resolve the conflict

2025-06-18 11:53:37 +00:00 · 2019-03-01 11:02:11 -08:00
parent 91eda0ee01 20f0c67ee6
commit 18994cc939
19 changed files with 396 additions and 199 deletions
--- a/store-for-business/TOC.md
+++ b/store-for-business/TOC.md
@ -8,16 +8,16 @@
 ### [Settings reference: Microsoft Store for Business and Education](settings-reference-microsoft-store-for-business.md)
 ## [Find and acquire apps](find-and-acquire-apps-overview.md)
 ### [Apps in the Microsoft Store for Business and Education](apps-in-microsoft-store-for-business.md)
-### [Acquire apps in the Microsoft Store for Business and Education](acquire-apps-microsoft-store-for-business.md)
+### [Acquire apps](acquire-apps-microsoft-store-for-business.md)
 ### [Working with line-of-business apps](working-with-line-of-business-apps.md)
-## [Distribute apps to your employees from the Microsoft Store for Business and Education](distribute-apps-to-your-employees-microsoft-store-for-business.md)
+## [Distribute apps](distribute-apps-to-your-employees-microsoft-store-for-business.md)
 ### [Distribute apps using your private store](distribute-apps-from-your-private-store.md)
 ### [Assign apps to employees](assign-apps-to-employees.md)
 ### [Distribute apps with a management tool](distribute-apps-with-management-tool.md)
 ### [Distribute offline apps](distribute-offline-apps.md)
 ## [Manage products and services](manage-apps-microsoft-store-for-business-overview.md)
-### [App inventory managemement for Microsoft Store for Business and Education](app-inventory-management-microsoft-store-for-business.md)
+### [App inventory managemement](app-inventory-management-microsoft-store-for-business.md)
-### [Manage app orders in Microsoft Store for Business and Education](manage-orders-microsoft-store-for-business.md)
+### [Manage orders](manage-orders-microsoft-store-for-business.md)
 ### [Manage access to private store](manage-access-to-private-store.md)
 ### [Manage private store settings](manage-private-store-settings.md)
 ### [Configure MDM provider](configure-mdm-provider-microsoft-store-for-business.md)
@ -25,13 +25,17 @@
 ### [Microsoft Store for Business and Education PowerShell module - preview](microsoft-store-for-business-education-powershell-module.md)
 ### [Manage software purchased with Microsoft Products and Services agreement in Microsoft Store for Business](manage-mpsa-software-microsoft-store-for-business.md)
 ### [Working with solution providers in Microsoft Store for Business](work-with-partner-microsoft-store-business.md)
 ## [Billing and payments](billing-payments-overview.md)
 ### [Understand your invoice](billing-understand-your-invoice-msfb.md)
 ### [Payment methods](payment-methods.md)
 ### [Understand billing profiles](billing-profile.md)
 ## [Manage settings in the Microsoft Store for Business and Education](manage-settings-microsoft-store-for-business.md)
 ### [Update account settings](update-microsoft-store-for-business-account-settings.md)
 ### [Manage user accounts ](manage-users-and-groups-microsoft-store-for-business.md)
 ## [Device Guard signing portal](device-guard-signing-portal.md)
 ### [Add unsigned app to code integrity policy](add-unsigned-app-to-code-integrity-policy.md)
 ### [Sign code integrity policy with Device Guard signing](sign-code-integrity-policy-with-device-guard-signing.md)
-## [Manage settings in the Microsoft Store for Business and Education](manage-settings-microsoft-store-for-business.md)
+## [Troubleshoot](troubleshoot-microsoft-store-for-business.md)
-### [Update Microsoft Store for Business and Microsoft Store for Education account settings](update-microsoft-store-for-business-account-settings.md)
+## [Notifications](notifications-microsoft-store-business.md)
-### [Manage user accounts in Microsoft Store for Business and Education](manage-users-and-groups-microsoft-store-for-business.md)
+## [Change history](sfb-change-history.md)
 ## [Troubleshoot Microsoft Store for Business](troubleshoot-microsoft-store-for-business.md)
 ## [Notifications in Microsoft Store for Business and Education](notifications-microsoft-store-business.md)
 ## [Change history for Microsoft Store for Business and Education](sfb-change-history.md)
--- a/store-for-business/billing-payments-overview.md
+++ b/store-for-business/billing-payments-overview.md
@ -0,0 +1,26 @@
 ---
 title: Billing and payments overview
 description: Find topics about billing and payment support in Microsoft Store for Business.
 keywords: billing, payment methods, invoices, credit card, debit card
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: store
 author: TrudyHa
 ms.author: TrudyHa
 ms.topic: conceptual
 ms.localizationpriority: medium
 ms.date: 03/01/2019
 ---
 # Billing and payments
 Access invoices and managed your payment methods.
 ## In this section
 | Topic | Description |
 | ----- | ----------- |
 | [Understand your invoice](billing-understand-your-invoice-msfb.md) | Information about invoices provided by Microsoft Store for Business.  |
 | [Understand billing profiles](billing-profile.md) | Information about billing profiles and how they relate to invoices.  |
 | [Payment methods](payment-methods.md) | Information about managing payment methods.  |
--- a/store-for-business/billing-profile.md
+++ b/store-for-business/billing-profile.md
@ -0,0 +1,43 @@
 ---
 title: Understand billing profiles
 description: Learn how billing profiles support invoices
 keywords: billing profile, invoices, charges, managed charges
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: store
 author: trudyha
 ms.author: TrudyHa
 ms.topic: conceptual
 ms.localizationpriority: medium
 ms.date: 03/01/2019
 ---
 # Understand billing profiles
 For commercial customers purchasing software or hardware products from Microsoft using a Microsoft customer agreement, billing profiles let you customeize what products are included on your invoice, and how you pay your invoices. 
 Billing profiles include:
 - **Payment methods** – Credit cards or check/wire transfer
 - **Contact info** - Billing address and a contact name
 - **Permissions** – Permissions that allow you to change the billing profile, pay bills, or use the payment method on the billing profile to make purchases
 Use billing profiles to control your purchases and customize your invoice. A monthly invoice is generated for the products bought using the billing profile. You can customize the invoice such as update the purchase order number and email invoice preference.
 A billing profile is automatically created for your billing account during your first purchase. You can create new billing profiles to set up additional invoices when you make a purchase. For example, you use different billing profiles when you make purchases for each department in your organization. On your next billing date, you'll receive an invoice for each billing profile. 
 Roles on the billing profiles have permissions to control purchases, and view and manage invoices. Assign these roles to users who track, organize, and pay invoices like members of the procurement team in your organization. 
 ## View billing profile
 **To view billing profiles**
 1. Sign in to [Microsoft Store for Business]( https://businessstore.microsoft.com/), or M365 admin center. 
 2. Select **Manage**, and then select **Billing and payments**. 
 3. Select **Billing profiles**, and then select a billing profile from the list to see details.
    - On **Overview**, you can edit billing profile details, and turn on or off sending an invoice by email.
    - On **Permissions**, you can assign roles to users to pay invoices.
    - On **Azure credit balance**, Azure customers can see transaction balance history for the azure credits used by that billing profile.
    - On **Azure credits**, Azure customers can see a list of Azure credits associated with that billing profile, and their expiration dates.
 ## Need help? Contact us.
 If you have questions or need help with your Azure charges, [create a support request with Azure support](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/newsupportrequest).
 If you have questions or need help with your invoice in Microsoft Store for Business, [create a support request with Store for Business support](https://businessstore.microsoft.com).
--- a/store-for-business/billing-understand-your-invoice-msfb.md
+++ b/store-for-business/billing-understand-your-invoice-msfb.md
@ -0,0 +1,118 @@
 ---
 title: Understand your Microsoft Customer Agreement invoice
 description: Learn how to read and understand your MCA bill
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: store
 author: trudyha
 ms.author: TrudyHa
 ms.topic: conceptual
 ms.localizationpriority: medium
 ms.date: 03/01/2019
 ---
 # Understand your Microsoft Customer Agreement invoice
 The invoice provides a summary of your charges and provides instructions for payment. It’s available for
 download in the Portable Document Format (.pdf) for commercial customers from Microsoft Store for Business [Microsoft Store for Business - Invoice](https://businessstore.microsoft.com/manage/payments-billing/invoices) or can be sent via email. This article applies to invoices generated for a Microsoft Customer Agreement billing account. Check if you have a [Microsoft Customer Agreement](https://businessstore.microsoft.com/manage/organization/agreements).
 ## General invoice information
 Invoices are your bill from Microsoft. A few things to note:
 - **Invoice schedule** - You’re invoiced on a monthly basis. You can find out which day of the month you receive invoices by checking invoice date under billing profile overview in [Microsoft Store for Business](https://businessstore.microsoft.com/manage/payments-billing/billing-profiles). Charges that occur between the end of the billing period and the invoice date are included in the next month's invoice, since they are in the next billing period. The billing period start and end dates for each invoice are listed in the invoice PDF above **Billing Summary**.
 - **Billing profile** - Billing profiles are created during your purchase. Invoices are created for each billing profile. Billing profiles let you customize what products are purchased, how you pay for them, and who can make purchases. For more information, see [Understand billing profiles](billing-profile.md)
 - **Items included** - Your invoice includes total charges for all first and third-party software and hardware products purchased under a Microsoft Customer Agreement. That includes items purchased from Microsoft Store for Business and Azure Marketplace. 
 - **Charges** - Your invoice provides information about products purchased and their related charges and taxes. Purchases are aggregated to provide a concise view of your bill. 
 - **International customers** - Charges on invoices for international customers are converted to their local currencies. Exchange rate information is listed at the bottom of the invoice.
 ## Online invoice
 For Store for Business customers, invoices are also available online. A few things to note:
 - **Link to online invoice** - Available from your PDF invoice, and from an email notification.
 - **Invoice details** - Expandable view of the charges on your invoice, so you can see more details for each item.
 - **Pricing details** - Additional information including discounting and pricing details.
 - **Pay online** - Option to make a payment online from the invoice. 
 - **Azure cost management** - For Azure customers, online invoices include a link to Azure cost management. 
 **To view your online invoice**
 1. Sign in to [Microsoft Store for Business]( https://businessstore.microsoft.com/). 
 2. Select **Manage**, and then select **Billing and payments**. 
 3. Select an invoice from the list to view your online invoice. 
 ## Detailed terms and descriptions of your invoice
 The following sections list the important terms that you see on your
 invoice and descriptions for each term.
 ### Understand the invoice summary
 The **Invoice Summary** is on the top of the first page and shows information about your billing profile and how you pay.
 ![Invoice summary section](images/invoicesummary.png)
 | Term | Description |
 | --- | --- |
 | Sold to |Address of your legal entity, found in billing account properties|
 | Bill to |Billing address of the billing profile receiving the invoice, found in billing profile properties|
 | Billing Profile |The name of the billing profile receiving the invoice |
 | P.O. number |An optional purchase order number, assigned by you for tracking |
 | Invoice number |A unique, Microsoft-generated invoice number used for tracking purposes |
 | Invoice date |Date that the invoice is generated, typically five to 12 days after end of the Billing cycle. You can check your invoice date in billing profile properties.|
 | Payment terms |How you pay for your Microsoft bill. *Net 30 days* means you pay by check or wire transfer within 30 days of the invoice date. |
 ### Understand the billing summary
 The **Billing Summary**  shows the charges against the billing profile since the previous billing period, any credits that were applied, tax, and the total amount due.
 ![Billing summary section](images/billingsummary.png)
 | Term | Description |
 | --- | --- |
 | Charges|Total number of Microsoft charges for this billing profile since the last billing period |
 | Credits |Credits you received from returns |
 | Azure credits applied |Your Azure credits that are automatically applied to Azure charges each billing period |
 | Subtotal |The pre-tax amount due |
 | Tax |The type and amount of tax that you pay, depending on the country of your billing profile. If you don't have to pay tax, then you won't see tax on your invoice. |
 | Estimated total savings |The estimated total amount you saved from effective discounts. If applicable, effective discount rates are listed beneath the purchase line items in Details by Invoice Section. |
 ### Understand your charges
 You'll see the charges, tax, and the total amount due. Azure customers will also see the amount of Azure credits applied. 
 `Total = Charges - Azure Credit + Tax`
 The details show the cost broken down by product order name. For Azure customers, this might be organized by invoice section. For more information about how invoice sections are used with Azure products, see [Understand invoice sections](https://review.docs.microsoft.com/azure/billing/billing-mca-overview?branch=release-modern-billing#understand-invoice-sections). 
 Within each product order, cost is broken down by service family.
 The total amount due for each service family is calculated by subtracting Azure credits from credits/charges and adding tax:
 `Total = Charges/Credits - Azure Credit + Tax`
 ![Details by invoice section](images/invoicesectiondetails.png)
 | Term |Description |
 | --- | --- |
 | Unit price | The effective unit price of the service (in pricing currency) that is used to the rate the usage. This is unique for a product, service family, meter, and offer. |
 | Qty | Quantity purchased or consumed during the billing period |
 | Charges/Credits | Net amount of charges after credits/refunds are applied |
 | Azure Credit | The amount of Azure credits applied to the Charges/Credits|
 | Tax rate | Tax rate(s) depending on country |
 | Tax amount | Amount of tax applied to purchase based on tax rate |
 | Total | The total amount due for the purchase |
 ### How to pay
 At the bottom of the invoice, there are instructions for paying your bill. You can pay by check, wire, or online. If you pay online, you can use a credit/debit card or Azure credits, if applicable.
 ### Publisher information
 If you have third-party services in your bill, the name and address of each publisher is listed at the bottom of your invoice.
 ### Exchange rate
 If prices were converted to your local currency, the exchange rates are listed in this section at the bottom of the invoice. All Azure charges are priced in USD and third-party services are priced in the seller's currency.
 ## Next steps
 If there are Azure charges on your invoice that you would like more details on, see [Understand the Azure charges on your Microsoft Customer Agreement invoice](https://review.docs.microsoft.com/en-us/azure/billing/billing-understand-your-invoice-mca?branch=release-modern-billing).
 ## Need help? Contact us.
 If you have questions or need help with your Azure charges, [create a support request with Azure support](https://portal.azure.com/#blade/Microsoft_Azure_Support/HelpAndSupportBlade/newsupportrequest).
 If you have questions or need help with your invoice in Microsoft Store for Business, [create a support request with Store for Business support](https://businessstore.microsoft.com).
--- a/store-for-business/images/billing-acct-roles.png
+++ b/store-for-business/images/billing-acct-roles.png
--- a/store-for-business/images/billingsummary.png
+++ b/store-for-business/images/billingsummary.png
--- a/store-for-business/images/invoicesectiondetails.png
+++ b/store-for-business/images/invoicesectiondetails.png
--- a/store-for-business/images/invoicesummary.png
+++ b/store-for-business/images/invoicesummary.png
--- a/store-for-business/images/purchasing-roles.png
+++ b/store-for-business/images/purchasing-roles.png
--- a/store-for-business/manage-settings-microsoft-store-for-business.md
+++ b/store-for-business/manage-settings-microsoft-store-for-business.md
@ -10,7 +10,7 @@ author: TrudyHa
 ms.author: TrudyHa
 ms.topic: conceptual
 ms.localizationpriority: medium
-ms.date: 10/17/2017
+ms.date: 2/19/2018
 ---
 # Manage settings for Microsoft Store for Business and Education
@ -28,5 +28,6 @@ You can add users and groups, as well as update some of the settings associated
 | ----- | ----------- |
 | [Update Microsoft Store for Business and Education account settings](update-microsoft-store-for-business-account-settings.md) | **Billing - Account profile**  in Microsoft Store for Business shows information about your organization that you can update. Payment options can be managed on **Billing - Payment methods**, and offline license settings can be managed on **Settings - Shop**. |
 | [Manage user accounts in Microsoft Store for Business and Education](manage-users-and-groups-microsoft-store-for-business.md) | Microsoft Store for Business manages permissions with a set of roles. You can [assign these roles to individuals in your organization](roles-and-permissions-microsoft-store-for-business.md) and to groups.|
 | [Understand your invoice](billing-understand-your-invoice-msfb.md) | Information on invoices for products and services bought under the Microsoft Customer Agreement.|
--- a/store-for-business/payment-methods.md
+++ b/store-for-business/payment-methods.md
@ -0,0 +1,51 @@
 ---
 title: Payment methods for commercial customers
 description: Learn what payment methods are available in Store for Business and M365 admin center
 keywords: payment method, credit card, debit card, add credit card, update payment method
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
 ms.pagetype: store
 author: trudyha
 ms.author: TrudyHa
 ms.topic: conceptual
 ms.localizationpriority: medium
 ms.date: 03/01/2019
 ---
 # Payment methods
 You can purchase products and services from Microsoft Store for Business using your credit card. You can enter your credit card information on **Payment methods**, or when you purchase an app. We currently accept these credit cards:
 - VISA
 - MasterCard
 - Discover
 - American Express
 - Japan Commercial Bureau (JCB)
 > [!NOTE]
 > Not all cards available in all countries. When you add a payment option, Microsoft Store for Business shows which cards are available in your region.
 ## Add a payment method
 **To add a new payment option**
 1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com) or [Store for Education](https://educationstore.microsoft.com).
 2. Select **Manage**, select **Billing & payments**, and then select **Payments methods**.
 3. Select **Add a payment options**, and then select the type of credit card that you want to add.
 4. Add information to required fields, and then select **Add**.
 Once you select **Add**, the information you provided will be validated with a test authorization transaction and, if validated, the payment option will be added to your list of available payment options. Otherwise, you will be prompted for additional information or notified if there are any issues.
 > [!NOTE]
 > When adding credit or debit cards, you may be prompted to enter a CVV. The CVV is only used for verification purposes and is not stored in our systems after validation.
 ## Edit payment method
 **To update a payment option**
 1. Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com) or [Store for Education](https://educationstore.microsoft.com).
 2. Click **Manage**, click **Billing & payments**, and then click **Payments methods**.
 3. Select the payment option that you want to update, select the ellipses, and then choose **Edit payment method**.
 4. Enter any updated information in the appropriate fields, and then se;ect**Save**.
 Once you click **Update**, the information you provided will be validated with a test authorization transaction and, if validated, the payment option will be added to your list of available payment options. Otherwise, you will be prompted for additional information or notified if there are any problems.
 > [!NOTE]
 > Certain actions, like updating or adding a payment option, require temporary “test authorization” transactions to validate the payment option. These may appear on your statement as $0.00 authorizations or as small pending transactions. These transactions are temporary and should not impact your account unless you make several changes in a short period of time, or have a low balance.
--- a/store-for-business/roles-and-permissions-microsoft-store-for-business.md
+++ b/store-for-business/roles-and-permissions-microsoft-store-for-business.md
@ -1,6 +1,7 @@
 ---
 title: Roles and permissions in Microsoft Store for Business and Education (Windows 10)
 description: The first person to sign in to Microsoft Store for Business or Microsoft Store for Education must be a Global Admin of the Azure Active Directory (AD) tenant. Once the Global Admin has signed in, they can give permissions to others employees.
 keywords: roles, permissions
 ms.assetid: CB6281E1-37B1-4B8B-991D-BC5ED361F1EE
 ms.prod: w10
 ms.mktglfcycl: manage
@ -10,17 +11,10 @@ author: TrudyHa
 ms.author: TrudyHa
 ms.topic: conceptual
 ms.localizationpriority: medium
-ms.date: 8/7/2018
+ms.date: 03/01/2019
 ---
 # Roles and permissions in Microsoft Store for Business and Education
 **Applies to**
 -   Windows 10
 -   Windows 10 Mobile
 The first person to sign in to Microsoft Store for Business or Microsoft Store for Education must be a Global Admin of the Azure Active Directory (AD) tenant. Once the Global Admin has signed in, they can give permissions to others employees.
 Microsoft Store for Business and Education has a set of roles that help admins and employees manage access to apps and tasks for Microsoft Store. Employees with these roles will need to use their Azure AD account to access the Store. Global Administrators and global user accounts that are used with other Microsoft services, such as Azure, or Office 365 can sign in to Microsoft Store. Global user accounts have some permissions in Microsoft Store, and Microsoft Store has a set of roles that help IT admins and employees manage access to apps and tasks for Microsoft Store.
@ -33,69 +27,60 @@ This table lists the global user accounts and the permissions they have in Micro
 | ------------------------------ | --------------------- | --------------------- |
 | Sign up for Microsoft Store for Business and Education |  X                    |
 | Modify company profile settings | X                    |                       |
-| Acquire apps                   |  X                    | X                     |
+| Purchase apps                   |  X                    | X                     |
 | Distribute apps                |  X                    | X                     |
 | Purchase subscription-based software  |  X             | X                     |
-   **Global Administrator** - IT Pros with this account have full access to Microsoft Store. They can do everything allowed in the Microsoft Store Admin role, plus they can sign up for Microsoft Store.
+**Global Administrator** - IT Pros with this account have full access to Microsoft Store. They can do everything allowed in the Microsoft Store Admin role, plus they can sign up for Microsoft Store.
-   **Billing Administrator** - IT Pros with this account have the same permissions as Microsoft Store Purchaser role.
+**Billing Administrator** - IT Pros with this account have the same permissions as Microsoft Store Purchaser role.
-## Microsoft Store roles and permissions
+## Billing account roles and permissions
-
+There are a set of roles, managed at your billing account level, that help IT admins and employees manage access to and tasks for Microsoft Store. Employees with these roles will need to use their Azure AD account to access Microsoft Store for Business.
 Microsoft Store for Business has a set of roles that help IT admins and employees manage access to apps and tasks for Microsoft Store. Employees with these roles will need to use their Azure AD account to access Microsoft Store.
 This table lists the roles and their permissions.
-|                                |  Admin | Purchaser | Device Guard signer |
+|      Role               |  Buy from<br /><br /> Microsoft Store | Assign<br /><br /> roles | Edit<br /><br /> account | Sign<br /><br /> agreements | View<br /><br /> account |
-| ------------------------------ | ------ | --------  | ------------------- |
+| ------------------------| ------ | --------  | ------ | -------| -------- |
-| Assign roles                   | X      |           |                     |
+| Billing account owner   | X      |   X       | X      | X      | X        |
-| Manage Microsoft Store for Business and Education settings |  X |           |                     |
+| Billing account contributor |       |          | X      | X      | X    |
-| Acquire apps                   | X      | X         |                     |
+| Billing account reader  |       |          |       |       | X        |
-| Distribute apps                | X      | X         |                     |
+| Signatory              |       |         |      | X      | X        |
 | Sign policies and catalogs     | X      |           |                     |
 | Sign Device Guard changes      | X      |           |  X                   |
 <!---
 These permissions allow people to:
-
+-   **Edit account**:
 -   **Manage Microsoft Store settings**:
    -   Account information (view only)
    -   Device Guard signing
    -   LOB publishers
    -   Management tools
    -   Offline licensing
    -   Permissions
    -   Private store
 -   **Acquire apps** - Acquire apps from Microsoft Store and add them to your inventory.
 -   **Distribute apps** - Distribute apps that are in your inventory. 
    - Admins can assign apps to people, add apps to the private store, or use a management tool.
-    - Purchasers can assign apps to people. 
+    - Purchasers can assign apps to people.
    --> 
 ## Purchasing roles and permissions
 There are also a set of roles for purchasing and managing items bought. 
 This table lists the roles and their permissions.
 |      Role   |  Buy from<br /><br /> Microsoft Store | Manage all items | Manage items<br /><br /> I buy |
 | ------------| ------ | --------  | ------ |
 | Purchaser   | X      |   X       |      |
 | Basic purchaser |  X     |          | X      |
 ## Assign roles
 **To assign roles to people**
-1.  Sign in to Microsoft Store for Business or Microsoft Store for Education.
+1.  Sign in to [Microsoft Store for Business](https://businessstore.microsoft.com).
    >[!Note]
-    >You need to be a Global Administrator, or have the Microsoft Store Admin role to access the **Permissions** page. 
+    >You need to be a Global Administrator, or have the Billing account owner role to access **Permissions**. 
-    To assign roles, you need to be a Global Administrator or a Store Administrator.
+2.  Select **Manage**, and then select **Permissions**.
-
+3.  On **Roles**, or **Purchasing roles**, select **Assing roles**. 
-2.  Click **Settings**, and then choose **Permissions**.
+4.  Enter a name, choose the role you want to assign, and select **Save**.
-
+    If you don't find the name you want, you might need to add people to your Azure AD directory. For more information, see [Manage user accounts](manage-users-and-groups-microsoft-store-for-business.md).
    OR
    Click **Manage**, and then click **Permissions** on the left-hand menu.
    <!--- ![Image showing Permissions page in Microsoft Store for Business.](images/wsfb-settings-permissions.png) -->
 3.  Click **Add people**, type a name, choose the role you want to assign, and click **Save** .
    <!--- ![Image showing Assign roles to people box in Microsoft Store for Business.](images/wsfb-permissions-assignrole.png) -->
 4.  If you don't find the name you want, you might need to add people to your Azure AD directory. For more information, see [Manage user accounts in Microsoft Store for Business and Education](manage-users-and-groups-microsoft-store-for-business.md).
--- a/store-for-business/settings-reference-microsoft-store-for-business.md
+++ b/store-for-business/settings-reference-microsoft-store-for-business.md
@ -10,23 +10,17 @@ author: TrudyHa
 ms.author: TrudyHa
 ms.topic: conceptual
 ms.localizationpriority: medium
-ms.date: 11/01/2017
+ms.date: 03/01/2019
 ---
 # Settings reference: Microsoft Store for Business and Education
 **Applies to**
 -   Windows 10
 -   Windows 10 Mobile
 The Microsoft Store for Business and Education has a group of settings that admins use to manage the store.
 | Setting              | Description  | Location under **Manage** |
 | -------              | -----------  | ------------------------------ |
-| Account information  | Manage organization information. For more information, see [Manage settings for the Microsoft Store for Business and Education](update-microsoft-store-for-business-account-settings.md).| **Billing - Account profile** |
+| Billing account information  | Manage organization information. For more information, see [Manage settings for the Microsoft Store for Business and Education](update-microsoft-store-for-business-account-settings.md).| **Billing accounts** |
-| Payment options  | Manage payment options. For more information, see [Manage settings for the Microsoft Store for Business and Education](update-microsoft-store-for-business-account-settings.md#payment-options).| **Billing - Payment methods** |
+| Payment options  | Manage payment options. For more information, see [Manage settings for the Microsoft Store for Business and Education](payment-methods.md).| **Billing & payments - Payment methods** |
 | Private store | Update the name for your private store. The new name will be displayed on a tab in the Store. For more information, see [Manage private store settings](manage-private-store-settings.md). | **Settings - Distribute** |
 | Offline licensing  | Configure whether or not to make offline-licensed apps available in the Microsoft Store for Business and Education. For more information, see [Distribute offline apps](distribute-offline-apps.md). | **Settings - Shop** |
 | Allow users to shop  | Configure whether or not people in your organization or school can see and use the shop function in Store for Business or Store for Education. For more information, see [Allow users to shop](acquire-apps-microsoft-store-for-business.md#allow-users-to-shop). | **Settings - Shop** |
@ -34,5 +28,5 @@ The Microsoft Store for Business and Education has a group of settings that admi
 | App request | Configure whether or not people in your organization can request apps for admins to purchase. For more information, see [Distribute offline apps](acquire-apps-microsoft-store-for-business.md). | **Settings - Distribute** |
 | Management tools | Management tools that are synced with Azure AD are listed on this page. You can choose one to use for managing app updates and distribution. For more information, see [Configure MDM provider](configure-mdm-provider-microsoft-store-for-business.md). | **Settings - Distribute** |
 | Device Guard signing | Use the Device Guard signing portal to add unsigned apps to a code integrity policy, or to sign code integrity policies. For more information, see [Device Guard signing portal](device-guard-signing-portal.md). | **Settings - Devices**  |
-| Permissions   | Manage permissions for your employees. For more information, see [Roles and permissions in the Microsoft Store for Business and Education](roles-and-permissions-microsoft-store-for-business.md). | **Permissions - Roles** and **Permissions - Blocked basic purchasers** |
+| Permissions   | Manage permissions for your employees. For more information, see [Roles and permissions in the Microsoft Store for Business and Education](roles-and-permissions-microsoft-store-for-business.md). | **Permissions - Roles**, **Permissions - Purchasing roles**, and **Permissions - Blocked basic purchasers** |
 | Line-of-business (LOB) publishers  | Invite devs to become LOB publishers for your organization. Existing LOB publishers are listed on the page, and you can deactivate or invite them again. For more information, see [Work with line-of-business apps](working-with-line-of-business-apps.md). | **Permissions - Line-of-business apps** |
--- a/store-for-business/update-microsoft-store-for-business-account-settings.md
+++ b/store-for-business/update-microsoft-store-for-business-account-settings.md
@ -1,6 +1,7 @@
 ---
-title: Update Microsoft Store for Business and Microsoft Store for Education account settings (Windows 10)
+title: Update Microsoft Store for Business and Microsoft Store for Education billing account settings (Windows 10)
-description: The Account information page in Microsoft Store for Business and Microsoft Store for Education shows information about your organization that you can update, including country or region, organization name, default domain, and language preference.
+description: The billing account page in Microsoft Store for Business and Microsoft Store for Education shows information about your organization that you can update, including country or region, organization contact info, agreements with Microsoft and admin approvals.
 keywords: billing accounts, organization info
 ms.prod: w10
 ms.mktglfcycl: manage
 ms.sitesec: library
@ -9,17 +10,16 @@ author: TrudyHa
 ms.author: TrudyHa
 ms.topic: conceptual
 ms.localizationpriority: medium
-ms.date: 10/17/2017
+ms.date: 03/01/2019
 ---
 # Update Microsoft Store for Business and Microsoft Store for Education account settings
 A billing account contains defining information about your organization. 
-**Applies to**
+>[!NOTE]
 >Billing accounts are available in Microsoft Store for Business, and M365 admin center preview. For more infomation, see [aka.ms/aboutM365preview](https://aka.ms/aboutM365preview).
-   Windows 10
+The **Billing account** page allows you to manage organization information, purchasing agreements that you have with Microsoft, and admin approvals. The organization information and payment options are required before you can shop for products that have a price.
 -   Windows 10 Mobile
 The **Payments & billing** page in Microsoft Store for Business allows you to manage organization information, billing information, and payment options. The organization information and payment options are required before you can acquire apps that have a price.
 ## Organization information
@ -27,17 +27,19 @@ We need your business address, email contact, and tax-exemption certificates tha
 ### Business address and email contact
-Before purchasing apps that have a fee, you need to add or update your organization's business address, and contact email address.
+Before purchasing apps that have a fee, you need to add or update your organization's business address, contact email address, and contact name.
 We use the Business address to calculate sales tax. If your organization's address has already been entered for other commercial purchases through Microsoft Store, or through other online purchases such as Office 365 or Azure subscriptions, then we’ll use the same address in Microsoft Store for Business and Microsoft Store for Education. If we don’t have an address, we’ll ask you to enter it during your first purchase.
 We need an email address in case we need to contact you about your Microsoft Store for Business and for Education account. This email account should reach the admin for your organization’s Office 365 or Azure AD tenant that is used with Microsoft Store.
-**To update Organization information**
+**To update billing account information**
 1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com)
-2. Click **Manage**, click **Billing**, **Account profile**, and then click **Edit**.
+2. Select **Manage**, and then select  **Billing accounts**.
 3. On **Overview**, select **Edit billing account information**.
 4. Make your updates, and then select **Save**. 
-## Organization tax information
+### Organization tax information
 Taxes for Microsoft Store for Business purchases are determined by your business address. Businesses in these countries can provide their VAT number or local equivalent:
 - Austria
 - Belgium
@ -72,7 +74,7 @@ Taxes for Microsoft Store for Business purchases are determined by your business
 - Switzerland
 - United Kingdom
-These countries can provide their VAT number or local equivalent in **Payments & billing**.
+These countries can provide their VAT number or local equivalent on their **Billing account** information.
 |Market| Tax identifier |
 |------|----------------|
@ -90,7 +92,7 @@ If you qualify for tax-exempt status in your market, start a service request to
 **To start a service request**
 1.  Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com).
-2.	Click **Manage**, click **Support**, and then under **Store settings & configuration** click **Create technical support ticket**.
+2.	Select **Manage**, click **Support**, and then under **Store settings & configuration** select **Create technical support ticket**.
 You’ll need this documentation:
@ -101,7 +103,6 @@ You’ll need this documentation:
 | Ireland | 13B/56A Tax Exemption Certificate|
 | International organizations that hold tax exaemption | Certification / letter confirmation from local tax authorities |
 ### Calculating tax
 Sales taxes are calculated against the unit price, and then aggregated.
@ -113,41 +114,15 @@ For example:<br>
 ($1.29 X .095) X 100 = $12.25
-## Payment options
+## Agreements
-You can purchase apps from Microsoft Store for Business using your credit card. You can enter your credit card information on Account Information, or when you purchase an app. We currently accept these credit cards:
+Each billing account inculdes access to the purchasing agreements your organization has signed with Microsoft. This could include:
-1. VISA
+- Microsoft Enterprise Agreement
-2. MasterCard
+- Select agreements
-3. Discover
+- Open agreements
-4. American Express
+- Microsoft customer agreement
 5. Japan Commercial Bureau (JCB)
-> [!NOTE]
+If you there is an updated version of the Microsoft customer agreement for you to sign, you'll be prompted to on **Agreements**, or during a purchase. 
-> Not all cards available in all countries. When you add a payment option, Microsoft Store for Business shows which cards are available in your region.
+<!--- ## Offline licensing
 **To add a new payment option**
 1. Sign in to the [Store for Business](https://businessstore.microsoft.com) or [Store for Education](https://educationstore.microsoft.com).
 2. Click **Manage**, click **Billing**, and then click **Payments methods**.
 3. Click **Add a payment options**, and then select the type of credit card that you want to add.
 4. Add information to required fields, and then click **Next**.
 Once you click Next, the information you provided will be validated with a test authorization transaction and, if validated, the payment option will be added to your list of available payment options. Otherwise, you will be prompted for additional information or notified if there are any problems.
 > [!NOTE]
 > When adding credit or debit cards, you may be prompted to enter a CVV. The CVV is only used for verification purposes and is not stored in our systems after validation.
 **To update a payment option**
 1. Sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com) or [Microsoft Store for Education](https://educationstore.microsoft.com).
 2. Click **Manage**, click **Billing**, and then click **Payments methods**.
 3. Select the payment option that you want to update, and then click **Update**.
 4. Enter any updated information in the appropriate fields, and then click **Next**.
 Once you click **Next**, the information you provided will be validated with a test authorization transaction and, if validated, the payment option will be added to your list of available payment options. Otherwise, you will be prompted for additional information or notified if there are any problems.
 > [!NOTE]
 > Certain actions, like updating or adding a payment option, require temporary “test authorization” transactions to validate the payment option. These may appear on your statement as $0.00 authorizations or as small pending transactions. These transactions are temporary and should not impact your account unless you make several changes in a short period of time, or have a low balance.
 ## Offline licensing
 Offline licensing is a new licensing option for Windows 10. With offline licenses, organizations can cache apps and their licenses to deploy within their network. ISVs or devs can opt-in their apps for offline licensing when they submit them to the developer center. Only apps that are opted in to offline licensing will show that they are available for offline licensing in Microsoft Store for Business. This model means organizations can deploy apps when users or devices do not have connectivity to the Store. For more information on Microsoft Store for Business licensing model, see [licensing model](https://docs.microsoft.com/microsoft-store/apps-in-microsoft-store-for-business#licensing-model).
@ -162,4 +137,4 @@ Admins can decide whether or not offline licenses are shown for apps in Microsof
 You have the following distribution options for offline-licensed apps:
 - Include the app in a provisioning package, and then use it as part of imaging a device.
 - Distribute the app through a management tool.
-For more information, see [Distribute apps to your employees from Microsoft Store for Business](distribute-apps-with-management-tool.md).
+For more information, see [Distribute apps to your employees from Microsoft Store for Business](distribute-apps-with-management-tool.md). -->
--- a/windows/security/identity-protection/access-control/local-accounts.md
+++ b/windows/security/identity-protection/access-control/local-accounts.md
@ -12,16 +12,17 @@ manager: dansimp
 ms.collection: M365-identity-device-management
 ms.topic: article
 ms.localizationpriority: medium
-ms.date: 12/10/2018
+ms.date: 02/28/2019
 ---
 # Local Accounts
 **Applies to**
 -   Windows 10
 -   Windows Server 2019
 -   Windows Server 2016
-This reference topic for the IT professional describes the default local user accounts for servers, including how to manage these built-in accounts on a member or standalone server. This topic does not describe the default local user accounts for an Active Directory domain controller.
+This reference topic for IT professionals describes the default local user accounts for servers, including how to manage these built-in accounts on a member or standalone server. 
 ## <a href="" id="about-local-user-accounts-"></a>About local user accounts
@ -37,6 +38,8 @@ This topic describes the following:
    -   [HelpAssistant account (installed by using a Remote Assistance session)](#sec-helpassistant)
    -   [DefaultAccount](#defaultaccount)
 -   [Default local system accounts](#sec-localsystem)
 -   [How to manage local accounts](#sec-manage-accounts)
@ -53,42 +56,29 @@ For information about security principals, see [Security Principals](security-pr
 ## <a href="" id="sec-default-accounts"></a>Default local user accounts
 The default local user accounts are built-in accounts that are created automatically when you install Windows. 
-The default local user accounts are built-in accounts that are created automatically when you install the Windows Server operating system on a stand-alone server or member server. The **Applies To** list at the beginning of this article designates the Windows operating systems to which this topic applies.
+After Windows is installed, the default local user accounts cannot be removed or deleted. In addition, default local user accounts do not provide access to network resources.
 After the Windows Server operating system is installed, the default local user accounts cannot be removed or deleted. In addition, default local user accounts do not provide access to network resources.
 Default local user accounts are used to manage access to the local server’s resources based on the rights and permissions that are assigned to the account. The default local user accounts, and the local user accounts that you create, are located in the Users folder. The Users folder is located in the Local Users and Groups folder in the local Computer Management Microsoft Management Console (MMC). Computer Management is a collection of administrative tools that you can use to manage a single local or remote computer. For more information, see [How to manage local accounts](#sec-manage-accounts) later in this topic.
-The default local user accounts that are provided include the Administrator account, Guest account and HelpAssistant account. Each of these default local user accounts is described in the following sections.
+Default local user accounts are described in the following sections.
 ### <a href="" id="sec-administrator"></a>Administrator account
-The default local Administrator account is a user account for the system administrator. Every computer has an Administrator account (SID S-1-5-*domain*-500, display name Administrator). The Administrator account is the first account that is created during the installation for all Windows Server operating systems, and for Windows client operating systems.
+The default local Administrator account is a user account for the system administrator. Every computer has an Administrator account (SID S-1-5-*domain*-500, display name Administrator). The Administrator account is the first account that is created during the Windows installation.
-For Windows Server operating systems, the Administrator account gives the user full control of the files, directories, services, and other resources that are under the control of the local server. The Administrator account can be used to create local users, and assign user rights and access control permissions. The Administrator account can also be used take control of local resources at any time simply by changing the user rights and permissions.
+The Administrator account has full control of the files, directories, services, and other resources on the local computer. The Administrator account can create other local users, assign user rights, and assign permissions. The Administrator account can take control of local resources at any time simply by changing the user rights and permissions.
 The default Administrator account cannot be deleted or locked out, but it can be renamed or disabled.
-The default Administrator account is initially installed differently for Windows Server operating systems, and the Windows client operating systems. The following table provides a comparison.
+In Windows 10 and Windows Server 20016, Windows setup disables the built-in Administrator account and creates another local account that is a member of the Administrators group. Members of the Administrators groups can run apps with elevated permissions without using the **Run as Administrator** option. Fast User Switching is more secure than using Runas or different-user elevation.  
 | Default restriction | Windows Server operating systems | Windows client operating systems |
 |---------------------|----------------------------------|----------------------------------|
 | Administrator account is disabled on installation | No | Yes |
 | Administrator account is set up on first sign-in | Yes | No, keep disabled |
 | Administrator account is used to set up the local server or client computer | Yes | No, use a local user account with **Run as administrator** to obtain administrative rights |
 | Administrator account requires a strong password when it is enabled | Yes | Yes |
 | Administrator account can be disabled, locked out, or renamed | Yes | Yes |
 In summary, for Windows Server operating systems, the Administrator account is used to set up the local server only for tasks that require administrative rights. The default Administrator account is set up by using the default settings that are provided on installation. Initially, the Administrator account is not associated with a password. After installation, when you first set up Windows Server, your first task is to set up the Administrator account properties securely. This includes creating a strong password and securing the **Remote control** and **Remote Desktop Services Profile** settings. You can also disable the Administrator account when it is not required.
 In comparison, for the Windows client operating systems, the Administrator account has access to the local system only. The default Administrator account is initially disabled by default, and this account is not associated with a password. It is a best practice to leave the Administrator account disabled. The default Administrator account is considered only as a setup and disaster recovery account, and it can be used to join the computer to a domain. When administrator access is required, do not sign in as an administrator. You can sign in to your computer with your local (non-administrator) credentials and use **Run as administrator**.
 **Account group membership**
 By default, the Administrator account is installed as a member of the Administrators group on the server. It is a best practice to limit the number of users in the Administrators group because members of the Administrators group on a local server have Full Control permissions on that computer.
-The Administrator account cannot be deleted or removed from the Administrators group, but it can be renamed or disabled.
+The Administrator account cannot be deleted or removed from the Administrators group, but it can be renamed.
 **Security considerations**
@ -122,53 +112,78 @@ By default, the Guest account is the only member of the default Guests group (SI
 **Security considerations**
-When an administrator enables the Guest account, it is a best practice to create a strong password for this account. In addition, the administrator on the computer should also grant only limited rights and permissions for the Guest account. For security reasons, the Guest account should not be used over the network and made accessible to other computers.
+When enabling the Guest account, only grant limited rights and permissions. For security reasons, the Guest account should not be used over the network and made accessible to other computers.
 When a computer is shutting down or starting up, it is possible that a guest user or anyone with local access could gain unauthorized access to the computer. To help prevent this risk, do not grant the Guest account the [Shut down the system](/windows/device-security/security-policy-settings/shut-down-the-system) user right.
 In addition, the guest user in the Guest account should not be able to view the event logs. After the Guest account is enabled, it is a best practice to monitor the Guest account frequently to ensure that other users cannot use services and other resources, such as resources that were unintentionally left available by a previous user.
 ### <a href="" id="sec-helpassistant"></a>HelpAssistant account (installed by using a Remote Assistance session)
-The default HelpAssistant account is enabled when a Windows Remote Assistance session is run. The Windows Remote Assistance session can be used to connect from the server to another computer running the Windows operating system. For solicited remote assistance, a user initiates a Windows Remote Assistance session, and it is initiated by invitation. For solicited remote assistance, a user sends an invitation from their computer, through e-mail or as a file, to a person who can provide assistance.
+### DefaultAccount
-After the user’s invitation for a Windows Remote Assistance session is accepted, the default HelpAssistant account is automatically created. The HelpAssistant account provides limited access to the computer to the person who provides assistance. The HelpAssistant account is managed by the Remote Desktop Help Session Manager service. The HelpAssistant account is automatically deleted after there are no Remote Assistance requests are pending.
+The DefaultAccount, also known as the Default System Managed Account (DSMA), is a built-in account introduced in Windows 10 version 1607 and Windows Server 2016. 
 The DMSA is a well-known user account type. 
 It is a user neutral account that can be used to run processes that are either multi-user aware or user-agnostic. 
 The DMSA is disabled by default on the desktop SKUs (full windows SKUs) and WS 2016 with the Desktop. 
-The security identifiers (SIDs) that pertain to the default HelpAssistant account include:
+The DMSA has a well-known RID of 503. The security identifier (SID) of the DMSA will thus have a well-known SID in the following format: S-1-5-21-<ComputerIdentifier>-503 
-   SID: S-1-5-13, display name Terminal Server User. This group includes all users who sign in to a server with Remote Desktop Services enabled.
+The DMSA is a member of the well-known group **System Managed Accounts Group**, which has a well-known SID of S-1-5-32-581. 
-   SID: S-1-5-14, display name Remote Interactive Logon. This group includes all users who sign in to the computer by using Remote Desktop Connection. This group is a subset of the Interactive group. Access tokens that contain the Remote Interactive Logon SID also contain the Interactive SID.
+The DMSA alias can be granted access to resources during offline staging even before the account itself has been created. The account and the group are created during first boot of the machine within the Security Accounts Manager (SAM).
-For the Windows Server operating system, Remote Assistance is an optional component that is not installed by default. You must install Remote Assistance before it can be used.
+#### How Windows uses the DefaultAccount
 From a permission perspective, the DefaultAccount is a standard user account. 
 The DefaultAccount is needed to run multi-user-manifested-apps (MUMA apps). 
 MUMA apps run all the time and react to users signing in and signing out of the devices. 
 Unlike Windows Desktop where apps run in context of the user and get terminated when the user signs off, MUMA apps run by using the DSMA. 
-In comparison, for the Windows client operating system, the HelpAssistant account is enabled on installation by default.
+MUMA apps are functional in shared session SKUs such as Xbox. For example, Xbox shell is a MUMA app. 
 Today, Xbox automatically signs in as Guest account and all apps run in this context. 
 All the apps are multi-user-aware and respond to events fired by user manager. 
 The apps run as the Guest account.
 Similarly, Phone auto logs in as a “DefApps” account which is akin to the standard user account in Windows but with a few extra privileges. Brokers, some services and apps run as this account. 
 In the converged user model, the multi-user-aware apps and multi-user-aware brokers will need to run in a context different from that of the users. 
 For this purpose, the system creates DSMA. 
 #### How the DefaultAccount gets created on domain controllers
 If the domain was created with domain controllers that run Windows Server 2016, the DefaultAccount will exist on all domain controllers in the domain.
 If the domain was created with domain controllers that run an earlier version of Windows Server, the DefaultAccount will be created after the PDC Emulator role is transferred to a domain controller that runs Windows Server 2016. The DefaultAccount will then be replicated to all other domain controllers in the domain.
 #### Recommendations for managing the Default Account (DSMA)
 Microsoft does not recommend changing the default configuration, where the account is disabled. There is no security risk with having the account in the disabled state. Changing the default configuration could hinder future scenarios that rely on this account.
 ## <a href="" id="sec-localsystem"></a>Default local system accounts
 ### SYSTEM
 The SYSTEM account is used by the operating system and by services that run under Windows. There are many services and processes in the Windows operating system that need the capability to sign in internally, such as during a Windows installation. The SYSTEM account was designed for that purpose, and Windows manages the SYSTEM account’s user rights. It is an internal account that does not show up in User Manager, and it cannot be added to any groups. 
-The system account and the Administrator account of the Administrators group have the same file rights and permissions, but they have different functions. The system account is used by the operating system and by services that run under Windows. There are many services and processes in the Windows operating system that need the capability to sign in internally, such as during a Windows installation. The system account was designed for that purpose. It is an internal account that does not show up in User Manager, it cannot be added to any groups, and it cannot have user rights assigned to it.
+On the other hand, the SYSTEM account does appear on an NTFS file system volume in File Manager in the **Permissions** portion of the **Security** menu. By default, the SYSTEM account is granted Full Control permissions to all files on an NTFS volume. Here the SYSTEM account has the same functional rights and permissions as the Administrator account.
 On the other hand, the system account does appear on an NTFS file system volume in File Manager in the **Permissions** portion of the **Security** menu. By default, the system account is granted Full Control permissions to all files on an NTFS volume. Here the system account has the same functional rights and permissions as the Administrator account.
 **Note**  
-To grant the account Administrators group file permissions does not implicitly give permission to the system account. The system account's permissions can be removed from a file, but we do not recommend removing them.
+To grant the account Administrators group file permissions does not implicitly give permission to the SYSTEM account. The SYSTEM account's permissions can be removed from a file, but we do not recommend removing them.
- 
+### NETWORK SERVICE 
 The NETWORK SERVICE account is a predefined local account used by the service control manager (SCM). A service that runs in the context of the NETWORK SERVICE account presents the computer's credentials to remote servers. For more information, see [NetworkService Account](https://docs.microsoft.com/windows/desktop/services/networkservice-account).
 ### LOCAL SERVICE
 The LOCAL SERVICE account is a predefined local account used by the service control manager. It has minimum privileges on the local computer and presents anonymous credentials on the network. For more information, see [LocalService Account](https://docs.microsoft.com/windows/desktop/services/localservice-account).
 ## <a href="" id="sec-manage-accounts"></a>How to manage local user accounts
-The default local user accounts, and the local user accounts that you create, are located in the Users folder. The Users folder is located in the Local Users and Groups folder in the local Computer Management Microsoft Management Console (MMC), a collection of administrative tools that you can use to manage a single local or remote computer. For more information about creating and managing local user accounts, see [Manage Local Users](https://technet.microsoft.com/library/cc731899.aspx).
+The default local user accounts, and the local user accounts that you create, are located in the Users folder. The Users folder is located in Local Users and Groups. For more information about creating and managing local user accounts, see [Manage Local Users](https://technet.microsoft.com/library/cc731899.aspx).
 You can use Local Users and Groups to assign rights and permissions on the local server, and that server only, to limit the ability of local users and groups to perform certain actions. A right authorizes a user to perform certain actions on a server, such as backing up files and folders or shutting down a server. An access permission is a rule that is associated with an object, usually a file, folder, or printer. It regulates which users can have access to an object on the server and in what manner.
-You cannot use Local Users and Groups to view local users and groups after a member server is used as a domain controller. However, you can use Local Users and Groups on a domain controller to target remote computers that are not domain controllers on the network.
+You cannot use Local Users and Groups on a domain controller. However, you can use Local Users and Groups on a domain controller to target remote computers that are not domain controllers on the network.
 **Note**  
-You use Active Directory Users and Computers to manage users and groups in Active Directory.
+You use Active Directory Users and Computers to manage users and groups in Active Directory.loca
- 
+You can also manage local users by using NET.EXE USER and manage local groups by using NET.EXE LOCALGROUP, or by using a variety of PowerShell cmdlets and other scripting technologies.
 ### <a href="" id="sec-restrict-protect-accounts"></a>Restrict and protect local accounts with administrative rights
@ -199,7 +214,7 @@ UAC makes it possible for an account with administrative rights to be treated as
 In addition, UAC can require administrators to specifically approve applications that make system-wide changes before those applications are granted permission to run, even in the administrator's user session.
-For example, a default feature of UAC is shown when a local account signs in from a remote computer by using Network logon (for example, by using NET.EXE USE). In this instance, it is issued a standard user token with no administrative rights, but with the ability to request or receive elevation. Consequently, local accounts that sign in by using Network logon cannot access administrative shares such as C$, or ADMIN$, or perform any remote administration.
+For example, a default feature of UAC is shown when a local account signs in from a remote computer by using Network logon (for example, by using NET.EXE USE). In this instance, it is issued a standard user token with no administrative rights, but without the ability to request or receive elevation. Consequently, local accounts that sign in by using Network logon cannot access administrative shares such as C$, or ADMIN$, or perform any remote administration.
 For more information about UAC, see [User Account Control](/windows/access-protection/user-account-control/user-account-control-overview).
@ -270,6 +285,9 @@ The following table shows the Group Policy and registry settings that are used t
 </tbody>
 </table>
 >[!NOTE]
 >You can also enforce the default for LocalAccountTokenFilterPolicy by using the custom ADMX in Security Templates. 
 **To enforce local account restrictions for remote access**
@ -292,7 +310,7 @@ The following table shows the Group Policy and registry settings that are used t
 6.  Ensure that UAC is enabled and that UAC restrictions apply to the default Administrator account by doing the following:
-    1.  Navigate to the Computer Configuration\\Policies\\Windows Settings, and &gt; **Security Options**.
+    1.  Navigate to the Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\, and &gt; **Security Options**.
    2.  Double-click **User Account Control: Run all administrators in Admin Approval Mode** &gt; **Enabled** &gt; **OK**.
@ -374,8 +392,8 @@ The following table shows the Group Policy settings that are used to deny networ
 <tr class="even">
 <td><p></p></td>
 <td><p>Policy setting</p></td>
-<td><p>User name of the default Administrator account</p>
+<td><p>Local account and member of Administrators group</p>
-<p>(Might be renamed through policy.)</p></td>
+</td>
 </tr>
 <tr class="odd">
 <td><p>2</p></td>
@ -390,8 +408,8 @@ The following table shows the Group Policy settings that are used to deny networ
 <tr class="odd">
 <td><p></p></td>
 <td><p>Policy setting</p></td>
-<td><p>User name of the default Administrator account</p>
+<td><p>Local account and member of Administrators group</p>
-<p>(Might be renamed through policy).</p></td>
+</td>
 </tr>
 </tbody>
 </table>
@ -416,35 +434,19 @@ The following table shows the Group Policy settings that are used to deny networ
 6.  Configure the user rights to deny network logons for administrative local accounts as follows:
-    1.  Navigate to the Computer Configuration\\Policies\\Windows Settings, and &gt; **User Rights Assignment**.
+    1.  Navigate to the Computer Configuration\\Windows Settings\\Security Settings\\, and &gt; **User Rights Assignment**.
-    2.  Double-click **Deny access to this computer from the network**, and &gt; **Define these policy settings**.
+    2.  Double-click **Deny access to this computer from the network**.
-    3.  Click **Add User or Group**, type the name of the default Administrator account, and &gt; **OK**. The default name is Administrator on US English installations, but it can be renamed either by policy or manually.
+    3.  Click **Add User or Group**, type **Local account and member of Administrators group**, and &gt; **OK**. 
        ![local accounts 9](images/localaccounts-proc2-sample3.png)
        **Important**  
        In the **User and group names** box, type the user name of the account that you identified at the start of this process. Do not click **Browse** and do not type the domain name or the local computer name in this dialog box. For example, type only **Administrator**. If the text that you typed resolved to a name that is underlined, includes a computer name, or includes the domain, it restricts the wrong account and causes this mitigation to work incorrectly. Also, be careful that you do not enter the group name Administrator to prevent blocking domain accounts in that group.
    4.  For any additional local accounts in the Administrators group on all of the workstations that you are configuring, click **Add User or Group**, type the user names of these accounts in the dialog box in the same manner as described in the previous step, and then click **OK**.
 7.  Configure the user rights to deny Remote Desktop (Remote Interactive) logons for administrative local accounts as follows:
    1.  Navigate to Computer Configuration\\Policies\\Windows Settings and Local Policies, and then click **User Rights Assignment**.
-    2.  Double-click **Deny log on through Remote Desktop Services**, and then select **Define these settings**.
+    2.  Double-click **Deny log on through Remote Desktop Services**.
-    3.  Click **Add User or Group**, type the user name of the default Administrator account, and &gt; **OK**. (The default name is Administrator on US English installations, but it can be renamed either by policy or manually.
+    3.  Click **Add User or Group**, type type **Local account and member of Administrators group**, and &gt; **OK**. 
        **Important**  
        In the **User and group names** box, type the user name of the account that you identified at the start of this process. Do not click **Browse** and do not type the domain name or the local computer name in this dialog box. For example, type only **Administrator**. If the text that you typed resolves to a name that is underlined or includes a domain name, it restricts the wrong account and causes this mitigation to work incorrectly. Also, be careful that you do not enter the group name Administrator because this also blocks domain accounts in that group.
    4.  For any additional local accounts in the Administrators group on all of the workstations that you are setting up, click **Add User or Group**, type the user names of these accounts in the dialog box in the same manner as the previous step, and &gt; **OK**.
 8.  Link the GPO to the first **Workstations** OU as follows:
@ -463,7 +465,6 @@ The following table shows the Group Policy settings that are used to deny networ
    **Note**  
    You might have to create a separate GPO if the user name of the default Administrator account is different on workstations and servers.
 ### <a href="" id="sec-create-unique-passwords"></a>Create unique passwords for local accounts with administrative rights
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
@ -12,7 +12,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 02/26/2019
+ms.date: 02/28/2019
 ---
 # Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune
@ -416,7 +416,7 @@ There are no default locations included with WIP, you must add each of your netw
        <tr>
            <td>Cloud Resources</td>
            <td><strong>With proxy:</strong> contoso.sharepoint.com,contoso.internalproxy1.com|<br>contoso.visualstudio.com,contoso.internalproxy2.com<br><br><strong>Without proxy:</strong> contoso.sharepoint.com|contoso.visualstudio.com</td>
-            <td>Specify the cloud resources to be treated as corporate and protected by WIP.<br><br>For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise.<br><br>If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;</code>.<br><br><strong>Important</strong><br>In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the <code>/&#42;AppCompat&#42;/</code> string to the setting. For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;|/&#42;AppCompat&#42;/</code><br><br><strong>Note</strong><br>To add subdomain for a cloud resource, use a period (.) instead of an asterisk (*). For example: To add all subdomains within Office.com, use ".office.com" (without the quotation marks).<br><br>When you use this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access) by using the <strong>Domain joined or marked as compliant</strong> option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access.</td>
+            <td>Specify the cloud resources to be treated as corporate and protected by WIP.<br><br>For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise.<br><br>If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;</code>.<p>Personal applications will be able to access Enterprise Cloud Resources if the resource in the Enterprise Cloud Resource Policy has a blank space or an invalid character, such as a trailing dot in the URL. <br><br><strong>Important</strong><br>In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the <code>/&#42;AppCompat&#42;/</code> string to the setting. For example: <code>URL &lt;,proxy&gt;|URL &lt;,proxy&gt;|/&#42;AppCompat&#42;/</code>.<br><br>When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access), using the <strong>Domain joined or marked as compliant</strong> option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access.</td>
        </tr>
        <tr>
            <td>Protected domains</td>
--- a/windows/security/threat-protection/auditing/audit-security-group-management.md
+++ b/windows/security/threat-protection/auditing/audit-security-group-management.md
@ -8,7 +8,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.localizationpriority: none
 author: Mir0sh
-ms.date: 04/19/2017
+ms.date: 02/28/2019
 ---
 # Audit Security Group Management
@ -32,9 +32,9 @@ This subcategory allows you to audit events generated by changes to security gro
 | Computer Type     | General Success | General Failure | Stronger Success | Stronger Failure | Comments                                                                                                                                                                                                                                                                                                                                                                                                                         |
 |-------------------|-----------------|-----------------|------------------|------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| Domain Controller | Yes             | No              | Yes              | No               | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated. <br> We recommend Failure auditing, to collect information about failed attempts to create, change, or delete new security groups.|
+| Domain Controller | Yes             | No              | Yes              | No               | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated. <br> This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.|
-| Member Server     | Yes             | No              | Yes              | No               | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated. <br> We recommend Failure auditing, to collect information about failed attempts to create, change, or delete new security groups.|
+| Member Server     | Yes             | No              | Yes              | No               | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated. <br> This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.|
-| Workstation       | Yes             | No              | Yes              | No               | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated. <br> We recommend Failure auditing, to collect information about failed attempts to create, change, or delete new security groups.|
+| Workstation       | Yes             | No              | Yes              | No               | We recommend Success auditing of security groups, to see new group creation events, changes and deletion of critical groups. Also you will get information about new members of security groups, when a member was removed from a group and when security group membership was enumerated. <br> This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory.|
 **Events List:**
--- a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
+++ b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 author: tedhardyMSFT
-ms.date: 02/16/2018
+ms.date: 02/28/2019
 ms.localizationpriority: medium
 ---
@ -338,7 +338,7 @@ If your organizational audit policy enables additional auditing to meet its need
 | Category           | Subcategory                     | Audit settings      |
 |--------------------|---------------------------------|---------------------|
 | Account Logon      | Credential Validation           | Success and Failure |
-| Account Management | Security Group Management       | Success and Failure |
+| Account Management | Security Group Management       | Success  |
 | Account Management | User Account Management         | Success and Failure |
 | Account Management | Computer Account Management     | Success and Failure |
 | Account Management | Other Account Management Events | Success and Failure |
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/administer-applocker.md
@ -12,7 +12,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 09/21/2017
+ms.date: 02/28/2019
 ---
 # Administer AppLocker
@ -37,7 +37,6 @@ AppLocker helps administrators control how users can access and use files, such
 | Topic | Description |
 | - | - |
 | [Administer AppLocker using Mobile Device Management (MDM)](administer-applocker-using-mdm.md) | This topic describes how to use MDM to manage AppLocker policies. |
 | [Maintain AppLocker policies](maintain-applocker-policies.md) | This topic describes how to maintain rules within AppLocker policies. |
 | [Edit an AppLocker policy](edit-an-applocker-policy.md) | This topic for IT professionals describes the steps required to modify an AppLocker policy. |
 | [Test and update an AppLocker policy](test-and-update-an-applocker-policy.md) | This topic discusses the steps required to test an AppLocker policy prior to deployment. |