Merge branch 'master' into MDBranchMachineToDeviceParent

devices/hololens/hololens2-language-support.md

@@ -62,7 +62,7 @@ The setup process configures your HoloLens for a specific region and language. Y
 If the supported language that you're looking for is not in the menu, follow these steps:  
 
 1. Under **Preferred languages**, select **Add a language**.
-2. Locater and add the language.
+2. Locate and add the language.
 3. Select the **Windows display language** menu again, and then select the language that you added in the previous step.
 
 ### To change the keyboard layout

devices/surface/TOC.md

@@ -43,6 +43,7 @@
 ## Manage
 
 ### [Manage and deploy Surface driver and firmware updates](manage-surface-driver-and-firmware-updates.md)
+### [Manage Surface driver updates in Configuration Manager](manage-surface-driver-updates-configuration-manager.md)
 ### [Optimize Wi-Fi connectivity for Surface devices](surface-wireless-connect.md)
 ### [Best practice power settings for Surface devices](maintain-optimal-power-settings-on-Surface-devices.md)
 ### [Surface Dock Firmware Update](surface-dock-firmware-update.md)

devices/surface/manage-surface-driver-and-firmware-updates.md

@@ -35,11 +35,10 @@ Microsoft Endpoint Configuration Manager allows you to synchronize and deploy Su
 
 For detailed steps, see the following resources:
 
-- [How to manage Surface driver updates in Configuration Manager.](https://support.microsoft.com/help/4098906/manage-surface-driver-updates-in-configuration-manager)
+- [How to manage Surface driver updates in Configuration Manager](https://docs.microsoft.com/surface/manage-surface-driver-updates-configuration-manager.md)
-- [Deploy applications with Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/deploy-applications).
+- [Deploy applications with Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/deploy-applications)
 - [Endpoint Configuration Manager documentation](https://docs.microsoft.com/configmgr/)
 
-
 ### Manage updates with Microsoft Deployment Toolkit
 
 Included in Endpoint Configuration Manager, the Microsoft Deployment Toolkit (MDT) contains optional deployment tools that you may wish to use depending on your environment. These include the Windows Assessment and Deployment Kit (Windows ADK), Windows System Image Manager (Windows SIM), Deployment Image Servicing and Management (DISM), and User State Migration Tool (USMT). You can download the latest version of MDT from the [Microsoft Deployment Toolkit download page](https://www.microsoft.com/download/details.aspx?id=54259).
@@ -54,7 +53,6 @@ Surface driver and firmware updates are packaged as Windows Installer (*.msi) fi
 
 For instructions on how to deploy updates by using Endpoint Configuration Manager refer to [Deploy applications with Configuration Manager](https://docs.microsoft.com/configmgr/apps/deploy-use/deploy-applications). For instructions on how to deploy updates by using MDT, see [Deploy a Windows 10 image using MDT](https://docs.microsoft.com/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt).
 
-
 **WindowsPE and Surface firmware and drivers**
 
 Endpoint Configuration Manager and MDT both use the Windows Preinstallation Environment (WindowsPE) during the deployment process. WindowsPE only supports a limited set of basic drivers such as those for network adapters and storage controllers. Drivers for Windows components that are not part of WindowsPE might produce errors. As a best practice, you can prevent such errors by configuring the deployment process to use only the required drivers during the WindowsPE phase.
@@ -67,7 +65,6 @@ Starting in Endpoint Configuration Manager, you can synchronize and deploy Micro
 
 Downloadable .msi files are available for Surface devices from Surface Pro 2 and later. Information about .msi files for the newest Surface devices such as Surface Pro 7, Surface Pro X, and Surface Laptop 3 will be available from this page upon release.
 
-
 ## Managing firmware with DFCI
 
 With Device Firmware Configuration Interface (DFCI) profiles built into Intune (now available in [public preview](https://docs.microsoft.com/intune/configuration/device-firmware-configuration-interface-windows)), Surface UEFI management extends the modern management stack down to the UEFI hardware level. DFCI supports zero-touch provisioning, eliminates BIOS passwords, provides control of security settings including boot options and built-in peripherals, and lays the groundwork for advanced security scenarios in the future. For more information, see:
@@ -93,7 +90,6 @@ Specific versions of Windows 10 have separate .msi files, each containing all re
 - Management engine (ME)
 - Unified extensible firmware interface (UEFI)
 
-
 ### Downloading .msi files
 
 1. Browse to [Download drivers and firmware for Surface](https://support.microsoft.com/help/4023482/surface-download-drivers-and-firmware) on the Microsoft Download Center.
@@ -103,7 +99,6 @@ Specific versions of Windows 10 have separate .msi files, each containing all re
 
     *Figure 1. Downloading Surface updates*
 
- 
 ### Surface .msi naming convention
 
 Since August 2019, .msi files have used the following naming convention:
@@ -126,8 +121,9 @@ This file name provides the following information:
 - **Revision of version:** 0 (first release of this version)
 
 ### Legacy Surface .msi naming convention
+
 Legacy .msi files (files built before August 2019) followed the same overall naming formula but used a different method to derive the version number.
- ****
+
 **Example**
 
 - SurfacePro6_Win10_16299_1900307_0.msi
@@ -143,8 +139,6 @@ This file name provides the following information:
   - **Product version number:** 07 (Surface Pro 6 is officially the seventh version of Surface Pro)
 - **Revision of version:** 0 (first release of this version)
 
-
-
 ## Learn more
 
 - [Download drivers and firmware for Surface](https://support.microsoft.com/help/4023482/surface-download-drivers-and-firmware)
@@ -157,4 +151,3 @@ This file name provides the following information:
 - [Intune management of Surface UEFI settings](https://docs.microsoft.com/surface/surface-manage-dfci-guide)
 - [Ignite 2019: Announcing remote management of Surface UEFI settings from Intune](https://techcommunity.microsoft.com/t5/Surface-IT-Pro-Blog/Ignite-2019-Announcing-remote-management-of-Surface-UEFI/ba-p/978333).
 - [Build deployment rings for Windows 10 updates](https://docs.microsoft.com/windows/deployment/update/waas-deployment-rings-windows-10-updates)
-

devices/surface/manage-surface-driver-updates-configuration-manager.md

@@ -0,0 +1,181 @@
+---
+title: Manage Surface driver updates in Configuration Manager
+description: This article describes the available options to manage and deploy firmware and driver updates for Surface devices.
+ms.assetid: b64879c4-37eb-4fcf-a000-e05cbb3d26ea
+ms.reviewer: 
+author: v-miegge
+manager: laurawi
+keywords: Surface, Surface Pro 3, firmware, update, device, manage, deploy, driver, USB
+ms.localizationpriority: medium
+ms.prod: w10
+ms.mktglfcycl: manage
+ms.pagetype: surface, devices
+ms.sitesec: library
+author: coveminer
+ms.author: daclark
+ms.topic: article
+audience: itpro
+---
+
+# Manage Surface driver updates in Configuration Manager
+
+## Summary
+
+Starting in [Microsoft System Center Configuration Manager version 1710](https://docs.microsoft.com/sccm/core/plan-design/changes/whats-new-in-version-1710#software-updates), you can synchronize and deploy Microsoft Surface firmware and driver updates directly through the Configuration Manager client. The process resembles deploying regular updates. However, some additional configurations are required to get the Surface driver updates into your catalog.
+
+## Prerequisites
+
+To manage Surface driver updates, the following prerequisites must be met:
+
+- You must use Configuration Manager version 1710 or a later version.
+- All Software Update Points (SUPs) must run Windows Server 2016 or a later version. Otherwise, Configuration Manager ignores this setting and Surface drivers won't be synchronized.
+
+> [!NOTE]
+> If your environment doesn’t meet the prerequisites, refer to the [alternative methods](https://support.microsoft.com/help/4098906/manage-surface-driver-updates-in-configuration-manager#1) to deploy Surface driver and firmware updates in the [FAQ](#frequently-asked-questions-faq) section.
+
+## Useful log files
+
+The following logs are especially useful when you manage Surface driver updates.
+
+|Log name|Description|
+|---|---|
+|WCM.log|Records details about the software update point configuration and connections to the WSUS server for subscribed update categories, classifications, and languages.|
+|WsyncMgr.log|Records details about the software updates sync process.|
+
+These logs are located on the site server that manages the SUP, or on the SUP itself if it's installed directly on a site server.
+For a complete list of Configuration Manager logs, see [Log files in System Center Configuration Manager](https://docs.microsoft.com/sccm/core/plan-design/hierarchy/log-files).
+
+## Enabling Surface driver updates management
+
+To enable Surface driver updates management in Configuration Manager, follow these steps:
+
+1. In the Configuration Manager console, go to **Administration** > **Overview** > **Site Configuration** > **Sites**.
+1. Select the site that contains the top-level SUP server for your environment.
+1. On the ribbon, select **Configure Site Components**, and then select **Software Update Point**. Or, right-click the site, and then select **Configure Site Components** > **Software Update Point**.
+1. On the **Classifications** tab, select the **Include Microsoft Surface drivers and firmware updates** check box.
+
+   ![Software Update Point Component Properties](images/manage-surface-driver-updates-1.png)
+
+1. When you're prompted by the following warning message, select **OK**.
+
+   ![Configuration Manager](images/manage-surface-driver-updates-2.png)
+
+1. On the Products tab, select the products that you want to update, and then select **OK**.
+
+   Most drivers belong to the following product groups:
+
+   - Windows 10 and later version drivers
+   - Windows 10 and later Upgrade & Servicing Drivers
+   - Windows 10 Anniversary Update and Later Servicing Drivers
+   - Windows 10 Anniversary Update and Later Upgrade & Servicing Drivers
+   - Windows 10 Creators Update and Later Servicing Drivers
+   - Windows 10 Creators Update and Later Upgrade & Servicing Drivers
+   - Windows 10 Fall Creators Update and Later Servicing Drivers
+   - Windows 10 Fall Creators Update and Later Upgrade & Servicing Drivers
+   - Windows 10 S and Later Servicing Drivers
+   - Windows 10 S Version 1709 and Later Servicing Drivers for testing
+   - Windows 10 S Version 1709 and Later Upgrade & Servicing Drivers for testing
+
+   > [!NOTE]
+   > Most Surface drivers belong to multiple Windows 10 product groups. You may not have to select all the products that are listed here. To help reduce the number of products that populate your Update Catalog, we recommend that you select only the products that are required by your environment for synchronization.
+
+## Verifying the configuration
+
+To verify that the SUP is configured correctly, follow these steps:
+
+1. Open WsyncMgr.log, and then look for the following entry:
+
+   ```console
+   Surface Drivers can be supported in this hierarchy since all SUPs are on Windows Server 2016, WCM SCF property Sync Catalog Drivers is set.
+
+   Sync Catalog Drivers SCF value is set to : 1
+   ```
+
+   If either of the following entries is logged in WsyncMgr.log, recheck step 4 in the previous section:
+
+   ```console
+   Sync Surface Drivers option is not set
+
+   Sync Catalog Drivers SCF value is set to : 0
+   ```
+
+1. Open WCM.log, and then look for an entry that resembles the following:
+
+   ![WCM.log settings](images/manage-surface-driver-updates-3.png)
+
+   This entry is an XML element that lists every product group and classification that's currently synchronized by your SUP server. For example, you might see an entry that resembles the following:
+
+   ```xml
+   <Categories>
+       <Category Id="Product:05eebf61-148b-43cf-80da-1c99ab0b8699"><![CDATA[Windows 10 and later drivers]]></Category>
+       <Category Id="Product:06da2f0c-7937-4e28-b46c-a37317eade73"><![CDATA[Windows 10 Creators Update and Later Upgrade & Servicing Drivers]]></Category>
+       <Category Id="Product:c1006636-eab4-4b0b-b1b0-d50282c0377e"><![CDATA[Windows 10 S and Later Servicing Drivers]]></Category>
+   </Categories>
+   ```
+
+   If you can't find the products that you selected in step 6 in the previous section, double-check whether the SUP settings are saved.
+
+   You can also wait until the next synchronization finishes, and then check whether the Surface driver and firmware updates are listed in Software Updates in the Configuration Manager console. For example, the console might display the following information:
+
+   ![All Software Updates Search Results](images/manage-surface-driver-updates-4.png)
+
+## Manual synchronization
+
+If you don't want to wait until the next synchronization, follow these steps to start a synchronization:
+
+1. In the Configuration Manager console, go to **Software Library** > **Overview** > **Software Updates** > **All Software Updates**.
+1. On the ribbon, select **Synchronize Software Updates**. Or, right-click **All Software Update**, and then select **Synchronize Software Update**.
+1. Monitor the synchronization progress by looking for the following entries in WsyncMgr.log:
+
+   ```console
+   Surface Drivers can be supported in this hierarchy since all SUPs are on Windows Server 2016, WCM SCF property Sync Catalog Drivers is set.
+
+   sync: SMS synchronizing categories 
+   sync: SMS synchronizing categories, processed 0 out of 311 items (0%)
+   sync: SMS synchronizing categories, processed 311 out of 311 items (100%)
+   sync: SMS synchronizing categories, processed 311 out of 311 items (100%)
+   sync: SMS synchronizing updates
+
+   Synchronizing update 7eaa0148-c42b-45fd-a1ab-012c82972de6 - Microsoft driver update for Surface Type Cover Integration
+   Synchronizing update 2dcb07f8-37ec-41ef-8cd5-030bf24dc1d8 - Surface driver update for Surface Pen Pairing
+   Synchronizing update 63067414-ae52-422b-b3d1-0382a4d6519a - Surface driver update for Surface UEFI
+   Synchronizing update 8e4e3a41-a784-4dd7-9a42-041f43ddb775 - Surface driver update for Surface Integration
+   Synchronizing update 7f8baee8-419f-47e2-918a-045a15a188e7 - Microsoft driver update for Surface DTX
+   Synchronizing update aed66e05-719b-48cd-a0e7-059e50f67fdc - Microsoft driver update for Surface Base Firmware Update
+   Synchronizing update 8ffe1526-6e66-43cc-86e3-05ad92a24e3a - Surface driver update for Surface UEFI
+   Synchronizing update 74102899-0a49-48cf-97e6-05bde18a27ff - Microsoft driver update for Surface UEFI
+   ```
+
+## Deploying Surface firmware and driver updates
+
+You can deploy Surface firmware and driver updates in the same manner as you deploy other updates.
+
+For more information about deployment, see [System Center 2012 Configuration Manager–Part7: Software Updates (Deploy)](https://blogs.technet.microsoft.com/elie/2012/05/25/system-center-2012-configuration-managerpart7-software-updates-deploy/).
+
+## Frequently asked questions (FAQ)
+
+**After I follow the steps in this article, my Surface drivers are still not synchronized. Why?**
+
+If you synchronize from an upstream Windows Server Update Services (WSUS) server, instead of Microsoft Update, make sure that the upstream WSUS server is configured to support and synchronize Surface driver updates. All downstream servers are limited to updates that are present in the upstream WSUS server database.
+
+There are more than 68,000 updates that are classified as drivers in WSUS. To prevent non-Surface related drivers from synchronizing to Configuration Manager, Microsoft filters driver synchronization against an allow list. After the new allow list is published and incorporated into Configuration Manager, the new drivers are added to the console following the next synchronization. Microsoft aims to get the Surface drivers added to the allow list each month in line with Patch Tuesday to make them available for synchronization to Configuration Manager.
+
+If your Configuration Manager environment is offline, a new allow list is imported every time you import [servicing updates](https://docs.microsoft.com/mem/configmgr/core/servers/manage/use-the-service-connection-tool) to Configuration Manager. You will also have to import a [new WSUS catalog](https://docs.microsoft.com/mem/configmgr/sum/get-started/synchronize-software-updates-disconnected) that contains the drivers before the updates are displayed in the Configuration Manager console. Because a stand-alone WSUS environment contains more drivers than a Configuration Manager SUP, we recommend that you establish a Configuration Manager environment that has online capabilities, and that you configure it to synchronize Surface drivers. This provides a smaller WSUS export that closely resembles the offline environment.
+
+If your Configuration Manager environment is online and able to detect new updates, you will receive updates to the list automatically. If you don’t see the expected drivers, please review the WCM.log and WsyncMgr.log for any synchronization failures.
+
+**My Configuration Manager environment is offline, can I manually import Surface drivers into WSUS?**
+
+No. Even if the update is imported into WSUS, the update won't be imported into the Configuration Manager console for deployment if it isn't listed in the allow list. You must use the [Service Connection Tool](https://docs.microsoft.com/mem/configmgr/core/servers/manage/use-the-service-connection-tool) to import servicing updates to Configuration Manager to update the allow list.
+
+**What alternative methods do I have to deploy Surface driver and firmware updates?**
+
+For information about how to deploy Surface driver and firmware updates through alternative channels, see [Manage Surface driver and firmware updates](https://docs.microsoft.com/surface/manage-surface-driver-and-firmware-updates). If you want to download the .msi or .exe file, and then deploy through traditional software deployment channels, see [Keeping Surface Firmware Updated with Configuration Manager](https://docs.microsoft.com/archive/blogs/thejoncallahan/keeping-surface-firmware-updated-with-configuration-manager).
+
+## Additional Information
+
+For more information about Surface driver and firmware updates, see the following articles:
+
+- [Download the latest firmware and drivers for Surface devices](https://docs.microsoft.com/surface/deploy-the-latest-firmware-and-drivers-for-surface-devices)
+- [Manage Surface driver and firmware updates](https://docs.microsoft.com/surface/manage-surface-pro-3-firmware-updates)
+- [Considerations for Surface and System Center Configuration Manager](https://docs.microsoft.com/surface/considerations-for-surface-and-system-center-configuration-manager)

windows/client-management/administrative-tools-in-windows-10.md

@@ -29,7 +29,7 @@ The tools in the folder might vary depending on which edition of Windows you are
 
 ![Screenshot of folder of admin tools](images/admin-tools-folder.png)
 
-These tools were included in previous versions of Windows and the associated documentation for each tool should help you use these tools in Windows 10. The following list links to documentation for each tool.
+These tools were included in previous versions of Windows and the associated documentation for each tool should help you use these tools in Windows 10. The following list provides links to documentation for each tool. The tools are located within the folder C:\Windows\System32\ or its subfolders.
 
  
 
@@ -43,6 +43,8 @@ These tools were included in previous versions of Windows and the associated doc
 -   [ODBC Data Sources]( https://go.microsoft.com/fwlink/p/?LinkId=708494)
 -   [Performance Monitor](https://go.microsoft.com/fwlink/p/?LinkId=708495)
 -   [Print Management](https://go.microsoft.com/fwlink/p/?LinkId=708496)
+-   [Recovery Drive](https://support.microsoft.com/help/4026852/windows-create-a-recovery-drive)
+-   [Registry Editor](https://docs.microsoft.com/windows/win32/sysinfo/registry)
 -   [Resource Monitor](https://go.microsoft.com/fwlink/p/?LinkId=708497)
 -   [Services](https://go.microsoft.com/fwlink/p/?LinkId=708498)
 -   [System Configuration](https://go.microsoft.com/fwlink/p/?LinkId=708499)
@@ -60,7 +62,3 @@ These tools were included in previous versions of Windows and the associated doc
 
  
 
-
-
-
-

windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md

@@ -37,7 +37,7 @@ The auto-enrollment relies on the presence of an MDM service and the Azure Activ
 
 When the auto-enrollment Group Policy is enabled, a task is created in the background that initiates the MDM enrollment. The task will use the existing MDM service configuration from the Azure Active Directory information of the user. If multi-factor authentication is required, the user will get a prompt to complete the authentication. Once the enrollment is configured, the user can check the status in the Settings page.
 
-In Windows 10, version 1709, when the same policy is configured in GP and MDM, the GP policy wins (GP policy takes precedence over MDM). Since Windows 10, version 1803, a new setting allows you to change the policy conflict winner to MDM. For additional information, see [Windows 10 Group Policy vs. Intune MDM Policy who wins?](https://blogs.technet.microsoft.com/cbernier/2018/04/02/windows-10-group-policy-vs-intune-mdm-policy-who-wins/).
+In Windows 10, version 1709 or later, when the same policy is configured in GP and MDM, the GP policy wins (GP policy takes precedence over MDM). Since Windows 10, version 1803, a new setting allows you to change the policy conflict winner to MDM. For additional information, see [Windows 10 Group Policy vs. Intune MDM Policy who wins?](https://blogs.technet.microsoft.com/cbernier/2018/04/02/windows-10-group-policy-vs-intune-mdm-policy-who-wins/)
 
 For this policy to work, you must verify that the MDM service provider allows the GP triggered MDM enrollment for domain joined devices.
 
@@ -52,9 +52,10 @@ The following steps demonstrate required settings using the Intune service:
 
     ![Auto-enrollment activation verification](images/auto-enrollment-activation-verification.png)
 
-> [!IMPORTANT]
+    > [!IMPORTANT]
-> For BYOD devices, the MAM user scope takes precedence if both MAM user scope and MDM user scope (automatic MDM enrollment) are enabled for all users (or the same groups of users). The device will use Windows Information Protection (WIP) Policies (if you configured them) rather than being MDM enrolled.
+    > For BYOD devices, the MAM user scope takes precedence if both MAM user scope and MDM user scope (automatic MDM enrollment) are enabled for all users (or the same groups of users). The device will use Windows Information Protection (WIP) Policies (if you configured them) rather than being MDM enrolled.
-> For corporate devices, the MDM user scope takes precedence if both scopes are enabled. The devices get MDM enrolled.
+    >
+    > For corporate devices, the MDM user scope takes precedence if both scopes are enabled. The devices get MDM enrolled.
 
 3. Verify that the device OS version is Windows 10, version 1709 or later.
 4. Auto-enrollment into Intune via Group Policy is valid only for devices which are hybrid Azure AD joined. This means that the device must be joined into both local Active Directory and Azure Active Directory. To verify that the device is  hybrid Azure AD joined, run  `dsregcmd /status` from the command line.
@@ -93,7 +94,7 @@ You may contact your domain administrators to verify if the group policy has bee
 This procedure is only for illustration purposes to show how the new auto-enrollment policy works. It is not recommended for the production environment in the enterprise. For bulk deployment, you should use the [Group Policy Management Console process](#configure-the-auto-enrollment-for-a-group-of-devices).
 
 Requirements:
-- AD-joined PC running Windows 10, version 1709
+- AD-joined PC running Windows 10, version 1709 or later
 - Enterprise has MDM service already configured 
 - Enterprise AD must be registered with Azure AD
 
@@ -109,27 +110,27 @@ Requirements:
 
     ![MDM policies](images/autoenrollment-mdm-policies.png)
 
-4. Double-click **Enable Automatic MDM enrollment using default Azure AD credentials**.
+4. Double-click **Enable automatic MDM enrollment using default Azure AD credentials** (previously called **Auto MDM Enrollment with AAD Token** in Windows 10, version 1709). For ADMX files in Windows 10, version 1903 and later, select **User Credential** (support for Device Credential is coming) as the Selected Credential Type to use. User Credential enrolls Windows 10, version 1709 and later once an Intune licensed user logs into the device. Device Credential will enroll the device and then assign a user later, once support for this is available.
 
     ![MDM autoenrollment policy](images/autoenrollment-policy.png)
 
 5. Click **Enable**, then click **OK**.
 
-> [!NOTE]
+    > [!NOTE]
-> In Windows 10, version 1903, the MDM.admx file was updated to include an option to select which credential is used to enroll the device. **Device Credential** is a new option that will only have an effect on clients that have installed Windows 10, version 1903 or later. 
+    > In Windows 10, version 1903, the MDM.admx file was updated to include an option to select which credential is used to enroll the device. **Device Credential** is a new option that will only have an effect on clients that have installed Windows 10, version 1903 or later. 
-The default behavior for older releases is to revert to **User Credential**.
+    > The default behavior for older releases is to revert to **User Credential**.
 
-When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called " Schedule created by enrollment client for automatically enrolling in MDM from AAD." 
+    When a group policy refresh occurs on the client, a task is created and scheduled to run every 5 minutes for the duration of one day. The task is called " Schedule created by enrollment client for automatically enrolling in MDM from AAD." 
 
-To see the scheduled task, launch the [Task Scheduler app](#task-scheduler-app).
+    To see the scheduled task, launch the [Task Scheduler app](#task-scheduler-app).
 
-If two-factor authentication is required, you will be prompted to complete the process. Here is an example screenshot.
+    If two-factor authentication is required, you will be prompted to complete the process. Here is an example screenshot.
 
-![Two-factor authentication notification](images/autoenrollment-2-factor-auth.png)
+    ![Two-factor authentication notification](images/autoenrollment-2-factor-auth.png)
 
-> [!Tip]
+    > [!Tip]
-> You can avoid this behavior by using Conditional Access Policies in Azure AD.
+    > You can avoid this behavior by using Conditional Access Policies in Azure AD.
-Learn more by reading [What is Conditional Access?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview).
+    Learn more by reading [What is Conditional Access?](https://docs.microsoft.com/azure/active-directory/conditional-access/overview).
 
 6. To verify successful enrollment to MDM , click **Start > Settings > Accounts > Access work or school**, then select your domain account.
 
@@ -159,27 +160,28 @@ Learn more by reading [What is Conditional Access?](https://docs.microsoft.com/a
 ## Configure the auto-enrollment for a group of devices
 
 Requirements:
-- AD-joined PC running Windows 10, version 1709
+- AD-joined PC running Windows 10, version 1709 or later
 - Enterprise has MDM service already configured (with Intune or a third party service provider)
 - Enterprise AD must be integrated with Azure AD.
 - Ensure that PCs belong to same computer group.
 
-> [!IMPORTANT]
+[!IMPORTANT]
-> If you do not see the policy, it may be because you don’t have the ADMX for Windows 10, version 1803, version 1809, or version 1903 installed. To fix the issue, follow these steps (Note: the latest MDM.admx is backwards compatible):        
+If you do not see the policy, it may be because you don’t have the ADMX for Windows 10, version 1803, version 1809, or version 1903 installed. To fix the issue, follow these steps (Note: the latest MDM.admx is backwards compatible):        
->   1. Download:  
+  1. Download:  
->   1803 -->[Administrative Templates (.admx) for Windows 10 April 2018 Update (1803)](https://www.microsoft.com/download/details.aspx?id=56880) or  
+  1803 -->[Administrative Templates (.admx) for Windows 10 April 2018 Update (1803)](https://www.microsoft.com/download/details.aspx?id=56880) or  
->   1809 --> [Administrative Templates for Windows 10 October 2018 Update (1809)](https://www.microsoft.com/download/details.aspx?id=57576) or
+  1809 --> [Administrative Templates for Windows 10 October 2018 Update (1809)](https://www.microsoft.com/download/details.aspx?id=57576) or
->   1903 --> [Administrative Templates (.admx) for Windows 10 May 2019 Update (1903)](https://www.microsoft.com/download/details.aspx?id=58495&WT.mc_id=rss_alldownloads_all)
+  1903 --> [Administrative Templates (.admx) for Windows 10 May 2019 Update (1903)](https://www.microsoft.com/download/details.aspx?id=58495&WT.mc_id=rss_alldownloads_all)
->   2. Install the package on the Domain Controller.
+  2. Install the package on the Domain Controller.
->   3. Navigate, depending on the version to the folder:
+  3. Navigate, depending on the version to the folder:
->   1803 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 April 2018 Update (1803) v2**, or  
+  1803 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 April 2018 Update (1803) v2**, or  
->   1809 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2018 Update (1809) v2**, or
+  1809 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2018 Update (1809) v2**, or
->   1903 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2019 Update (1903) v3**
+  1903 --> **C:\Program Files (x86)\Microsoft Group Policy\Windows 10 May 2019 Update (1903) v3**
->   4. Rename the extracted Policy Definitions folder to **PolicyDefinitions**.
+  4. Rename the extracted Policy Definitions folder to **PolicyDefinitions**.
->   5. Copy PolicyDefinitions folder to **C:\Windows\SYSVOL\domain\Policies**. 
+  5. Copy PolicyDefinitions folder to **C:\Windows\SYSVOL\domain\Policies**. 
->   (If this folder does not exist, then be aware that you will be switching to a [central policy store](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) for your entire domain).
+  (If this folder does not exist, then be aware that you will be switching to a [central policy store](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra) for your entire domain).
->   6. Restart the Domain Controller for the policy to be available.
+  6. Restart the Domain Controller for the policy to be available.
->   This procedure will work for any future version as well.
+
+  This procedure will work for any future version as well.
 
 1. Create a Group Policy Object (GPO) and enable the Group Policy **Computer Configuration** > **Policies** > **Administrative Templates** > **Windows Components** > **MDM** > **Enable automatic MDM enrollment using default Azure AD credentials**.
 2. Create a Security Group for the PCs.
@@ -187,7 +189,6 @@ Requirements:
 4. Filter using Security Groups.
 
 ## Troubleshoot auto-enrollment of devices
-
 Investigate the log file if you have issues even after performing all the mandatory verification steps. The first log file to investigate is the event log on the target Windows 10 device. 
 
 To collect Event Viewer logs:
@@ -241,10 +242,10 @@ To collect Event Viewer logs:
 - [Link a Group Policy Object](https://technet.microsoft.com/library/cc732979(v=ws.11).aspx)
 - [Filter Using Security Groups](https://technet.microsoft.com/library/cc752992(v=ws.11).aspx)
 - [Enforce a Group Policy Object Link](https://technet.microsoft.com/library/cc753909(v=ws.11).aspx)
+- [Group Policy Central Store](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administra)
 
 ### Useful Links
 
 - [Windows 10 Administrative Templates for Windows 10 November 2019 Update 1909](https://www.microsoft.com/download/details.aspx?id=100591)
 - [Windows 10 Administrative Templates for Windows 10 May 2019 Update 1903](https://www.microsoft.com/download/details.aspx?id=58495)
 - [Windows 10 Administrative Templates for Windows 10 October 2018 Update 1809](https://www.microsoft.com/download/details.aspx?id=57576)
-- [Windows 10 Administrative Templates for Windows 10 April 2018 Update 1803](https://www.microsoft.com/download/details.aspx?id=56880)

windows/client-management/mdm/understanding-admx-backed-policies.md

@@ -260,7 +260,7 @@ Note that the data payload of the SyncML needs to be encoded so that it does not
 
 The **LocURI** for the above GP policy is:
 
-`.\Device\Vendor\MSFT\Policy\Config\AppVirtualization\PublishingAllowServer2`
+`./Device/Vendor/MSFT/Policy/Config/AppVirtualization/PublishingAllowServer2`
 
 To construct SyncML for your area/policy using the samples below, you need to update the **data id** and the **value** in the `<Data>` section of the SyncML. The items prefixed with an '&' character are the escape characters needed and can be retained as shown.
 

windows/client-management/new-policies-for-windows-10.md

@@ -25,6 +25,33 @@ ms.topic: reference
 
 Windows 10 includes the following new policies for management. [Download the complete set of Administrative Template (.admx) files for Windows 10](https://www.microsoft.com/download/100591).
 
+## New Group Policy settings in Windows 10, version 1903
+
+The following Group Policy settings were added in Windows 10, version 1903:
+
+**System**
+
+- System\Service Control Manager Settings\Security Settings\Enable svchost.exe mitigation options
+- System\Storage Sense\Allow Storage Sense
+- System\Storage Sense\Allow Storage Sense Temporary Files cleanup
+- System\Storage Sense\Configure Storage Sense
+- System\Storage Sense\Configure Storage Sense Cloud content dehydration threshold
+- System\Storage Sense\Configure Storage Sense Recycle Bin cleanup threshold
+- System\Storage Sense\Configure Storage Sense Downloads cleanup threshold
+- System\Troubleshooting and Diagnostics\Microsoft Support Diagnostic Tool\Troubleshooting:Allow users to access recommended troubleshooting for known problems
+
+
+**Windows Components**
+
+- Windows Components\App Privacy\Let Windows apps activate with voice 
+- Windows Components\App Privacy\Let Windows apps activate with voice while the system is locked
+- Windows Components\Data Collection and Preview Builds\Allow commercial data pipeline
+- Windows Components\Data Collection and Preview Builds\Configure collection of browsing data for Desktop Analytics 
+- Windows Components\Data Collection and Preview Builds\Configure diagnostic data upload endpoint for Desktop Analytics
+- Windows Components\Delivery Optimization\Delay background download Cache Server fallback (in seconds)
+- Windows Components\Delivery Optimization\Delay Foreground download Cache Server fallback (in seconds)
+- Windows Components\Remote Desktop Services\Remote Desktop Session Host\Remote Session Environment\Use WDDM graphics display driver for Remote Desktop Connections
+- Windows Components\Windows Logon Options\Configure the mode of automatically signing in and locking last interactive user after a restart or cold boot
 
 ## New Group Policy settings in Windows 10, version 1809
 
@@ -496,4 +523,3 @@ No new [Exchange ActiveSync policies](https://go.microsoft.com/fwlink/p/?LinkId=
 
 
 
-

windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md

@@ -294,6 +294,8 @@ A **Trusted Certificate** device configuration profile is how you deploy trusted
 5. In the **Enterprise Root Certificate** blade, click **Assignments**.  In the **Include** tab, select **All Devices** from the **Assign to** list.  Click **Save**.
 ![Intune Profile assignment](images/aadj/intune-device-config-enterprise-root-assignment.png)
 6. Sign out of the Microsoft Azure Portal.
+> [!NOTE]
+> After the creation, the **supported platform** parameter of the profile will contain the value "Windows 8.1 and later", as the certificate configuration for Windows 8.1 and Windows 10 is the same.
 
 ## Configure Windows Hello for Business Device Enrollment
 

windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md

@@ -19,7 +19,7 @@ ms.reviewer:
 # Configure Windows Hello for Business: Active Directory Federation Services
 
 **Applies to**
--   Windows10, version 1703 or later
+-   Windows 10, version 1703 or later
 -   Hybrid deployment
 -   Certificate trust
 
@@ -36,15 +36,14 @@ The Windows Hello for Business Authentication certificate template is configured
 Sign-in the AD FS server with *Domain Admin* equivalent credentials. 
 
 1. Open a **Windows PowerShell** prompt.
-2. Type the following command   
+2. Enter the following command:
   
     ```PowerShell
     Set-AdfsCertificateAuthority -EnrollmentAgent -EnrollmentAgentCertificateTemplate WHFBEnrollmentAgent -WindowsHelloCertificateTemplate WHFBAuthentication -WindowsHelloCertificateProxyEnabled $true
     ```
 
-
+    >[!NOTE]
->[!NOTE]
+    > If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace **WHFBEnrollmentAgent** and WHFBAuthentication in the preceding command with the name of your certificate templates.  It's important that you use the template name rather than the template display name.  You can view the template name on the **General** tab of the certificate template by using the **Certificate Template** management console (certtmpl.msc).  Or, you can view the template name by using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on a Windows Server 2012 or later certificate authority.
-> If you gave your Windows Hello for Business Enrollment Agent and Windows Hello for Business Authentication certificate templates different names, then replace **WHFBEnrollmentAgent** and WHFBAuthentication in the above command with the name of your certificate templates.  It's important that you use the template name rather than the template display name.  You can view the template name on the **General** tab of the certificate template using the **Certificate Template** management console (certtmpl.msc).  Or, you can view the template name using the **Get-CATemplate** ADCS Administration Windows PowerShell cmdlet on a Windows Server 2012 or later certificate authority.
 
 
 ### Group Memberships for the AD FS Service Account
@@ -66,8 +65,8 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva
 
 ### Section Review
 > [!div class="checklist"]
-> * Configure the registration authority
+> * Configure the registration authority.
-> * Update group memberships for the AD FS service account
+> * Update group memberships for the AD FS service account.
 > 
 > 
 > [!div class="step-by-step"]

windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md

@@ -16,6 +16,7 @@ localizationpriority: medium
 ms.date: 10/23/2017
 ms.reviewer: 
 ---
+
 # Configure Hybrid Windows Hello for Business: Directory Synchronization
 
 **Applies to**
@@ -62,7 +63,7 @@ Sign-in a domain controller or management workstation with _Domain Admin_ equiva
 6. Click **OK** to return to **Active Directory Users and Computers**.
 
 > [!NOTE]
-> If your AD forest has multiple domains. Please make sure you add the ADConnect sync service account (that is, MSOL_12121212) into "Enterprise Key Admins" group to gain permission across the domains in the forest.
+> If your AD forest has multiple domains, make sure you add the ADConnect sync service account (ie. MSOL_12121212) into "Enterprise Key Admins" group to gain permission across the domains in the forest.
 
 ### Section Review
 

windows/security/threat-protection/microsoft-defender-atp/enable-attack-surface-reduction.md

@@ -12,14 +12,14 @@ ms.localizationpriority: medium
 audience: ITPro
 author: levinec
 ms.author: ellevin
-ms.date: 05/20/2020
+ms.date: 05/29/2020
 ms.reviewer: 
 manager: dansimp
 ---
 
 # Enable attack surface reduction rules
 
-[Attack surface reduction rules](attack-surface-reduction.md) help prevent actions that malware often abuses to compromise devices and networks. You can set attack surface reduction rules for devices running any of the following editions and versions of Windows:
+[Attack surface reduction rules](attack-surface-reduction.md) (ASR rules) help prevent actions that malware often abuses to compromise devices and networks. You can set ASR rules for devices running any of the following editions and versions of Windows:
 - Windows 10 Pro, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later
 - Windows 10 Enterprise, [version 1709](https://docs.microsoft.com/windows/whats-new/whats-new-windows-10-version-1709) or later
 - Windows Server, [version 1803 (Semi-Annual Channel)](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server-1803) or later
@@ -27,22 +27,22 @@ manager: dansimp
 
 Each ASR rule contains one of three settings:
 
-* Not configured: Disable the ASR rule
+- Not configured: Disable the ASR rule
-* Block: Enable the ASR rule
+- Block: Enable the ASR rule
-* Audit: Evaluate how the ASR rule would impact your organization if enabled
+- Audit: Evaluate how the ASR rule would impact your organization if enabled
 
-To use ASR rules, you need either a Windows 10 Enterprise E3 or E5 license. We recommend an E5 license so you can take advantage of the advanced monitoring and reporting capabilities available in [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection) (Microsoft Defender ATP). These advanced capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to use in conjunction with ASR rules.
+To use ASR rules, you must have either a Windows 10 Enterprise E3 or E5 license. We recommend E5 licenses so you can take advantage of the advanced monitoring and reporting capabilities that are available in [Microsoft Defender Advanced Threat Protection](https://docs.microsoft.com/windows/security/threat-protection) (Microsoft Defender ATP). Advanced monitoring and reporting capabilities aren't available with an E3 license, but you can develop your own monitoring and reporting tools to use in conjunction with ASR rules.
 
 > [!TIP]
 > To learn more about Windows licensing, see [Windows 10 Licensing](https://www.microsoft.com/licensing/product-licensing/windows10?activetab=windows10-pivot:primaryr5) and get the [Volume Licensing guide for Windows 10](https://download.microsoft.com/download/2/D/1/2D14FE17-66C2-4D4C-AF73-E122930B60F6/Windows-10-Volume-Licensing-Guide.pdf).
 
 You can enable attack surface reduction rules by using any of these methods:
 
-* [Microsoft Intune](#intune)
+- [Microsoft Intune](#intune)
-* [Mobile Device Management (MDM)](#mdm)
+- [Mobile Device Management (MDM)](#mdm)
-* [Microsoft Endpoint Configuration Manager](#microsoft-endpoint-configuration-manager)
+- [Microsoft Endpoint Configuration Manager](#microsoft-endpoint-configuration-manager)
-* [Group Policy](#group-policy)
+- [Group Policy](#group-policy)
-* [PowerShell](#powershell)
+- [PowerShell](#powershell)
 
 Enterprise-level management such as Intune or Microsoft Endpoint Configuration Manager is recommended. Enterprise-level management will overwrite any conflicting Group Policy or PowerShell settings on startup.
 
@@ -50,6 +50,8 @@ Enterprise-level management such as Intune or Microsoft Endpoint Configuration M
 
 You can exclude files and folders from being evaluated by most attack surface reduction rules. This means that even if an ASR rule determines the file or folder contains malicious behavior, it will not block the file from running. This could potentially allow unsafe files to run and infect your devices.
 
+You can also exclude ASR rules from triggering based on certificate and file hashes by allowing specified Microsoft Defender ATP file and certificate indicators. (See [Manage indicators](https://docs.microsoft.com/windows/security/threat-protection/microsoft-defender-atp/manage-indicators).)
+
 > [!IMPORTANT]
 > Excluding files or folders can severely reduce the protection provided by ASR rules. Excluded files will be allowed to run, and no report or event will be recorded.
 > If ASR rules are detecting files that you believe shouldn't be detected, you should [use audit mode first to test the rule](evaluate-attack-surface-reduction.md).
@@ -67,9 +69,9 @@ The following procedures for enabling ASR rules include instructions for how to
 
 2. In the **Endpoint protection** pane, select **Windows Defender Exploit Guard**, then select **Attack Surface Reduction**. Select the desired setting for each ASR rule.
 
-3. Under **Attack Surface Reduction exceptions**, you can enter individual files and folders, or you can select **Import** to import a CSV file that contains files and folders to exclude from ASR rules. Each line in the CSV file should be in the following format:
+3. Under **Attack Surface Reduction exceptions**, you can enter individual files and folders, or you can select **Import** to import a CSV file that contains files and folders to exclude from ASR rules. Each line in the CSV file should be formatted as follows:
 
-   *C:\folder*, *%ProgramFiles%\folder\file*, *C:\path*
+   `C:\folder`, `%ProgramFiles%\folder\file`, `C:\path`
 
 4. Select **OK** on the three configuration panes and then select **Create** if you're creating a new endpoint protection file or **Save** if you're editing an existing one.
 
@@ -79,23 +81,23 @@ Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules](https
 
 The following is a sample for reference, using [GUID values for ASR rules](attack-surface-reduction.md#attack-surface-reduction-rules).
 
-OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules
+`OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionRules`
 
-Value: {75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84}=2|{3B576869-A4EC-4529-8536-B80A7769E899}=1|{D4F940AB-401B-4EfC-AADC-AD5F3C50688A}=2|{D3E037E1-3EB8-44C8-A917-57927947596D}=1|{5BEB7EFE-FD9A-4556-801D-275E5FFC04CC}=0|{BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550}=1
+`Value: {75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84}=2|{3B576869-A4EC-4529-8536-B80A7769E899}=1|{D4F940AB-401B-4EfC-AADC-AD5F3C50688A}=2|{D3E037E1-3EB8-44C8-A917-57927947596D}=1|{5BEB7EFE-FD9A-4556-801D-275E5FFC04CC}=0|{BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550}=1`
 
 The values to enable, disable, or enable in audit mode are:
 
-* Disable = 0
+- Disable = 0
-* Block (enable ASR rule) = 1
+- Block (enable ASR rule) = 1
-* Audit = 2
+- Audit = 2
 
 Use the [./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-defender#defender-attacksurfacereductiononlyexclusions) configuration service provider (CSP) to add exclusions.
 
 Example:
 
-OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions
+`OMA-URI path: ./Vendor/MSFT/Policy/Config/Defender/AttackSurfaceReductionOnlyExclusions`
 
-Value: c:\path|e:\path|c:\Whitelisted.exe
+`Value: c:\path|e:\path|c:\Whitelisted.exe`
 
 > [!NOTE]
 > Be sure to enter OMA-URI values without spaces.
@@ -103,11 +105,16 @@ Value: c:\path|e:\path|c:\Whitelisted.exe
 ## Microsoft Endpoint Configuration Manager
 
 1. In Microsoft Endpoint Configuration Manager, click **Assets and Compliance** > **Endpoint Protection** > **Windows Defender Exploit Guard**.
-1. Click **Home** > **Create Exploit Guard Policy**.
+
-1. Enter a name and a description, click **Attack Surface Reduction**, and click **Next**.
+2. Click **Home** > **Create Exploit Guard Policy**.
-1. Choose which rules will block or audit actions and click **Next**.
+
-1. Review the settings and click **Next** to create the policy.
+3. Enter a name and a description, click **Attack Surface Reduction**, and click **Next**.
-1. After the policy is created, click **Close**.
+
+4. Choose which rules will block or audit actions and click **Next**.
+
+5. Review the settings and click **Next** to create the policy.
+
+6. After the policy is created, click **Close**.
 
 ## Group Policy
 
@@ -120,13 +127,13 @@ Value: c:\path|e:\path|c:\Whitelisted.exe
 
 3. Expand the tree to **Windows components** > **Windows Defender Antivirus** > **Windows Defender Exploit Guard** > **Attack surface reduction**.
 
-4. Select **Configure Attack surface reduction rules** and select **Enabled**. You can then set the individual state for each rule in the options section:
+4. Select **Configure Attack surface reduction rules** and select **Enabled**. You can then set the individual state for each rule in the options section.
 
-   * Click **Show...** and enter the rule ID in the **Value name** column and your desired state in the **Value** column as follows:
+   Click **Show...** and enter the rule ID in the **Value name** column and your desired state in the **Value** column as follows:
 
-       * Disable = 0
+   - Disable = 0
-       * Block (enable ASR rule) = 1
+   - Block (enable ASR rule) = 1
-       * Audit = 2
+   - Audit = 2
 
    ![Group policy setting showing a blank attack surface reduction rule ID and value of 1](../images/asr-rules-gp.png)
 
@@ -169,11 +176,11 @@ Value: c:\path|e:\path|c:\Whitelisted.exe
     > Set-MpPreference -AttackSurfaceReductionRules_Ids <rule ID 1>,<rule ID 2>,<rule ID 3>,<rule ID 4> -AttackSurfaceReductionRules_Actions Enabled, Enabled, Disabled, AuditMode
     > ```
 
-    You can also the `Add-MpPreference` PowerShell verb to add new rules to the existing list.
+    You can also use the `Add-MpPreference` PowerShell verb to add new rules to the existing list.
 
     > [!WARNING]
     > `Set-MpPreference` will always overwrite the existing set of rules. If you want to add to the existing set, you should use `Add-MpPreference` instead.
-    > You can obtain a list of rules and their current state by using `Get-MpPreference`
+    > You can obtain a list of rules and their current state by using `Get-MpPreference`.
 
 3. To exclude files and folders from ASR rules, use the following cmdlet:
 
@@ -186,9 +193,12 @@ Value: c:\path|e:\path|c:\Whitelisted.exe
     > [!IMPORTANT]
     > Use `Add-MpPreference` to append or add apps to the list. Using the `Set-MpPreference` cmdlet will overwrite the existing list.
 
-## Related topics
+## Related articles
 
-* [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md)
+- [Reduce attack surfaces with attack surface reduction rules](attack-surface-reduction.md)
-* [Evaluate attack surface reduction](evaluate-attack-surface-reduction.md)
+
-* [Attack surface reduction FAQ](attack-surface-reduction.md)
+- [Evaluate attack surface reduction](evaluate-attack-surface-reduction.md)
-* [Enable cloud-delivered protection](../windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md)
+
+- [Attack surface reduction FAQ](attack-surface-reduction.md)
+
+- [Enable cloud-delivered protection](../windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus.md)

windows/whats-new/whats-new-windows-10-version-2004.md

@@ -179,7 +179,7 @@ For updated information, see the [Microsoft 365 blog](https://aka.ms/CortanaUpda
 
 ### Windows Search
 
-Windows Search is [improved](https://insider.windows.com/community-news/desktop-search/) in several ways.
+Windows Search is improved in several ways. For more information, see [Supercharging Windows Search](https://aka.ms/AA8kllm).
 
 ### Virtual Desktops
 
@@ -231,7 +231,8 @@ For information about Desktop Analytics and this release of Windows 10, see [Wha
 
 ## See Also
 
-[What’s new in the Windows 10 May 2020 Update](https://blogs.windows.com/windowsexperience/2020/05/27/whats-new-in-the-windows-10-may-2020-update/)<br>
+[What’s new for IT pros in Windows 10, version 2004](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/what-s-new-for-it-pros-in-windows-10-version-2004/ba-p/1419764): Windows IT Pro blog.<br>
+[What’s new in the Windows 10 May 2020 Update](https://blogs.windows.com/windowsexperience/2020/05/27/whats-new-in-the-windows-10-may-2020-update/): Windows Insider blog.<br>
 [What's New in Windows Server](https://docs.microsoft.com/windows-server/get-started/whats-new-in-windows-server): New and updated features in Windows Server.<br>
 [Windows 10 Features](https://www.microsoft.com/windows/features): General information about Windows 10 features.<br>
 [What's New in Windows 10](https://docs.microsoft.com/windows/whats-new/): See what’s new in other versions of Windows 10.<br>
@@ -240,4 +241,3 @@ For information about Desktop Analytics and this release of Windows 10, see [Wha
 [What's new in Windows 10, version 2004 - Windows Insiders](https://docs.microsoft.com/windows-insider/at-home/whats-new-wip-at-home-20h1): This list also includes consumer focused new features.<br>
 [Features and functionality removed in Windows 10](https://docs.microsoft.com/windows/deployment/planning/windows-10-removed-features): Removed features.<br>
 [Windows 10 features we’re no longer developing](https://docs.microsoft.com/windows/deployment/planning/windows-10-deprecated-features): Features that are not being developed.<br>
-[What’s new for IT pros in Windows 10, version 2004](https://aka.ms/whats-new-in-2004): Windows IT Pro blog.<br>