windows 10 Team Creators Update 1703
 <details>
 <summary>January 14, 2020—update for Team edition based on KB4534296* (OS Build 15063.2254)</summary>
 This update to the Surface Hub includes quality improvements and security fixes. Key updates to Surface Hub, not already outlined in [Windows 10 Update History](https://support.microsoft.com/help/4018124/windows-10-update-history), include:
 * Addresses an issue with log collection for Microsoft Surface Hub 2S.
 Please refer to the [Surface Hub Admin guide](https://docs.microsoft.com/surface-hub/) for enabling/disabling device features and services.
 *[KB4534296](https://support.microsoft.com/help/4534296)
 </details>
 <details>
 <summary>September 24, 2019—update for Team edition based on KB4516059*  (OS Build 15063.2078)</summary>
@ -57,7 +68,6 @@ Please refer to the [Surface Hub Admin guide](https://docs.microsoft.com/surface
 This update to the Surface Hub includes quality improvements and security fixes. Key updates to Surface Hub, not already outlined in [Windows 10 Update History](https://support.microsoft.com/help/4018124/windows-10-update-history), include:
 * Addresses an issue with log collection for Microsoft Surface Hub 2S.
 * Addresses an issue preventing a user from signing in to a Microsoft Surface Hub device with an Azure Active Directory account. This issue occurs because a previous session did not end successfully.
 * Adds support for TLS 1.2 connections to identity providers and Exchange in device account setup scenarios.
 * Fixes to improve reliability of Hardware Diagnostic App on Hub 2S. 
@ -520,7 +530,6 @@ This update to the Surface Hub includes quality improvements and security fixes.
 ## Related topics
 * [Windows 10 feature roadmap](https://go.microsoft.com/fwlink/p/?LinkId=785967)
 * [Windows 10 release information](https://go.microsoft.com/fwlink/p/?LinkId=724328)
 * [Windows 10 November update: FAQ](https://windows.microsoft.com/windows-10/windows-update-faq)
 * [Microsoft Surface update history](https://go.microsoft.com/fwlink/p/?LinkId=724327)
--- a/devices/surface-hub/use-surface-hub-diagnostic-test-device-account.md
+++ b/devices/surface-hub/use-surface-hub-diagnostic-test-device-account.md
@ -89,11 +89,11 @@ The Surface Hub Hardware Diagnostic tool is an easy-to-navigate tool that lets t
 Field |Success |Failure |Comment |Reference
 |------|------|------|------|------|
-Internet Connectivity |Device does have Internet connectivity |Device does not have Internet connectivity |Verifies internet connectivity, including proxy connection |[Configuring a proxy for your Surface Hub](https://blogs.technet.microsoft.com/y0av/2017/12/03/7/)
+Internet Connectivity |Device does have Internet connectivity |Device does not have Internet connectivity |Verifies internet connectivity, including proxy connection |
 HTTP Version |1.1 |1.0 |If HTTP 1.0 found, it will cause issue with WU and Store |
 Direct Internet Connectivity |Device has a Proxy configured Device has no Proxy configured |N/A |Informational. Is your device behind a proxy? |
 Proxy Address | | |If configured, returns proxy address. |
-Proxy Authentication |Proxy does not require Authentication |Proxy requires Proxy Auth |Result may be a false positive if a user already has an open session in Edge and has authenticated through the proxy. |[Configuring a proxy for your Surface Hub](https://blogs.technet.microsoft.com/y0av/2017/12/03/7/)
+Proxy Authentication |Proxy does not require Authentication |Proxy requires Proxy Auth |Result may be a false positive if a user already has an open session in Edge and has authenticated through the proxy. |
 Proxy Auth Types | | |If proxy authentication is used, return the Authentication methods advertised by the proxy.  |
 #### Environment
@ -131,5 +131,5 @@ SIP Pool Cert Root CA | | |Information. Display the SIP Pool Cert Root CA, if av
 Field |Success |Failure |Comment |Reference
 |------|------|------|------|------|
-Trust Model Status |No Trust Model Issue Detected. |SIP Domain and server domain are different please add the following domains. |Check the LD FQDN/ LD Server Name/ Pool Server name for Trust model issue. |[Surface Hub and the Skype for Business Trusted Domain List](https://blogs.technet.microsoft.com/y0av/2017/10/25/95/)
+Trust Model Status |No Trust Model Issue Detected. |SIP Domain and server domain are different please add the following domains. |Check the LD FQDN/ LD Server Name/ Pool Server name for Trust model issue. 
 Domain Name(s) | | |Return the list of domains that should be added for SFB to connect. |
--- a/devices/surface/TOC.md
+++ b/devices/surface/TOC.md
@ -1,4 +1,4 @@
-# [Surface](index.md)
+# [Surface](index.yml)
 ## [Get started](get-started.md)
--- a/devices/surface/images/config-mgr-semm-fig3.png
+++ b/devices/surface/images/config-mgr-semm-fig3.png
--- a/devices/surface/images/dataeraser-arch.png
+++ b/devices/surface/images/dataeraser-arch.png
--- a/devices/surface/index.md
+++ b/devices/surface/index.md
@ -1,151 +0,0 @@
 --- 
 title: Microsoft Surface documentation and resources
 layout: HubPage
 hide_bc: true
 description: Surface and Surface Hub documentation for admins & IT professionals
 author: greg-lindsay
 ms.author: greglin
 manager: laurawi
 ms.topic: hub-page
 keywords: Microsoft Surface, Microsoft Surface Hub, Surface documentation
 ms.localizationpriority: High
 audience: ITPro
 ms.prod: Surface
 description: Learn about Microsoft Surface and Surface Hub devices.
 ---
 <div id="main" class="v2">
    <div class="container">
        <h1>Microsoft Surface</h1>
        <p>Learn how to plan, deploy, and manage Microsoft Surface and Surface Hub devices.<br><br></p>
        <ul class="pivots">
            <li>
                <a href="#home"></a>
                <ul id="home">
                    <li>
                        <a href="#home-all"></a>
                        <ul id="home-all" class="cardsK">
                            <li>
                                <a href="get-started.md">
                                    <div class="cardSize">
                                        <div class="cardPadding">
                                            <div class="card">
                                                <div class="cardImageOuter">
                                                    <div class="cardImage bgdAccent1"> 
                                                            <img src="images/surface-devices-400x140.svg" alt="Surface Devices" />
                                                    </div>
                                                </div>
                                                <div class="cardText">
                                                    <h3>Surface Devices</h3>
                                                    <p>Harness the power of Surface, Windows, and Office connected together through the cloud. Find tools, step-by-step guides, and other resources to help you plan, deploy, and manage Surface devices in your organization.</p>
                                                </div>
                                            </div>
                                        </div>
                                    </div>
                                </a>
                            </li>
                            <li>
                                <a href="https://docs.microsoft.com/surface-hub/index">
                                    <div class="cardSize">
                                        <div class="cardPadding">
                                            <div class="card">
                                                <div class="cardImageOuter">
                                                    <div class="cardImage bgdAccent1"> 
                                                        <img src="images/surface-hub-400x140.svg" alt="Surface Hub" />
                                                    </div>
                                                </div>
                                                <div class="cardText">
                                                    <h3>Surface Hub</h3>
                                                    <p>Surface Hub 2S is an all-in-one digital interactive whiteboard, meetings platform, and collaborative computing device that brings the power of Windows 10 to team collaboration. Learn how to plan, deploy, manage, and support your Surface Hub devices.</p>
                                                </div>
                                            </div>
                                        </div>
                                    </div>
                                </a>
                            </li>
                            <li>
                                <a href="https://www.microsoft.com/surface/business">
                                    <div class="cardSize">
                                        <div class="cardPadding">
                                            <div class="card">
                                                <div class="cardImageOuter">
                                                    <div class="cardImage bgdAccent1"> 
                                                        <img src="images/surface-workplace-400x140.svg" alt="Surface for Business" />
                                                    </div>
                                                </div>
                                                <div class="cardText">
                                                    <h3>Surface for Business</h3>
                                                    <p>Explore how Surface devices are transforming the modern workplace with people-centric design and flexible form factors, helping you get the most out of AI, big data, the cloud, and other foundational technologies.</p>
                                                </div>
                                            </div>
                                        </div>
                                    </div>
                                </a>
                            </li>
                            <li class="fullSpan">
                              <hr />
                              <br>
                              <ul class="cardsF panelContent singlePanelContent" style="display:flex!important;">
                                    <li>
                                        <div class="cardSize">
                                            <div class="cardPadding">
                                                <div class="card">
                                                    <div class="cardImageOuter">
                                                        <div class="cardImage">
                                                            <img src="https://docs.microsoft.com/office/media/icons/blog-site-blue.svg" alt="Communities" />
                                                        </div>
                                                    </div>
                                                    <div class="cardText">
                                                       <h3>Communities</h3>
                                                        <P><a href="https://techcommunity.microsoft.com/t5/Surface-IT-Pro-Blog/bg-p/SurfaceITPro" target="_blank">Surface IT Pro blog</a></p>
                                                        <P><a href="https://techcommunity.microsoft.com/t5/Surface-Devices/ct-p/SurfaceDevices" target="_blank">Surface Devices Tech Community</a></p>
                                                    </div>
                                                </div>
                                            </div>
                                        </div>
                                    </li>
                                    <li>
                                        <div class="cardSize">
                                            <div class="cardPadding">
                                                <div class="card">
                                                    <div class="cardImageOuter">
                                                        <div class="cardImage">
                                                            <img src="https://docs.microsoft.com/office/media/icons/education-tutorial-blue.svg" alt="Learn" />
                                                        </div>
                                                    </div>
                                                    <div class="cardText">
                                                        <h3>Learn</h3>
                                                        <P><a href="https://docs.microsoft.com/learn/browse/?term=Surface" target="_blank">Surface training on Microsoft Learn</a></p>
                                                        <P><a href="https://www.youtube.com/watch?v=Uk2kJ5FUZxY&list=PLXtHYVsvn_b__1Baibdu4elN4SoF3JTBZ" target="_blank">Microsoft Mechanics Surface videos</a></p>
                                                       <P><a href="https://docs.microsoft.com/surface-hub/surface-hub-2s-adoption-kit" target="_blank">Surface Hub 2S adoption and training</a></p>
                                                    </div>
                                                </div>
                                            </div>
                                        </div>
                                    </li>
                                    <li>
                                        <div class="cardSize">
                                            <div class="cardPadding">
                                                <div class="card">
                                                    <div class="cardImageOuter">
                                                        <div class="cardImage">
                                                            <img src="https://docs.microsoft.com/office/media/icons/chat.svg" alt="Need help?" />
                                                        </div>
                                                    </div>
                                                    <div class="cardText">
                                                        <h3>Need help?</h3>
                                                        <P><a href="https://support.microsoft.com/products/surface-devices" target="_blank">Surface Devices</a></p>
                                                        <P><a href="https://support.microsoft.com/hub/4343507/surface-hub-help" target="_blank">Surface Hub</a></p>
                                                    </div>
                                                </div>
                                            </div>
                                        </div>
                                    </li>
                                </ul>
                            </li>
                        </ul>
                    </li>
                </ul>
            </li>
        </ul>
    </div>
 </div>
--- a/devices/surface/index.yml
+++ b/devices/surface/index.yml
@ -0,0 +1,62 @@
 ### YamlMime:Hub
 title: Microsoft Surface # < 60 chars
 summary: Learn how to plan, deploy, and manage Microsoft Surface and Surface Hub devices. # < 160 chars
 # brand: aspnet | azure | dotnet | dynamics | m365 | ms-graph | office | power-platform | project | sharepoint | sql | sql-server | teams | vs | visual-studio | windows | xamarin
 brand: windows
 metadata:
  title: Microsoft Surface # Required; page title displayed in search results. Include the brand. < 60 chars.
  description: Learn how to plan, deploy, and manage Microsoft Surface and Surface Hub devices. # Required; article description that is displayed in search results. < 160 chars.
  ms.prod: surface #Required; service per approved list. service slug assigned to your service by ACOM.
  ms.topic: hub-page # Required
  audience: ITPro
  author: samanro #Required; your GitHub user alias, with correct capitalization.
  ms.author: samanro #Required; microsoft alias of author; optional team alias.
  ms.date: 07/03/2019 #Required; mm/dd/yyyy format.
  localization_priority: Priority
 # additionalContent section (optional)
 # Card with summary style
 additionalContent:
  # Supports up to 3 sections
  sections:
    - title: For IT Professionals # < 60 chars (optional)
      items:
        # Card
        - title: Surface devices
          summary: Harness the power of Surface, Windows, and Office connected together through the cloud. Find tools, step-by-step guides, and other resources to help you plan, deploy, and manage Surface devices in your organization.
          url: https://docs.microsoft.com/en-us/surface/get-started
        # Card
        - title: Surface Hub
          summary: Surface Hub 2S is an all-in-one digital interactive whiteboard, meetings platform, and collaborative computing device that brings the power of Windows 10 to team collaboration. Learn how to plan, deploy, manage, and support your Surface Hub devices.
          url: https://docs.microsoft.com/surface-hub/index
        # Card
        - title: Surface for Business
          summary: Explore how Surface devices are transforming the modern workplace with people-centric design and flexible form factors, helping you get the most out of AI, big data, the cloud, and other foundational technologies.
          url: https://www.microsoft.com/surface/business
    - title: Other resources # < 60 chars (optional)
      items:
        # Card
        - title: Communities
          links:
            - text: Surface IT Pro blog
              url: https://techcommunity.microsoft.com/t5/Surface-IT-Pro-Blog/bg-p/SurfaceITPro
            - text: Surface Devices Tech Community
              url: https://techcommunity.microsoft.com/t5/Surface-Devices/ct-p/SurfaceDevices
        # Card
        - title: Learn
          links:
            - text: Surface training on Microsoft Learn
              url: https://docs.microsoft.com/learn/browse/?term=Surface
            - text: Microsoft Mechanics Surface videos
              url: https://www.youtube.com/watch?v=Uk2kJ5FUZxY&list=PLXtHYVsvn_b__1Baibdu4elN4SoF3JTBZ
            - text: Surface Hub 2S adoption and training
              url: https://docs.microsoft.com/surface-hub/surface-hub-2s-adoption-kit
        # Card
        - title: Need help?
          links:
            - text: Surface devices
              url: https://support.microsoft.com/products/surface-devices
            - text: Surface Hub
              url: https://support.microsoft.com/hub/4343507/surface-hub-help
--- a/devices/surface/manage-surface-uefi-settings.md
+++ b/devices/surface/manage-surface-uefi-settings.md
@ -39,7 +39,7 @@ The PC information page includes detailed information about your Surface device:
 - **UUID** – This Universally Unique Identification number is specific to your device and is used to identify the device during deployment or management. 
 - **Serial Number** – This number is used to identify this specific Surface device for asset tagging and support scenarios.
- **Asset Tag** – The asset tag is assigned to the Surface device with the [Asset Tag Tool](https://www.microsoft.com/download/details.aspx?id=44076). 
+- **Asset Tag** – The asset tag is assigned to the Surface device with the [Asset Tag Tool](https://docs.microsoft.com/surface/assettag). 
 You will also find detailed information about the firmware of your Surface device. Surface devices have several internal components that each run different versions of firmware. The firmware version of each of the following devices is displayed on the **PC information** page (as shown in Figure 1): 
--- a/devices/surface/microsoft-surface-data-eraser.md
+++ b/devices/surface/microsoft-surface-data-eraser.md
@ -14,7 +14,7 @@ author: dansimp
 ms.author: dansimp
 ms.topic: article
 ms.audience: itpro
-ms.date: 11/13/2019
+ms.date: 02/20/2020
 ---
 # Microsoft Surface Data Eraser
@ -90,23 +90,28 @@ After the creation tool is installed, follow these steps to create a Microsoft S
   ![Start the Microsoft Surface Data Eraser tool](images/dataeraser-start-tool.png "Start the Microsoft Surface Data Eraser tool")
   *Figure 1. Start the Microsoft Surface Data Eraser tool*
 4.  Choose **x64** for most Surface devices or  **ARM64** for Surface Pro X from the **Architecture Selection** page, as shown in Figure 2. Select **Continue**.
-4. Select the USB drive of your choice from the **USB Thumb Drive Selection** page as shown in Figure 2, and then click **Start** to begin the USB creation process. The drive you select will be formatted and any existing data on this drive will be lost.
+    ![Architecture selection](images/dataeraser-arch.png "Architecture Selection")<br>
       *Figure 2. Select device architecture*
 4. Select the USB drive of your choice from the **USB Thumb Drive Selection** page as shown in Figure 3, and then click **Start** to begin the USB creation process. The drive you select will be formatted and any existing data on this drive will be lost.
   >[!NOTE]
   >If the Start button is disabled, check that your removable drive has a total capacity of at least 4 GB.
   ![USB thumb drive selection](images/dataeraser-usb-selection.png "USB thumb drive selection")
-   *Figure 2. USB thumb drive selection*
+   *Figure 3. USB thumb drive selection*
 5. After the creation process is finished, the USB drive has been formatted and all binaries are copied to the USB drive. Click **Success**.
-6. When the **Congratulations** screen is displayed, you can eject and remove the thumb drive. This thumb drive is now ready to be inserted into a Surface device, booted from, and wipe any data on the device. Click **Complete** to finish the USB creation process, as shown in Figure 3.
+6. When the **Congratulations** screen is displayed, you can eject and remove the thumb drive. This thumb drive is now ready to be inserted into a Surface device, booted from, and wipe any data on the device. Click **Complete** to finish the USB creation process, as shown in Figure 4.
   ![Surface Data Eraser USB creation process](images/dataeraser-complete-process.png "Surface Data Eraser USB creation process")
-   *Figure 3. Complete the Microsoft Surface Data Eraser USB creation process*
+   *Figure 4. Complete the Microsoft Surface Data Eraser USB creation process*
 7. Click **X** to close Microsoft Surface Data Eraser.
@ -130,11 +135,11 @@ After you create a Microsoft Surface Data Eraser USB stick, you can boot a suppo
   >[!NOTE]
   >If your device does not boot to USB using these steps, you may need to turn on the **Enable Alternate Boot Sequence** option in Surface UEFI. You can read more about Surface UEFI boot configuration in [Manage Surface UEFI Settings](https://technet.microsoft.com/itpro/surface/manage-surface-uefi-settings).
-3. When the Surface device boots, a **SoftwareLicenseTerms** text file is displayed, as shown in Figure 4.
+3. When the Surface device boots, a **SoftwareLicenseTerms** text file is displayed, as shown in Figure 5.
   ![Booting the Microsoft Surface Data Eraser USB stick](images/data-eraser-3.png "Booting the Microsoft Surface Data Eraser USB stick")
-   *Figure 4. Booting the Microsoft Surface Data Eraser USB stick*
+   *Figure 5. Booting the Microsoft Surface Data Eraser USB stick*
 4. Read the software license terms, and then close the Notepad file.
@ -147,14 +152,14 @@ After you create a Microsoft Surface Data Eraser USB stick, you can boot a suppo
   ![Partition to be erased is displayed](images/sda-fig5-erase.png "Partition to be erased is displayed")
-   *Figure 5. Partition to be erased is displayed in Microsoft Surface Data Eraser*
+   *Figure 6. Partition to be erased is displayed in Microsoft Surface Data Eraser*
 7. If you pressed **Y** in step 6, due to the destructive nature of the data erasure process, an additional dialog box is displayed to confirm your choice.
 8. Click the **Yes** button to continue erasing data on the Surface device.
->[!NOTE]
+   >[!NOTE]
->When you run Surface Data Eraser on the Surface Data Eraser USB drive, a log file is generated in the **SurfaceDataEraserLogs** folder.
+   >When you run Surface Data Eraser on the Surface Data Eraser USB drive, a log file is generated in the **SurfaceDataEraserLogs** folder.
 ## Changes and updates
@ -222,8 +227,8 @@ This version of Microsoft Surface Data Eraser adds support for the following:
 - Surface Pro 1TB
->[!NOTE]
+   >[!NOTE]
->Surface Data Eraser v3.2.45.0 and above can be used to restore Surface Pro or Surface Laptop devices with the 1TB storage option in the scenario that the device shows two separate 512GB volumes or encounters errors when attempting to deploy or install Windows 10. See [Surface Pro Model 1796 and Surface Laptop 1TB display two drives](https://support.microsoft.com/help/4046105/surface-pro-model-1796-and-surface-laptop-1tb-display-two-drives) for more information.
+   >Surface Data Eraser v3.2.45.0 and above can be used to restore Surface Pro or Surface Laptop devices with the 1TB storage option in the scenario that the device shows two separate 512GB volumes or encounters errors when attempting to deploy or install Windows 10. See [Surface Pro Model 1796 and Surface Laptop 1TB display two drives](https://support.microsoft.com/help/4046105/surface-pro-model-1796-and-surface-laptop-1tb-display-two-drives) for more information.
 ### Version 3.2.36.0
--- a/devices/surface/surface-dock-firmware-update.md
+++ b/devices/surface/surface-dock-firmware-update.md
@ -5,50 +5,71 @@ ms.localizationpriority: medium
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
-author: dansimp
+author: greg-lindsay
-ms.author: dansimp
+ms.author: greglin
 ms.topic: article
 ms.date: 10/09/2019
 ms.reviewer: scottmca
 manager: dansimp
 ms.audience: itpro
 ---
 # Microsoft Surface Dock Firmware Update
-This article explains how to use Microsoft Surface Dock Firmware Update, newly redesigned to update Surface Dock firmware while running in the background on your Surface device. Once installed, it will update any Surface Dock attached to your Surface device. 
+This article explains how to use Microsoft Surface Dock Firmware Update to update Surface Dock firmware. When installed on your Surface device, it will update any Surface Dock attached to your Surface device.
-> [!NOTE]
+Microsoft Surface Dock Firmware Update supersedes the earlier Microsoft Surface Dock Updater tool, previously available for download as part of Surface Tools for IT. It was named Surface_Dock_Updater_vx.xx.xxx.x.msi (where x indicates the version number). The earlier tool is no longer available for download and should not be used.
 >Microsoft Surface Dock Firmware Update supersedes the earlier Microsoft Surface Dock Updater tool, previously available for download as part of Surface Tools for IT. It was named Surface_Dock_Updater_vx.xx.xxx.x.msi (where x indicates the version of the tool). The earlier tool has been retired, is no longer available for download, and should not be used.
-## To run Surface Dock Firmware Update
+> [!IMPORTANT]
 >Microsoft periodically releases new versions of Surface Dock Firmware Update. The MSI file is not self-updating. If you have deployed the MSI to Surface devices and a new version of the firmware is released, you will need to deploy the new version.
 ## Monitor the Surface Dock Firmware Update
 This section is optional and provides an overview of how to monitor installation of the firmware update. When you are ready to install the update, see [Install the Surface Dock Firmware Update](#install-the-surface-dock-firmware-update) below. For more detailed information about monitoring the update process, see the following sections in this article: 
  - [How to verify completion of firmware update](#how-to-verify-completion-of-the-firmware-update)
  - [Event logging](#event-logging)
  - [Troubleshooting tips](#troubleshooting-tips)
  - [Versions reference](#versions-reference)
 To monitor the update:
 1. Open Event Viewer, browse to **Windows Logs > Application**, and then under **Actions** in the right-hand pane click **Filter Current Log**, enter **SurfaceDockFwUpdate** next to **Event sources**, and then click **OK**.
 2. Type the following command at an elevated command prompt:
  ```cmd
  Reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WUDF\Services\SurfaceDockFwUpdate\Parameters"
  ```
 3. Install the update as described in the [next section](#install-the-surface-dock-firmware-update) of this article.
 4. Event 2007 with the following text indicates a successful update: **Firmware update finished. hr=0 DriverTelementry EventCode = 2007**. 
  - If the update is not successful, then event ID 2007 will be displayed as an **Error** event rather than **Information**. Additionally, the version reported in the Windows Registry will not be current.
 5. When the update is complete, updated DWORD values will be displayed in the Windows Registry, corresponding to the current version of the tool. See the [Versions reference](#versions-reference) section in this article for details. For example:
  - Component10CurrentFwVersion 0x04ac3970 (78395760)
  - Component20CurrentFwVersion 0x04915a70 (76634736)
 >[!TIP]
 >If you see "The description for Event ID xxxx from source SurfaceDockFwUpdate cannot be found" in event text, this is expected and can be ignored.
 ## Install the Surface Dock Firmware Update
 This section describes how to install the firmware update.
 1. Download and install [Microsoft Surface Dock Firmware Update](https://www.microsoft.com/download/details.aspx?id=46703).
-    - The file is released in the following naming format: **Surface_Dock_FwUpdate_X.XX.XXX_Win10_XXXXX_XX.XXX.XXXXX_X.MSI** and installs by default to C:\Program Files\SurfaceUpdate.
+  - The update requires a Surface device running Windows 10, version 1803 or later.
-    - Requires Surface devices running at least Windows 10 version 1803 or later.
+  - Installing the MSI file might prompt you to restart Surface. However, restarting is not required to perform the update.
-2. After you connect Surface Dock to your Surface device, the tool checks the firmware status while running in the background.
+2. Disconnect your Surface device from the Surface Dock (using the power adapter), wait ~5 seconds, and then reconnect. The Surface Dock Firmware Update will update the dock silently in background. The process can take a few minutes to complete and will continue even if interrupted. 
 4. After several seconds, disconnect your Surface Dock from your device and then wait for 5 seconds before reconnecting. The Surface Dock Firmware Update will normally update the dock silently in background after you disconnect from the dock and reconnect. The process can take a few minutes to complete and will continue even if interrupted. 
 ### Manual installation
 If preferred, you can manually complete the update as follows:
 - Reconnect your Surface Dock for 2 minutes and then disconnect it from your device. The DisplayPort firmware update will be installed while the hardware is disconnected. The LED in the Ethernet port of the dock will blink while the update is in progress. Please wait until the LED stops blinking before you unplug your Surface Dock from power.
 > [!NOTE]
 >
 > - Manually installing the MSI file may prompt you to restart Surface; however, restarting is optional and not required.
 > - You will need to disconnect and reconnect the dock twice before the update fully completes.
 > - To create a log file, specify the path in the Msiexec command. For example, append /l*v %windir%\logs\ SurfaceDockFWI.log".
 ## Network deployment
 You can use Windows Installer commands (Msiexec.exe) to deploy Surface Dock Firmware Update to multiple devices across your network. When using Microsoft Endpoint Configuration Manager or other deployment tool, enter the following syntax to ensure the installation is silent:
- **Msiexec.exe /i <name of msi> /quiet /norestart** 
+- **Msiexec.exe /i \<path to msi file\> /quiet /norestart** 
  For example:
  ```
  msiexec /i "\\share\folder\Surface_Dock_FwUpdate_1.42.139_Win10_17134_19.084.31680_0.msi" /quiet /norestart
  ```
 > [!NOTE]
-> A log file is not created by default. In order to create a log file, you will need to append "/l*v [path]"
+> A log file is not created by default. In order to create a log file, you will need to append "/l*v [path]". For example: Msiexec.exe /i \<path to msi file\> /l*v %windir%\logs\ SurfaceDockFWI.log"
 For more information, refer to [Command line options](https://docs.microsoft.com/windows/win32/msi/command-line-options) documentation.
@ -56,12 +77,13 @@ For more information, refer to [Command line options](https://docs.microsoft.com
 > If you want to keep your Surface Dock updated using any other method, refer to [Update your Surface Dock](https://support.microsoft.com/help/4023478/surface-update-your-surface-dock) for details.
 ## Intune deployment
 You can use Intune to distribute Surface Dock Firmware Update to your devices. First you will need to convert the MSI file to the .intunewin format, as described in the following documentation: [Intune Standalone - Win32 app management](https://docs.microsoft.com/intune/apps/apps-win32-app-management).
 Use the following command:
-  - **msiexec /i <name of msi> /quiet /q**
+  - **msiexec /i \<path to msi file\> /quiet /q**
-## How to verify completion of firmware update
+## How to verify completion of the firmware update
 Surface dock firmware consists of two components:
@ -117,11 +139,11 @@ Events are logged in the Application Event Log.  Note:  Earlier versions of this
 - Ensure that the Surface Dock is disconnected, and then allow enough time for the update to complete as monitored via an LED in the Ethernet port of the dock. Wait until the LED stops blinking before you unplug Surface Dock from power.
 - Connect the Surface Dock to a different device to see if it is able to update the dock.
 ## Changes and updates
 Microsoft periodically releases new versions of Surface Dock Firmware Update.Note that the MSI file is not self-updating. If you have deployed the MSI to Surface devices and a new version of the firmware is released, you will need to deploy the new version of the MSI.
 ## Versions reference
 >[!NOTE]
 >The installation file is released with the following naming format: **Surface_Dock_FwUpdate_X.XX.XXX_Win10_XXXXX_XX.XXX.XXXXX_X.MSI** (ex: Surface_Dock_FwUpdate_1.42.139_Win10_17134_19.084.31680_0.msi) and installs by default to C:\Program Files\SurfaceUpdate.
 ### Version 1.42.139 
 *Release Date: September 18 2019*
--- a/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md
+++ b/devices/surface/use-system-center-configuration-manager-to-manage-devices-with-semm.md
@ -75,10 +75,9 @@ To create a new application and deploy it to a collection that contains your Sur
   * **Import Information** – The Create Application Wizard will parse the .msi file and read the **Application Name** and **Product Code**. SurfaceUEFIManagerSetup.msi should be listed as the only file under the line **Content Files**, as shown in Figure 1. Select **Next** to proceed.
      ![Information from Surface UEFI Manager setup is automatically parsed](images/config-mgr-semm-fig1.png "Information from Surface UEFI Manager setup is automatically parsed")
-   ![Information from Surface UEFI Manager setup is automatically parsed](images/config-mgr-semm-fig1.png "Information from Surface UEFI Manager setup is automatically parsed")
+      *Figure 1. Information from Microsoft Surface UEFI Manager setup is automatically parsed*
   *Figure 1. Information from Microsoft Surface UEFI Manager setup is automatically parsed*
   * **General Information** – You can modify the name of the application and information about the publisher and version, or add comments on this page. The installation command for Microsoft Surface UEFI Manager is displayed in the Installation Program field. The default installation behavior of Install for system will allow Microsoft Surface UEFI Manager to install the required assemblies for SEMM even if a user is not logged on to the Surface device. Select **Next** to proceed.
   * **Summary** – The information that was parsed in the **Import Information** step and your selections from the **General Information** step is displayed on this page. Select **Next** to confirm your selections and create the application.
@ -107,7 +106,7 @@ The sample scripts include examples of how to set Surface UEFI settings and how
 The first region of the script that you need to modify is the portion that specifies and loads the SEMM certificate, and also indicates SurfaceUEFIManager version, and the names for the SEMM configuration package and SEMM reset package. The certificate name and SurfaceUEFIManager version are specified on lines 56 through 73 in the ConfigureSEMM.ps1 script.
-  ```
+  ```powershell
  56	$WorkingDirPath = split-path -parent $MyInvocation.MyCommand.Definition
  57	$packageRoot = "$WorkingDirPath\Config"
  58	$certName = "FabrikamSEMMSample.pfx"
@ -137,7 +136,7 @@ On line 73, replace the value of the **$password** variable, from **1234** to th
 > [!Note]
 > The last two characters of the certificate thumbprint are required to enroll a device in SEMM. This script will display these digits to the user, which allows the user or technician to record these digits before the system reboots to enroll the device in SEMM. The script uses the following code, found on lines 150-155, to accomplish this.
-```
+```powershell
 150	# Device owners will need the last two characters of the thumbprint to accept SEMM ownership.
 151	# For convenience we get the thumbprint here and present to the user.
 152	$pw = ConvertTo-SecureString $password -AsPlainText -Force
@ -163,7 +162,7 @@ Administrators with access to the certificate file (.pfx) can read the thumbprin
 The first region of the script where you will specify the configuration for Surface UEFI is the **Configure Permissions** region. This region begins at line 210 in the sample script with the comment **# Configure Permissions** and continues to line 247. The following code fragment first sets permissions to all Surface UEFI settings so that they may be modified by SEMM only, then adds explicit permissions to allow the local user to modify the Surface UEFI password, TPM, and front and rear cameras.
-```
+```powershell
 210	# Configure Permissions
 211	foreach ($uefiV2 IN $surfaceDevices.Values) {
 212 if ($uefiV2.SurfaceUefiFamily -eq $Device.Model) {
@ -215,7 +214,7 @@ You can find information about the available settings names and IDs for Surface
 The second region of the script where you will specify the configuration for Surface UEFI is the **Configure Settings** region of the ConfigureSEMM.ps1 script, which configures whether each setting is enabled or disabled. The sample script includes instructions to set all settings to their default values. The script then provides explicit instructions to disable IPv6 for PXE Boot and to leave the Surface UEFI Administrator password unchanged. You can find this region beginning with the **# Configure Settings** comment at line 291 through line 335 in the sample script. The region appears as follows.
-```
+```powershell
 291	# Configure Settings
 292	foreach ($uefiV2 IN $surfaceDevices.Values) {
 293 if ($uefiV2.SurfaceUefiFamily -eq $Device.Model) {
@ -277,7 +276,7 @@ To identify enrolled systems for Configuration Manager, the ConfigureSEMM.ps1 sc
 The following code fragment, found on lines 380-477, is used to write these registry keys.
-```
+```powershell
 380	# For Endpoint Configuration Manager or other management solutions that wish to know what version is applied, tattoo the LSV and current DateTime (in UTC) to the registry:
 381	$UTCDate = (Get-Date).ToUniversalTime().ToString()
 382	$certIssuer = $certPrint.Issuer
@ -480,10 +479,10 @@ To add the SEMM Configuration Manager scripts to Configuration Manager as an app
       - Select **Registry** from the **Setting Type** drop-down menu.
       - Select **HKEY_LOCAL_MACHINE** from the **Hive** drop-down menu.
       - Enter **SOFTWARE\Microsoft\Surface\SEMM** in the **Key** field.
-       - Enter **Enabled_Version1000** in the **Value** field.
+       - Enter **CertName** in the **Value** field.
       - Select **String** from the **Data Type** drop-down menu.
       - Select the **This registry setting must satisfy the following rule to indicate the presence of this application** button.
-       - Enter **1** in the **Value** field.
+       - Enter the name of the certificate you entered in line 58 of the script in the **Value** field.
       - Select **OK** to close the **Detection Rule** window.
     ![Use a registry key to identify devices enrolled in SEMM](images/config-mgr-semm-fig3.png "Use a registry key to identify devices enrolled in SEMM")
--- a/devices/surface/windows-autopilot-and-surface-devices.md
+++ b/devices/surface/windows-autopilot-and-surface-devices.md
@ -13,7 +13,7 @@ ms.author: dansimp
 ms.topic: article
 ms.localizationpriority: medium
 ms.audience: itpro
-ms.date: 11/26/2019
+ms.date: 02/14/2020
 ---
 # Windows Autopilot and Surface devices
@ -25,15 +25,24 @@ Windows Autopilot-registered devices are identified over the Internet at first s
 You can register Surface devices at the time of purchase from a Surface partner that's enabled for Windows Autopilot. These partners can ship new devices directly to your users. The devices will be automatically enrolled and configured when they are first turned on. This process eliminates reimaging during deployment, which lets you implement new, agile methods of device management and distribution.
 ## Modern management
 Autopilot is the recommended deployment option for Surface devices, including Surface Pro 7, Surface Laptop 3, and Surface Pro X, which is specifically designed for deployment through Autopilot.
 It's best to enroll your Surface devices with the help of a Microsoft Cloud Solution Provider. This step allows you to manage UEFI firmware settings on Surface directly from Intune. It eliminates the need to physically touch devices for certificate management. See [Intune management of Surface UEFI settings](surface-manage-dfci-guide.md) for details.
 ## Windows version considerations
 Broad deployment of Surface devices through Windows Autopilot, including enrollment by Surface partners at the time of purchase, requires Windows 10 Version 1709 (Fall Creators Update) or later.
 These Windows versions support a 4,000-byte (4k) hash value that uniquely identifies devices for Windows Autopilot, which is necessary for deployments at scale. All new Surface devices, including Surface Pro 7, Surface Pro X, and Surface Laptop 3, ship with Windows 10 Version 1903 or later.
 ## Exchange experience on Surface devices in need of repair or replacement
 Microsoft automatically checks every Surface for Autopilot enrollment and will deregister the device from the customer’s tenant.  Microsoft ensures the replacement device is enrolled into Windows Autopilot once a replacement is shipped back to the customer. This service is available on all device exchange service orders directly with Microsoft.
 > [!NOTE]
 > When customers use a Partner to return devices, the Partner is responsible for managing the exchange process including deregistering and enrolling devices into Windows Autopilot.
 ## Surface partners enabled for Windows Autopilot
 Select Surface partners can enroll Surface devices in Windows Autopilot for you at the time of purchase. They can also ship enrolled devices directly to your users. The devices can be configured entirely through a zero-touch process by using Windows Autopilot, Azure AD, and mobile device management.
@ -42,7 +51,7 @@ Surface partners that are enabled for Windows Autopilot include:
 - [ALSO](https://www.also.com/ec/cms5/de_1010/1010_anbieter/microsoft/windows-autopilot/index.jsp) 
 - [Atea](https://www.atea.com/)
- [Bechtle](https://www.bechtle.com/de-en) 
+- [Bechtle](https://www.bechtle.com/marken/microsoft/microsoft-windows-autopilot) 
 - [Cancom](https://www.cancom.de/)
 - [CDW](https://www.cdw.com/)
 - [Computacenter](https://www.computacenter.com/uk)
@ -53,6 +62,7 @@ Surface partners that are enabled for Windows Autopilot include:
 - [Techdata](https://www.techdata.com/)
 ## Learn more
 For more information about Windows Autopilot, see:
 - [Overview of Windows Autopilot](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-10-autopilot)
 - [Windows Autopilot requirements](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot-requirements)
--- a/mdop/appv-v5/app-v-50-prerequisites.md
+++ b/mdop/appv-v5/app-v-50-prerequisites.md
@ -100,8 +100,8 @@ The following table lists the installation prerequisites for the App-V 5.0 clien
 <tr class="odd">
 <td align="left"><p><strong>Software requirements</strong></p></td>
 <td align="left"><ul>
-<li><p><a href="https://www.microsoft.com/download/details.aspx?id=17718" data-raw-source="[Microsoft .NET Framework 4 (Full Package)](https://www.microsoft.com/download/details.aspx?id=17718)">Microsoft .NET Framework 4 (Full Package)</a> (<a href="http://www.microsoft.com/download/details.aspx?id=17718" data-raw-source="http://www.microsoft.com/download/details.aspx?id=17718">http://www.microsoft.com/download/details.aspx?id=17718</a>)</p></li>
+<li><p><a href="https://www.microsoft.com/download/details.aspx?id=17718" data-raw-source="[Microsoft .NET Framework 4 (Full Package)](https://www.microsoft.com/download/details.aspx?id=17718)">Microsoft .NET Framework 4 (Full Package)</a> (<a href="https://www.microsoft.com/download/details.aspx?id=17718" data-raw-source="https://www.microsoft.com/download/details.aspx?id=17718">https://www.microsoft.com/download/details.aspx?id=17718</a>)</p></li>
-<li><p><a href="https://www.microsoft.com/download/details.aspx?id=34595" data-raw-source="[Windows PowerShell 3.0](https://www.microsoft.com/download/details.aspx?id=34595)">Windows PowerShell 3.0</a> (<a href="http://www.microsoft.com/download/details.aspx?id=34595" data-raw-source="http://www.microsoft.com/download/details.aspx?id=34595">http://www.microsoft.com/download/details.aspx?id=34595</a>)</p>
+<li><p><a href="https://www.microsoft.com/download/details.aspx?id=34595" data-raw-source="[Windows PowerShell 3.0](https://www.microsoft.com/download/details.aspx?id=34595)">Windows PowerShell 3.0</a> (<a href="https://www.microsoft.com/download/details.aspx?id=34595" data-raw-source="https://www.microsoft.com/download/details.aspx?id=34595">https://www.microsoft.com/download/details.aspx?id=34595</a>)</p>
 <p></p>
 <div class="alert">
 <strong>Note</strong><br/><p>Installing PowerShell 3.0 requires a restart.</p>
@ -109,7 +109,7 @@ The following table lists the installation prerequisites for the App-V 5.0 clien
 <div>
 </div></li>
-<li><p>Download and install <a href="https://support.microsoft.com/kb/2533623" data-raw-source="[KB2533623](https://support.microsoft.com/kb/2533623)">KB2533623</a> (<a href="http://support.microsoft.com/kb/2533623" data-raw-source="http://support.microsoft.com/kb/2533623">http://support.microsoft.com/kb/2533623</a>)</p>
+<li><p>Download and install <a href="https://support.microsoft.com/kb/2533623" data-raw-source="[KB2533623](https://support.microsoft.com/kb/2533623)">KB2533623</a> (<a href="https://support.microsoft.com/kb/2533623" data-raw-source="https://support.microsoft.com/kb/2533623">https://support.microsoft.com/kb/2533623</a>)</p>
 <p></p>
 <div class="alert">
 <strong>Important</strong><br/><p>You can download and install the previous KB article. However, it may have been replaced with a more recent version.</p>
@ -120,12 +120,12 @@ The following table lists the installation prerequisites for the App-V 5.0 clien
 <li><p>The client installer (.exe) will detect if it is necessary to install the following prerequisites, and it will do so accordingly:</p>
 <p></p>
 <ul>
-<li><p><a href="https://www.microsoft.com/download/details.aspx?id=40784" data-raw-source="[Visual C++ Redistributable Packages for Visual Studio 2013](https://www.microsoft.com/download/details.aspx?id=40784)">Visual C++ Redistributable Packages for Visual Studio 2013</a> (<a href="http://www.microsoft.com/download/details.aspx?id=40784" data-raw-source="http://www.microsoft.com/download/details.aspx?id=40784">http://www.microsoft.com/download/details.aspx?id=40784</a>)</p>
+<li><p><a href="https://www.microsoft.com/download/details.aspx?id=40784" data-raw-source="[Visual C++ Redistributable Packages for Visual Studio 2013](https://www.microsoft.com/download/details.aspx?id=40784)">Visual C++ Redistributable Packages for Visual Studio 2013</a> (<a href="https://www.microsoft.com/download/details.aspx?id=40784" data-raw-source="https://www.microsoft.com/download/details.aspx?id=40784">https://www.microsoft.com/download/details.aspx?id=40784</a>)</p>
 <p>This prerequisite is only required if you have installed Hotfix Package 4 for Application Virtualization 5.0 SP2 or later.</p>
 <p></p></li>
 <li><p><a href="https://www.microsoft.com/download/details.aspx?id=26999" data-raw-source="[The Microsoft Visual C++ 2010 Redistributable](https://www.microsoft.com/download/details.aspx?id=26999)">The Microsoft Visual C++ 2010 Redistributable</a> (<a href="https://go.microsoft.com/fwlink/?LinkId=26999" data-raw-source="https://go.microsoft.com/fwlink/?LinkId=26999">https://go.microsoft.com/fwlink/?LinkId=26999</a>)</p>
 <p></p></li>
-<li><p><a href="https://www.microsoft.com/download/details.aspx?id=5638" data-raw-source="[Microsoft Visual C++ 2005 SP1 Redistributable Package (x86)](https://www.microsoft.com/download/details.aspx?id=5638)">Microsoft Visual C++ 2005 SP1 Redistributable Package (x86)</a> (<a href="http://www.microsoft.com/download/details.aspx?id=5638" data-raw-source="http://www.microsoft.com/download/details.aspx?id=5638">http://www.microsoft.com/download/details.aspx?id=5638</a>)</p></li>
+<li><p><a href="https://www.microsoft.com/download/details.aspx?id=5638" data-raw-source="[Microsoft Visual C++ 2005 SP1 Redistributable Package (x86)](https://www.microsoft.com/download/details.aspx?id=5638)">Microsoft Visual C++ 2005 SP1 Redistributable Package (x86)</a> (<a href="https://www.microsoft.com/download/details.aspx?id=5638" data-raw-source="https://www.microsoft.com/download/details.aspx?id=5638">https://www.microsoft.com/download/details.aspx?id=5638</a>)</p></li>
 </ul></li>
 </ul></td>
 </tr>
@ -158,8 +158,8 @@ The following table lists the installation prerequisites for the App-V 5.0 Remot
 <tr class="odd">
 <td align="left"><p><strong>Software requirements</strong></p></td>
 <td align="left"><ul>
-<li><p><a href="https://www.microsoft.com/download/details.aspx?id=17718" data-raw-source="[Microsoft.NET Framework 4 (Full Package)](https://www.microsoft.com/download/details.aspx?id=17718)">Microsoft.NET Framework 4 (Full Package)</a> (<a href="http://www.microsoft.com/download/details.aspx?id=17718" data-raw-source="http://www.microsoft.com/download/details.aspx?id=17718">http://www.microsoft.com/download/details.aspx?id=17718</a>)</p></li>
+<li><p><a href="https://www.microsoft.com/download/details.aspx?id=17718" data-raw-source="[Microsoft.NET Framework 4 (Full Package)](https://www.microsoft.com/download/details.aspx?id=17718)">Microsoft.NET Framework 4 (Full Package)</a> (<a href="https://www.microsoft.com/download/details.aspx?id=17718" data-raw-source="https://www.microsoft.com/download/details.aspx?id=17718">https://www.microsoft.com/download/details.aspx?id=17718</a>)</p></li>
-<li><p><a href="https://www.microsoft.com/download/details.aspx?id=34595" data-raw-source="[Windows PowerShell 3.0](https://www.microsoft.com/download/details.aspx?id=34595)">Windows PowerShell 3.0</a> (<a href="http://www.microsoft.com/download/details.aspx?id=34595" data-raw-source="http://www.microsoft.com/download/details.aspx?id=34595">http://www.microsoft.com/download/details.aspx?id=34595</a>)</p>
+<li><p><a href="https://www.microsoft.com/download/details.aspx?id=34595" data-raw-source="[Windows PowerShell 3.0](https://www.microsoft.com/download/details.aspx?id=34595)">Windows PowerShell 3.0</a> (<a href="https://www.microsoft.com/download/details.aspx?id=34595" data-raw-source="https://www.microsoft.com/download/details.aspx?id=34595">https://www.microsoft.com/download/details.aspx?id=34595</a>)</p>
 <p></p>
 <div class="alert">
 <strong>Note</strong><br/><p>Installing PowerShell 3.0 requires a restart.</p>
@ -178,12 +178,12 @@ The following table lists the installation prerequisites for the App-V 5.0 Remot
 <li><p>The client (.exe) installer will detect if it is necessary to install the following prerequisites, and it will do so accordingly:</p>
 <p></p>
 <ul>
-<li><p><a href="https://www.microsoft.com/download/details.aspx?id=40784" data-raw-source="[Visual C++ Redistributable Packages for Visual Studio 2013](https://www.microsoft.com/download/details.aspx?id=40784)">Visual C++ Redistributable Packages for Visual Studio 2013</a> (<a href="http://www.microsoft.com/download/details.aspx?id=40784" data-raw-source="http://www.microsoft.com/download/details.aspx?id=40784">http://www.microsoft.com/download/details.aspx?id=40784</a>)</p>
+<li><p><a href="https://www.microsoft.com/download/details.aspx?id=40784" data-raw-source="[Visual C++ Redistributable Packages for Visual Studio 2013](https://www.microsoft.com/download/details.aspx?id=40784)">Visual C++ Redistributable Packages for Visual Studio 2013</a> (<a href="https://www.microsoft.com/download/details.aspx?id=40784" data-raw-source="https://www.microsoft.com/download/details.aspx?id=40784">https://www.microsoft.com/download/details.aspx?id=40784</a>)</p>
 <p>This prerequisite is required only if you have installed Hotfix Package 4 for Application Virtualization 5.0 SP2 or later.</p>
 <p></p></li>
 <li><p><a href="https://www.microsoft.com/download/details.aspx?id=26999" data-raw-source="[The Microsoft Visual C++ 2010 Redistributable](https://www.microsoft.com/download/details.aspx?id=26999)">The Microsoft Visual C++ 2010 Redistributable</a> (<a href="https://go.microsoft.com/fwlink/?LinkId=26999" data-raw-source="https://go.microsoft.com/fwlink/?LinkId=26999">https://go.microsoft.com/fwlink/?LinkId=26999</a>)</p>
 <p></p></li>
-<li><p><a href="https://www.microsoft.com/download/details.aspx?id=5638" data-raw-source="[Microsoft Visual C++ 2005 SP1 Redistributable Package (x86)](https://www.microsoft.com/download/details.aspx?id=5638)">Microsoft Visual C++ 2005 SP1 Redistributable Package (x86)</a> (<a href="http://www.microsoft.com/download/details.aspx?id=5638" data-raw-source="http://www.microsoft.com/download/details.aspx?id=5638">http://www.microsoft.com/download/details.aspx?id=5638</a>)</p></li>
+<li><p><a href="https://www.microsoft.com/download/details.aspx?id=5638" data-raw-source="[Microsoft Visual C++ 2005 SP1 Redistributable Package (x86)](https://www.microsoft.com/download/details.aspx?id=5638)">Microsoft Visual C++ 2005 SP1 Redistributable Package (x86)</a> (<a href="https://www.microsoft.com/download/details.aspx?id=5638" data-raw-source="https://www.microsoft.com/download/details.aspx?id=5638">https://www.microsoft.com/download/details.aspx?id=5638</a>)</p></li>
 </ul></li>
 </ul></td>
 </tr>
@ -221,14 +221,14 @@ If the system requirements of a locally installed application exceed the require
 <tr class="odd">
 <td align="left"><p><strong>Software requirements</strong></p></td>
 <td align="left"><ul>
-<li><p><a href="https://www.microsoft.com/download/details.aspx?id=40784" data-raw-source="[Visual C++ Redistributable Packages for Visual Studio 2013](https://www.microsoft.com/download/details.aspx?id=40784)">Visual C++ Redistributable Packages for Visual Studio 2013</a> (<a href="http://www.microsoft.com/download/details.aspx?id=40784" data-raw-source="http://www.microsoft.com/download/details.aspx?id=40784">http://www.microsoft.com/download/details.aspx?id=40784</a>)</p>
+<li><p><a href="https://www.microsoft.com/download/details.aspx?id=40784" data-raw-source="[Visual C++ Redistributable Packages for Visual Studio 2013](https://www.microsoft.com/download/details.aspx?id=40784)">Visual C++ Redistributable Packages for Visual Studio 2013</a> (<a href="https://www.microsoft.com/download/details.aspx?id=40784" data-raw-source="https://www.microsoft.com/download/details.aspx?id=40784">https://www.microsoft.com/download/details.aspx?id=40784</a>)</p>
 <p>This prerequisite is required only if you have installed Hotfix Package 4 for Application Virtualization 5.0 SP2.</p>
 <p></p></li>
-<li><p><a href="https://www.microsoft.com/download/details.aspx?id=17718" data-raw-source="[Microsoft .NET Framework 4 (Full Package)](https://www.microsoft.com/download/details.aspx?id=17718)">Microsoft .NET Framework 4 (Full Package)</a> (<a href="http://www.microsoft.com/download/details.aspx?id=17718" data-raw-source="http://www.microsoft.com/download/details.aspx?id=17718">http://www.microsoft.com/download/details.aspx?id=17718</a>)</p>
+<li><p><a href="https://www.microsoft.com/download/details.aspx?id=17718" data-raw-source="[Microsoft .NET Framework 4 (Full Package)](https://www.microsoft.com/download/details.aspx?id=17718)">Microsoft .NET Framework 4 (Full Package)</a> (<a href="https://www.microsoft.com/download/details.aspx?id=17718" data-raw-source="https://www.microsoft.com/download/details.aspx?id=17718">https://www.microsoft.com/download/details.aspx?id=17718</a>)</p>
 <p></p></li>
-<li><p><a href="https://www.microsoft.com/download/details.aspx?id=34595" data-raw-source="[Windows PowerShell 3.0](https://www.microsoft.com/download/details.aspx?id=34595)">Windows PowerShell 3.0</a> (<a href="http://www.microsoft.com/download/details.aspx?id=34595" data-raw-source="http://www.microsoft.com/download/details.aspx?id=34595">http://www.microsoft.com/download/details.aspx?id=34595</a>)</p>
+<li><p><a href="https://www.microsoft.com/download/details.aspx?id=34595" data-raw-source="[Windows PowerShell 3.0](https://www.microsoft.com/download/details.aspx?id=34595)">Windows PowerShell 3.0</a> (<a href="https://www.microsoft.com/download/details.aspx?id=34595" data-raw-source="https://www.microsoft.com/download/details.aspx?id=34595">https://www.microsoft.com/download/details.aspx?id=34595</a>)</p>
 <p></p></li>
-<li><p>Download and install <a href="https://support.microsoft.com/kb/2533623" data-raw-source="[KB2533623](https://support.microsoft.com/kb/2533623)">KB2533623</a> (<a href="http://support.microsoft.com/kb/2533623" data-raw-source="http://support.microsoft.com/kb/2533623">http://support.microsoft.com/kb/2533623</a>)</p>
+<li><p>Download and install <a href="https://support.microsoft.com/kb/2533623" data-raw-source="[KB2533623](https://support.microsoft.com/kb/2533623)">KB2533623</a> (<a href="https://support.microsoft.com/kb/2533623" data-raw-source="https://support.microsoft.com/kb/2533623">https://support.microsoft.com/kb/2533623</a>)</p>
 <p></p></li>
 <li><p>For computers running Microsoft Windows Server 2008 R2 SP1, download and install <a href="https://go.microsoft.com/fwlink/?LinkId=286102" data-raw-source="[KB2533623](https://go.microsoft.com/fwlink/?LinkId=286102 )">KB2533623</a> (<a href="https://go.microsoft.com/fwlink/?LinkId=286102" data-raw-source="https://go.microsoft.com/fwlink/?LinkId=286102">https://go.microsoft.com/fwlink/?LinkId=286102</a>)</p>
 <p></p>
@ -254,7 +254,7 @@ The following prerequisites are already installed for computers that run Windows
 -   Windows PowerShell 3.0
-   Download and install [KB2533623](https://support.microsoft.com/kb/2533623) (http://support.microsoft.com/kb/2533623)
+-   Download and install [KB2533623](https://support.microsoft.com/kb/2533623) (https://support.microsoft.com/kb/2533623)
    **Important**  
    You can still download install the previous KB. However, it may have been replaced with a more recent version.
@ -292,8 +292,8 @@ The installation of the App-V 5.0 server on a computer that runs any previous ve
 <tr class="odd">
 <td align="left"><p><strong>Management Server</strong></p></td>
 <td align="left"><ul>
-<li><p><a href="https://www.microsoft.com/download/details.aspx?id=17718" data-raw-source="[Microsoft .NET Framework 4 (Full Package)](https://www.microsoft.com/download/details.aspx?id=17718)">Microsoft .NET Framework 4 (Full Package)</a> (<a href="http://www.microsoft.com/download/details.aspx?id=17718" data-raw-source="http://www.microsoft.com/download/details.aspx?id=17718">http://www.microsoft.com/download/details.aspx?id=17718</a>)</p></li>
+<li><p><a href="https://www.microsoft.com/download/details.aspx?id=17718" data-raw-source="[Microsoft .NET Framework 4 (Full Package)](https://www.microsoft.com/download/details.aspx?id=17718)">Microsoft .NET Framework 4 (Full Package)</a> (<a href="https://www.microsoft.com/download/details.aspx?id=17718" data-raw-source="https://www.microsoft.com/download/details.aspx?id=17718">https://www.microsoft.com/download/details.aspx?id=17718</a>)</p></li>
-<li><p><a href="https://www.microsoft.com/download/details.aspx?id=34595" data-raw-source="[Windows PowerShell 3.0](https://www.microsoft.com/download/details.aspx?id=34595)">Windows PowerShell 3.0</a> (<a href="http://www.microsoft.com/download/details.aspx?id=34595" data-raw-source="http://www.microsoft.com/download/details.aspx?id=34595">http://www.microsoft.com/download/details.aspx?id=34595</a>)</p>
+<li><p><a href="https://www.microsoft.com/download/details.aspx?id=34595" data-raw-source="[Windows PowerShell 3.0](https://www.microsoft.com/download/details.aspx?id=34595)">Windows PowerShell 3.0</a> (<a href="https://www.microsoft.com/download/details.aspx?id=34595" data-raw-source="https://www.microsoft.com/download/details.aspx?id=34595">https://www.microsoft.com/download/details.aspx?id=34595</a>)</p>
 <div class="alert">
 <strong>Note</strong><br/><p>Installing PowerShell 3.0 requires a restart.</p>
 </div>
@ -301,7 +301,7 @@ The installation of the App-V 5.0 server on a computer that runs any previous ve
 </div></li>
 <li><p>Windows Web Server with the IIS role enabled and the following features: <strong>Common HTTP Features</strong> (static content and default document), <strong>Application Development</strong> (ASP.NET, .NET Extensibility, ISAPI Extensions and ISAPI Filters), <strong>Security</strong> (Windows Authentication, Request Filtering), <strong>Management Tools</strong> (IIS Management Console).</p></li>
-<li><p>Download and install <a href="https://support.microsoft.com/kb/2533623" data-raw-source="[KB2533623](https://support.microsoft.com/kb/2533623)">KB2533623</a> (<a href="http://support.microsoft.com/kb/2533623" data-raw-source="http://support.microsoft.com/kb/2533623">http://support.microsoft.com/kb/2533623</a>)</p>
+<li><p>Download and install <a href="https://support.microsoft.com/kb/2533623" data-raw-source="[KB2533623](https://support.microsoft.com/kb/2533623)">KB2533623</a> (<a href="https://support.microsoft.com/kb/2533623" data-raw-source="https://support.microsoft.com/kb/2533623">https://support.microsoft.com/kb/2533623</a>)</p>
 <p></p>
 <div class="alert">
 <strong>Important</strong><br/><p>You can still download install the previous KB. However, it may have been replaced with a more recent version.</p>
@ -309,7 +309,7 @@ The installation of the App-V 5.0 server on a computer that runs any previous ve
 <div>
 </div></li>
-<li><p><a href="https://www.microsoft.com/download/details.aspx?id=13523" data-raw-source="[Microsoft Visual C++ 2010 SP1 Redistributable Package (x64)](https://www.microsoft.com/download/details.aspx?id=13523)">Microsoft Visual C++ 2010 SP1 Redistributable Package (x64)</a> (<a href="http://www.microsoft.com/download/details.aspx?id=13523" data-raw-source="http://www.microsoft.com/download/details.aspx?id=13523">http://www.microsoft.com/download/details.aspx?id=13523</a>)</p></li>
+<li><p><a href="https://www.microsoft.com/download/details.aspx?id=13523" data-raw-source="[Microsoft Visual C++ 2010 SP1 Redistributable Package (x64)](https://www.microsoft.com/download/details.aspx?id=13523)">Microsoft Visual C++ 2010 SP1 Redistributable Package (x64)</a> (<a href="https://www.microsoft.com/download/details.aspx?id=13523" data-raw-source="https://www.microsoft.com/download/details.aspx?id=13523">https://www.microsoft.com/download/details.aspx?id=13523</a>)</p></li>
 <li><p><a href="https://go.microsoft.com/fwlink/?LinkId=267110" data-raw-source="[Microsoft Visual C++ 2010 SP1 Redistributable Package (x86)](https://go.microsoft.com/fwlink/?LinkId=267110)">Microsoft Visual C++ 2010 SP1 Redistributable Package (x86)</a> (<a href="https://go.microsoft.com/fwlink/?LinkId=267110" data-raw-source="https://go.microsoft.com/fwlink/?LinkId=267110">https://go.microsoft.com/fwlink/?LinkId=267110</a>)</p></li>
 <li><p>64-bit ASP.NET registration</p></li>
 </ul>
@ -339,7 +339,7 @@ The installation of the App-V 5.0 server on a computer that runs any previous ve
 </div>
 <ul>
-<li><p><a href="https://www.microsoft.com/download/details.aspx?id=17718" data-raw-source="[Microsoft .NET Framework 4 (Full Package)](https://www.microsoft.com/download/details.aspx?id=17718)">Microsoft .NET Framework 4 (Full Package)</a> (<a href="http://www.microsoft.com/download/details.aspx?id=17718" data-raw-source="http://www.microsoft.com/download/details.aspx?id=17718">http://www.microsoft.com/download/details.aspx?id=17718</a>)</p></li>
+<li><p><a href="https://www.microsoft.com/download/details.aspx?id=17718" data-raw-source="[Microsoft .NET Framework 4 (Full Package)](https://www.microsoft.com/download/details.aspx?id=17718)">Microsoft .NET Framework 4 (Full Package)</a> (<a href="https://www.microsoft.com/download/details.aspx?id=17718" data-raw-source="https://www.microsoft.com/download/details.aspx?id=17718">https://www.microsoft.com/download/details.aspx?id=17718</a>)</p></li>
 <li><p><a href="https://go.microsoft.com/fwlink/?LinkId=267110" data-raw-source="[Microsoft Visual C++ 2010 SP1 Redistributable Package (x86)](https://go.microsoft.com/fwlink/?LinkId=267110)">Microsoft Visual C++ 2010 SP1 Redistributable Package (x86)</a>(<a href="https://go.microsoft.com/fwlink/?LinkId=267110" data-raw-source="https://go.microsoft.com/fwlink/?LinkId=267110">https://go.microsoft.com/fwlink/?LinkId=267110</a>)</p></li>
 </ul>
 <p>The App-V 5.0 server components are dependent but they have varying requirements and installation options that must be deployed. Use the following information to prepare your environment to run the App-V 5.0 management database.</p>
@ -355,7 +355,7 @@ The installation of the App-V 5.0 server on a computer that runs any previous ve
 <tr class="odd">
 <td align="left"><p><strong>Reporting Server</strong></p></td>
 <td align="left"><ul>
-<li><p><a href="https://www.microsoft.com/download/details.aspx?id=17718" data-raw-source="[Microsoft .NET Framework 4 (Full Package)](https://www.microsoft.com/download/details.aspx?id=17718)">Microsoft .NET Framework 4 (Full Package)</a> (<a href="http://www.microsoft.com/download/details.aspx?id=17718" data-raw-source="http://www.microsoft.com/download/details.aspx?id=17718">http://www.microsoft.com/download/details.aspx?id=17718</a>)</p></li>
+<li><p><a href="https://www.microsoft.com/download/details.aspx?id=17718" data-raw-source="[Microsoft .NET Framework 4 (Full Package)](https://www.microsoft.com/download/details.aspx?id=17718)">Microsoft .NET Framework 4 (Full Package)</a> (<a href="https://www.microsoft.com/download/details.aspx?id=17718" data-raw-source="https://www.microsoft.com/download/details.aspx?id=17718">https://www.microsoft.com/download/details.aspx?id=17718</a>)</p></li>
 <li><p><a href="https://go.microsoft.com/fwlink/?LinkId=267110" data-raw-source="[Microsoft Visual C++ 2010 SP1 Redistributable Package (x86)](https://go.microsoft.com/fwlink/?LinkId=267110)">Microsoft Visual C++ 2010 SP1 Redistributable Package (x86)</a>(<a href="https://go.microsoft.com/fwlink/?LinkId=267110" data-raw-source="https://go.microsoft.com/fwlink/?LinkId=267110">https://go.microsoft.com/fwlink/?LinkId=267110</a>)</p></li>
 <li><div class="alert">
 <strong>Note</strong><br/><p>To help reduce the risk of unwanted or malicious data being sent to the reporting server, you should restrict access to the Reporting Web Service per your corporate security policy.</p>
@ -380,7 +380,7 @@ The installation of the App-V 5.0 server on a computer that runs any previous ve
 </div>
 <ul>
-<li><p><a href="https://www.microsoft.com/download/details.aspx?id=17718" data-raw-source="[Microsoft .NET Framework 4 (Full Package)](https://www.microsoft.com/download/details.aspx?id=17718)">Microsoft .NET Framework 4 (Full Package)</a> (<a href="http://www.microsoft.com/download/details.aspx?id=17718" data-raw-source="http://www.microsoft.com/download/details.aspx?id=17718">http://www.microsoft.com/download/details.aspx?id=17718</a>)</p></li>
+<li><p><a href="https://www.microsoft.com/download/details.aspx?id=17718" data-raw-source="[Microsoft .NET Framework 4 (Full Package)](https://www.microsoft.com/download/details.aspx?id=17718)">Microsoft .NET Framework 4 (Full Package)</a> (<a href="https://www.microsoft.com/download/details.aspx?id=17718" data-raw-source="https://www.microsoft.com/download/details.aspx?id=17718">https://www.microsoft.com/download/details.aspx?id=17718</a>)</p></li>
 <li><p><a href="https://go.microsoft.com/fwlink/?LinkId=267110" data-raw-source="[Microsoft Visual C++ 2010 SP1 Redistributable Package (x86)](https://go.microsoft.com/fwlink/?LinkId=267110)">Microsoft Visual C++ 2010 SP1 Redistributable Package (x86)</a>(<a href="https://go.microsoft.com/fwlink/?LinkId=267110" data-raw-source="https://go.microsoft.com/fwlink/?LinkId=267110">https://go.microsoft.com/fwlink/?LinkId=267110</a>)</p></li>
 </ul>
 <p>The App-V 5.0 server components are dependent but they have varying requirements and installation options that must be deployed. Use the following information to prepare your environment to run the App-V 5.0 reporting database.</p>
@ -396,7 +396,7 @@ The installation of the App-V 5.0 server on a computer that runs any previous ve
 <tr class="odd">
 <td align="left"><p><strong>Publishing Server</strong></p></td>
 <td align="left"><ul>
-<li><p><a href="https://www.microsoft.com/download/details.aspx?id=17718" data-raw-source="[Microsoft .NET Framework 4 (Full Package)](https://www.microsoft.com/download/details.aspx?id=17718)">Microsoft .NET Framework 4 (Full Package)</a> (<a href="http://www.microsoft.com/download/details.aspx?id=17718" data-raw-source="http://www.microsoft.com/download/details.aspx?id=17718">http://www.microsoft.com/download/details.aspx?id=17718</a>)</p></li>
+<li><p><a href="https://www.microsoft.com/download/details.aspx?id=17718" data-raw-source="[Microsoft .NET Framework 4 (Full Package)](https://www.microsoft.com/download/details.aspx?id=17718)">Microsoft .NET Framework 4 (Full Package)</a> (<a href="https://www.microsoft.com/download/details.aspx?id=17718" data-raw-source="https://www.microsoft.com/download/details.aspx?id=17718">https://www.microsoft.com/download/details.aspx?id=17718</a>)</p></li>
 <li><p><a href="https://go.microsoft.com/fwlink/?LinkId=267110" data-raw-source="[Microsoft Visual C++ 2010 SP1 Redistributable Package (x86)](https://go.microsoft.com/fwlink/?LinkId=267110)">Microsoft Visual C++ 2010 SP1 Redistributable Package (x86)</a>(<a href="https://go.microsoft.com/fwlink/?LinkId=267110" data-raw-source="https://go.microsoft.com/fwlink/?LinkId=267110">https://go.microsoft.com/fwlink/?LinkId=267110</a>)</p></li>
 <li><p>Windows Web Server with the IIS role with the following features: <strong>Common HTTP Features</strong> (static content and default document), <strong>Application Development</strong> (ASP.NET, .NET Extensibility, ISAPI Extensions and ISAPI Filters), <strong>Security</strong> (Windows Authentication, Request Filtering), <strong>Security</strong> (Windows Authentication, Request Filtering), <strong>Management Tools</strong> (IIS Management Console)</p></li>
 <li><p>64-bit ASP.NET registration</p></li>
--- a/mdop/mbam-v1/known-issues-in-the-mbam-international-release-mbam-1.md
+++ b/mdop/mbam-v1/known-issues-in-the-mbam-international-release-mbam-1.md
@ -36,7 +36,7 @@ If you are using a certificate for authentication between MBAM servers, after up
 ### MBAM Svclog File Filling Disk Space
-If you have followed Knowledge Base article 2668170, [http://support.microsoft.com/kb/2668170](https://go.microsoft.com/fwlink/?LinkID=247277), you might have to repeat the KB steps after you install this update.
+If you have followed Knowledge Base article 2668170, [https://support.microsoft.com/kb/2668170](https://go.microsoft.com/fwlink/?LinkID=247277), you might have to repeat the KB steps after you install this update.
 **Workaround**: None.
--- a/mdop/mbam-v2/mbam-20-privacy-statement-mbam-2.md
+++ b/mdop/mbam-v2/mbam-20-privacy-statement-mbam-2.md
@ -92,7 +92,7 @@ Incorrectly editing the registry may severely damage your system. Before making
 Important Information: Enterprise customers can use Group Policy to configure how Microsoft Error Reporting behaves on their PCs. Configuration options include the ability to turn off Microsoft Error Reporting. If you are an administrator and wish to configure Group Policy for Microsoft Error Reporting, technical details are available on [TechNet](https://technet.microsoft.com/library/cc709644.aspx).
-Additional information on how to modify enable and disable error reporting is available at this support article: [(http://support.microsoft.com/kb/188296)](https://support.microsoft.com/kb/188296).
+Additional information on how to modify enable and disable error reporting is available at this support article: [(https://support.microsoft.com/kb/188296)](https://support.microsoft.com/kb/188296).
 ### Microsoft Update
--- a/mdop/mbam-v25/apply-hotfix-for-mbam-25-sp1.md
+++ b/mdop/mbam-v25/apply-hotfix-for-mbam-25-sp1.md
@ -19,7 +19,10 @@ author: shortpatti
 This topic describes the process for applying the hotfixes for Microsoft BitLocker Administration and Monitoring (MBAM) Server 2.5 SP1
 ### Before you begin, download the latest hotfix of Microsoft BitLocker Administration and Monitoring (MBAM) Server 2.5 SP1
-[Desktop Optimization Pack](https://www.microsoft.com/download/details.aspx?id=58345)
+[Desktop Optimization Pack](https://www.microsoft.com/download/details.aspx?id=57157)
 > [!NOTE]
 > For more information about the hotfix releases, see the [MBAM version chart](https://docs.microsoft.com/archive/blogs/dubaisec/mbam-version-chart).
 #### Steps to update the MBAM Server for existing MBAM environment 
 1. Remove MBAM server feature (do this by opening the MBAM Server Configuration Tool, then selecting Remove Features).
--- a/mdop/mbam-v25/upgrading-to-mbam-25-sp1-from-mbam-25.md
+++ b/mdop/mbam-v25/upgrading-to-mbam-25-sp1-from-mbam-25.md
@ -26,24 +26,21 @@ Verify you have a current documentation of your MBAM environment, including all
 ### Upgrade steps
 #### Steps to upgrade the MBAM Database (SQL Server)
 1. Using the MBAM Configurator; remove the Reports role from the SQL server, or wherever the SSRS database is hosted. Depending on your environment, this can be the same server or a separate one.
-   Note: You will not see an option to remove the Databases; this is expected.  
+  > [!NOTE]
  > You will not see an option to remove the Databases; this is expected.  
 2. Install 2.5 SP1 (Located with MDOP - Microsoft Desktop Optimization Pack 2015 from the Volume Licensing Service Center site:  <https://www.microsoft.com/Licensing/servicecenter/default.aspx>
 3. Do not configure it at this time 
-4. Install the May 2019 Rollup: https://www.microsoft.com/download/details.aspx?id=58345
+4. Using the MBAM Configurator; re-add the Reports role
-5. Using the MBAM Configurator; re-add the Reports role
+5. Using the MBAM Configurator; re-add the SQL Database role on the SQL Server
-6. This will configure the SSRS connection using the latest MBAM code from the rollup 
+6. At the end, you will be warned that the DBs already exist and  weren’t created, but this is expected
-7. Using the MBAM Configurator; re-add the SQL Database role on the SQL Server.
+7. This process updates the existing databases to the current version being installed.              
 8. At the end, you will be warned that the DBs already exist and  weren’t created, but this is expected.
 9. This process updates the existing databases to the current version  being installed                  
 #### Steps to upgrade the MBAM Server (Running MBAM and IIS)
 1. Using the MBAM Configurator; remove the Admin and Self Service Portals from  the IIS server
 2. Install MBAM 2.5 SP1
 3. Do not configure it at this time  
-4. Install the May 2019 Rollup on the IIS server(https://www.microsoft.com/download/details.aspx?id=58345)
+4. Using the MBAM Configurator; re-add the Admin and Self Service Portals to the IIS server 
-5. Using the MBAM Configurator; re-add the Admin and Self Service Portals to the IIS server 
+5. Open an elevated command prompt, type **IISRESET**, and hit Enter.
 6. This will configure the sites using the latest MBAM code from the May 2019 Rollup
 7. Open an elevated command prompt, Type: **IISRESET** and Hit Enter.
 #### Steps to upgrade the MBAM Clients/Endpoints
 1. Uninstall the 2.5 Agent from client endpoints
--- a/windows/application-management/manage-windows-mixed-reality.md
+++ b/windows/application-management/manage-windows-mixed-reality.md
@ -33,14 +33,14 @@ Organizations that use Windows Server Update Services (WSUS) must take action to
 2. Windows Mixed Reality Feature on Demand (FOD) is downloaded from Windows Update. If access to Windows Update is blocked, you must manually install the Windows Mixed Reality FOD.
-   a. Download the FOD .cab file for [Windows 10, version 1903](https://software-download.microsoft.com/download/pr/Microsoft-Windows-Holographic-Desktop-FOD-Package-31bf3856ad364e35-amd64.cab), [Windows 10, version 1809](https://software-download.microsoft.com/download/pr/microsoft-windows-holographic-desktop-fod-package31bf3856ad364e35amd64_1.cab), [Windows 10, version 1803](https://download.microsoft.com/download/9/9/3/9934B163-FA01-4108-A38A-851B4ACD1244/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab), or [Windows 10, version 1709](https://download.microsoft.com/download/6/F/8/6F816172-AC7D-4F45-B967-D573FB450CB7/Microsoft-Windows-Holographic-Desktop-FOD-Package.cab).
+   a. Download the FOD .cab file for [Windows 10, version 1903 and 1909](https://software-download.microsoft.com/download/pr/Microsoft-Windows-Holographic-Desktop-FOD-Package-31bf3856ad364e35-amd64.cab), [Windows 10, version 1809](https://software-download.microsoft.com/download/pr/microsoft-windows-holographic-desktop-fod-package31bf3856ad364e35amd64_1.cab), [Windows 10, version 1803](https://download.microsoft.com/download/9/9/3/9934B163-FA01-4108-A38A-851B4ACD1244/Microsoft-Windows-Holographic-Desktop-FOD-Package~31bf3856ad364e35~amd64~~.cab), or [Windows 10, version 1709](https://download.microsoft.com/download/6/F/8/6F816172-AC7D-4F45-B967-D573FB450CB7/Microsoft-Windows-Holographic-Desktop-FOD-Package.cab).
   >[!NOTE]
   >You must download the FOD .cab file that matches your operating system version.
   b. Use `Add-Package` to add Windows Mixed Reality FOD to the image.
-    ```
+    ```powershell
    Add-Package
    Dism /Online /add-package /packagepath:(path)
    ```
--- a/windows/client-management/TOC.md
+++ b/windows/client-management/TOC.md
@ -32,5 +32,6 @@
 #### [Advanced troubleshooting for stop error or blue screen error](troubleshoot-stop-errors.md)
 #### [Advanced troubleshooting for stop error 7B or Inaccessible_Boot_Device](troubleshoot-inaccessible-boot-device.md)
 #### [Advanced troubleshooting for Event ID 41 "The system has rebooted without cleanly shutting down first"](troubleshoot-event-id-41-restart.md)
 #### [Stop error occurs when you update the in-box Broadcom network adapter driver](troubleshoot-stop-error-on-broadcom-driver-update.md)
 ## [Mobile device management for solution providers](mdm/index.md)
 ## [Change history for Client management](change-history-for-client-management.md)
--- a/windows/client-management/advanced-troubleshooting-802-authentication.md
+++ b/windows/client-management/advanced-troubleshooting-802-authentication.md
@ -59,7 +59,7 @@ First, validate the type of EAP method being used:
 ![eap authentication type comparison](images/comparisontable.png)
-If a certificate is used for its authentication method, check if the certificate is valid. For server (NPS) side, you can confirm what certificate is being used from the EAP property menu:
+If a certificate is used for its authentication method, check if the certificate is valid. For server (NPS) side, you can confirm what certificate is being used from the EAP property menu. In **NPS snap-in**, go to **Policies** > **Network Policies**. Right click on the policy and select **Properties**. In the pop-up window, go to the **Constraints** tab and select the **Authentication Methods** section.
 ![Constraints tab of the secure wireless connections properties](images/eappropertymenu.png)
@ -118,4 +118,3 @@ Even if audit policy appears to be fully enabled, it sometimes helps to disable
 [Troubleshooting Windows Vista 802.11 Wireless Connections](https://technet.microsoft.com/library/cc766215%28v=ws.10%29.aspx)<br>
 [Troubleshooting Windows Vista Secure 802.3 Wired Connections](https://technet.microsoft.com/library/cc749352%28v=ws.10%29.aspx)
--- a/windows/client-management/change-history-for-client-management.md
+++ b/windows/client-management/change-history-for-client-management.md
@ -9,7 +9,7 @@ ms.pagetype: security
 ms.localizationpriority: medium
 author: dansimp
 ms.author: dansimp
-ms.date: 12/27/2019
+ms.date: 1/21/2020
 ms.reviewer: 
 manager: dansimp
 ms.topic: article
@ -19,11 +19,19 @@ ms.topic: article
 This topic lists new and updated topics in the [Client management](index.md) documentation for Windows 10 and Windows 10 Mobile.
 ## February 2020
 New or changed topic | Description
 --- | ---
 [Blue screen occurs when you update the in-box Broadcom NIC driver](troubleshoot-stop-error-on-broadcom-driver-update.md) | New
 [Advanced troubleshooting for Windows startup](troubleshoot-windows-startup.md) | Updated
 ## December 2019
 New or changed topic | Description
 --- | ---
 [Change in default removal policy for external storage media in Windows 10, version 1809](change-default-removal-policy-external-storage-media.md) | New
 [Advanced troubleshooting for Windows startup](troubleshoot-windows-startup.md) | Updated
 [Advanced troubleshooting for Event ID 41 "The system has rebooted without cleanly shutting down first"](troubleshoot-event-id-41-restart.md) | New
 ## December 2018
--- a/windows/client-management/connect-to-remote-aadj-pc.md
+++ b/windows/client-management/connect-to-remote-aadj-pc.md
@ -65,7 +65,7 @@ Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-gu
 ## Supported configurations
-In organizations that have integrated Active Directory and Azure AD, you can connect from a domain-joined PC to an Azure AD-joined PC using:
+In organizations that have integrated Active Directory and Azure AD, you can connect from a Hybrid-joined PC to an Azure AD-joined PC using:
 - Password
 - Smartcards
--- a/windows/client-management/mdm/bitlocker-csp.md
+++ b/windows/client-management/mdm/bitlocker-csp.md
@ -31,12 +31,15 @@ The following diagram shows the BitLocker configuration service provider in tree
 ![BitLocker csp](images/provisioning-csp-bitlocker.png)
 <a href="" id="--device-vendor-msft-bitlocker"></a>**./Device/Vendor/MSFT/BitLocker**  
 Defines the root node for the BitLocker configuration service provider.
-
+<!--Policy-->
 <a href="" id="requirestoragecardencryption"></a>**RequireStorageCardEncryption**  
 <!--Description-->
 Allows the administrator to require storage card encryption on the device. This policy is valid only for a mobile SKU.
-
+<!--/Description-->
 <!--SupportedSKUs-->
 <table>
 <tr>
    <th>Home</th>
@ -57,12 +60,13 @@ Allows the administrator to require storage card encryption on the device. This
    <td><img src="images/checkmark.png" alt="check mark" /></td>
 </tr>
 </table> 
 <!--/SupportedSKUs-->
 Data type is integer. Sample value for this node to enable this policy: 1. Disabling this policy will not turn off the encryption on the storage card, but the user will no longer be prompted to turn it on.
-
+<!--SupportedValues-->
 - 0 (default) – Storage cards do not need to be encrypted.
 - 1 – Require storage cards to be encrypted.  
-
+<!--/SupportedValues-->
 Disabling this policy will not turn off the encryption on the system card, but the user will no longer be prompted to turn it on.
 If you want to disable this policy use the following SyncML:
@ -87,11 +91,13 @@ If you want to disable this policy use the following SyncML:
 ```
 Data type is integer. Supported operations are Add, Get, Replace, and Delete.
-
+<!--/Policy-->
 <!--Policy-->
 <a href="" id="requiredeviceencryption"></a>**RequireDeviceEncryption**  
-
+<!--Description-->
 Allows the administrator to require encryption to be turned on by using BitLocker\Device Encryption.
-
+<!--/Description-->
 <!--SupportedSKUs-->
 <table>
 <tr>
    <th>Home</th>
@ -112,7 +118,7 @@ Allows the administrator to require encryption to be turned on by using BitLocke
    <td><img src="images/checkmark.png" alt="check mark" /></td>
 </tr>
 </table> 
-
+<!--/SupportedSKUs-->
 Data type is integer. Sample value for this node to enable this policy: 1.
 Supported operations are Add, Get, Replace, and Delete.
@ -126,12 +132,12 @@ Encryptable fixed data volumes are treated similarly to OS volumes. However, fix
 - It must not be a system partition.
 - It must not be backed by virtual storage.
 - It must not have a reference in the BCD store.
-
+<!--SupportedValues-->
 The following list shows the supported values:
 -   0 (default) — Disable. If the policy setting is not set or is set to 0, the device's enforcement status is not checked. The policy does not enforce encryption and it does not decrypt encrypted volumes.
 -   1 – Enable. The device's enforcement status is checked. Setting this policy to 1 triggers encryption of all drives (silently or non-silently based on [AllowWarningForOtherDiskEncryption](#allowwarningforotherdiskencryption) policy).  
-
+<!--/SupportedValues-->
 If you want to disable this policy, use the following SyncML:
 ```xml
@ -152,10 +158,13 @@ If you want to disable this policy, use the following SyncML:
    </SyncBody>
 </SyncML>        
 ```
-
+<!--/Policy-->
 <!--Policy-->
 <a href="" id="encryptionmethodbydrivetype"></a>**EncryptionMethodByDriveType**
-
+<!--Description-->
 Allows you to set the default encryption method for each of the different drive types: operating system drives, fixed data drives, and removable data drives. Hidden, system, and recovery partitions are skipped from encryption. This setting is a direct mapping to the Bitlocker Group Policy &quot;Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)&quot;.
 <!--/Description-->
 <!--SupportedValues-->
 <table>
 <tr>
    <th>Home</th>
@ -176,6 +185,8 @@ Allows you to set the default encryption method for each of the different drive
    <td><img src="images/crossmark.png" alt="cross mark" /></td>
 </tr>
 </table> 
 <!--/SupportedValues-->
 <!--ADMXMapped-->
 ADMX Info:
 <ul>
 <li>GP English name: <em>Choose drive encryption method and cipher strength (Windows 10 [Version 1511] and later)</em></li>
@ -183,6 +194,7 @@ ADMX Info:
 <li>GP path: <em>Windows Components/Bitlocker Drive Encryption</em></li>
 <li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
 </ul>
 <!--/ADMXMapped-->
 > [!TIP]
 > For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
@ -202,14 +214,14 @@ If you disable or do not configure this policy setting, BitLocker will use the d
 EncryptionMethodWithXtsOsDropDown_Name = Select the encryption method for operating system drives
 EncryptionMethodWithXtsFdvDropDown_Name = Select the encryption method for fixed data drives.
 EncryptionMethodWithXtsRdvDropDown_Name = Select the encryption method for removable data drives.
-
+<!--SupportedValues-->
 The possible values for &#39;xx&#39; are:
 - 3 = AES-CBC 128
 - 4 = AES-CBC 256
 - 6 = XTS-AES 128
 - 7 = XTS-AES 256
-
+<!--/SupportedValues-->
 > [!NOTE]
 > When you enable EncryptionMethodByDriveType, you must specify values for all three drives (operating system, fixed data, and removable data), otherwise it will fail (500 return status). For example, if you only set the encrytion method for the OS and removable drives, you will get a 500 return status.  
@ -231,9 +243,13 @@ EncryptionMethodWithXtsRdvDropDown_Name = Select the encryption method for remov
 ```
 Data type is string. Supported operations are Add, Get, Replace, and Delete.
-
+<!--/Policy-->
 <!--Policy-->
 <a href="" id="systemdrivesrequirestartupauthentication"></a>**SystemDrivesRequireStartupAuthentication**  
 <!--Description-->
 This setting is a direct mapping to the Bitlocker Group Policy &quot;Require additional authentication at startup&quot;.
 <!--/Description-->
 <!--SupportedSKUs-->
 <table>
 <tr>
    <th>Home</th>
@ -254,6 +270,8 @@ This setting is a direct mapping to the Bitlocker Group Policy &quot;Require add
    <td><img src="images/crossmark.png" alt="cross mark" /></td>
 </tr>
 </table> 
 <!--/SupportedSKUs-->
 <!--ADMXMapped-->
 ADMX Info:
 <ul>
 <li>GP English name: <em>Require additional authentication at startup</em></li>
@ -261,6 +279,7 @@ ADMX Info:
 <li>GP path: <em>Windows Components/Bitlocker Drive Encryption/Operating System Drives</em></li>
 <li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
 </ul>
 <!--/ADMXMapped-->
 > [!TIP]
 > For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
@ -297,7 +316,7 @@ Data id:
 <li>ConfigureTPMPINKeyUsageDropDown_Name = (for computer with TPM) Configure TPM startup key and PIN.</li>
 <li>ConfigureTPMUsageDropDown_Name = (for computer with TPM) Configure TPM startup.</li>
 </ul>
-
+<!--SupportedValues-->
 The possible values for &#39;xx&#39; are:
 <ul>
 <li>true = Explicitly allow</li>
@ -310,7 +329,7 @@ The possible values for &#39;yy&#39; are:
 <li>1 = Required</li>
 <li>0 = Disallowed</li>
 </ul>
-
+<!--/SupportedValues-->
 Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:
 ```xml
@ -328,9 +347,13 @@ Disabling the policy will let the system choose the default behaviors. If you wa
                         </Replace>
 ```
 Data type is string. Supported operations are Add, Get, Replace, and Delete.
-
+<!--/Policy-->
 <!--Policy-->
 <a href="" id="systemdrivesminimumpinlength"></a>**SystemDrivesMinimumPINLength**  
 <!--Description-->
 This setting is a direct mapping to the Bitlocker Group Policy &quot;Configure minimum PIN length for startup&quot;.
 <!--/Description-->
 <!--SupportedSKUs-->
 <table>
 <tr>
    <th>Home</th>
@ -351,6 +374,8 @@ This setting is a direct mapping to the Bitlocker Group Policy &quot;Configure m
    <td><img src="images/crossmark.png" alt="cross mark" /></td>
 </tr>
 </table>
 <!--/SupportedSKUs-->
 <!--ADMXMapped-->
 ADMX Info:
 <ul>
 <li>GP English name:<em>Configure minimum PIN length for startup</em></li>
@ -358,6 +383,7 @@ ADMX Info:
 <li>GP path: <em>Windows Components/Bitlocker Drive Encryption/Operating System Drives</em></li>
 <li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
 </ul>
 <!--/ADMXMapped-->
 > [!TIP]
 > For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
@ -397,9 +423,14 @@ Disabling the policy will let the system choose the default behaviors. If you wa
 ```
 Data type is string. Supported operations are Add, Get, Replace, and Delete.
-
+<!--/Policy-->
 <!--Policy-->
 <a href="" id="systemdrivesrecoverymessage"></a>**SystemDrivesRecoveryMessage** 
-This setting is a direct mapping to the Bitlocker Group Policy &quot;Configure pre-boot recovery message and URL&quot; (PrebootRecoveryInfo_Name).
+<!--Description-->
 This setting is a direct mapping to the Bitlocker Group Policy &quot;Configure pre-boot recovery message and URL&quot;
 (PrebootRecoveryInfo_Name).
 <!--/Description-->
 <!--SupportedSKUs-->
 <table>
 <tr>
    <th>Home</th>
@ -420,6 +451,8 @@ This setting is a direct mapping to the Bitlocker Group Policy &quot;Configure p
    <td><img src="images/crossmark.png" alt="cross mark" /></td>
 </tr>
 </table>
 <!--/SupportedSKUs-->
 <!--ADMXMapped-->
 ADMX Info:
 <ul>
 <li>GP English name: <em>Configure pre-boot recovery message and URL</em></li>
@ -427,6 +460,7 @@ ADMX Info:
 <li>GP path: <em>Windows Components/Bitlocker Drive Encryption/Operating System Drives</em></li>
 <li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
 </ul>
 <!--/ADMXMapped-->
 > [!TIP]
 > For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
@ -445,6 +479,7 @@ Sample value for this node to enable this policy is:
 ```xml
 <enabled/><data id="PrebootRecoveryInfoDropDown_Name" value="xx"/><data id="RecoveryMessage_Input" value="yy"/><data id="RecoveryUrl_Input" value="zz"/>
 ```
 <!--SupportedValues-->
 The possible values for &#39;xx&#39; are:
 -  0 = Empty
@ -453,7 +488,7 @@ The possible values for &#39;xx&#39; are:
 -  3 = Custom recovery URL is set.
 -  'yy' = string of max length 900.
 -  'zz' = string of max length 500.
-
+<!--/SupportedValues-->
 > [!NOTE]
 > When you enable SystemDrivesRecoveryMessage, you must specify values for all three settings (pre-boot recovery screen, recovery message, and recovery URL), otherwise it will fail (500 return status). For example, if you only specify values for message and URL, you will get a 500 return status.
@ -478,9 +513,13 @@ Disabling the policy will let the system choose the default behaviors.  If you w
 > Not all characters and languages are supported in pre-boot. It is strongly recommended that you test that the characters you use for the custom message or URL appear correctly on the pre-boot recovery screen.
 Data type is string. Supported operations are Add, Get, Replace, and Delete.
-
+<!--/Policy-->
 <!--Policy-->
 <a href="" id="systemdrivesrecoveryoptions"></a>**SystemDrivesRecoveryOptions**  
 <!--Description-->
 This setting is a direct mapping to the Bitlocker Group Policy &quot;Choose how BitLocker-protected operating system drives can be recovered&quot; (OSRecoveryUsage_Name).
 <!--/Description-->
 <!--SupportedSKUs-->
 <table>
 <tr>
    <th>Home</th>
@ -501,6 +540,8 @@ This setting is a direct mapping to the Bitlocker Group Policy &quot;Choose how
    <td><img src="images/crossmark.png" alt="cross mark" /></td>
 </tr>
 </table>
 <!--/SupportedSKUs-->
 <!--ADMXMapped-->
 ADMX Info:
 <ul>
 <li>GP English name: <em>Choose how BitLocker-protected operating system drives can be recovered</em></li>
@ -508,6 +549,7 @@ ADMX Info:
 <li>GP path: <em>Windows Components/Bitlocker Drive Encryption/Operating System Drives</em></li>
 <li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
 </ul>
 <!--/ADMXMapped-->
 > [!TIP]
 > For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
@ -536,7 +578,7 @@ Sample value for this node to enable this policy is:
 ```xml
 <enabled/><data id="OSAllowDRA_Name" value="xx"/><data id="OSRecoveryPasswordUsageDropDown_Name" value="yy"/><data id="OSRecoveryKeyUsageDropDown_Name" value="yy"/><data id="OSHideRecoveryPage_Name" value="xx"/><data id="OSActiveDirectoryBackup_Name" value="xx"/><data id="OSActiveDirectoryBackupDropDown_Name" value="zz"/><data id="OSRequireActiveDirectoryBackup_Name" value="xx"/>
 ```
-
+<!--SupportedValues-->
 The possible values for &#39;xx&#39; are:  
 - true = Explicitly allow
 - false = Policy not set
@ -549,7 +591,7 @@ The possible values for &#39;yy&#39; are:
 The possible values for &#39;zz&#39; are:  
 - 2 = Store recovery passwords only
 - 1 = Store recovery passwords and key packages
-
+<!--/SupportedValues-->
 Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:
 ```xml
@ -568,9 +610,13 @@ Disabling the policy will let the system choose the default behaviors. If you wa
 ```
 Data type is string. Supported operations are Add, Get, Replace, and Delete.
-
+<!--/Policy-->
 <!--Policy-->
 <a href="" id="fixeddrivesrecoveryoptions"></a>**FixedDrivesRecoveryOptions**  
 <!--Description-->
 This setting is a direct mapping to the Bitlocker Group Policy &quot;Choose how BitLocker-protected fixed drives can be recovered&quot; ().
 <!--/Description-->
 <!--SupportedSKUs-->
 <table>
 <tr>
    <th>Home</th>
@ -591,6 +637,8 @@ This setting is a direct mapping to the Bitlocker Group Policy &quot;Choose how
    <td><img src="images/crossmark.png" alt="cross mark" /></td>
 </tr>
 </table>
 <!--/SupportedSKUs-->
 <!--ADMXMapped-->
 ADMX Info:
 <ul>
 <li>GP English name: <em>Choose how BitLocker-protected fixed drives can be recovered</em></li>
@ -598,6 +646,7 @@ ADMX Info:
 <li>GP path: <em>Windows Components/Bitlocker Drive Encryption/Fixed Drives</em></li>
 <li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
 </ul>
 <!--/ADMXMapped-->
 > [!TIP]
 > For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
@ -627,7 +676,7 @@ Sample value for this node to enable this policy is:
 ```xml
 <enabled/><data id="FDVAllowDRA_Name" value="xx"/><data id="FDVRecoveryPasswordUsageDropDown_Name" value="yy"/><data id="FDVRecoveryKeyUsageDropDown_Name" value="yy"/><data id="FDVHideRecoveryPage_Name" value="xx"/><data id="FDVActiveDirectoryBackup_Name" value="xx"/><data id="FDVActiveDirectoryBackupDropDown_Name" value="zz"/><data id="FDVRequireActiveDirectoryBackup_Name" value="xx"/>
 ```
-
+<!--SupportedValues-->
 The possible values for &#39;xx&#39; are:
 <ul>
 <li>true = Explicitly allow</li>
@ -647,7 +696,7 @@ The possible values for &#39;zz&#39; are:
 <li>2 = Store recovery passwords only</li>
 <li>1 = Store recovery passwords and key packages</li>
 </ul>
-
+<!--/SupportedValues-->
 Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:
 ```xml
@ -666,9 +715,13 @@ Disabling the policy will let the system choose the default behaviors. If you wa
 ```
 Data type is string. Supported operations are Add, Get, Replace, and Delete.
-
+<!--/Policy-->
 <!--Policy-->
 <a href="" id="fixeddrivesrequireencryption"></a>**FixedDrivesRequireEncryption**  
 <!--Description-->
 This setting is a direct mapping to the Bitlocker Group Policy &quot;Deny write access to fixed drives not protected by BitLocker&quot; (FDVDenyWriteAccess_Name).
 <!--/Description-->
 <!--SupportedSKUs-->
 <table>
 <tr>
    <th>Home</th>
@ -689,6 +742,8 @@ This setting is a direct mapping to the Bitlocker Group Policy &quot;Deny write
    <td><img src="images/crossmark.png" alt="cross mark" /></td>
 </tr>
 </table>
 <!--/SupportedSKUs-->
 <!--ADMXMapped-->
 ADMX Info:
 <ul>
 <li>GP English name: <em>Deny write access to fixed drives not protected by BitLocker</em></li>
@ -696,6 +751,7 @@ ADMX Info:
 <li>GP path: <em>Windows Components/Bitlocker Drive Encryption/Fixed Drives</em></li>
 <li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
 </ul>
 <!--/ADMXMapped-->
 > [!TIP]
 > For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
@ -728,9 +784,13 @@ If you disable or do not configure this setting, all fixed data drives on the co
 ```
 Data type is string. Supported operations are Add, Get, Replace, and Delete.
-
+<!--/Policy-->
 <!--Policy-->
 <a href="" id="removabledrivesrequireencryption"></a>**RemovableDrivesRequireEncryption**  
 <!--Description-->
 This setting is a direct mapping to the Bitlocker Group Policy &quot;Deny write access to removable drives not protected by BitLocker&quot; (RDVDenyWriteAccess_Name).
 <!--/Description-->
 <!--SupportedSKUs-->
 <table>
 <tr>
    <th>Home</th>
@ -751,6 +811,8 @@ This setting is a direct mapping to the Bitlocker Group Policy &quot;Deny write
    <td><img src="images/crossmark.png" alt="cross mark" /></td>
 </tr>
 </table>
 <!--/SupportedSKUs-->
 <!--ADMXMapped-->
 ADMX Info:
 <ul>
 <li>GP English name: <em>Deny write access to removable drives not protected by BitLocker</em></li>
@ -758,6 +820,7 @@ ADMX Info:
 <li>GP path: <em>Windows Components/Bitlocker Drive Encryption/Removeable Drives</em></li>
 <li>GP ADMX file name: <em>VolumeEncryption.admx</em></li>
 </ul>
 <!--/ADMXMapped-->
 > [!TIP]
 > For a step-by-step guide to enable ADMX-backed policies, see [Enable ADMX-backed policies in MDM](enable-admx-backed-policies-in-mdm.md). For additional information, see [Understanding ADMX-backed policies](understanding-admx-backed-policies.md).
@ -777,13 +840,13 @@ Sample value for this node to enable this policy is:
 ```xml
 <enabled/><data id="RDVCrossOrg" value="xx"/>
 ```
-
+<!--SupportedValues-->
 The possible values for &#39;xx&#39; are:
 <ul>
 <li>true = Explicitly allow</li>
 <li>false = Policy not set</li>
 </ul>
-
+<!--/SupportedValues-->
 Disabling the policy will let the system choose the default behaviors. If you want to disable this policy use the following SyncML:
 ```xml
@ -800,17 +863,18 @@ Disabling the policy will let the system choose the default behaviors. If you wa
                           </Item>
                         </Replace>
 ```
-
+<!--/Policy-->
 <!--Policy-->
 <a href="" id="allowwarningforotherdiskencryption"></a>**AllowWarningForOtherDiskEncryption**  
-
+<!--Description-->
 Allows the admin to disable the warning prompt for other disk encryption on the user machines that are targeted when the RequireDeviceEncryption policy is also set to 1.
-
+<!--/Description-->
 > [!IMPORTANT]
 > Starting in Windows 10, version 1803, the value 0 can only be set for Azure Active Directory joined devices. When RequireDeviceEncryption is set to 1 and AllowWarningForOtherDiskEncryption is set to 0, Windows will attempt to silently enable [BitLocker](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-overview).
 > [!Warning]
 > When you enable BitLocker on a device with third-party encryption, it may render the device unusable and require you to reinstall Windows.
-
+<!--SupportedSKUs-->
 <table>
 <tr>
    <th>Home</th>
@ -831,12 +895,13 @@ Allows the admin to disable the warning prompt for other disk encryption on the
    <td><img src="images/crossmark.png" alt="cross mark" /></td>
 </tr>
 </table> 
-
+<!--/SupportedSKUs-->
 <!--SupportedValues-->
 The following list shows the supported values:
 -   0 – Disables the warning prompt. Starting in Windows 10, version 1803, the value 0 can only be set for Azure Active Directory joined devices.  Windows will attempt to silently enable BitLocker for value 0.
 -   1 (default) – Warning prompt allowed.
-
+<!--/SupportedValues-->
 ```xml
 <Replace>
    <CmdID>110</CmdID>
@ -846,7 +911,6 @@ The following list shows the supported values:
        </Target>
        <Meta>
            <Format xmlns="syncml:metinf">int</Format>
        </Meta>
        <Data>0</Data>
    </Item>
 </Replace>
@ -861,22 +925,24 @@ The following list shows the supported values:
  >3. The user's personal OneDrive (MDM/MAM only).
 >
 >Encryption will wait until one of these three locations backs up successfully.
-
+<!--/Policy-->
 <!--Policy-->
 <a href="" id="allowstandarduserencryption"></a>**AllowStandardUserEncryption**
 <!--Description-->
 Allows Admin to enforce "RequireDeviceEncryption" policy for scenarios where policy is pushed while current logged on user is non-admin/standard user Azure AD account.
-
+<!--/Description-->
 > [!NOTE]
 > This policy is only supported in Azure AD accounts.
 "AllowStandardUserEncryption" policy is tied to "AllowWarningForOtherDiskEncryption" policy  being set to "0", i.e, silent encryption is enforced.
 If "AllowWarningForOtherDiskEncryption" is not set, or is set to "1", "RequireDeviceEncryption" policy will not try to encrypt drive(s) if a standard user is the current logged on user in the system.
-
+<!--SupportedValues-->
 The expected values for this policy are:
 - 1 = "RequireDeviceEncryption" policy will try to enable encryption on all fixed drives even if a current logged in user is standard user.
 - 0 = This is the default, when the policy is not set. If current logged on user is a standard user, "RequireDeviceEncryption" policy will not try to enable encryption on any drive.
-
+<!--/SupportedValues-->
 If you want to disable this policy use the following SyncML:
 ```xml
@ -893,9 +959,18 @@ If you want to disable this policy use the following SyncML:
   </Item>
 </Replace>
 ```
 <!--/Policy-->
 <!--Policy-->
 <a href="" id="configurerecoverypasswordrotation"></a>**ConfigureRecoveryPasswordRotation**  
 <!--Description-->
 This setting initiates a client-driven recovery password refresh after an OS drive recovery (either by using bootmgr or WinRE) and recovery password unlock on a Fixed data drive. This setting will refresh the specific recovery password that was used, and other unused passwords on the volume will remain unchanged. If the initialization of the refresh fails, the device will retry the refresh during the next reboot. When password refresh is initiated, the client will generate a new recovery password. The client will use the existing API in Azure AD to upload the new recovery key and retry on failure. After the recovery password has been successfully backed up to Azure AD, the recovery key that was used locally will be removed. This setting refreshes only the used key and retains other unused keys. 
 <!--/Description-->
 <!--SupportedSKUs-->
 <table>
 <tr>
    <th>Home</th>
@ -916,15 +991,28 @@ This setting initiates a client-driven recovery password refresh after an OS dri
    <td><img src="images/crossmark.png" alt="cross mark" /></td>
 </tr>
 </table> 
 <!--/SupportedSKUs-->
 Value type is int. Supported operations are Add, Delete, Get, and Replace.
 <!--SupportedValues-->
 Supported values are:
 - 0 – Refresh off (default)
 - 1 – Refresh on for Azure AD-joined devices 
 - 2 – Refresh on for both Azure AD-joined and hybrid-joined devices 
 <!--/SupportedValues-->
 <!--/Policy-->
 <!--Policy-->
 <a href="" id="rotaterecoverypasswords"></a>**RotateRecoveryPasswords**  
 <!--Description-->
 This setting refreshes all recovery passwords for OS and fixed drives (removable drives are not included so they can be shared between users). All recovery passwords for all drives will be refreshed and only one password per volume is retained. In case of errors, an error code will be returned so that server can take appropriate action to remediate.
 <!--/Description-->
 The client will generate a new recovery password. The client will use the existing API in Azure AD to upload the new recovery key and retry on failure.  
@ -937,6 +1025,7 @@ Recovery password refresh will only occur for devices that are joined to Azure A
 Each server-side recovery key rotation is represented by a request ID. The server can query the following nodes to make sure it reads status/result for same rotation request.
 - RotateRecoveryPasswordsRequestID: Returns request ID of last request processed.
 - RotateRecoveryPasswordsRotationStatus: Returns status of last request processed.
 <!--SupportedSKUs-->
 <table>
 <tr>
    <th>Home</th>
@ -957,14 +1046,21 @@ Each server-side recovery key rotation is represented by a request ID. The serve
    <td><img src="images/crossmark.png" alt="cross mark" /></td>
 </tr>
 </table> 
 <!--/SupportedSKUs-->
 Value type is string. Supported operation is Execute. Request ID is expected as a parameter.
 <a href="" id="status"></a>**Status**  
 Interior node. Supported operation is Get.
-<a href="" id="status-deviceencryptionstatus"></a>**Status/DeviceEncryptionStatus**  
+<!--/Policy-->
 This node reports compliance state of device encryption on the system.
 <!--Policy-->
 <a href="" id="status-deviceencryptionstatus"></a>**Status/DeviceEncryptionStatus** 
 <!--Description-->
 This node reports compliance state of device encryption on the system.
 <!--/Description-->
 <!--SupportedSKUs-->
 <table>
 <tr>
    <th>Home</th>
@ -985,15 +1081,25 @@ This node reports compliance state of device encryption on the system.
    <td><img src="images/crossmark.png" alt="cross mark" /></td>
 </tr>
 </table> 
 <!--/SupportedSKUs-->
 <!--SupportedValues-->
 Supported values:  
 - 0 - Indicates that the device is compliant.
 - Any other value represents a non-compliant device.
 <!--/SupportedValues-->
 Value type is int. Supported operation is Get.
 <!--/Policy-->
 <!--Policy-->
 <a href="" id="status-rotaterecoverypasswordsstatus"></a>**Status/RotateRecoveryPasswordsStatus**  
 <!--Description-->
 This node reports the status of RotateRecoveryPasswords request. 
 <!--/Description-->
 Status code can be one of the following:  
@ -1001,6 +1107,7 @@ Status code can be one of the following:
 - 1 - Pending
 - 0 - Pass
 - Any other code - Failure HRESULT
 <!--SupportedSKUs-->
 <table>
 <tr>
    <th>Home</th>
@ -1021,11 +1128,21 @@ Status code can be one of the following:
    <td><img src="images/crossmark.png" alt="cross mark" /></td>
 </tr>
 </table> 
 <!--/SupportedSKUs-->
 Value type is int. Supported operation is Get.
 <!--/Policy-->
 <!--Policy-->
 <a href="" id="status-rotaterecoverypasswordsrequestid"></a>**Status/RotateRecoveryPasswordsRequestID**  
 <!--Description-->
 This node reports the RequestID corresponding to RotateRecoveryPasswordsStatus. 
 This node needs to be queried in synchronization with RotateRecoveryPasswordsStatus to ensure the status is correctly matched to the request ID.
 <!--/Description-->
 <!--SupportedSKUs-->
 <table>
 <tr>
    <th>Home</th>
@ -1046,6 +1163,9 @@ This node needs to be queried in synchronization with RotateRecoveryPasswordsSta
    <td><img src="images/crossmark.png" alt="cross mark" /></td>
 </tr>
 </table> 
 <!--/SupportedSKUs-->
 Value type is string. Supported operation is Get.
 ### SyncML example
@ -1211,3 +1331,4 @@ The following example is provided to show proper format and should not be taken
    </SyncBody>
 </SyncML>
 ```
 <!--/Policy-->
--- a/windows/client-management/mdm/certificate-authentication-device-enrollment.md
+++ b/windows/client-management/mdm/certificate-authentication-device-enrollment.md
@ -15,7 +15,7 @@ ms.date: 06/26/2017
 # Certificate authentication device enrollment
-This section provides an example of the mobile device enrollment protocol using certificate authentication policy. For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( http://go.microsoft.com/fwlink/p/?LinkId=619347).
+This section provides an example of the mobile device enrollment protocol using certificate authentication policy. For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347).
 > **Note**  To set up devices to use certificate authentication for enrollment, you should create a provisioning package. For more information about provisioning packages, see [Build and apply a provisioning package](https://msdn.microsoft.com/library/windows/hardware/dn916107).
--- a/windows/client-management/mdm/dmclient-csp.md
+++ b/windows/client-management/mdm/dmclient-csp.md
@ -264,7 +264,8 @@ Optional. Number of days after last successful sync to unenroll.
 Supported operations are Add, Delete, Get, and Replace. Value type is integer.
 <a href="" id="provider-providerid-aadsenddevicetoken"></a>**Provider/*ProviderID*/AADSendDeviceToken**  
-Device. Added in Windows 10 version 1803. For Azure AD backed enrollments, this will cause the client to send a Device Token if the User Token cannot be obtained.
+
 Device. Added in Windows 10 version 1803. For Azure AD backed enrollments, this will cause the client to send a Device Token if the User Token can not be obtained.
 Supported operations are Add, Delete, Get, and Replace. Value type is bool.
--- a/windows/client-management/mdm/eap-configuration.md
+++ b/windows/client-management/mdm/eap-configuration.md
@ -1,6 +1,6 @@
 ---
 title: EAP configuration
-description: Learn how to create an Extensible Authentication Protocol (EAP) configuration XML for a VPN profile, plus info about EAP certificate filtering in Windows 10.
+description: Learn how to create an Extensible Authentication Protocol (EAP) configuration XML for a VPN profile, including details about EAP certificate filtering in Windows 10.
 ms.assetid: DD3F2292-4B4C-4430-A57F-922FED2A8FAE
 ms.reviewer: 
 manager: dansimp
@ -15,46 +15,46 @@ ms.date: 06/26/2017
 # EAP configuration
-The topic provides a step-by-step guide for creating an Extensible Authentication Protocol (EAP) configuration XML for the VPN profile and information about EAP certificate filtering in Windows 10.
+This article provides a step-by-step guide for creating an Extensible Authentication Protocol (EAP) configuration XML for a VPN profile, including information about EAP certificate filtering in Windows 10.
-## Create an Extensible Authentication Protocol (EAP) configuration XML for the VPN profile
+## Create an EAP configuration XML for a VPN profile
-Here is an easy way to get the EAP configuration from your desktop using the rasphone tool that is shipped in the box.
+To get the EAP configuration from your desktop using the rasphone tool that is shipped in the box:
 1.  Run rasphone.exe.
    ![vpnv2 rasphone](images/vpnv2-csp-rasphone.png)
-2.  If you don't currently have any VPN connections and you see the following message, click **OK**.
+1.  If you don't currently have a VPN connection and you see the following message, select **OK**.
    ![vpnv2 eap configuration](images/vpnv2-csp-networkconnections.png)
-3.  Select **Workplace network** in the wizard.
+1.  In the wizard, select **Workplace network**.
    ![vpnv2 eap configuration](images/vpnv2-csp-setupnewconnection.png)
-4.  Enter any dummy information for the internet address and connection name. These can be fake since it does not impact the authentication parameters.
+1.  Enter an Internet address and connection name. These can be fake since it does not impact the authentication parameters.
    ![vpnv2 eap configuration](images/vpnv2-csp-setupnewconnection2.png)
-5.  Create a fake VPN connection. In the UI shown below, click **Properties**.
+1.  Create a fake VPN connection. In the UI shown here, select **Properties**.
    ![vpnv2 eap configuration](images/vpnv2-csp-choosenetworkconnection.png)
-6.  In the **Test Properties** dialog, click the **Security** tab.
+1.  In the **Test Properties** dialog, select the **Security** tab.
    ![vpnv2 eap configuration](images/vpnv2-csp-testproperties.png)
-7.  In the **Security** tab, select **Use Extensible Authentication Protocol (EAP)** radio button.
+1.  On the **Security** tab, select **Use Extensible Authentication Protocol (EAP)**.
    ![vpnv2 eap configuration](images/vpnv2-csp-testproperties2.png)
-8.  From the drop down menu, select the EAP method that you want to configure. Then click **Properties** to configure as needed.
+1.  From the drop-down menu, select the EAP method that you want to configure, and then select **Properties** to configure as needed.
    ![vpnv2 eap configuration](images/vpnv2-csp-testproperties3.png)![vpnv2 eap configuration](images/vpnv2-csp-testproperties4.png)
-9.  Switch over to PowerShell and use the following cmdlets to retrieve the EAP configuration XML.
+1.  Switch over to PowerShell and use the following cmdlets to retrieve the EAP configuration XML.
    ```powershell
    Get-VpnConnection -Name Test
@ -88,7 +88,7 @@ Here is an easy way to get the EAP configuration from your desktop using the ras
    $a.EapConfigXmlStream.InnerXml
    ```
-    Here is an example output
+    Here is an example output.
    ```xml
    <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><EapMethod><Type xmlns="http://www.microsoft.co
@ -106,7 +106,8 @@ Here is an easy way to get the EAP configuration from your desktop using the ras
    /></FilteringInfo></TLSExtensions></EapType></Eap></Config></EapHostConfig>
    ```
-    **Note**  You should check with MDM vendor if you need to pass this XML in escaped format. The XSDs for all EAP methods are shipped in the box and can be found at the following locations:
+    > [!NOTE]
    > You should check with mobile device management (MDM) vendor if you need to pass this XML in escaped format. The XSDs for all EAP methods are shipped in the box and can be found at the following locations:
    -   C:\\Windows\\schemas\\EAPHost
    -   C:\\Windows\\schemas\\EAPMethods
@ -115,46 +116,45 @@ Here is an easy way to get the EAP configuration from your desktop using the ras
 ## EAP certificate filtering
-In your deployment, if you have multiple certificates provisioned on the device and the Wi-Fi profile provisioned does not have a strict filtering criteria, you may see connection failures when connecting to Wi-Fi. The solution is to ensure that the Wi-Fi profile provisioned has strict filtering criteria such that it matches only one certificate.
+In your deployment, if you have multiple certificates provisioned on the device and the Wi-Fi profile provisioned does not have a strict filtering criteria, you might see connection failures when connecting to Wi-Fi. The solution is to ensure that the Wi-Fi profile provisioned has strict filtering criteria so that it matches only one certificate.
-Enterprises deploying certificate based EAP authentication for VPN/Wi-Fi can face a situation where there are multiple certificates that meet the default criteria for authentication. This can lead to issues such as:
+Enterprises deploying certificate-based EAP authentication for VPN and Wi-Fi can encounter a situation where there are multiple certificates that meet the default criteria for authentication. This can lead to issues such as:
-   The user may be prompted to select the certificate.
+-   The user might be prompted to select the certificate.
-   The wrong certificate may get auto selected and cause an authentication failure.
+-   The wrong certificate might be auto-selected and cause an authentication failure.
-A production ready deployment must have the appropriate certificate details as part of the profile being deployed. The following information explains how to create or update an EAP Configuration XML such that the extraneous certificates are filtered out and the appropriate certificate can be used for the authentication.
+A production ready deployment must have the appropriate certificate details as part of the profile being deployed. The following information explains how to create or update an EAP configuration XML such that the extraneous certificates are filtered out and the appropriate certificate can be used for the authentication.
-EAP XML must be updated with relevant information for your environment This can be done either manually by editing the XML sample below, or by using the step by step UI guide. After the EAP XML is updated, refer to instructions from your MDM to deploy the updated configuration as follows:
+EAP XML must be updated with relevant information for your environment. This can be done manually by editing the following XML sample, or by using the step-by-step UI guide. After the EAP XML is updated, refer to instructions from your MDM to deploy the updated configuration as follows:
-   For Wi-Fi, look for the `<EAPConfig>` section of your current WLAN Profile XML (This is what you specify for the WLanXml node in the Wi-Fi CSP). Within these tags you will find the complete EAP configuration. Replace the section under `<EAPConfig>` with your updated XML and update your Wi-Fi profile. You might need to refer to your MDM’s guidance on how to deploy a new Wi-Fi profile.
+-   For Wi-Fi, look for the `<EAPConfig>` section of your current WLAN Profile XML. (This is what you specify for the WLanXml node in the Wi-Fi CSP.) Within these tags you will find the complete EAP configuration. Replace the section under `<EAPConfig>` with your updated XML and update your Wi-Fi profile. You can refer to your MDM’s guidance on how to deploy a new Wi-Fi profile.
-   For VPN, EAP Configuration is a separate field in the MDM Configuration. Work with your MDM provider to identify and update the appropriate Field.
+-   For VPN, EAP configuration is a separate field in the MDM configuration. Work with your MDM provider to identify and update the appropriate field.
-For information about EAP Settings, see <https://technet.microsoft.com/library/hh945104.aspx#BKMK_Cfg_cert_Selct>
+For information about EAP settings, see <https://technet.microsoft.com/library/hh945104.aspx#BKMK_Cfg_cert_Selct>.
-For information about generating an EAP XML, see EAP configuration
+For information about generating an EAP XML, see the EAP configuration article.
-For more information about extended key usage, see <http://tools.ietf.org/html/rfc5280#section-4.2.1.12>
+For more information about extended key usage (EKU), see <http://tools.ietf.org/html/rfc5280#section-4.2.1.12>.
-For information about adding extended key usage (EKU) to a certificate, see <https://technet.microsoft.com/library/cc731792.aspx>
+For information about adding EKU to a certificate, see <https://technet.microsoft.com/library/cc731792.aspx>.
 The following list describes the prerequisites for a certificate to be used with EAP:
-   The certificate must have at least one of the following EKU (Extended Key Usage) properties:
+-   The certificate must have at least one of the following EKU properties:
-    -   Client Authentication
+    -   Client Authentication. As defined by RFC 5280, this is a well-defined OID with value 1.3.6.1.5.5.7.3.2.
-        -   As defined by RFC 5280, this is a well-defined OID with Value 1.3.6.1.5.5.7.3.2
+    -   Any Purpose. This is an EKU defined and published by Microsoft, and is a well-defined OID with value 1.3.6.1.4.1.311.10.12.1. The inclusion of this OID implies that the certificate can be used for any purpose. The advantage of this EKU over the All Purpose EKU is that additional non-critical or custom EKUs can still be added to the certificate for effective filtering.
-    -   Any Purpose
+    -   All Purpose. As defined by RFC 5280, if a CA includes EKUs to satisfy some application needs, but does not want to restrict usage of the key, the CA can add an EKU value of 0. A certificate with such an EKU can be used for all purposes.
-        -   An EKU Defined and published by Microsoft, is a well-defined OID with value 1.3.6.1.4.1.311.10.12.1. The inclusion of this OID implies that the certificate can be used for any purpose. The advantage of this EKU over the All Purpose EKU is that additional non-critical or custom EKUs can still be added to the certificate for effective filtering.
+    
-    -   All Purpose
+-   The user or the computer certificate on the client must chain to a trusted root CA.
        -   As defined by RFC 5280, If a CA includes extended key usages to satisfy some application needs, but does not want to restrict usage of the key, the CA can add an Extended Key Usage Value of 0. A certificate with such an EKU can be used for all purposes.
 -   The user or the computer certificate on the client chains to a trusted root CA
 -   The user or the computer certificate does not fail any one of the checks that are performed by the CryptoAPI certificate store, and the certificate passes requirements in the remote access policy.
 -   The user or the computer certificate does not fail any one of the certificate object identifier checks that are specified in the Internet Authentication Service (IAS)/Radius Server.
 -   The Subject Alternative Name (SubjectAltName) extension in the certificate contains the user principal name (UPN) of the user.
-The following XML sample explains the properties for the EAP TLS XML including certificate filtering.
+The following XML sample explains the properties for the EAP TLS XML, including certificate filtering.
-> **Note**  For PEAP or TTLS Profiles the EAP TLS XML is embedded within some PEAP or TTLS specific elements.
+> [!NOTE]
 > For PEAP or TTLS profiles, the EAP TLS XML is embedded within some PEAP-specific or TTLS-specific elements.
@ -257,35 +257,38 @@ The following XML sample explains the properties for the EAP TLS XML including c
 </EapHostConfig>
 ```
-> **Note**  The EAP TLS XSD is located at **%systemdrive%\\Windows\\schemas\\EAPMethods\\eaptlsconnectionpropertiesv3.xsd**
+> [!NOTE]
 > The EAP TLS XSD is located at %systemdrive%\\Windows\\schemas\\EAPMethods\\eaptlsconnectionpropertiesv3.xsd.
-Alternately you can use the following procedure to create an EAP Configuration XML.
+Alternatively, you can use the following procedure to create an EAP configuration XML:
-1.  Follow steps 1 through 7 in the EAP configuration topic.
+1.  Follow steps 1 through 7 in the EAP configuration article.
-2.  In the Microsoft VPN SelfHost Properties dialog box, select **Microsoft : Smart Card or other Certificate** from the drop down (this selects EAP TLS.)
+1.  In the **Microsoft VPN SelfHost Properties** dialog box, select **Microsoft: Smart Card or other Certificate** from the drop-down menu (this selects EAP TLS).
    ![vpn self host properties window](images/certfiltering1.png)
-    **Note**  For PEAP or TTLS, select the appropriate method and continue following this procedure.
+    > [!NOTE]
    > For PEAP or TTLS, select the appropriate method and continue following this procedure.
-3.  Click the **Properties** button underneath the drop down menu.
+1.  Select the **Properties** button underneath the drop-down menu.
-4.  In the **Smart Card or other Certificate Properties** menu, select the **Advanced** button.
+1.  On the **Smart Card or other Certificate Properties** menu, select the **Advanced** button.
    ![smart card or other certificate properties window](images/certfiltering2.png)
-5.  In the **Configure Certificate Selection** menu, adjust the filters as needed.
+1.  On the **Configure Certificate Selection** menu, adjust the filters as needed.
    ![configure certificate window](images/certfiltering3.png)
-6.  Click **OK** to close the windows to get back to the main rasphone.exe dialog box.
+1.  Select **OK** to close the windows and get back to the main rasphone.exe dialog box.
-7.  Close the rasphone dialog box.
+1.  Close the rasphone dialog box.
-8.  Continue following the procedure in the EAP configuration topic from Step 9 to get an EAP TLS profile with appropriate filtering.
+1.  Continue following the procedure in the EAP configuration article from step 9 to get an EAP TLS profile with appropriate filtering.
-> **Note**  You can also set all the other applicable EAP Properties through this UI as well. A guide for what these properties mean can be found in the [Extensible Authentication Protocol (EAP) Settings for Network Access](https://technet.microsoft.com/library/hh945104.aspx) topic.
+> [!NOTE]
 > You can also set all the other applicable EAP Properties through this UI as well. A guide for what these properties mean can be found in the [Extensible Authentication Protocol (EAP) Settings for Network Access](https://technet.microsoft.com/library/hh945104.aspx) article.
--- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
+++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
@ -49,10 +49,14 @@ The following steps demonstrate required settings using the Intune service:
    ![Intune license verification](images/auto-enrollment-intune-license-verification.png)
 2. Verify that auto-enrollment is activated for those users who are going to enroll the devices into Intune. For additional details, see [Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal](https://docs.microsoft.com/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal). 
 Also verify that the **MAM user scope** is set to **None**. Otherwise, it will have precedence over the MDM scope that will lead to issues. 
    ![Auto-enrollment activation verification](images/auto-enrollment-activation-verification.png)
 > [!IMPORTANT]
 > For BYOD devices, the MAM user scope takes precedence if both MAM user scope and MDM user scope (automatic MDM enrollment) are enabled for all users (or the same groups of users). The device will use Windows Information Protection (WIP) Policies (if you configured them) rather than being MDM enrolled.
 > For corporate devices, the MDM user scope takes precedence if both scopes are enabled. The devices get MDM enrolled.
 3. Verify that the device OS version is Windows 10, version 1709 or later.
 4. Auto-enrollment into Intune via Group Policy is valid only for devices which are hybrid Azure AD joined. This means that the device must be joined into both local Active Directory and Azure Active Directory. To verify that the device is  hybrid Azure AD joined, run  `dsregcmd /status` from the command line.
@ -62,7 +66,7 @@ Also verify that the **MAM user scope** is set to **None**. Otherwise, it will h
    Additionally, verify that the SSO State section displays **AzureAdPrt** as **YES**.
-    ![Auto-enrollment azure AD prt verification](images/auto-enrollment-azureadprt-verification.png)
+    ![Auto-enrollment Azure AD prt verification](images/auto-enrollment-azureadprt-verification.png)
    This information can also be found on the Azure AD device list.
@ -116,9 +120,6 @@ Requirements:
 > In Windows 10, version 1903, the MDM.admx file was updated to include an option to select which credential is used to enroll the device. **Device Credential** is a new option that will only have an effect on clients that have the Windows 10, version 1903 feature update installed. 
 The default behavior for older releases is to revert to **User Credential**.
 > [!NOTE]
 > Device credential group policy setting is not supported for enrolling into Microsoft Intune. 
 When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called " Schedule created by enrollment client for automatically enrolling in MDM from AAD." 
 To see the scheduled task, launch the [Task Scheduler app](#task-scheduler-app).
@ -170,7 +171,7 @@ Requirements:
 >   1803 -->[Administrative Templates (.admx) for Windows 10 April 2018 Update (1803)](https://www.microsoft.com/download/details.aspx?id=56880) or  
 >   1809 --> [Administrative Templates for Windows 10 October 2018 Update (1809)](https://www.microsoft.com/download/details.aspx?id=57576) or
 >   1903 --> [Administrative Templates (.admx) for Windows 10 May 2019 Update (1903)](https://www.microsoft.com/download/details.aspx?id=58495&WT.mc_id=rss_alldownloads_all)
->   2. Install the package on the Primary Domain Controller (PDC).
+>   2. Install the package on the Domain Controller.
 >   3. Navigate, depending on the version to the folder:
 >   1803 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 April 2018 Update (1803) v2**, or  
 >   1809 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2018 Update (1809) v2**, or
@ -178,14 +179,13 @@ Requirements:
 >   4. Rename the extracted Policy Definitions folder to **PolicyDefinitions**.
 >   5. Copy PolicyDefinitions folder to **C:\Windows\SYSVOL\domain\Policies**. 
 >   (If this folder does not exist, then be aware that you will be switching to a [central policy store](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) for your entire domain).
->   6. Restart the Primary Domain Controller for the policy to be available.
+>   6. Restart the Domain Controller for the policy to be available.
 >   This procedure will work for any future version as well.
 1. Create a Group Policy Object (GPO) and enable the Group Policy **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **MDM** > **Enable automatic MDM enrollment using default Azure AD credentials**.
 2. Create a Security Group for the PCs.
 3. Link the GPO.
 4. Filter using Security Groups.
 5. Enforce a GPO link.
 ## Troubleshoot auto-enrollment of devices
--- a/windows/client-management/mdm/federated-authentication-device-enrollment.md
+++ b/windows/client-management/mdm/federated-authentication-device-enrollment.md
@ -19,7 +19,7 @@ This section provides an example of the mobile device enrollment protocol using
 The &lt;AuthenticationServiceURL&gt; element the discovery response message specifies web authentication broker page start URL.
-For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( http://go.microsoft.com/fwlink/p/?LinkId=619347).
+For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347).
 ## In this topic
--- a/windows/client-management/mdm/implement-server-side-mobile-application-management.md
+++ b/windows/client-management/mdm/implement-server-side-mobile-application-management.md
@ -1,6 +1,6 @@
 ---
-title: Provide server-side support for mobile app management on Windows
+title: Implement server-side support for mobile application management on Windows
-description: The Windows version of mobile application management (MAM) is a lightweight solution for managing company data access and security on personal devices.
+description: Learn about implementing the Windows version of mobile application management (MAM), which is a lightweight solution for managing company data access and security on personal devices.
 ms.author: dansimp
 ms.topic: article
 ms.prod: w10
@ -16,21 +16,21 @@ manager: dansimp
 The Windows version of mobile application management (MAM) is a lightweight solution for managing company data access and security on personal devices. MAM support is built into Windows on top of Windows Information Protection (WIP), starting in Windows 10, version 1703.
-## Integration with Azure Active Directory
+## Integration with Azure AD
 MAM on Windows is integrated with Azure Active Directory (Azure AD) identity service. The MAM service supports Azure AD integrated authentication for the user and the device during enrollment and the downloading of MAM policies. MAM integration with Azure AD is similar to mobile device management (MDM) integration. See [Azure Active Directory integration with MDM](azure-active-directory-integration-with-mdm.md).  
-MAM enrollment is integrated with adding a work account flow to a personal device. If both MAM and Azure AD integrated MDM services are provided in an organization, a users’ personal devices will be enrolled to MAM or MDM depending on the user’s actions. If a user adds their work or school Azure AD account as a secondary account to the machine, their device will be enrolled to MAM. If a user joins their device to Azure AD, it will be enrolled to MDM.  In general, a device that has a personal account as its primary account is considered a personal device and should be enrolled to MAM. An Azure AD join, and enrollment to MDM, should be used to manage corporate devices.  
+MAM enrollment is integrated with adding a work account flow to a personal device. If both MAM and Azure AD integrated MDM services are provided in an organization, a users’ personal devices will be enrolled to MAM or MDM, depending on the user’s actions. If a user adds their work or school Azure AD account as a secondary account to the machine, their device will be enrolled to MAM. If a user joins their device to Azure AD, it will be enrolled to MDM.  In general, a device that has a personal account as its primary account is considered a personal device and should be enrolled to MAM. An Azure AD join, and enrollment to MDM, should be used to manage corporate devices.  
-On personal devices, users can add an Azure AD account as a secondary account to the device while keeping their personal account as primary. Users can add an Azure AD account to the device from a supported Azure AD integrated application, such as the next update of Microsoft Office 365 or Microsoft Office Mobile. Alternatively, users can add an Azure AD account from **Settings>Accounts>Access work or school**.  
+On personal devices, users can add an Azure AD account as a secondary account to the device while keeping their personal account as primary. Users can add an Azure AD account to the device from a supported Azure AD integrated application, such as the next update of Microsoft Office 365 or Microsoft Office Mobile. Alternatively, users can add an Azure AD account from **Settings > Accounts > Access work or school**.  
 Regular non-admin users can enroll to MAM.  
 ## Integration with Windows Information Protection 
-MAM on Windows takes advantage of [built-in Windows Information Protection (WIP) policies](https://technet.microsoft.com/itpro/windows/keep-secure/protect-enterprise-data-using-wip) to protect company data on the device. To protect user-owned applications on personal devices, MAM limits enforcement of WIP policies to [enlightened apps](https://technet.microsoft.com/itpro/windows/keep-secure/enlightened-microsoft-apps-and-wip) and WIP-aware applications. Enlightened apps can differentiate between corporate and personal data, correctly determining which to protect based on WIP policies. WIP-aware apps indicate to Windows that they do not handle personal data, and therefore it is safe for Windows to protect data on their behalf.  
+MAM on Windows takes advantage of [built-in Windows Information Protection (WIP) policies](https://technet.microsoft.com/itpro/windows/keep-secure/protect-enterprise-data-using-wip) to protect company data on the device. To protect user-owned applications on personal devices, MAM limits enforcement of WIP policies to [enlightened apps](https://technet.microsoft.com/itpro/windows/keep-secure/enlightened-microsoft-apps-and-wip) and WIP-aware apps. Enlightened apps can differentiate between corporate and personal data, correctly determining which to protect based on WIP policies. WIP-aware apps indicate to Windows that they do not handle personal data, and therefore it is safe for Windows to protect data on their behalf.  
-To make applications WIP-aware, app developers need to include the following data in the app resource file:  
+To make applications WIP-aware, app developers need to include the following data in the app resource file.  
 ``` syntax
 // Mark this binary as Allowed for WIP (EDP) purpose  
@ -42,7 +42,7 @@ To make applications WIP-aware, app developers need to include the following dat
 ## Configuring an Azure AD tenant for MAM enrollment
-MAM enrollment requires integration with Azure AD. The MAM service provider needs to publish the Management MDM app to the Azure AD app gallery. Starting with Azure AD in Windows 10, version 1703, the same cloud-based Management MDM app will support both MDM and MAM enrollments. If you have already published your MDM app, it needs to be updated to include MAM Enrollment and Terms of use URLs. The screenshot below illustrates the Management app for an IT admin configuration.  
+MAM enrollment requires integration with Azure AD. The MAM service provider needs to publish the Management MDM app to the Azure AD app gallery. Starting with Azure AD in Windows 10, version 1703, the same cloud-based Management MDM app will support both MDM and MAM enrollments. If you have already published your MDM app, it needs to be updated to include MAM Enrollment and Terms of use URLs. The screenshot below illustrates the management app for an IT admin configuration.  
 ![Mobile application management app](images/implement-server-side-mobile-application-management.png)
@ -53,9 +53,9 @@ MAM and MDM services in an organization could be provided by different vendors.
 MAM enrollment is based on the MAM extension of [[MS-MDE2] protocol](https://msdn.microsoft.com/library/mt221945.aspx). MAM enrollment supports Azure AD [federated authentication](federated-authentication-device-enrollment.md) as the only authentication method.  
 Below are protocol changes for MAM enrollment:  
- MDM discovery is not supported  
+- MDM discovery is not supported.  
- APPAUTH node in [DMAcc CSP](dmacc-csp.md) is optional
+- APPAUTH node in [DMAcc CSP](dmacc-csp.md) is optional.
- MAM enrollment variation of [MS-MDE2] protocol does not support the client authentication certificate, and therefore, does not support the [MS-XCEP] protocol. Servers must use an Azure AD token for client authentication during policy syncs. Policy sync sessions must be performed over one-way SSL using server certificate authentication. 
+- MAM enrollment variation of [MS-MDE2] protocol does not support the client authentication certificate, and therefore does not support the [MS-XCEP] protocol. Servers must use an Azure AD token for client authentication during policy syncs. Policy sync sessions must be performed over one-way SSL using server certificate authentication. 
 Here is an example provisioning XML for MAM enrollment.  
@ -73,39 +73,36 @@ Here is an example provisioning XML for MAM enrollment.
 Since the [Poll](dmclient-csp.md#provider-providerid-poll) node isn’t provided above, the device would default to once every 24 hours.
-## Supported Configuration Service Providers (CSPs)
+## Supported CSPs
-MAM on Windows support the following CSPs. All other CSPs will be blocked. Note the list may change later based on customer feedback.
+MAM on Windows supports the following configuration service providers (CSPs). All other CSPs will be blocked. Note the list may change later based on customer feedback:
- [AppLocker CSP](applocker-csp.md) for configuration of WIP enterprise allowed apps
+- [AppLocker CSP](applocker-csp.md) for configuration of WIP enterprise allowed apps.
- [ClientCertificateInstall CSP](clientcertificateinstall-csp.md) for installing  VPN and Wi-Fi certs
+- [ClientCertificateInstall CSP](clientcertificateinstall-csp.md) for installing VPN and Wi-Fi certs.
- [DeviceStatus CSP](devicestatus-csp.md) required for Conditional Access support (starting with Windows 10, version 1703)
+- [DeviceStatus CSP](devicestatus-csp.md) required for Conditional Access support (starting with Windows 10, version 1703).
- [DevInfo CSP](devinfo-csp.md)
+- [DevInfo CSP](devinfo-csp.md).
- [DMAcc CSP](dmacc-csp.md)
+- [DMAcc CSP](dmacc-csp.md).
- [DMClient CSP](dmclient-csp.md) for polling schedules configuration and MDM discovery URL
+- [DMClient CSP](dmclient-csp.md) for polling schedules configuration and MDM discovery URL.
- [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md) has WIP policies
+- [EnterpriseDataProtection CSP](enterprisedataprotection-csp.md) has WIP policies.
- [Health Attestation CSP](healthattestation-csp.md) required for Conditional Access support (starting with Windows 10, version 1703)
+- [Health Attestation CSP](healthattestation-csp.md) required for Conditional Access support (starting with Windows 10, version 1703).
- [PassportForWork CSP](passportforwork-csp.md) for Windows Hello for Business PIN management
+- [PassportForWork CSP](passportforwork-csp.md) for Windows Hello for Business PIN management.
- [Policy CSP](policy-configuration-service-provider.md) specifically for NetworkIsolation and DeviceLock areas
+- [Policy CSP](policy-configuration-service-provider.md) specifically for NetworkIsolation and DeviceLock areas.
- [Reporting CSP](reporting-csp.md) for retrieving WIP logs
+- [Reporting CSP](reporting-csp.md) for retrieving WIP logs.
- [RootCaTrustedCertificates CSP](rootcacertificates-csp.md)
+- [RootCaTrustedCertificates CSP](rootcacertificates-csp.md).
- [VPNv2 CSP](vpnv2-csp.md) should be omitted for deployments where IT is planning to allow access and protect cloud-only resources with MAM
+- [VPNv2 CSP](vpnv2-csp.md) should be omitted for deployments where IT is planning to allow access and protect cloud-only resources with MAM.
- [WiFi CSP](wifi-csp.md) should be omitted for deployments where IT is planning to allow access and protect cloud-only resources with MAM 
+- [WiFi CSP](wifi-csp.md) should be omitted for deployments where IT is planning to allow access and protect cloud-only resources with MAM. 
 ## Device lock policies and EAS
 MAM supports device lock policies similar to MDM. The policies are configured by DeviceLock area of Policy CSP and PassportForWork CSP. 
-We do not recommend configuring both Exchange Active Sync (EAS) and MAM policies for the same device. However, if both are configured, the client will behave as follows: 
+We do not recommend configuring both Exchange ActiveSync (EAS) and MAM policies for the same device. However, if both are configured, the client will behave as follows: 
-<ol>
+- When EAS policies are sent to a device that already has MAM policies, Windows evaluates whether the existing MAM policies are compliant with the configured EAS policies and reports compliance to EAS.
-<li>When EAS policies are sent to a device that already has MAM policies, Windows evaluates whether the existing MAM policies are compliant with the configured EAS policies and reports compliance to EAS:</li><ul>
+- If the device is found to be compliant, EAS will report compliance to the server to allow mail to sync. MAM supports mandatory EAS policies only. Checking EAS compliance does not require device admin rights.
-<li>If the device is found to be compliant, EAS will report compliance to the server to allow mail to sync. MAM supports mandatory EAS policies only. Checking EAS compliance does not require device admin rights.</li>
+- If the device is found to be non-compliant, EAS will enforce its own policies to the device and the resultant set of policies will be a superset of both. Applying EAS policies to the device requires admin rights.
-<li>If the device is found to be non-compliant, EAS will enforce its own policies to the device and the resultant set of policies will be a superset of both. Applying EAS policies to the device requires admin rights.</li>
+- If a device that already has EAS policies is enrolled to MAM, the device will have both sets of policies: MAM and EAS, and the resultant set of policies will be a superset of both.
 </ul>
 <li>If a device that already has EAS policies is enrolled to MAM, the device will have both sets of policies: MAM, EAS, and the resultant set of policies will be a superset of both.</li>
 </ol>
 ## Policy sync
@ -115,20 +112,18 @@ MAM policy syncs are modeled after MDM. The MAM client uses an Azure AD token to
 Windows does not support applying both MAM and MDM policies to the same devices. If configured by the admin, a user can change his MAM enrollment to MDM.
-> [!Note]
+> [!NOTE]
-> When users upgrade from MAM to MDM on Windows Home edition, they lose access to WIP. On the Home edition, we do not recommend pushing MDM policies to enable users to upgrade.
+> When users upgrade from MAM to MDM on Windows Home edition, they lose access to WIP. On Windows Home edition, we do not recommend pushing MDM policies to enable users to upgrade.
 To configure MAM device for MDM enrollment, the admin needs to configure the MDM Discovery URL in the DMClient CSP. This URL will be used for MDM enrollment.
 In the process of changing MAM enrollment to MDM, MAM policies will be removed from the device after MDM policies have been successfully applied. Normally when WIP policies are removed from the device, the user’s access to WIP-protected documents is revoked (selective wipe) unless EDP CSP RevokeOnUnenroll is set to false. To prevent selective wipe on enrollment change from MAM to MDM, the admin needs to ensure that:
-<ol>
+- Both MAM and MDM policies for the organization support WIP.
-<li>Both MAM and MDM policies for the organization support WIP</li>
+- EDP CSP Enterprise ID is the same for both MAM and MDM.
-<li>EDP CSP Enterprise ID is the same for both MAM and MDM</li>
+- EDP CSP RevokeOnMDMHandoff is set to false.
 <li>EDP CSP RevokeOnMDMHandoff is set to FALSE</li>
 </ol>
-If the MAM device is properly configured for MDM enrollment, then the Enroll only to device management link will be displayed in **Settings>Accounts>Access work or school**. The user can click on this link, provide their credentials, and the enrollment will be changed to MDM. Their Azure AD account will not be affected.
+If the MAM device is properly configured for MDM enrollment, then the Enroll only to device management link will be displayed in **Settings > Accounts > Access work or school**. The user can select this link, provide their credentials, and the enrollment will be changed to MDM. Their Azure AD account will not be affected.
 ## Skype for Business compliance with MAM
@ -164,7 +159,7 @@ We have updated Skype for Business to work with MAM. The following table explain
 <td>October 10 2017</td>
 <td>Office 365 ProPlus</td>
 </tr><tr>
-<td><a href="https://technet.microsoft.com/library/mt455210.aspx#BKMK_FRCBB" data-raw-source="[First release for deferred channel](https://technet.microsoft.com/library/mt455210.aspx#BKMK_FRCBB)">First release for deferred channel</a></td>
+<td><a href="https://technet.microsoft.com/library/mt455210.aspx#BKMK_FRCBB" data-raw-source="[First release for deferred channel](https://technet.microsoft.com/library/mt455210.aspx#BKMK_FRCBB)">First release for Deferred channel</a></td>
 <td>Provide pilot users and application compatibility testers the opportunity to test the next Deferred Channel. </td>
 <td>June 13 2017</td>
 <td></td>
--- a/windows/client-management/mdm/mobile-device-enrollment.md
+++ b/windows/client-management/mdm/mobile-device-enrollment.md
@ -34,7 +34,7 @@ The enrollment process includes the following steps:
 ## Enrollment protocol
-There are a number of changes made to the enrollment protocol to better support a variety of scenarios across all platforms. For detailed information about the mobile device enrollment protocol, see [\[MS-MDM\]: Mobile Device Management Protocol](https://go.microsoft.com/fwlink/p/?LinkId=619346) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( http://go.microsoft.com/fwlink/p/?LinkId=619347).
+There are a number of changes made to the enrollment protocol to better support a variety of scenarios across all platforms. For detailed information about the mobile device enrollment protocol, see [\[MS-MDM\]: Mobile Device Management Protocol](https://go.microsoft.com/fwlink/p/?LinkId=619346) and [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347).
 The enrollment process involves the following steps:
--- a/windows/client-management/mdm/on-premise-authentication-device-enrollment.md
+++ b/windows/client-management/mdm/on-premise-authentication-device-enrollment.md
@ -14,7 +14,7 @@ ms.date: 06/26/2017
 # On-premises authentication device enrollment
-This section provides an example of the mobile device enrollment protocol using on-premises authentication policy. For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( http://go.microsoft.com/fwlink/p/?LinkId=619347).
+This section provides an example of the mobile device enrollment protocol using on-premises authentication policy. For details about the Microsoft mobile device enrollment protocol for Windows 10, see [\[MS-MDE2\]: Mobile Device Enrollment Protocol Version 2]( https://go.microsoft.com/fwlink/p/?LinkId=619347).
 ## In this topic
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@ -15,6 +15,8 @@ ms.date: 07/18/2019
 # Policy CSP
 > [!WARNING] 
 > Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
 The Policy configuration service provider enables the enterprise to configure policies on Windows 10. Use this configuration service provider to configure any company policies.
@ -198,6 +200,9 @@ The following diagram shows the Policy configuration service provider in tree fo
  <dd>
    <a href="./policy-csp-applicationmanagement.md#applicationmanagement-allowshareduserappdata" id="applicationmanagement-allowshareduserappdata">ApplicationManagement/AllowSharedUserAppData</a>
  </dd>
  <dd> 
    <a href="./policy-csp-applicationmanagement.md#applicationmanagement-blocknonadminuserinstall"id="applicationmanagement-blocknonadminuserinstall">ApplicationManagement/BlockNonAdminUserInstall</a> 
  </dd>
  <dd>
    <a href="./policy-csp-applicationmanagement.md#applicationmanagement-disablestoreoriginatedapps" id="applicationmanagement-disablestoreoriginatedapps">ApplicationManagement/DisableStoreOriginatedApps</a>
  </dd>
@ -612,6 +617,9 @@ The following diagram shows the Policy configuration service provider in tree fo
  <dd>
    <a href="./policy-csp-bluetooth.md#bluetooth-servicesallowedlist" id="bluetooth-servicesallowedlist">Bluetooth/ServicesAllowedList</a>
  </dd>
   <dd>
    <a href="./policy-csp-bluetooth.md#bluetooth-setminimumencryptionkeysize"id=bluetooth-setminimumencryptionkeysize>Bluetooth/SetMinimumEncryptionKeySize</a>
  </dd>
 </dl>
 ### Browser policies
@ -3325,6 +3333,23 @@ The following diagram shows the Policy configuration service provider in tree fo
  <dd>
    <a href="./policy-csp-storage.md#storage-allowdiskhealthmodelupdates" id="storage-allowdiskhealthmodelupdates">Storage/AllowDiskHealthModelUpdates</a>
  </dd>
  <dd>
    <a href="./policy-csp-storage.md#storage-allowstoragesenseglobal"id="storage-allowstoragesenseglobal">Storage/AllowStorageSenseGlobal</a>
  </dd>
  <dd>
    <a href="./policy-csp-storage.md#storage-allowstoragesensetemporaryfilescleanup"id="storage-allowstoragesensetemporaryfilescleanup">Storage/AllowStorageSenseTemporaryFilesCleanup</a>
  </dd>
  <dd>
    <a href="./policy-csp-storage.md#storage-configstoragesensecloudcontentdehydrationthreshold"id="storage-configstoragesensecloudcontentdehydrationthreshold">Storage/ConfigStorageSenseCloudContentDehydrationThreshold</a>
  </dd>
  <dd>
    <a href="./policy-csp-storage.md#storage-configstoragesensedownloadscleanupthreshold"id="storage-configstoragesensedownloadscleanupthreshold">Storage/ConfigStorageSenseDownloadsCleanupThreshold</a>
  </dd>
  <dd>
    <a href="./policy-csp-storage.md#storage-configstoragesenseglobalcadence"id="storage-configstoragesenseglobalcadence">Storage/ConfigStorageSenseGlobalCadence</a>
  </dd>
  <dd>
    <a href="./policy-csp-storage.md#storage-configstoragesenserecyclebincleanupthreshold"id="storage-configstoragesenserecyclebincleanupthreshold">Storage/ConfigStorageSenseRecycleBinCleanupThreshold</a>
  <dd>
    <a href="./policy-csp-storage.md#storage-enhancedstoragedevices" id="storage-enhancedstoragedevices">Storage/EnhancedStorageDevices</a>
  </dd>
--- a/windows/client-management/mdm/policy-csp-accounts.md
+++ b/windows/client-management/mdm/policy-csp-accounts.md
@ -232,6 +232,9 @@ Added in Windows 10, version 1703. Allows IT Admins the ability to disable the "
 > [!NOTE]
 > If the MSA service is disabled, Windows Update will no longer offer feature updates to devices running Windows 10 1709 or higher. See [Feature updates are not being offered while other updates are](https://docs.microsoft.com/windows/deployment/update/windows-update-troubleshooting#feature-updates-are-not-being-offered-while-other-updates-are).
 > [!NOTE]
 > If the MSA service is disabled, the Subscription Activation feature will not work properly and your users will not be able to “step-up” from Windows 10 Pro to Windows 10 Enterprise, because the MSA ticket for license authentication cannot be generated. The machine will remain on Windows 10 Pro and no error will be displayed in the Activation Settings app. 
 <!--/Description-->
 <!--SupportedValues-->
 The following list shows the supported values:
--- a/windows/client-management/mdm/policy-csp-applicationmanagement.md
+++ b/windows/client-management/mdm/policy-csp-applicationmanagement.md
@ -7,7 +7,7 @@ ms.prod: w10
 ms.technology: windows
 author: manikadhiman
 ms.localizationpriority: medium
-ms.date: 09/27/2019
+ms.date: 02/11/2020
 ms.reviewer: 
 manager: dansimp
 ---
@ -39,6 +39,9 @@ manager: dansimp
  <dd>
    <a href="#applicationmanagement-allowshareduserappdata">ApplicationManagement/AllowSharedUserAppData</a>
  </dd>
  <dd> 
    <a href="#applicationmanagement-blocknonadminuserinstall">ApplicationManagement/BlockNonAdminUserInstall</a> 
  </dd>
  <dd>
    <a href="#applicationmanagement-disablestoreoriginatedapps">ApplicationManagement/DisableStoreOriginatedApps</a>
  </dd>
@ -414,6 +417,83 @@ Most restricted value: 0
 <hr/>
 <!--Policy-->
 <a href="" id="applicationmanagement-blocknonadminuserinstall"></a>**ApplicationManagement/BlockNonAdminUserInstall**  
 <!--SupportedSKUs-->
 <table>
 <tr>
    <th>Windows Edition</th>
    <th>Supported?</th>
 </tr>
 <tr>
    <td>Home</td>
    <td><img src="images/crossmark.png" alt="cross mark" /></td>
 </tr>
 <tr>
    <td>Pro</td>
    <td><img src="images/crossmark.png" alt="cross mark" /></td>
 </tr>
 <tr>
    <td>Business</td>
    <td><img src="images/checkmark.png" alt="check mark" /><sup>7</sup></td>
 </tr>
 <tr>
    <td>Enterprise</td>
    <td><img src="images/checkmark.png" alt="check mark" /><sup>7</sup></td>
 </tr>
 <tr>
    <td>Education</td>
    <td><img src="images/checkmark.png" alt="check mark" /><sup>7</sup></td>
 </tr>
 </table>
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 Added in the next major release of Windows 10.
 Manages non-administrator users' ability to install Windows app packages.
 If you enable this policy, non-administrators will be unable to initiate installation of Windows app packages. Administrators who wish to install an app will need to do so from an Administrator context (for example, an Administrator PowerShell window). All users will still be able to install Windows app packages via the Microsoft Store, if permitted by other policies.
 If you disable or do not configure this policy, all users will be able to initiate installation of Windows app packages.
 <!--/Description-->
 <!--ADMXMapped-->
 ADMX Info:  
 -   GP English name: *Prevent non-admin users from installing packaged Windows apps*
 -   GP name: *BlockNonAdminUserInstall*
 -   GP path: *Windows Components/App Package Deployment*
 -   GP ADMX file name: *AppxPackageManager.admx*
 <!--/ADMXMapped-->
 <!--SupportedValues-->
 The following list shows the supported values:  
 - 0 (default) - Disabled. All users will be able to initiate installation of Windows app packages.
 - 1 - Enabled. Non-administrator users will not be able to initiate installation of Windows app packages.
 <!--/SupportedValues-->
 <!--Example-->
 <!--/Example-->
 <!--Validation-->
 <!--/Validation-->
 <!--/Policy-->
 <hr/>
 <!--Policy-->
 <a href="" id="applicationmanagement-disablestoreoriginatedapps"></a>**ApplicationManagement/DisableStoreOriginatedApps**  
@ -1032,6 +1112,7 @@ Footnotes:
 -   4 - Added in Windows 10, version 1803.
 -   5 - Added in Windows 10, version 1809.
 -   6 - Added in Windows 10, version 1903.
 -   7 - Added in the next major release of Windows 10.
 <!--/Policies-->
--- a/windows/client-management/mdm/policy-csp-bluetooth.md
+++ b/windows/client-management/mdm/policy-csp-bluetooth.md
@ -7,14 +7,15 @@ ms.prod: w10
 ms.technology: windows
 author: manikadhiman
 ms.localizationpriority: medium
-ms.date: 09/27/2019
+ms.date: 02/12/2020
 ms.reviewer: 
 manager: dansimp
 ---
 # Policy CSP - Bluetooth
-
+> [!WARNING] 
 > Some information relates to prereleased products, which may be substantially modified before it's commercially released. Microsoft makes no warranties, expressed or implied, concerning the information provided here.
 <hr/>
@ -40,6 +41,9 @@ manager: dansimp
  <dd>
    <a href="#bluetooth-servicesallowedlist">Bluetooth/ServicesAllowedList</a>
  </dd>
  <dd>
    <a href="#bluetooth-setminimumencryptionkeysize">Bluetooth/SetMinimumEncryptionKeySize</a>
  </dd>
 </dl>
@ -390,6 +394,72 @@ The default value is an empty string. For more information, see [ServicesAllowed
 <!--/Description-->
 <!--/Policy-->
 <hr/>
 <!--Policy-->
 <a href="" id="bluetooth-setminimumencryptionkeysize"></a>**Bluetooth/SetMinimumEncryptionKeySize**  
 <!--SupportedSKUs-->
 <table>
 <tr>
    <th>Windows Edition</th>
    <th>Supported?</th>
 </tr>
 <tr>
    <td>Home</td>
    <td><img src="images/crossmark.png" alt="cross mark" /></td>
 </tr>
 <tr>
    <td>Pro</td>
    <td><img src="images/checkmark.png" alt="check mark" /><sup>7</sup></td>
 </tr>
 <tr>
    <td>Business</td>
    <td><img src="images/checkmark.png" alt="check mark" /><sup>7</sup></td>
 </tr>
 <tr>
    <td>Enterprise</td>
    <td><img src="images/checkmark.png" alt="check mark" /><sup>7</sup></td>
 </tr>
 <tr>
    <td>Education</td>
    <td><img src="images/checkmark.png" alt="check mark" /><sup>7</sup></td>
 </tr>
 </table>
 <!--/SupportedSKUs-->
 <hr/>
 <!--Scope-->
 [Scope](./policy-configuration-service-provider.md#policy-scope):
 > [!div class = "checklist"]
 > * Device
 <hr/>
 <!--/Scope-->
 <!--Description-->
 Added in the next major release of Windows 10.
 There are multiple levels of encryption strength when pairing Bluetooth devices. This policy helps prevent weaker devices cryptographically being used in high security environments.
 <!--/Description-->
 <!--SupportedValues-->
 The following list shows the supported values:  
 - 0 (default) - All Bluetooth traffic is allowed.
 - N - A number from 1 through 16 representing the bytes that must be used in the encryption process. Currently, 16 is the largest allowed value for N and 16 bytes is the largest key size that Bluetooth supports. If you want to enforce Windows to always use Bluetooth encryption, ignoring the precise encryption key strength, use 1 as the value for N.
 For more information on allowed key sizes, refer to Bluetooth Core Specification v5.1.
 <!--/SupportedValues-->
 <!--Example-->
 <!--/Example-->
 <!--Validation-->
 <!--/Validation-->
 <!--/Policy-->
 <hr/>
 Footnotes:
@ -400,6 +470,7 @@ Footnotes:
 -   4 - Added in Windows 10, version 1803.
 -   5 - Added in Windows 10, version 1809.
 -   6 - Added in Windows 10, version 1903.
 -   7 - Added in the next major release of Windows 10.
 <!--/Policies-->
--- a/windows/client-management/mdm/policy-csp-system.md
+++ b/windows/client-management/mdm/policy-csp-system.md
@ -307,6 +307,10 @@ ADMX Info:
 <!--/ADMXMapped-->
 <!--SupportedValues-->
 The following list shows the supported values:
 -   0 (default) – Disabled.
 -   1 – Allowed.
 <!--/SupportedValues-->
 <!--Example-->
--- a/windows/client-management/mdm/vpnv2-profile-xsd.md
+++ b/windows/client-management/mdm/vpnv2-profile-xsd.md
@ -194,7 +194,6 @@ Here's the XSD for the ProfileXML node in VPNv2 CSP for Windows 10 and some pro
    <NativeProtocolType>IKEv2</NativeProtocolType>  
    <Authentication>  
      <UserMethod>Eap</UserMethod>  
      <MachineMethod>Eap</MachineMethod>  
      <Eap>  
       <Configuration>
          <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
--- a/windows/client-management/troubleshoot-stop-error-on-broadcom-driver-update.md
+++ b/windows/client-management/troubleshoot-stop-error-on-broadcom-driver-update.md
@ -0,0 +1,46 @@
 ---
 title: Stop error occurs when you update the in-box Broadcom network adapter driver
 description: Describes an issue that causes a stop error when you update an in-box Broadcom driver on Windows Server 2019, version 1809.
 author: Teresa-Motiv
 ms.author: v-tea
 ms.date: 2/3/2020
 ms.prod: w10
 ms.topic: article
 ms.custom: 
 - CI 113175
 - CSSTroubleshooting
 audience: ITPro
 ms.localizationpriority: medium
 keywords: 
 manager: kaushika
 ---
 # Stop error occurs when you update the in-box Broadcom network adapter driver
 This issue affects computers that meet the following criteria:
 - The operating system is Windows Server 2019, version 1809.
 - The network adapter is a Broadcom NX1 Gigabit Ethernet network adapter.
 - The number of logical processors is large (for example, a computer that has more than 38 logical processors).
 On such a computer, when you update the in-box Broadcom network adapter driver to a later version, the computer experiences a Stop error (also known as a blue screen error or bug check error).
 ## Cause
 The operating system media for Windows Server 2019, version 1809, contains version 17.2 of the Broadcom NIC driver. When you upgrade this driver to a later version, the process of uninstalling the version 17.2 driver generates an error. This is a known issue.  
 This issue was resolved in Windows Server 2019 version 1903. The operating system media use a later version of the Broadcom network adapter driver.
 ## Workaround
 To update the Broadcom network adapter driver on an affected computer, follow these steps:
 > [!NOTE]  
 > This procedure describes how to use Device Manager to disable and re-enable the Broadcom network adapter. Alternatively, you can use the computer BIOS to disable and re-enable the adapter. For specific instructions, see your OEM BIOS configuration guide.
 1. Download the driver update to the affected computer.
 1. Open Device Manager, and then select the Broadcom network adapter.
 1. Right-click the adapter and then select **Disable device**.
 1. Right-click the adapter again and then select **Update driver** > **Browse my computer for driver software**.
 1. Select the update that you downloaded, and then start the update.
 1. After the update finishes, right-click the adapter and then select **Enable device**.
--- a/windows/client-management/troubleshoot-stop-errors.md
+++ b/windows/client-management/troubleshoot-stop-errors.md
@ -59,7 +59,7 @@ To troubleshoot Stop error messages, follow these general steps:
 3. Run the [Machine Memory Dump Collector](https://home.diagnostics.support.microsoft.com/selfhelp?knowledgebasearticlefilter=2027760&wa=wsignin1.0) Windows diagnostic package. This diagnostic tool is used to collect machine memory dump files and check for known solutions.
-4. Run [Microsoft Safety Scanner](http://www.microsoft.com/security/scanner/en-us/default.aspx) or any other virus detection program that includes checks of the Master Boot Record for infections.
+4. Run [Microsoft Safety Scanner](https://www.microsoft.com/security/scanner/en-us/default.aspx) or any other virus detection program that includes checks of the Master Boot Record for infections.
 5. Make sure that there is sufficient free space on the hard disk. The exact requirement varies, but we recommend 10–15 percent free disk space.
--- a/windows/client-management/troubleshoot-windows-freeze.md
+++ b/windows/client-management/troubleshoot-windows-freeze.md
@ -251,7 +251,7 @@ If the physical computer is still running in a frozen state, follow these steps
 Pool Monitor shows you the number of allocations and outstanding bytes of allocation by type of pool and the tag that is passed into calls of ExAllocatePoolWithTag.   
-Learn [how to use Pool Monitor](https://support.microsoft.com/help/177415) and how to [use the data to troubleshoot pool leaks](http://blogs.technet.com/b/markrussinovich/archive/2009/03/26/3211216.aspx). 
+Learn [how to use Pool Monitor](https://support.microsoft.com/help/177415) and how to [use the data to troubleshoot pool leaks](https://blogs.technet.com/b/markrussinovich/archive/2009/03/26/3211216.aspx). 
 ### Use memory dump to collect data for the virtual machine that's running in a frozen state 
@ -284,4 +284,4 @@ On Windows Server 2008, you may not have enough free disk space to generate a co
 Additionally, on Windows Server 2008 Service Pack (SP2), there's a second option if the system drive doesn't have sufficient space. Namely, you can use the DedicatedDumpFile registry entry. To learn how to use the registry entry, see [New behavior in Windows Vista and Windows Server 2008](https://support.microsoft.com/help/969028).   
-For more information, see [How to use the DedicatedDumpFile registry value to overcome space limitations on the system drive](http://blogs.msdn.com/b/ntdebugging/archive/2010/04/02/how-to-use-the-dedicateddumpfile-registry-value-to-overcome-space-limitations-on-the-system-drive-when-capturing-a-system-memory-dump.aspx).
+For more information, see [How to use the DedicatedDumpFile registry value to overcome space limitations on the system drive](https://blogs.msdn.com/b/ntdebugging/archive/2010/04/02/how-to-use-the-dedicateddumpfile-registry-value-to-overcome-space-limitations-on-the-system-drive-when-capturing-a-system-memory-dump.aspx).
--- a/windows/client-management/troubleshoot-windows-startup.md
+++ b/windows/client-management/troubleshoot-windows-startup.md
@ -7,7 +7,7 @@ ms.topic: troubleshooting
 author: dansimp
 ms.localizationpriority: medium
 ms.author: dansimp
-ms.date: 
+ms.date: 2/3/2020
 ms.reviewer: 
 manager: dansimp
 ---
@ -51,3 +51,5 @@ These articles will walk you through the resources you need to troubleshoot Wind
 - [Advanced troubleshooting for Stop error or blue screen error](https://docs.microsoft.com/windows/client-management/troubleshoot-stop-errors)
 - [Advanced troubleshooting for Windows-based computer freeze issues](https://docs.microsoft.com/windows/client-management/troubleshoot-windows-freeze)
 - [Stop error occurs when you update the in-box Broadcom network adapter driver](troubleshoot-stop-error-on-broadcom-driver-update.md)
--- a/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md
@ -18,6 +18,9 @@ manager: dansimp
 -   Windows 10, version 1703
 -   Windows 10 Mobile, version 1703
 >[!IMPORTANT]
 >Cortana for Power BI is deprecated and will not be available in future releases. This topic is provided as a reference for previous versions only.
 Integration between Cortana and Power BI shows how Cortana can work with custom business analytics solutions to enable you to get answers directly from your key business data, including introducing new features that let you create custom Cortana “answers” using the full capabilities of Power BI Desktop.
 >[!Note]
@ -35,6 +38,7 @@ To use this walkthrough, you’ll need:
 - **Azure Active Directory (Azure AD)/Work or School account**. You can use the account that you created for Office 365, or you can create a new one while you’re establishing your Power BI account. If you choose to use Azure AD, you must connect your Azure AD account to your Windows account.
    **To connect your account to Windows**
    a. Open **Windows Settings**, click **Accounts**, click **Access work or school**, and then in the **Connect to work or school** section, click **Connect**.
    b. Follow the instructions to add your Azure Active Directory (Azure AD) account to Windows.
--- a/windows/deployment/TOC.md
+++ b/windows/deployment/TOC.md
@ -253,6 +253,7 @@
 ##### [Update Compliance Perspectives](update/update-compliance-perspectives.md)
 ### Best practices
 #### [Best practices for feature updates on mission-critical devices](update/feature-update-mission-critical.md)
 #### [Update Windows 10 media with Dynamic Update](update/media-dynamic-update.md)
 #### [Deploy feature updates during maintenance windows](update/feature-update-maintenance-window.md)
 #### [Deploy feature updates for user-initiated installations](update/feature-update-user-install.md)
 #### [Conclusion](update/feature-update-conclusion.md)
--- a/windows/deployment/update/images/update-catalog.png
+++ b/windows/deployment/update/images/update-catalog.png
--- a/windows/deployment/update/media-dynamic-update.md
+++ b/windows/deployment/update/media-dynamic-update.md
@ -0,0 +1,453 @@
 ---
 title: Update Windows 10 media with Dynamic Update
 description: Learn how to deploy feature updates to your mission critical devices
 ms.prod: w10
 ms.mktglfcycl: manage
 audience: itpro
 itproauthor: jaimeo
 author: SteveDiAcetis
 ms.localizationpriority: medium
 ms.author: jaimeo
 ms.reviewer: 
 manager: laurawi
 ms.collection: M365-modern-desktop
 ms.topic: article
 ---
 # Update Windows 10 media with Dynamic Update
 **Applies to**: Windows 10
 This topic explains how to acquire and apply Dynamic Update packages to existing Windows 10 images <em>prior to deployment</em> and includes Windows PowerShell scripts you can use to automate this process.
 Volume-licensed media is available for each release of Windows 10 in the Volume Licensing Service Center (VLSC) and other relevant channels such as Windows Update for Business, Windows Server Update Services (WSUS), and Visual Studio Subscriptions. You can use Dynamic Update to ensure that Windows 10 devices have the latest feature update packages as part of an in-place upgrade while preserving language pack and Features on Demand (FODs) that might have been previously installed. Dynamic Update also eliminates the need to install a separate quality update as part of the in-place upgrade process.
 ## Dynamic Update
 Whenever installation of a feature update starts (whether from media or an environment connected to Windows Update), *Dynamic Update* is one of the first steps. Windows 10 Setup contacts a Microsoft endpoint to fetch Dynamic Update packages, and then applies those updates to your operating system installation media. The update packages includes the following kinds of updates:
 - Updates to Setup.exe binaries or other files that Setup uses for feature updates
 - Updates for the "safe operating system" (SafeOS) that is used for the Windows recovery environment
 - Updates to the servicing stack necessary to complete the feature update (see [Servicing stack updates](servicing-stack-updates.md) for more information)
 - The latest cumulative (quality) update
 - Updates to applicable drivers already published by manufacturers specifically intended for Dynamic Update
 Dynamic Update preserves language pack and Features on Demand packages by reacquiring them.
 Devices must be able to connect to the internet to obtain Dynamic Updates. In some environments, it's not an option to obtain Dynamic Updates. You can still do a media-based feature update by acquiring Dynamic Update packages and applying it to the image prior to starting Setup on the device.
 ## Acquire Dynamic Update packages
 You can obtain Dynamic Update packages from the [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Home.aspx). At that site, use the search bar in the upper right to find the Dynamic Update packages for a particular release. For example, you could enter *1809 Dynamic Update x64*, which would return results like this:
 ![Table with columns labeled Title, Products, Classification, Last Updated, Version, and Size and four rows listing various dynamic updates and associated KB articles](images/update-catalog.png)
 The various Dynamic Update packages might not all be present in the results from a single search, so you might have to search with different keywords to find all of the s. And you'll need to check various parts of the results to be sure you've identified the needed files. This table shows in <em>bold</em> the key items to search for or look for in the results. For example, to find the relevant "Setup Dynamic Update," you'll have to check the detailed description for the download by selecting the link in the **Title** column of the search results.
 |To find this Dynamic Update packages, search for or check the results here-->  |Title  |Product  |Description (select the **Title** link to see **Details**)  |
 |---------|---------|---------|---------|
 |Safe OS Dynamic Update      | 2019-08 Dynamic Update...        | Windows 10 Dynamic Update,Windows **Safe OS Dynamic Update**         | ComponentUpdate:        |
 |Setup Dynamic Update     | 2019-08 Dynamic Update...         | Windows 10 Dynamic Update        | **SetupUpdate**        |
 |Latest cumulative update     | 2019-08 **Cumulative Update for Windows 10**    |  Windows 10       |  Install this update to resolve issues in Windows...       |
 |Servicing stack Dynamic Update     | 2019-09 **Servicing Stack Update for Windows 10**        |  Windows 10...       | Install this update to resolve issues in Windows...        |
 If you want to customize the image with additional languages or Features on Demand, download supplemental media ISO files from the [Volume Licensing Service Center](https://www.microsoft.com/licensing/servicecenter/default.aspx). For example, since Dynamic Update will be disabled for your devices, and if users require specific Features on Demand, you can preinstall these into the image.
 ## Update Windows 10 installation media
 Properly updating the installation media involves a large number of actions operating on several different targets (image files). Some actions are repeated on different targets. The target images files include:
 - Windows Preinstallation Environment (WinPE): a small operating system used to install, deploy, and repair Windows operating systems
 - Windows Recovery Environment (WinRE): repairs common causes of unbootable operating systems. WinRE is based on WinPE and can be customized with additional drivers, languages, optional packages, and other troubleshooting or diagnostic tools.
 - Windows operating system: one or more editions of Windows 10 stored in \sources\install.wim
 - Windows installation media: the complete collection of files and folders in the Windows 10 installation media. For example, \sources folder, \boot folder, Setup.exe, and so on.
 This table shows the correct sequence for applying the various tasks to the files. For example, the full sequence starts with adding the servicing stack update to WinRE (1) and concludes with adding the Dynamic Update for Setup to the new media (26).
 |Task  |WinRE (winre.wim)  |WinPE (boot.wim)  |Operating system (install.wim)  | New media |
 |---------|---------|---------|---------|------|
 |Add servicing stack Dynamic Update     |  1       | 9        | 18        |
 |Add language pack     | 2        |   10      |  19       |
 |Add localized optional packages     |  3       | 11        |         |
 |Add font support     |  4       |  12       |         |
 |Add text-to-speech      | 5        |   13      |         |
 |Update Lang.ini     |         |  14       |         |
 |Add Features on Demand     |         |         |  20       |
 |Add Safe OS Dynamic Update     | 6        |        |       |
 |Add Setup Dynamic Update     |         |         |         | 26
 |Add latest cumulative update     |         | 15        | 21        |
 |Clean up the image     |  7       | 16        | 22        |
 |Add Optional Components     |         |         |  23       |
 |Add .Net and .Net cumulative updates     |         |        | 24        |
 |Export image     | 8        |  17       | 25        |
 ### Multiple Windows editions
 The main operating system file (install.wim) contains multiple editions of Windows 10. It’s possible that only an update for a given edition is required to deploy it, based on the index. Or, it might be that all editions need an update. Further, ensure that languages are installed before Features on Demand, and the latest cumulative update is always applied last.
 ### Additional languages and features
 You don't have to add more languages and features to the image to accomplish the updates, but it's an opportunity to customize the image with more languages, Optional Components, and Features on Demand beyond what is in your starting image. To do this, it's important to make these changes in the correct order: first apply servicing stack updates, followed by language additions, then by feature additions, and finally the latest cumulative update. The provided sample script installs a second language (in this case Japanese (ja-JP)). Since this language is backed by an lp.cab, there's no need to add a Language Experience Pack. Japanese is added to both the main operating system and to the recovery environment to allow the user to see the recovery screens in Japanese. This includes adding localized versions of the packages currently installed in the recovery image. 
 Optional Components, along with the .Net feature, can be installed offline, however doing so creates pending operations that require the device to restart. As a result, the call to perform image cleanup would fail. There are two options to avoid this. One option is to skip the image cleanup step, though that will result in a larger install.wim. Another option is to install the .Net and Optional Components in a step after cleanup but before export. This is the option in the sample script. By doing this, you will have to start with the original install.wim (with no pending actions) when you maintain or update the image the next time (for example, the next month).
 ## Windows PowerShell scripts to apply Dynamic Updates to an existing image
 These examples are for illustration only, and therefore lack error handling. The script assumes that the following packages is stored locally in this folder structure:
 |Folder  |Description  |
 |---------|---------|
 |C:\mediaRefresh     |  Parent folder that contains the PowerShell script       |
 |C:\mediaRefresh\oldMedia |  Folder that contains the original media that will be refreshed. For example, contains Setup.exe, and \sources folder.       |
 |C:\mediaRefresh\newMedia     | Folder that will contain the updated media. It is copied from \oldMedia, then used as the target for all update and cleanup operations.        |
 ### Get started
 The script starts by declaring global variables and creating folders to use for mounting images. Then, make a copy of the original media, from \oldMedia to \newMedia, keeping the original media in case there is a script error and it's necessary to start over from a known state. Also, it will provide a comparison of old versus new media to evaluate changes. To ensure that the new media updates, make sure they are not read-only.
 ```
 function Get-TS { return "{0:HH:mm:ss}" -f (Get-Date) } 
 Write-Host "$(Get-TS): Starting media refresh"
 # Declare media for FOD and LPs
 $FOD_ISO_PATH = "C:\mediaRefresh\packages\FOD-PACKAGES_OEM_PT1_amd64fre_MULTI.iso"
 $LP_ISO_PATH = "C:\mediaRefresh\packages\CLIENTLANGPACKDVD_OEM_MULTI.iso"
 # Declare language for showcasing adding optional localized components
 $LANG = "ja-jp"
 $LANG_FONT_CAPABILITY = "jpan"
 # Declare Dynamic Update packages
 $LCU_PATH = “C:\mediaRefresh\packages\LCU.msu”
 $SSU_PATH = “C:\mediaRefresh\packages\SSU_DU.msu”
 $SETUP_DU_PATH = "C:\mediaRefresh\packages\Setup_DU.cab"
 $SAFE_OS_DU_PATH = “C:\mediaRefresh\packages\SafeOS_DU.cab”
 $DOTNET_CU_PATH = "C:\mediaRefresh\packages\DotNet_CU.msu”
 # Declare folders for mounted images and temp files
 $WORKING_PATH = "C:\mediaRefresh\temp"
 $MEDIA_OLD_PATH = "C:\mediaRefresh\oldMedia"
 $MEDIA_NEW_PATH = "C:\mediaRefresh\newMedia"
 $MAIN_OS_MOUNT = $WORKING_PATH + "\MainOSMount”
 $WINRE_MOUNT = $WORKING_PATH + "\WinREMount”
 $WINPE_MOUNT = $WORKING_PATH + "\WinPEMount”
 # Mount the language pack ISO
 Write-Host "$(Get-TS): Mounting LP ISO"
 $LP_ISO_DRIVE_LETTER = (Mount-DiskImage -ImagePath $LP_ISO_PATH -ErrorAction stop | Get-Volume).DriveLetter
 # Declare language related cabs
 $WINPE_OC_PATH = Join-Path $LP_ISO_DRIVE_LETTER":" -ChildPath "Windows Preinstallation Environment" | Join-Path -ChildPath "x64" | Join-Path -ChildPath "WinPE_OCs"
 $WINPE_OC_LANG_PATH = Join-Path $WINPE_OC_PATH $LANG
 $WINPE_OC_LANG_CABS = Get-ChildItem $WINPE_OC_LANG_PATH -name
 $WINPE_OC_LP_PATH = Join-Path $WINPE_OC_LANG_PATH "lp.cab"
 $WINPE_FONT_SUPPORT_PATH = Join-Path $WINPE_OC_PATH "WinPE-FontSupport-$LANG.cab"
 $WINPE_SPEECH_TTS_PATH = Join-Path $WINPE_OC_PATH "WinPE-Speech-TTS.cab"
 $WINPE_SPEECH_TTS_LANG_PATH = Join-Path $WINPE_OC_PATH "WinPE-Speech-TTS-$LANG.cab"
 $OS_LP_PATH = $LP_ISO_DRIVE_LETTER + ":\x64\langpacks\" + "Microsoft-Windows-Client-Language-Pack_x64_" + $LANG + ".cab"
 # Mount the Features on Demand ISO
 Write-Host "$(Get-TS): Mounting FOD ISO"
 $FOD_ISO_DRIVE_LETTER = (Mount-DiskImage -ImagePath $FOD_ISO_PATH -ErrorAction stop | Get-Volume).DriveLetter
 $FOD_PATH = $FOD_ISO_DRIVE_LETTER + ":\" 
 # Create folders for mounting images and storing temporary files
 New-Item -ItemType directory -Path $WORKING_PATH -ErrorAction Stop | Out-Null
 New-Item -ItemType directory -Path $MAIN_OS_MOUNT -ErrorAction stop | Out-Null
 New-Item -ItemType directory -Path $WINRE_MOUNT -ErrorAction stop | Out-Null
 New-Item -ItemType directory -Path $WINPE_MOUNT -ErrorAction stop | Out-Null
 # Keep the original media, make a copy of it for the new, updateed media.
 Write-Host "$(Get-TS): Copying original media to new media path"
 Copy-Item -Path $MEDIA_OLD_PATH“\*” -Destination $MEDIA_NEW_PATH -Force -Recurse -ErrorAction stop | Out-Null
 Get-ChildItem -Path $MEDIA_NEW_PATH -Recurse | Where-Object { -not $_.PSIsContainer -and $_.IsReadOnly } | ForEach-Object { $_.IsReadOnly = $false }
 ```
 ### Update WinRE
 The script assumes that only a single edition is being updated, indicated by Index = 1 (Windows 10 Education Edition). Then the script mounts the image, saves Winre.wim to the working folder, and mounts it. It then applies servicing stack Dynamic Update, since its s are used for updating other s. Since the script is optionally adding Japanese, it adds the language pack to the image, and installs the Japanese versions of all optional packages already installed in Winre.wim. Then, it applies the Safe OS Dynamic Update package.
 It finishes by cleaning and exporting the image to reduce the image size.
 > [!NOTE]
 > Skip adding the latest cumulative update to Winre.wim because it contains unnecessary s in the recovery environment. The s that are updated and applicable are contained in the safe operating system Dynamic Update package. This also helps to keep the image small.
 ```
 # Mount the main operating system, used throughout the script
 Write-Host "$(Get-TS): Mounting main OS"
 Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH"\sources\install.wim” -Index 1 -Path $MAIN_OS_MOUNT -ErrorAction stop| Out-Null  
 #
 # update Windows Recovery Environment (WinRE)
 #
 Copy-Item -Path $MAIN_OS_MOUNT"\windows\system32\recovery\winre.wim” -Destination $WORKING_PATH"\winre.wim” -Force -Recurse -ErrorAction stop | Out-Null
 Write-Host "$(Get-TS): Mounting WinRE"
 Mount-WindowsImage -ImagePath $WORKING_PATH"\winre.wim” -Index 1 -Path $WINRE_MOUNT -ErrorAction stop | Out-Null 
 # Add servicing stack update
 Write-Host "$(Get-TS): Adding package $SSU_PATH"
 Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SSU_PATH -ErrorAction stop | Out-Null  
 #
 # Optional: Add the language to recovery environment
 #
 # Install lp.cab cab
 Write-Host "$(Get-TS): Adding package $WINPE_OC_LP_PATH"
 Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_OC_LP_PATH -ErrorAction stop | Out-Null  
 # Install language cabs for each optional package installed
 $WINRE_INSTALLED_OC = Get-WindowsPackage -Path $WINRE_MOUNT
 Foreach ($PACKAGE in $WINRE_INSTALLED_OC) {
    if ( ($PACKAGE.PackageState -eq "Installed") `
            -and ($PACKAGE.PackageName.startsWith("WinPE-")) `
            -and ($PACKAGE.ReleaseType -eq "FeaturePack") ) {
        $INDEX = $PACKAGE.PackageName.IndexOf("-Package")
        if ($INDEX -ge 0) {
            $OC_CAB = $PACKAGE.PackageName.Substring(0, $INDEX) + "_" + $LANG + ".cab"
            if ($WINPE_OC_LANG_CABS.Contains($OC_CAB)) {
                $OC_CAB_PATH = Join-Path $WINPE_OC_LANG_PATH $OC_CAB
                Write-Host "$(Get-TS): Adding package $OC_CAB_PATH"
                Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $OC_CAB_PATH -ErrorAction stop | Out-Null  
            }
        }
    }
 }
 # Add font support for the new language
 if ( (Test-Path -Path $WINPE_FONT_SUPPORT_PATH) ) {
    Write-Host "$(Get-TS): Adding package $WINPE_FONT_SUPPORT_PATH"
    Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_FONT_SUPPORT_PATH -ErrorAction stop | Out-Null
 }
 # Add TTS support for the new language
 if (Test-Path -Path $WINPE_SPEECH_TTS_PATH) {
    if ( (Test-Path -Path $WINPE_SPEECH_TTS_LANG_PATH) ) {
        Write-Host "$(Get-TS): Adding package $WINPE_SPEECH_TTS_PATH"
        Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_SPEECH_TTS_PATH -ErrorAction stop | Out-Null
        Write-Host "$(Get-TS): Adding package $WINPE_SPEECH_TTS_LANG_PATH"
        Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $WINPE_SPEECH_TTS_LANG_PATH -ErrorAction stop | Out-Null
    }
 }
 # Add Safe OS
 Write-Host "$(Get-TS): Adding package $SAFE_OS_DU_PATH"
 Add-WindowsPackage -Path $WINRE_MOUNT -PackagePath $SAFE_OS_DU_PATH -ErrorAction stop | Out-Null   
 # Perform image cleanup
 Write-Host "$(Get-TS): Performing image cleanup on WinRE"
 DISM /image:$WINRE_MOUNT /cleanup-image /StartComponentCleanup | Out-Null
 # Dismount
 Dismount-WindowsImage -Path $WINRE_MOUNT  -Save -ErrorAction stop | Out-Null 
 # Export
 Write-Host "$(Get-TS): Exporting image to $WORKING_PATH\winre2.wim”
 Export-WindowsImage -SourceImagePath $WORKING_PATH"\winre.wim” -SourceIndex 1 -DestinationImagePath $WORKING_PATH"\winre2.wim” -ErrorAction stop | Out-Null
 Move-Item -Path $WORKING_PATH"\winre2.wim” -Destination $WORKING_PATH"\winre.wim” -Force -ErrorAction stop | Out-Null
 ```
 ### Update WinPE
 This script is similar to the one that updates WinRE, but instead it mounts Boot.wim, applies the packages with the latest cumulative update last, and saves. It repeats this for all images inside of Boot.wim, typically two images. It starts by applying the servicing stack Dynamic Update. Since the script is customizing this media with Japanese, it installs the language pack from the WinPE folder on the language pack ISO. Additionally, add font support and text to speech (TTS) support. Since the script is adding a new language, it rebuilds lang.ini, used to identify languages installed in the image. Finally, it cleans and exports Boot.wim, and copies it back to the new media.
 ```
 # 
 # update Windows Preinstallation Environment (WinPE)
 # 
 # Get the list of images contained within WinPE
 $WINPE_IMAGES = Get-WindowsImage -ImagePath $MEDIA_NEW_PATH“\sources\boot.wim”
 Foreach ($IMAGE in $WINPE_IMAGES) {
    # update WinPE
    Write-Host "$(Get-TS): Mounting WinPE"
    Mount-WindowsImage -ImagePath $MEDIA_NEW_PATH“\sources\boot.wim” -Index $IMAGE.ImageIndex -Path $WINPE_MOUNT -ErrorAction stop | Out-Null  
    # Add SSU
    Write-Host "$(Get-TS): Adding package $SSU_PATH"
    Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $SSU_PATH -ErrorAction stop | Out-Null
    # Install lp.cab cab
    Write-Host "$(Get-TS): Adding package $WINPE_OC_LP_PATH"
    Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $WINPE_OC_LP_PATH -ErrorAction stop | Out-Null  
    # Install language cabs for each optional package installed
    $WINPE_INSTALLED_OC = Get-WindowsPackage -Path $WINPE_MOUNT
    Foreach ($PACKAGE in $WINPE_INSTALLED_OC) {
        if ( ($PACKAGE.PackageState -eq "Installed") `
                -and ($PACKAGE.PackageName.startsWith("WinPE-")) `
                -and ($PACKAGE.ReleaseType -eq "FeaturePack") ) {
            $INDEX = $PACKAGE.PackageName.IndexOf("-Package")
            if ($INDEX -ge 0) {
                $OC_CAB = $PACKAGE.PackageName.Substring(0, $INDEX) + "_" + $LANG + ".cab"
                if ($WINPE_OC_LANG_CABS.Contains($OC_CAB)) {
                    $OC_CAB_PATH = Join-Path $WINPE_OC_LANG_PATH $OC_CAB
                    Write-Host "$(Get-TS): Adding package $OC_CAB_PATH"
                    Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $OC_CAB_PATH -ErrorAction stop | Out-Null  
                }
            }
        }
    }
    # Add font support for the new language
    if ( (Test-Path -Path $WINPE_FONT_SUPPORT_PATH) ) {
        Write-Host "$(Get-TS): Adding package $WINPE_FONT_SUPPORT_PATH"
        Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $WINPE_FONT_SUPPORT_PATH -ErrorAction stop | Out-Null
    }
    # Add TTS support for the new language
    if (Test-Path -Path $WINPE_SPEECH_TTS_PATH) {
        if ( (Test-Path -Path $WINPE_SPEECH_TTS_LANG_PATH) ) {
            Write-Host "$(Get-TS): Adding package $WINPE_SPEECH_TTS_PATH"
            Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $WINPE_SPEECH_TTS_PATH -ErrorAction stop | Out-Null
            Write-Host "$(Get-TS): Adding package $WINPE_SPEECH_TTS_LANG_PATH"
            Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $WINPE_SPEECH_TTS_LANG_PATH -ErrorAction stop | Out-Null
        }
    }
    # Generates a new Lang.ini file which is used to define the language packs inside the image
    if ( (Test-Path -Path $WINPE_MOUNT"\sources\lang.ini") ) {
        Write-Host "$(Get-TS): Updating lang.ini"
        DISM /image:$WINPE_MOUNT /Gen-LangINI /distribution:$WINPE_MOUNT | Out-Null
    }    
    # Add latest cumulative update
    Write-Host "$(Get-TS): Adding package $LCU_PATH"
    Add-WindowsPackage -Path $WINPE_MOUNT -PackagePath $LCU_PATH -ErrorAction stop | Out-Null  
    # Perform image cleanup
    Write-Host "$(Get-TS): Performing image cleanup on WinPE"
    DISM /image:$WINPE_MOUNT /cleanup-image /StartComponentCleanup | Out-Null
    # Dismount
    Dismount-WindowsImage -Path $WINPE_MOUNT -Save -ErrorAction stop | Out-Null 
    #Export WinPE
    Write-Host "$(Get-TS): Exporting image to $WORKING_PATH\boot2.wim”
    Export-WindowsImage -SourceImagePath $MEDIA_NEW_PATH“\sources\boot.wim” -SourceIndex $IMAGE.ImageIndex -DestinationImagePath $WORKING_PATH"\boot2.wim" -ErrorAction stop | Out-Null
 }
 Move-Item -Path $WORKING_PATH"\boot2.wim" -Destination $MEDIA_NEW_PATH“\sources\boot.wim” -Force -ErrorAction stop | Out-Null
 ```
 ### Update the main operating system
 For this next phase, there is no need to mount the main operating system, since it was already mounted in the previous scripts. This script starts by applying the servicing stack Dynamic Update. Then, it adds Japanese language support and then the Japanese language features. Unlike the Dynamic Update packages, it leverages `Add-WindowsCapability` to add these features. For a full list of such features, and their associated capability name, see [Available Features on Demand](https://docs.microsoft.com/windows-hardware/manufacture/desktop/features-on-demand-non-language-fod).
 Now is the time to enable other Optional Components or add other Features on Demand. If such a feature has an associated cumulative update (for example, .Net), this is the time to apply those. The script then proceeds with applying the latest cumulative update. Finally, the script cleans and exports the image.
 You can install Optional Components, along with the .Net feature, offline, but that will require the device to be restarted. This is why the script installs .Net and Optional Components after cleanup and before export.
 ```
 # 
 # update Main OS
 # 
 # Add servicing stack update
 Write-Host "$(Get-TS): Adding package $SSU_PATH"
 Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $SSU_PATH -ErrorAction stop | Out-Null
 # Optional: Add language to main OS
 Write-Host "$(Get-TS): Adding package $OS_LP_PATH"
 Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $OS_LP_PATH -ErrorAction stop | Out-Null  
 # Optional: Add a Features on Demand to the image
 Write-Host "$(Get-TS): Adding language FOD: Language.Fonts.Jpan~~~und-JPAN~0.0.1.0"
 Add-WindowsCapability -Name "Language.Fonts.$LANG_FONT_CAPABILITY~~~und-$LANG_FONT_CAPABILITY~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
 Write-Host "$(Get-TS): Adding language FOD: Language.Basic~~~$LANG~0.0.1.0"
 Add-WindowsCapability -Name "Language.Basic~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
 Write-Host "$(Get-TS): Adding language FOD: Language.OCR~~~$LANG~0.0.1.0"
 Add-WindowsCapability -Name "Language.OCR~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
 Write-Host "$(Get-TS): Adding language FOD: Language.Handwriting~~~$LANG~0.0.1.0"
 Add-WindowsCapability -Name "Language.Handwriting~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
 Write-Host "$(Get-TS): Adding language FOD: Language.TextToSpeech~~~$LANG~0.0.1.0"
 Add-WindowsCapability -Name "Language.TextToSpeech~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
 Write-Host "$(Get-TS): Adding language FOD:Language.Speech~~~$LANG~0.0.1.0"
 Add-WindowsCapability -Name "Language.Speech~~~$LANG~0.0.1.0" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
 # Note: If I wanted to enable additional Features on Demand, I'd add these here.
 # Add latest cumulative update
 Write-Host "$(Get-TS): Adding package $LCU_PATH"
 Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $LCU_PATH -ErrorAction stop | Out-Null 
 # Copy our updated recovery image from earlier into the main OS
 # Note: If I were updating more than 1 edition, I'd want to copy the same recovery image file 
 # into each edition to enable single instancing
 Copy-Item -Path $WORKING_PATH"\winre.wim” -Destination $MAIN_OS_MOUNT"\windows\system32\recovery\winre.wim” -Force -Recurse -ErrorAction stop | Out-Null
 # Perform image cleanup
 Write-Host "$(Get-TS): Performing image cleanup on main OS"
 DISM /image:$MAIN_OS_MOUNT /cleanup-image /StartComponentCleanup | Out-Null
 #
 # Note: If I wanted to enable additional Optional Components, I'd add these here. 
 # In addition, we'll add .Net 3.5 here as well. Both .Net and Optional Components might require 
 # the image to be booted, and thus if we tried to cleanup after installation, it would fail.
 #
 Write-Host "$(Get-TS): Adding NetFX3~~~~"
 Add-WindowsCapability -Name "NetFX3~~~~" -Path $MAIN_OS_MOUNT -Source $FOD_PATH -ErrorAction stop | Out-Null
 # Add .Net Cumulative Update
 Write-Host "$(Get-TS): Adding package $DOTNET_CU_PATH"
 Add-WindowsPackage -Path $MAIN_OS_MOUNT -PackagePath $DOTNET_CU_PATH -ErrorAction stop | Out-Null
 # Dismount
 Dismount-WindowsImage -Path $MAIN_OS_MOUNT -Save -ErrorAction stop | Out-Null
 # Export
 Write-Host "$(Get-TS): Exporting image to $WORKING_PATH\install2.wim”
 Export-WindowsImage -SourceImagePath $MEDIA_NEW_PATH“\sources\install.wim” -SourceIndex 1 -DestinationImagePath $WORKING_PATH"\install2.wim” -ErrorAction stop | Out-Null
 Move-Item -Path $WORKING_PATH"\install2.wim” -Destination $MEDIA_NEW_PATH“\sources\install.wim” -Force -ErrorAction stop | Out-Null
 ```
 ### Update remaining media files
 This part of the script updates the Setup files. It simply copies the individual files in the Setup Dynamic Update package to the new media. This step brings an updated Setup.exe as needed, along with the latest compatibility database, and replacement component manifests.
 ```
 #
 # update remaining files on media
 #
 # Add Setup DU by copy the files from the package into the newMedia
 Write-Host "$(Get-TS): Adding package $SETUP_DU_PATH"
 cmd.exe /c $env:SystemRoot\System32\expand.exe $SETUP_DU_PATH -F:* $MEDIA_NEW_PATH"\sources" | Out-Null
 ```
 ### Finish up
 As a last step, the script removes the working folder of temporary files, and unmounts our language pack and Features on Demand ISOs.
 ```
 #
 # Perform final cleanup
 #
 # Remove our working folder
 Remove-Item -Path $WORKING_PATH -Recurse -Force -ErrorAction stop | Out-Null
 # Dismount ISO images
 Write-Host "$(Get-TS): Dismounting ISO images"
 Dismount-DiskImage -ImagePath $LP_ISO_PATH -ErrorAction stop | Out-Null
 Dismount-DiskImage -ImagePath $FOD_ISO_PATH -ErrorAction stop | Out-Null 
 Write-Host "$(Get-TS): Media refresh completed!"
 ```
--- a/windows/deployment/update/waas-overview.md
+++ b/windows/deployment/update/waas-overview.md
@ -118,7 +118,7 @@ When Microsoft officially releases a feature update for Windows 10, it is made a
 Organizations are expected to initiate targeted deployment on Semi-Annual Channel releases.  All customers, independent software vendors (ISVs), and partners should use this time for testing and piloting within their environments. After 2-4 months, we will transition to broad deployment and encourage customers and partners to expand and accelerate the deployment of the release. For customers using Windows Update for Business, the Semi-Annual Channel provides three months of additional total deployment time before being required to update to the next release.
 > [!NOTE]
-> All releases of Windows 10 have 18 months of servicing for all editions--these updates provide security and feature updates for the release. Customers running Enterprise and Education editions have an additional 12 months of servicing for specific Windows 10 releases, for a total of 30 months from initial release. These versions include Enterprise and Education editions for Windows 10, versions 1607 and later. Starting in October 2018, all Semi-Annual Channel releases in the September/October timeframe will also have the additional 12 months of servicing for a total of 30 months from the initial release. The Semi-Annual Channel versions released in March/April timeframe will continue to have an 18-month lifecycle.
+> All releases of Windows 10 have **18 months of servicing for all editions**--these updates provide security and feature updates for the release. However, fall releases of the **Enterprise and Education editions** will have an **additional 12 months of servicing for specific Windows 10 releases, for a total of 30 months from initial release**. This extended servicing window applies to Enterprise and Education editions starting with Windows 10, version 1607.
 > 
 > 
 > [!NOTE]
--- a/windows/deployment/update/waas-wufb-group-policy.md
+++ b/windows/deployment/update/waas-wufb-group-policy.md
@ -23,7 +23,7 @@ ms.topic: article
 ## Overview 
-You can use Group Policy through the Group Policy Management Console (GPMC) to control how Windows Update for Business works. You should consider and devise a deployment strategy for updates before you make changes to the Windows Update for Business settings. See 
+You can use Group Policy through the Group Policy Management Console (GPMC) to control how Windows Update for Business works. You should consider and devise a deployment strategy for updates before you make changes to the Windows Update for Business settings. See [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) for more information. 
 An IT administrator can set policies for Windows Update for Business by using Group Policy, or they can be set locally (per device). All of the relevant policies are under the path **Computer configuration > Administrative Templates > Windows Components > Windows Update**.
@ -42,10 +42,10 @@ Follow these steps on a device running the Remote Server Administration Tools or
 ### Set up a ring
 1. Start Group Policy Management Console (gpmc.msc).
-2. Expand **Forest > Domains > *\<your domain\>*.
+2. Expand **Forest > Domains > *\<your domain\>**.
 3. Right-click *\<your domain>* and select **Create a GPO in this domain and link it here**.
 4. In the **New GPO** dialog box, enter *Windows Update for Business - Group 1* as the name of the new Group Policy Object.
-5. Right-click the **Windows Update for Business - Group 1" object, and then select **Edit**.
+5. Right-click the **"Windows Update for Business - Group 1"** object, and then select **Edit**.
 6. In the Group Policy Management Editor, go to **Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update**. You are now ready to start assigning policies to this ring (group) of devices.
--- a/windows/deployment/update/windows-as-a-service.md
+++ b/windows/deployment/update/windows-as-a-service.md
@ -1,7 +1,6 @@
 ---
 title: Windows as a service  
 ms.prod: windows-10 
 layout: LandingPage  
 ms.topic: landing-page
 ms.manager: elizapo
 audience: itpro
--- a/windows/deployment/update/windows-update-troubleshooting.md
+++ b/windows/deployment/update/windows-update-troubleshooting.md
@ -60,7 +60,7 @@ The Settings UI is talking to the Update Orchestrator service which in turn is t
 On computers running [Windows 10 1709 or higher](#BKMK_DCAT) configured to update from Windows Update (usually WUfB scenario) servicing and definition updates are being installed successfully, but feature updates are never offered.
 Checking the WindowsUpdate.log reveals the following error:
-```
+```console
 YYYY/MM/DD HH:mm:ss:SSS PID  TID  Agent           * START * Finding updates CallerId = Update;taskhostw  Id = 25
 YYYY/MM/DD HH:mm:ss:SSS PID  TID  Agent           Online = Yes; Interactive = No; AllowCachedResults = No; Ignore download priority = No
 YYYY/MM/DD HH:mm:ss:SSS PID  TID  Agent           ServiceID = {855E8A7C-ECB4-4CA3-B045-1DFA50104289} Third party service
@ -85,7 +85,7 @@ YYYY/MM/DD HH:mm:ss:SSS PID  TID  Agent           * END * Finding updates Caller
 ``` 
 The 0x80070426 error code translates to:
-```
+```console
 ERROR_SERVICE_NOT_ACTIVE - # The service has not been started.
 ```
@ -98,7 +98,7 @@ Windows Update uses WinHttp with Partial Range requests (RFC 7233) to download u
 To fix this issue, configure a proxy in WinHTTP by using the following netsh command: 
-``` 
+```console
 netsh winhttp set proxy ProxyServerName:PortNumber 
 ```
@ -128,15 +128,15 @@ The most common reasons for this error are described in the following table:
 ## Issues related to firewall configuration 
 Error that may be seen in the WU logs:  
-```
+```console
 DownloadManager    Error 0x800706d9 occurred while downloading update; notifying dependent calls. 
 ```
 Or 
-``` 
+```console
 [DownloadManager] BITS job {A4AC06DD-D6E6-4420-8720-7407734FDAF2} hit a transient error, updateId = {D053C08A-6250-4C43-A111-56C5198FE142}.200 <NULL>, error = 0x800706D9 
 ``` 
 Or 
-``` 
+```console
 DownloadManager [0]12F4.1FE8::09/29/2017-13:45:08.530 [agent]DO job {C6E2F6DC-5B78-4608-B6F1-0678C23614BD} hit a transient error, updateId = 5537BD35-BB74-40B2-A8C3-B696D3C97CBA.201 <NULL>, error = 0x80D0000A 
 ``` 
@ -150,17 +150,17 @@ See [How to configure automatic updates by using Group Policy or registry settin
 ## Device cannot access update files
 Check that your device can access these Windows Update endpoints:
- http://windowsupdate.microsoft.com
+- `http://windowsupdate.microsoft.com`
- http://*.windowsupdate.microsoft.com
+- `http://*.windowsupdate.microsoft.com`
- https://*.windowsupdate.microsoft.com
+- `https://*.windowsupdate.microsoft.com`
- http://*.update.microsoft.com
+- `http://*.update.microsoft.com`
- https://*.update.microsoft.com
+- `https://*.update.microsoft.com`
- http://*.windowsupdate.com
+- `http://*.windowsupdate.com`
- http://download.windowsupdate.com
+- `http://download.windowsupdate.com`
- https://download.microsoft.com
+- `https://download.microsoft.com`
- http://*.download.windowsupdate.com
+- `http://*.download.windowsupdate.com`
- http://wustat.windows.com
+- `http://wustat.windows.com`
- http://ntservicepack.microsoft.com
+- `http://ntservicepack.microsoft.com`
 Whitelist these endpoints for future use.
@ -183,13 +183,13 @@ Check the output for the Name and OffersWindowsUPdates parameters, which you can
 ## You have a bad setup in the environment 
 If we look at the GPO being set through registry, the system is configured to use WSUS to download updates: 
-``` 
+```console
 HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU] 
 "UseWUServer"=dword:00000001                                        ===================================> it says use WSUS server.  
 ```
 From the WU logs: 
-```
+```console
 2018-08-06 09:33:31:085  480 1118 Agent ** START **  Agent: Finding updates [CallerId = OperationalInsight  Id = 49] 
 2018-08-06 09:33:31:085  480 1118 Agent ********* 
 2018-08-06 09:33:31:085  480 1118 Agent   * Include potentially superseded updates 
@ -206,7 +206,7 @@ In the above log snippet, we see that the Criteria = "IsHidden = 0 AND Deploymen
 Now if you look at the below logs, the Automatic update runs the scan and finds no update approved for it. So it reports there are 0 updates to install or download. This is due to bad setup or configuration in the environment. The WSUS side should approve the patches for WU so that it fetches the updates and installs it on the specified time according to the policy. Since this scenario doesn't include SCCM, there's no way to install unapproved updates. And that is the problem you are facing. You expect that the scan should be done by the operational insight agent and automatically trigger download and install but that won’t happen here.  
-```
+```console
 2018-08-06 10:58:45:992  480 5d8 Agent ** START **  Agent: Finding updates [CallerId = AutomaticUpdates  Id = 57] 
 2018-08-06 10:58:45:992  480 5d8 Agent ********* 
 2018-08-06 10:58:45:992  480 5d8 Agent   * Online = Yes; Ignore download priority = No 
@ -224,12 +224,12 @@ Users may see that Windows 10 is consuming all the bandwidth in the different of
 The following group policies can help mitigate this: 
- Blocking access to Windows Update servers: [Policy Turn off access to all Windows Update features](http://gpsearch.azurewebsites.net/#4728) (Set to enabled)
+- Blocking access to Windows Update servers: [Policy Turn off access to all Windows Update features](https://gpsearch.azurewebsites.net/#4728) (Set to enabled)
- Driver search: [Policy Specify search order for device driver source locations](http://gpsearch.azurewebsites.net/#183) (Set to "Do not search Windows Update")
+- Driver search: [Policy Specify search order for device driver source locations](https://gpsearch.azurewebsites.net/#183) (Set to "Do not search Windows Update")
- Windows Store automatic update: [Policy Turn off Automatic Download and Install of updates](http://gpsearch.azurewebsites.net/#10876) (Set to enabled)
+- Windows Store automatic update: [Policy Turn off Automatic Download and Install of updates](https://gpsearch.azurewebsites.net/#10876) (Set to enabled)
 Other components that reach out to the internet:
- Windows Spotlight: [Policy Configure Windows spotlight on lock screen](http://gpsearch.azurewebsites.net/#13362) (Set to disabled) 
+- Windows Spotlight: [Policy Configure Windows spotlight on lock screen](https://gpsearch.azurewebsites.net/#13362) (Set to disabled) 
- Consumer experiences: [Policy Turn off Microsoft consumer experiences](http://gpsearch.azurewebsites.net/#13329) (Set to enabled) 
+- Consumer experiences: [Policy Turn off Microsoft consumer experiences](https://gpsearch.azurewebsites.net/#13329) (Set to enabled) 
- Background traffic from Windows apps: [Policy Let Windows apps run in the background](http://gpsearch.azurewebsites.net/#13571) 
+- Background traffic from Windows apps: [Policy Let Windows apps run in the background](https://gpsearch.azurewebsites.net/#13571) 
--- a/windows/deployment/usmt/usmt-identify-users.md
+++ b/windows/deployment/usmt/usmt-identify-users.md
@ -8,83 +8,59 @@ ms.author: greglin
 ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
-audience: itpro
author: greg-lindsay
+audience: itpro
-ms.date: 04/19/2017
+author: greg-lindsay
 ms.topic: article
 ms.localizationpriority: medium
 ---
 # Identify Users
 It is important to carefully consider how you plan to migrate users. By default, all users are migrated by User State Migration Tool (USMT) 5.0. You must specify which users to include by using the command line. You cannot specify users in the .xml files. For instructions on how to migrate users, see [Migrate User Accounts](usmt-migrate-user-accounts.md).
 ## In This Topic
-
+- [Migrating Local Accounts](#bkmk-8)
-   [Migrating Local Accounts](#bkmk-8)
+- [Migrating Domain Accounts](#bkmk-9)
-
+- [Command-Line Options](#bkmk-7)
 -   [Migrating Domain Accounts](#bkmk-9)
 -   [Command-Line Options](#bkmk-7)
 ## <a href="" id="bkmk-8"></a>Migrating Local Accounts
 Before migrating local accounts, note the following:
- [You must explicitly specify that local accounts that are not on the destination computer should be migrated.](#bkmk-8) If you are migrating local accounts and the local account does not exist on the destination computer, you must use the<strong>/lac</strong> option when using the LoadState command. If the **/lac** option is not specified, no local user accounts will be migrated.
+- [You must explicitly specify that local accounts that are not on the destination computer should be migrated.](#bkmk-8) If you are migrating local accounts and the local account does not exist on the destination computer, you must use the **/lac** option when using the LoadState command. If the **/lac** option is not specified, no local user accounts will be migrated.
 - [Consider whether to enable user accounts that are new to the destination computer.](#bkmk-8) The **/lae** option enables the account that was created with the **/lac** option. However, if you create a disabled local account by using only the **/lac** option, a local administrator must enable the account on the destination computer.
 - [Be careful when specifying a password for local accounts.](#bkmk-8) If you create the local account with a blank password, anyone could log on to that account on the destination computer. If you create the local account with a password, the password is available to anyone with access to the USMT command-line tools.
-  **Note**  
+>[!NOTE]
-  If there are multiple users on a computer, and you specify a password with the **/lac** option, all migrated users will have the same password.
+>If there are multiple users on a computer, and you specify a password with the **/lac** option, all migrated users will have the same password.
 ## <a href="" id="bkmk-9"></a>Migrating Domain Accounts
 The source and destination computers do not need to be connected to the domain for domain user profiles to be migrated.
 ## <a href="" id="bkmk-7"></a>Command-Line Options
 USMT provides several options to migrate multiple users on a single computer. The following command-line options specify which users to migrate.
-   [Specifying users.](#bkmk-8) You can specify which users to migrate with the **/all**, **/ui**, **/uel**, and **/ue** options with both the ScanState and LoadState command-line tools.
+- [Specifying users.](#bkmk-8) You can specify which users to migrate with the **/all**, **/ui**, **/uel**, and **/ue** options with both the ScanState and LoadState command-line tools.
-    **Important**  
+  >[!IMPORTANT]
-    The **/uel** option excludes users based on the **LastModified** date of the Ntuser.dat file. The **/uel** option is not valid in offline migrations.
+  >The **/uel** option excludes users based on the **LastModified** date of the Ntuser.dat file. The **/uel** option is not valid in offline migrations.
 - [Moving users to another domain.](#bkmk-8) You can move user accounts to another domain using the **/md** option with the LoadState command-line tool.
 - [Creating local accounts.](#bkmk-8) You can create and enable local accounts using the **/lac** and **/lae** options with the LoadState command-line tool.
-   [Moving users to another domain.](#bkmk-8) You can move user accounts to another domain using the **/md** option with the LoadState command-line tool.
+- [Renaming user accounts.](#bkmk-8) You can rename user accounts using the **/mu** option.
 -   [Creating local accounts.](#bkmk-8) You can create and enable local accounts using the **/lac** and **/lae** options with the LoadState command-line tool.
 -   [Renaming user accounts.](#bkmk-8) You can rename user accounts using the **/mu** option.
    **Note**  
    By default, if a user name is not specified in any of the command-line options, the user will be migrated.
  >[!NOTE]
  >By default, if a user name is not specified in any of the command-line options, the user will be migrated.
 ## Related topics
-
+[Determine What to Migrate](usmt-determine-what-to-migrate.md)<br>
-[Determine What to Migrate](usmt-determine-what-to-migrate.md)
+[ScanState Syntax](usmt-scanstate-syntax.md)<br>
 [ScanState Syntax](usmt-scanstate-syntax.md)
 [LoadState Syntax](usmt-loadstate-syntax.md)
--- a/windows/deployment/volume-activation/install-vamt.md
+++ b/windows/deployment/volume-activation/install-vamt.md
@ -9,7 +9,8 @@ ms.prod: w10
 ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: activation
-audience: itpro
author: greg-lindsay
+audience: itpro
 author: greg-lindsay
 ms.localizationpriority: medium
 ms.date: 03/11/2019
 ms.topic: article
@ -31,11 +32,12 @@ You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for
 ### Requirements
- [Windows Server with Desktop Experience](https://docs.microsoft.com/windows-server/get-started/getting-started-with-server-with-desktop-experience), with internet access and all updates applied
+- [Windows Server with Desktop Experience](https://docs.microsoft.com/windows-server/get-started/getting-started-with-server-with-desktop-experience), with internet access (for the main VAMT console) and all updates applied
- [Windows 10, version 1809 ADK](https://go.microsoft.com/fwlink/?linkid=2026036)
+- [Windows 10, version 1903 ADK](https://go.microsoft.com/fwlink/?linkid=2086042)
 - [SQL Server 2017 Express](https://www.microsoft.com/sql-server/sql-server-editions-express)
 - alternatively any full SQL instance e.g. SQL Server 2014 or newer incl. CU / SP
-### Install SQL Server 2017 Express
+### Install SQL Server 2017 Express / alternatively use any Full SQL instance e.g. SQL Server 2014 or newer
 1. Download and open the [SQL Server 2017 Express](https://www.microsoft.com/sql-server/sql-server-editions-express) package.
 2. Select **Basic**.
@ -46,20 +48,23 @@ You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for
 ### Install VAMT using the ADK
-1. Download and open the [Windows 10, version 1809 ADK](https://go.microsoft.com/fwlink/?linkid=2026036) package.
+1. Download and open the [Windows 10, version 1903 ADK](https://go.microsoft.com/fwlink/?linkid=2086042) package.
 Reminder: There won't be new ADK release for 1909.
 2. Enter an install location or use the default path, and then select **Next**.
 3. Select a privacy setting, and then select **Next**.
 4. Accept the license terms.
 5. On the **Select the features you want to install** page, select **Volume Activation Management Tool (VAMT)**, and then select **Install**. (You can select additional features to install as well.)
 6. On the completion page, select **Close**.
-### Configure VAMT to connect to SQL Server 2017 Express
+### Configure VAMT to connect to SQL Server 2017 Express or full SQL Server
 1. Open **Volume Active Management Tool 3.1** from the Start menu.
-2. Enter the server instance name and a name for the database, select **Connect**, and then select **Yes** to create the database. See the following image for an example.
+2. Enter the server instance name (for a remote SQL use the FQDN) and a name for the database, select **Connect**, and then select **Yes** to create the database. See the following image for an example for SQL.
    ![Server name is .\SQLEXPRESS and database name is VAMT](images/vamt-db.png)
 for remote SQL Server use
 servername.yourdomain.com
--- a/windows/deployment/windows-autopilot/add-devices.md
+++ b/windows/deployment/windows-autopilot/add-devices.md
@ -135,7 +135,7 @@ A summary of each platform's capabilities is provided below.<br>
 </tr>
 <tr>
-<td><a href="https://docs.microsoft.com/microsoft-store/add-profile-to-devices#manage-autopilot-deployment-profiles">Microsoft Store for Business</a><b><sup>4</sup></b></td>
+<td><a href="https://docs.microsoft.com/microsoft-store/add-profile-to-devices#manage-autopilot-deployment-profiles">Microsoft Store for Business</a></td>
 <td>YES - 1000 at a time max</td>
 <td>YES<b><sup>4</sup></b></td>
 <td>4K HH</td>
@ -153,7 +153,8 @@ A summary of each platform's capabilities is provided below.<br>
 ><b><sup>1</sup></b>Microsoft recommended platform to use<br>
 ><b><sup>2</sup></b>Intune license required<br>
 ><b><sup>3</sup></b>Feature capabilities are limited<br>
-><b><sup>4</sup></b>To be retired<br>
+><b><sup>4</sup></b>Device profile assignment will be retired from MSfB and Partner Center in the coming months<br>
 Also see the following topics for more information about device IDs:
 - [Device identification](#device-identification)
--- a/windows/deployment/windows-autopilot/white-glove.md
+++ b/windows/deployment/windows-autopilot/white-glove.md
@ -59,7 +59,7 @@ To enable white glove deployment, an additional Autopilot profile setting must b
 ![allow white glove](images/allow-white-glove-oobe.png)
-The Windows Autopilot for white glove deployment pre-provisioning process will apply all device-targeted policies from Intune.  That includes certificates, security templates, settings, apps, and more – anything targeting the device.  Additionally, any apps (Win32 or LOB) that are configured to install in the device context and targeted to the user that has been pre-assigned to the Autopilot device will also be installed.  
+The Windows Autopilot for white glove deployment pre-provisioning process will apply all device-targeted policies from Intune.  That includes certificates, security templates, settings, apps, and more – anything targeting the device.  Additionally, any apps (Win32 or LOB) that are configured to install in the device context and targeted to the user that has been pre-assigned to the Autopilot device will also be installed. Please make sure not to target both win32 and LOB apps to the same device. 
 >[!NOTE]
 >Other user-targeted policies will not apply until the user signs into the device.  To verify these behaviors, be sure to create appropriate apps and policies targeted to devices and users.
--- a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md
+++ b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md
@ -101,6 +101,9 @@ To provide needed Azure Active Directory (automatic MDM enrollment and company b
 - [Intune for Education subscriptions](https://docs.microsoft.com/intune-education/what-is-intune-for-education), which include all needed Azure AD and Intune features.
 - [Azure Active Directory Premium P1 or P2](https://azure.microsoft.com/services/active-directory/) and [Microsoft Intune subscriptions](https://www.microsoft.com/cloud-platform/microsoft-intune) (or an alternative MDM service).
 > [!NOTE]
 > Even when using Microsoft 365 subscriptions, you still need to [assign Intune licenses to the users](https://docs.microsoft.com/intune/fundamentals/licenses-assign).
 Additionally, the following are also recommended (but not required):
 - [Office 365 ProPlus](https://www.microsoft.com/p/office-365-proplus/CFQ7TTC0K8R0), which can be deployed easily via Intune (or other MDM services).
 - [Windows Subscription Activation](https://docs.microsoft.com/windows/deployment/windows-10-enterprise-subscription-activation), to automatically step up devices from Windows 10 Pro to Windows 10 Enterprise.
--- a/windows/privacy/windows-10-and-privacy-compliance.md
+++ b/windows/privacy/windows-10-and-privacy-compliance.md
@ -140,7 +140,7 @@ Windows 10, version 1803 and later, allows users to change their diagnostic data
 #### 2.3.7 Diagnostic data: Managing device-based data delete
-Windows 10, version 1809 and later, allows a user to delete diagnostic data collected from their device by going into **Settings** > **Privacy** > **Diagnostic & feedback** and clicking the **Delete** button. An IT administrator can also delete diagnostic data for a device using the [Clear-WindowsDiagnosticData](https://docs.microsoft.com/powershell/module/windowsdiagnosticdata/Clear-WindowsDiagnosticData?view=win10-ps) PowerShell cmdlet script.
+Windows 10, version 1803 and later, allows a user to delete diagnostic data collected from their device by going into **Settings** > **Privacy** > **Diagnostic & feedback** and clicking the **Delete** button. An IT administrator can also delete diagnostic data for a device using the [Clear-WindowsDiagnosticData](https://docs.microsoft.com/powershell/module/windowsdiagnosticdata/Clear-WindowsDiagnosticData?view=win10-ps) PowerShell cmdlet script.
 An administrator can disable a user’s ability to delete their device’s diagnostic data by setting the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **Data Collection and Preview Builds** > **Disable deleting diagnostic data** or the MDM policy `DisableDeviceDelete`.
--- a/Show More
+++ b/Show More
`@ -1,4 +1,4 @@`
	`# [Surface](index.md)`	`# [Surface](index.yml)`

	`## [Get started](get-started.md)`	`## [Get started](get-started.md)`