From ea74596c3b3bca206a65ac0875c71c13780a4129 Mon Sep 17 00:00:00 2001 From: jaimeo Date: Tue, 22 May 2018 13:46:02 -0700 Subject: [PATCH 01/53] import of requested new topic material --- windows/deployment/TOC.md | 1 + .../upgrade-readiness-target-new-OS.md | 49 +++++++++++++++++++ 2 files changed, 50 insertions(+) create mode 100644 windows/deployment/upgrade/upgrade-readiness-target-new-OS.md diff --git a/windows/deployment/TOC.md b/windows/deployment/TOC.md index 322fa570ca..e194452c11 100644 --- a/windows/deployment/TOC.md +++ b/windows/deployment/TOC.md @@ -250,6 +250,7 @@ ##### [Step 2: Resolve issues](upgrade/upgrade-readiness-resolve-issues.md) ##### [Step 3: Deploy Windows](upgrade/upgrade-readiness-deploy-windows.md) ##### [Additional insights](upgrade/upgrade-readiness-additional-insights.md) +##### [Targeting a new operating system version](upgrade/upgrade-readiness-target-new-OS.md) ### [Monitor Windows Updates with Update Compliance](update/update-compliance-monitor.md) #### [Get started with Update Compliance](update/update-compliance-get-started.md) #### [Use Update Compliance](update/update-compliance-using.md) diff --git a/windows/deployment/upgrade/upgrade-readiness-target-new-OS.md b/windows/deployment/upgrade/upgrade-readiness-target-new-OS.md new file mode 100644 index 0000000000..e7556bced3 --- /dev/null +++ b/windows/deployment/upgrade/upgrade-readiness-target-new-OS.md 
@@ -0,0 +1,49 @@ +--- +title: Upgrade Readiness - Targeting a new operating system version +description: Explains how to run Upgrade Readiness again to target a different operating system version or bulk-approve all apps from a given vendor +ms.prod: w10 +author: jaimeo +ms.date: 05/22/2018 +--- + +# Targeting a new operating system version + +After you've used Upgrade Readiness to help deploy a given version of Windows 10, you might want to use it again to help deploy a newer version of Windows 10. When you change the target operating system version (as described in [Use Upgrade Readiness to manage Windows upgrades](use-upgrade-readiness-to-manage-windows-upgrades#target-version.md), the app states (Importance, AppOwner, UpgradeDecision, TestPlan and TestResult) are not reset. Follow this guidance to preserve or reset these states as needed: + +## TestResults + +If you want to preserve the TestResults from the previous operating system version testing, there is nothing you need to do. + +If you want to reset them, click any of the rows in the **Prioritize Application** blade (described in [Upgrade Readiness - Step 1: Identify important apps](upgrade-readiness-identify-apps.md)). This will take you to the **Log Search** user experience. Replace the query in that window with the following query: + +`search in (UAApp) IsRollup == true and RollupLevel == "Granular" and TestResult <> "Not started"` + +After a short period of time, you will see the "user input" perspective render, which will let you bulk-edit the results. Select the check box in the table header, click the **bulk edit** button, and then set the **TestResult** to *Not started*. Leave all other fields as they are. + +## UpgradeDecision + +If you want to preserve the UpgradeDecision from the previous operating system version testing, there is nothing you need to do. 
+ +If you want to reset them, keep these important points in mind: + +- Make sure to *not* reset the **Ready to upgrade** decision for the "long tail" of apps that have importance of **Ignore** or **Low install count**. Doing this will make it extremely difficult to complete the Upgrade Readiness workflow. +- Decide which decisions to reset. For example, one option is just to reset the decisions marked **Ready to upgrade** (in order to retest those), while preserving states of apps marked **Won't upgrade**. Doing this means you won't lose track of this previous marking. Or you can reset everything. + +To do this, type the following query in **Log Search**: + +`search in (UAApp) IsRollup == true and RollupLevel == "Granular" and Importance <> "Ignore" and Importance <> "Low install count"` + +>[!NOTE] +>You can also append `'and UpgradeDecision="Ready to upgrade"'`, for example, if you just want to reset apps that were previously marked **Ready**. + +After a short period of time, you will see the "user input" perspective render, which will let you bulk-edit the results. Select the check box in the table header, click the **bulk edit** button, and then set the **UpgradeDecision** to *Not reviewed*. Leave all other fields as they are. + + +## Bulk-approving apps from a given vendor + +You can bulk-approve all apps from a given vendor (for example, Microsoft) if there are no known compatibility issues. To do this, type the following query in **Log Search**: + +`search in (UAApp) IsRollup == true and RollupLevel == "Granular" and AppVendor has "Microsoft" and UpgradeAssessment=="No known issues" and UpgradeDecision<>"Ready to upgrade"` + +After a short period of time, you will see the "user input" perspective render, which will let you bulk-edit the results. Select the check box in the table header, click the **bulk edit" button**, and then set the **UpgradeDecision** to *Ready to upgrade*. Leave all other fields as they are. + 
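Review bot: in the new topic's opening paragraph the link target `use-upgrade-readiness-to-manage-windows-upgrades#target-version.md` puts the `.md` after the fragment, so it will not resolve, and the parenthetical `(as described in ...` is never closed; suggest `[Use Upgrade Readiness to manage Windows upgrades](use-upgrade-readiness-to-manage-windows-upgrades.md#target-version)),`. In the same file, the note under UpgradeDecision tells readers to append `'and UpgradeDecision="Ready to upgrade"'`, which uses a single `=` and stray single quotes where every other query on the page uses `==` inside plain backticks, so the pasted predicate will not match the surrounding examples; write it as `and UpgradeDecision == "Ready to upgrade"`. In the bulk-approve section, `**bulk edit" button**` has a mismatched quote and bold marker; the earlier sections use `**bulk edit** button`. Finally, that bulk-approve query keys on `AppVendor has "Microsoft"`, a term match on the vendor string rather than an exact comparison, so the text should tell readers to review the matched rows before selecting the header check box and bulk-setting **Ready to upgrade**, or use `AppVendor == "Microsoft"` if an exact match is what is intended.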
From c94a5915a96994e8ac0dfb52e5342eeb5d95a805 Mon Sep 17 00:00:00 2001 From: jaimeo Date: Tue, 22 May 2018 14:37:17 -0700 Subject: [PATCH 02/53] fixing links and typos --- .../upgrade/upgrade-readiness-target-new-OS.md | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/windows/deployment/upgrade/upgrade-readiness-target-new-OS.md b/windows/deployment/upgrade/upgrade-readiness-target-new-OS.md index e7556bced3..85c0583285 100644 --- a/windows/deployment/upgrade/upgrade-readiness-target-new-OS.md +++ b/windows/deployment/upgrade/upgrade-readiness-target-new-OS.md 
@@ -8,13 +8,13 @@ ms.date: 05/22/2018 # Targeting a new operating system version -After you've used Upgrade Readiness to help deploy a given version of Windows 10, you might want to use it again to help deploy a newer version of Windows 10. When you change the target operating system version (as described in [Use Upgrade Readiness to manage Windows upgrades](use-upgrade-readiness-to-manage-windows-upgrades#target-version.md), the app states (Importance, AppOwner, UpgradeDecision, TestPlan and TestResult) are not reset. Follow this guidance to preserve or reset these states as needed: +After you've used Upgrade Readiness to help deploy a given version of Windows 10, you might want to use it again to help deploy a newer version of Windows 10. When you change the target operating system version (as described in [Use Upgrade Readiness to manage Windows upgrades](upgrade/use-upgrade-readiness-to-manage-windows-upgrades#target-version.md)), the app states (Importance, AppOwner, UpgradeDecision, TestPlan, and TestResult) are not reset. Follow this guidance to preserve or reset these states as needed: ## TestResults If you want to preserve the TestResults from the previous operating system version testing, there is nothing you need to do. -If you want to reset them, click any of the rows in the **Prioritize Application** blade (described in [Upgrade Readiness - Step 1: Identify important apps](upgrade-readiness-identify-apps.md)). This will take you to the **Log Search** user experience. Replace the query in that window with the following query: +If you want to reset them, click any of the rows in the **Prioritize Application** blade (described in [Upgrade Readiness - Step 1: Identify important apps](upgrade/upgrade-readiness-identify-apps.md)). This will take you to the **Log Search** user experience. Replace the query in that window with the following query: `search in (UAApp) IsRollup == true and RollupLevel == "Granular" and TestResult <> "Not started"` 
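Review bot: the `upgrade/` prefix added to both links is wrong for this file: it already lives in `windows/deployment/upgrade/`, and relative links resolve from the file's own directory, so `upgrade/use-upgrade-readiness-to-manage-windows-upgrades#target-version.md` would point at `upgrade/upgrade/...`. The `.md` is also still after the `#target-version` fragment. Suggest `(use-upgrade-readiness-to-manage-windows-upgrades.md#target-version)` and `(upgrade-readiness-identify-apps.md)`; the added closing parenthesis and the comma before "and TestResult" are fine.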
@@ -47,3 +47,9 @@ You can bulk-approve all apps from a given vendor (for example, Microsoft) if th After a short period of time, you will see the "user input" perspective render, which will let you bulk-edit the results. Select the check box in the table header, click the **bulk edit" button**, and then set the **UpgradeDecision** to *Ready to upgrade*. Leave all other fields as they are. +## Related topics + +[Windows Analytics overview](../update/windows-analytics-overview) +[Manage Windows upgrades with Upgrade Readiness](manage-windows-updgrades-with-upgrade-readiness) +[Get started with Upgrade Readiness](upgrade-readiness-get-started) + From 4225e5679a4e5c2617383bcfd7cd92a86d5574fe Mon Sep 17 00:00:00 2001 From: jaimeo Date: Tue, 22 May 2018 14:58:02 -0700 Subject: [PATCH 03/53] more link fu --- .../upgrade/upgrade-readiness-target-new-OS.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/windows/deployment/upgrade/upgrade-readiness-target-new-OS.md b/windows/deployment/upgrade/upgrade-readiness-target-new-OS.md index 85c0583285..c934082d93 100644 --- a/windows/deployment/upgrade/upgrade-readiness-target-new-OS.md +++ b/windows/deployment/upgrade/upgrade-readiness-target-new-OS.md 
@@ -8,13 +8,13 @@ ms.date: 05/22/2018 # Targeting a new operating system version -After you've used Upgrade Readiness to help deploy a given version of Windows 10, you might want to use it again to help deploy a newer version of Windows 10. When you change the target operating system version (as described in [Use Upgrade Readiness to manage Windows upgrades](upgrade/use-upgrade-readiness-to-manage-windows-upgrades#target-version.md)), the app states (Importance, AppOwner, UpgradeDecision, TestPlan, and TestResult) are not reset. Follow this guidance to preserve or reset these states as needed: +After you've used Upgrade Readiness to help deploy a given version of Windows 10, you might want to use it again to help deploy a newer version of Windows 10. When you change the target operating system version (as described in [Use Upgrade Readiness to manage Windows upgrades](use-upgrade-readiness-to-manage-windows-upgrades.md#target-version)), the app states (Importance, AppOwner, UpgradeDecision, TestPlan, and TestResult) are not reset. Follow this guidance to preserve or reset these states as needed: ## TestResults If you want to preserve the TestResults from the previous operating system version testing, there is nothing you need to do. -If you want to reset them, click any of the rows in the **Prioritize Application** blade (described in [Upgrade Readiness - Step 1: Identify important apps](upgrade/upgrade-readiness-identify-apps.md)). This will take you to the **Log Search** user experience. Replace the query in that window with the following query: +If you want to reset them, click any of the rows in the **Prioritize Application** blade (described in [Upgrade Readiness - Step 1: Identify important apps](upgrade-readiness-identify-apps.md)). This will take you to the **Log Search** user experience. Replace the query in that window with the following query: `search in (UAApp) IsRollup == true and RollupLevel == "Granular" and TestResult <> "Not started"` 
@@ -49,7 +49,7 @@ After a short period of time, you will see the "user input" perspective render, ## Related topics -[Windows Analytics overview](../update/windows-analytics-overview) -[Manage Windows upgrades with Upgrade Readiness](manage-windows-updgrades-with-upgrade-readiness) -[Get started with Upgrade Readiness](upgrade-readiness-get-started) +[Windows Analytics overview](../update/windows-analytics-overview.md) +[Manage Windows upgrades with Upgrade Readiness](manage-windows-upgrades-with-upgrade-readiness.md) +[Get started with Upgrade Readiness](upgrade-readiness-get-started.md) From 71fbf9753ff6444234b36f1eef2a9383c8c3c8e5 Mon Sep 17 00:00:00 2001 From: jaimeo Date: Tue, 22 May 2018 15:26:21 -0700 Subject: [PATCH 04/53] fixing spacing of related topics links --- windows/deployment/upgrade/upgrade-readiness-target-new-OS.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/deployment/upgrade/upgrade-readiness-target-new-OS.md b/windows/deployment/upgrade/upgrade-readiness-target-new-OS.md index c934082d93..a357be01c6 100644 --- a/windows/deployment/upgrade/upgrade-readiness-target-new-OS.md +++ b/windows/deployment/upgrade/upgrade-readiness-target-new-OS.md @@ -50,6 +50,8 @@ After a short period of time, you will see the "user input" perspective render, ## Related topics [Windows Analytics overview](../update/windows-analytics-overview.md) + [Manage Windows upgrades with Upgrade Readiness](manage-windows-upgrades-with-upgrade-readiness.md) + [Get started with Upgrade Readiness](upgrade-readiness-get-started.md) From 0edbb4d12bc54e4e2699e07406a661ed9af81cf2 Mon Sep 17 00:00:00 2001 From: Patti Short Date: Sun, 27 May 2018 10:27:25 -0700 Subject: [PATCH 05/53] fixed invalid link --- .../identity-protection/vpn/vpn-conditional-access.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) 
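Review bot: the Related topics fixes look right (`updgrades` corrected to `upgrades`, `.md` added to all three links). PATCH 04 then separates the links with blank lines, which makes each one its own paragraph; a bulleted list such as `- [Windows Analytics overview](../update/windows-analytics-overview.md)` would keep them on separate lines without depending on paragraph spacing.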
diff --git a/windows/security/identity-protection/vpn/vpn-conditional-access.md b/windows/security/identity-protection/vpn/vpn-conditional-access.md index 7d22c3efb9..792ac66a13 100644 --- a/windows/security/identity-protection/vpn/vpn-conditional-access.md +++ b/windows/security/identity-protection/vpn/vpn-conditional-access.md @@ -23,9 +23,10 @@ The VPN client is now able to integrate with the cloud-based Conditional Access >Conditional Access is an Azure AD Premium feature. Conditional Access Platform components used for Device Compliance include the following cloud-based services: -- [Conditional Access Framework](https://blogs.technet.microsoft.com/tip_of_the_day/2016/03/12/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn/) -- [Azure AD Connect Health](https://azure.microsoft.com/documentation/articles/active-directory-Azure ADconnect-health/) +- [Conditional Access Framework](https://blogs.technet.microsoft.com/tip_of_the_day/2016/03/12/tip-of-the-day-the-conditional-access-framework-and-device-compliance-for-vpn) + +- [Azure AD Connect Health](https://docs.microsoft.com/en-us/azure/active-directory/connect-health/active-directory-aadconnect-health) - [Windows Health Attestation Service](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices#device-health-attestation) (optional) From e3659a191f6fc80749a53a76d8c4f76114bf5151 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Tue, 29 May 2018 14:43:55 -0700 Subject: [PATCH 06/53] add UK --- ...orage-privacy-windows-defender-advanced-threat-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md index e04a79d353..7a7abff824 100644 
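Review bot: the new Azure AD Connect Health URL hard-codes the `en-us` locale segment (`https://docs.microsoft.com/en-us/azure/active-directory/connect-health/active-directory-aadconnect-health`); docs.microsoft.com links should be locale-neutral so readers are served their own language, so drop `/en-us`. The hunk also inserts a blank line after the first bullet but not between the second and third, so the list will render with uneven spacing; remove the added blank line. Replacing the old URL, which contained a literal space (`active-directory-Azure ADconnect-health`), is the right fix.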
--- a/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/data-storage-privacy-windows-defender-advanced-threat-protection.md @@ -51,7 +51,7 @@ In all scenarios, data is encrypted using 256-bit [AES encyption](https://en.wik ## Do I have the flexibility to select where to store my data? -When onboarding the service for the first time, you can choose to store your data in Microsoft Azure datacenters in Europe or in the United States. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Customer data in de-identified form may also be stored in the central storage and processing systems in the United States. +When onboarding the service for the first time, you can choose to store your data in Microsoft Azure datacenters in the United Kingdom, Europe, or in the United States. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Customer data in de-identified form may also be stored in the central storage and processing systems in the United States. ## Is my data isolated from other customer data? Yes, your data is isolated through access authentication and logical segregation based on customer identifier. Each customer can only access data collected from its own organization and generic data that Microsoft provides. From 14564fcf817ed9e3effe7f2e73faf334bb915d6b Mon Sep 17 00:00:00 2001 
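Review bot: "in the United Kingdom, Europe, or in the United States" repeats "in"; suggest "in the United Kingdom, Europe, or the United States". While this file is open, the unchanged context line at the top of the hunk reads "AES encyption" and should be "AES encryption".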
From: Dune Desormeaux Date: Tue, 29 May 2018 15:58:07 -0700 Subject: [PATCH 07/53] Correct WMI Command language Corrected a technical error around SCCM compatibility with Exploit Guard and cleaned up surrounding text. --- .../attack-surface-reduction-exploit-guard.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 00c9b0bbaa..64448f983d 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -191,7 +191,7 @@ Local Security Authority Subsystem Service (LSASS) authenticates users who log i This rule blocks processes through PsExec and WMI commands from running, to prevent remote code execution that can spread malware attacks. >[!WARNING] ->[Only use this rule if you are managing your devices with Intune or other MDM solution. If you use this rule with SCCM, it will prevent SCCM compliance rules from working, because this rule blocks the PSExec commands in SCCM.] +>[Only use this rule if you are managing your devices with [Intune](https://docs.microsoft.com/intune) or another MDM solution. This rule is incompatible with management through [System Center Configuration Manager](https://docs.microsoft.com/sccm) because this rule blocks WMI commands that the Configuration Manager client uses to function correctly.] ### Rule: Block untrusted and unsigned processes that run from USB From 894c48baccacd6bc90fa4ddfdfc359104272a5d9 Mon Sep 17 00:00:00 2001 
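Review bot: the outer square brackets around the warning are kept (`>[Only use this rule ... correctly.]`), so the whole sentence renders as literal bracketed text, and now that it contains markdown links of its own (`[Intune](https://docs.microsoft.com/intune)`, `[System Center Configuration Manager](https://docs.microsoft.com/sccm)`) the nesting is fragile; drop the leading `[` and trailing `]` so the line reads `>Only use this rule if you are managing your devices with [Intune](https://docs.microsoft.com/intune) or another MDM solution. ...`. The corrected reason (the rule blocks WMI commands the Configuration Manager client depends on, rather than the PsExec commands the old text named) is consistent with the rule description in the context line above.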
From: Justin Krejcha Date: Tue, 29 May 2018 22:13:11 -0700 Subject: [PATCH 08/53] Place SID and friendly name for Users in correct columns Small fix --- .../identity-protection/access-control/security-identifiers.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/access-control/security-identifiers.md b/windows/security/identity-protection/access-control/security-identifiers.md index 9a584e36e0..19f600c354 100644 --- a/windows/security/identity-protection/access-control/security-identifiers.md +++ b/windows/security/identity-protection/access-control/security-identifiers.md @@ -215,7 +215,7 @@ The SECURITY\_NT\_AUTHORITY (S-1-5) predefined identifier authority produces SID | S-1-5-*domain*-520| Group Policy Creator Owners| A global group that is authorized to create new Group Policy Objects in Active Directory. By default, the only member of the group is Administrator.
Objects that are created by members of Group Policy Creator Owners are owned by the individual user who creates them. In this way, the Group Policy Creator Owners group is unlike other administrative groups (such as Administrators and Domain Admins). Objects that are created by members of these groups are owned by the group rather than by the individual.| | S-1-5-*domain*-553| RAS and IAS Servers| A local domain group. By default, this group has no members. Computers that are running the Routing and Remote Access service are added to the group automatically.
Members of this group have access to certain properties of User objects, such as Read Account Restrictions, Read Logon Information, and Read Remote Access Information.| | S-1-5-32-544 | Administrators| A built-in group. After the initial installation of the operating system, the only member of the group is the Administrator account. When a computer joins a domain, the Domain Admins group is added to the Administrators group. When a server becomes a domain controller, the Enterprise Admins group also is added to the Administrators group.| -| Users | S-1-5-32-545| A built-in group. After the initial installation of the operating system, the only member is the Authenticated Users group.| +| S-1-5-32-545 | Users| A built-in group. After the initial installation of the operating system, the only member is the Authenticated Users group.| | S-1-5-32-546 | Guests| A built-in group. By default, the only member is the Guest account. The Guests group allows occasional or one-time users to log on with limited privileges to a computer's built-in Guest account.| | S-1-5-32-547 | Power Users| A built-in group. By default, the group has no members. Power users can create local users and groups; modify and delete accounts that they have created; and remove users from the Power Users, Users, and Guests groups. Power users also can install programs; create, manage, and delete local printers; and create and delete file shares. | | S-1-5-32-548| Account Operators| A built-in group that exists only on domain controllers. By default, the group has no members. By default, Account Operators have permission to create, modify, and delete accounts for users, groups, and computers in all containers and organizational units of Active Directory except the Builtin container and the Domain Controllers OU. Account Operators do not have permission to modify the Administrators and Domain Admins groups, nor do they have permission to modify the accounts for members of those groups.| 
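Review bot: correct fix; the row now follows the SID, name, description column order used by every other row in the table. Unrelated to the change, the context line for `S-1-5-*domain*-553` says "A local domain group"; the standard term for that group scope is "domain local group".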
From 4176d4921298fdbd8ce367bacc4f5b86852e77f3 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 30 May 2018 09:01:06 -0700 Subject: [PATCH 09/53] revised note about using MDM vs MAM --- .../create-wip-policy-using-intune-azure.md | 11 +++++++---- .../create-wip-policy-using-mam-intune-azure.md | 9 +++++---- 2 files changed, 12 insertions(+), 8 deletions(-) diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index 19991175b1..0163ad7144 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md 
@@ -19,10 +19,13 @@ ms.date: 05/09/2018 Microsoft Intune helps you create and deploy your Windows Information Protection (WIP) policy, including letting you choose your protected apps, your WIP-protection level, and how to find enterprise data on the network. ->[!Important] ->This topic covers creating a Windows Information Protection (WIP) policy for organizations already managing devices by using Mobile Device Management (MDM) solutions. If your organization uses a mobile application management (MAM) solution to deploy your WIP policy to Intune apps without managing devices, you must follow the instructions in the [Create a Windows Information Protection (WIP) policy with MAM using the Azure portal for Microsoft Intune](create-wip-policy-using-mam-intune-azure.md) topic. ->If the same user and device are targeted for both MDM policy and MAM-only (without device enrollment) policy, the MDM policy will be applied to devices joined to Azure AD. For personal devices that are workplace-joined, the MAM-only policy will be preferred but it's possible to upgrade the device management to MDM in **Settings**. ->Windows Home edition only supports WIP for MAM-only; upgrading to MDM policy on Home edition will revoke WIP-protected data access. +## Alternative steps if you use MAM only (without device enrollment) + +This topic covers creating a Windows Information Protection (WIP) policy for organizations already managing devices by using Mobile Device Management (MDM) solutions. If your organization uses a mobile application management (MAM) solution to deploy your WIP policy to Intune apps without managing devices, see [Create a Windows Information Protection (WIP) policy with MAM using the Azure portal for Microsoft Intune](create-wip-policy-using-mam-intune-azure.md). + +If the same user and device are targeted for both MDM policy and MAM-only (without device enrollment) policy, the MDM policy will be applied to devices joined to Azure AD. 
For personal devices that are workplace-joined, the MAM-only policy will be preferred but it's possible to upgrade the device management to MDM in **Settings**. + +Windows Home edition only supports WIP for MAM-only; upgrading to MDM policy on Home edition will revoke WIP-protected data access. ## Add a WIP policy Follow these steps to add a WIP policy using Intune. diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md index c4df5d699f..3d634dccbb 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md 
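Review bot: demoting the note to a plain `## Alternative steps if you use MAM only (without device enrollment)` section hides the one sentence with an operational consequence: "Windows Home edition only supports WIP for MAM-only; upgrading to MDM policy on Home edition will revoke WIP-protected data access" describes loss of access to protected data and should stay in a `>[!WARNING]` (or at least `>[!IMPORTANT]`) callout rather than become the last paragraph of a section about alternative steps. Also, the section's first sentence ("This topic covers creating a Windows Information Protection (WIP) policy for organizations already managing devices by using Mobile Device Management (MDM) solutions") restates the topic's scope rather than the alternative the heading promises; lead with the MAM condition ("If your organization uses a mobile application management (MAM) solution ... see ...") and keep the scope sentence in the introduction above the heading.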
@@ -26,10 +26,11 @@ By using Microsoft Intune with Mobile application management (MAM), organization - Remove enterprise data from employee's devices - Report on mobile app inventory and track usage ->[!NOTE] ->This topic covers creating a Windows Information Protection (WIP) policy for organizations using a mobile application management (MAM) solution to deploy your WIP policy to Intune apps without device enrollment. If you are already managing devices by using a Mobile Device Management (MDM) solution, you must follow the instructions in the [Create a Windows Information Protection (WIP) with enrollment policy using the Azure portal for Microsoft Intune](create-wip-policy-using-intune-azure.md) topic. ->If the same user and device are targeted for both MAM-only (without device enrollment) policy and MDM policy, the MDM policy will be applied to devices joined to Azure AD. For personal devices that are workplace-joined, the MAM-only policy will be preferred but it's possible to upgrade the device management to MDM in **Settings**. ->Windows Home edition only supports WIP for MAM-only; upgrading to MDM policy on Home edition will revoke WIP-protected data access. +## Alternative steps if you already manage devices with MDM + +This topic covers creating a Windows Information Protection (WIP) policy for organizations using a mobile application management (MAM) solution to deploy your WIP policy to Intune apps without device enrollment. If you are already managing devices by using a Mobile Device Management (MDM) solution, see [Create a Windows Information Protection (WIP) with enrollment policy using the Azure portal for Microsoft Intune](create-wip-policy-using-intune-azure.md). +If the same user and device are targeted for both MAM-only (without device enrollment) policy and MDM policy, the MDM policy (with device enrollement) will be applied to devices joined to Azure AD. 
For personal devices that are workplace-joined (that is, added by using **Settings** > **Email & accounts** > **Add a work or school account**), the MAM-only policy will be preferred but it's possible to upgrade the device management to MDM in **Settings**. +Windows Home edition only supports WIP for MAM-only; upgrading to MDM policy on Home edition will revoke WIP-protected data access. ## Prerequisites to using MAM with Windows Information Protection (WIP) Before you can create your WIP policy with MAM, you must first set up your MAM provider. For more info about how to do this, see the [Get ready to configure app protection policies for Windows 10](https://docs.microsoft.com/en-us/intune-classic/deploy-use/get-ready-to-configure-app-protection-policies-for-windows-10) topic. From 3c1fb881529b8919900bed2a7f85f14ce885b15f Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 30 May 2018 09:10:23 -0700 Subject: [PATCH 10/53] revised note about using MDM vs MAM --- .../create-wip-policy-using-intune-azure.md | 3 ++- .../create-wip-policy-using-mam-intune-azure.md | 4 ++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index 0163ad7144..48e93d15df 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md @@ -6,8 +6,9 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security author: eross-msft +ms.author: justinha ms.localizationpriority: medium -ms.date: 05/09/2018 +ms.date: 05/30/2018 --- # Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune 
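Review bot: "enrollement" is misspelled in the added text (`MDM policy (with device enrollement)`). Unlike the same rewrite in create-wip-policy-using-intune-azure.md, this hunk puts the three new sentences on consecutive lines with no blank `+` line between them, so they will render as a single paragraph; add blank lines as in the sibling file. The Home-edition revocation sentence has the same visibility concern here and belongs in a warning callout. For the PATCH 10 frontmatter hunk that follows: `ms.author: justinha` is added while `author: eross-msft` is left in place, so the two author fields now name different people; they should agree.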
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md index 3d634dccbb..ed662d8105 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md @@ -6,8 +6,8 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security author: eross-msft -ms.author: lizross -ms.date: 10/13/2017 +ms.author: justinha +ms.date: 05/30/2018 localizationpriority: medium --- From 0fd232c58919c39d1a511a5d0d8e37d53029384e Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 30 May 2018 09:27:11 -0700 Subject: [PATCH 11/53] removed en-us --- .../app-behavior-with-wip.md | 2 +- ...te-vpn-and-wip-policy-using-intune-azure.md | 2 +- .../create-wip-policy-using-intune-azure.md | 16 ++++++++-------- .../create-wip-policy-using-intune.md | 8 ++++---- ...create-wip-policy-using-mam-intune-azure.md | 18 +++++++++--------- .../limitations-with-wip.md | 6 +++--- .../mandatory-settings-for-wip.md | 2 +- .../protect-enterprise-data-using-wip.md | 4 ++-- .../recommended-network-definitions-for-wip.md | 2 +- .../using-owa-with-wip.md | 2 +- .../wip-app-enterprise-context.md | 2 +- 11 files changed, 32 insertions(+), 32 deletions(-) diff --git a/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md b/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md index 9069e4634e..d7898455cc 100644 --- a/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md +++ b/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md 
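Review bot: same mismatch as in the sibling file: `ms.author` changes from `lizross` to `justinha` while `author: eross-msft` stays, so the two fields name different people. This file also uses `localizationpriority: medium` where create-wip-policy-using-intune-azure.md uses `ms.localizationpriority: medium`; worth aligning the key while the frontmatter is being touched.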
@@ -31,7 +31,7 @@ We strongly suggest that the only unenlightened apps you add to your allowed app >After revoking WIP, unenlightened apps will have to be uninstalled and re-installed since their settings files will remain encrypted. >[!Note] ->For more info about creating enlightened apps, see the [Windows Information Protection (WIP)](https://msdn.microsoft.com/en-us/windows/uwp/enterprise/wip-hub) topic in the Windows Dev Center. +>For more info about creating enlightened apps, see the [Windows Information Protection (WIP)](https://msdn.microsoft.com/windows/uwp/enterprise/wip-hub) topic in the Windows Dev Center. ## Unenlightened app behavior This table includes info about how unenlightened apps might behave, based on your Windows Information Protection (WIP) networking policies, your app configuration, and potentially whether the app connects to network resources directly by using IP addresses or by using hostnames. diff --git a/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md index 32d3fa955b..5d54aaac22 100644 --- a/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md 
@@ -24,7 +24,7 @@ Follow these steps to associate your WIP policy with your organization's existin **To associate your policies** -1. Create your VPN profile. For info about how to do this, see [How to configure VPN settings in Microsoft Intune](https://docs.microsoft.com/en-us/intune-azure/configure-devices/how-to-configure-vpn-settings) and [How to create custom VPN profiles in Microsoft Intune](https://docs.microsoft.com/en-us/intune-azure/configure-devices/create-custom-vpn-profiles#create-a-custom-configuration). +1. Create your VPN profile. For info about how to do this, see [How to configure VPN settings in Microsoft Intune](https://docs.microsoft.com/intune-azure/configure-devices/how-to-configure-vpn-settings) and [How to create custom VPN profiles in Microsoft Intune](https://docs.microsoft.com/intune-azure/configure-devices/create-custom-vpn-profiles#create-a-custom-configuration). 2. Open the Microsoft Intune mobile application management console, click **Device configuration**, and then click **Create Profile**. diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index 48e93d15df..0d38165e64 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md 
@@ -52,7 +52,7 @@ Follow these steps to add a WIP policy using Intune. ![Add a mobile app policy](images/add-a-mobile-app-policy.png) >[!Important] - >Choosing **With enrollment** only applies for organizations using MDM. If you're using MAM only (without device enrollment), you must use these instructions instead: [Create and deploy Windows Information Protection (WIP) app protection policy with Intune](https://docs.microsoft.com/en-us/intune/deploy-use/create-windows-information-protection-policy-with-intune). + >Choosing **With enrollment** only applies for organizations using MDM. If you're using MAM only (without device enrollment), see [Create a Windows Information Protection (WIP) policy with MAM using the Azure portal for Microsoft Intune](create-wip-policy-using-mam-intune-azure.md). 4. Click **Protected apps** and then click **Add apps**. @@ -88,7 +88,7 @@ If you don't know the Store app publisher or product name, you can find them for 1. Go to the [Microsoft Store for Business](https://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, *Power BI Mobile App*. -2. Copy the ID value from the app URL. For example, the Power BI Mobile App ID URL is https://www.microsoft.com/en-us/store/p/microsoft-power-bi/9nblgggzlxn1, and you'd copy the ID value, `9nblgggzlxn1`. +2. Copy the ID value from the app URL. For example, the Power BI Mobile App ID URL is https://www.microsoft.com/store/p/microsoft-power-bi/9nblgggzlxn1, and you'd copy the ID value, `9nblgggzlxn1`. 3. In a browser, run the Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9nblgggzlxn1/applockerdata, where `9nblgggzlxn1` is replaced with your ID value. 
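Review bot: the replacement line in the @@ -52,7 hunk goes beyond the "removed en-us" described in the commit message: it retargets the Important note from the external https://docs.microsoft.com/intune/deploy-use/create-windows-information-protection-policy-with-intune page to the in-repo create-wip-policy-using-mam-intune-azure.md and rewords the sentence. That leaves this file pointing at two different targets for the same MAM guidance, because the Related topics entry in the @@ -498,9 hunk further down still links the external intune/deploy-use URL; either switch that entry to the relative link as well, or call out the retargeting in the commit message so reviewers expect it. The same kind of rewording (not just a URL edit) appears in the @@ -33,9 and @@ -65,7 hunks of create-wip-policy-using-mam-intune-azure.md.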
@@ -379,7 +379,7 @@ There are no default locations included with WIP, you must add each of your netw Cloud Resources With proxy: contoso.sharepoint.com,contoso.internalproxy1.com|
contoso.visualstudio.com,contoso.internalproxy2.com

Without proxy: contoso.sharepoint.com|contoso.visualstudio.com - Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

Important
In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.

When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access), using the Domain joined or marked as compliant option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access. + Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

Important
In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.

When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access), using the Domain joined or marked as compliant option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access. Protected domains 
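Review bot: the Cloud Resources cell re-added in this hunk contradicts itself on the delimiter rule. The description says that when you don't use proxy servers you must still include the "," just before each "|" (format URL <,proxy>|URL <,proxy>), but the example at the top of the same cell gives "Without proxy: contoso.sharepoint.com|contoso.visualstudio.com" with no comma at all. Since the diff already replaces the whole cell, align the example with the stated format (or correct the rule) rather than only fixing the Conditional Access URL; the identical cell text is re-added in the @@ -359,7 hunk of create-wip-policy-using-intune.md and the @@ -448,7 hunk of create-wip-policy-using-mam-intune-azure.md and needs the same fix.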
@@ -432,7 +432,7 @@ There are no default locations included with WIP, you must add each of your netw After you create and deploy your WIP policy to your employees, Windows begins to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the Data Recovery Agent (DRA) certificate lets Windows use an included public key to encrypt the local data while you maintain the private key that can unencrypt the data. >[!Important] ->Using a DRA certificate isn’t mandatory. However, we strongly recommend it. For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](https://go.microsoft.com/fwlink/p/?LinkId=761462) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](https://docs.microsoft.com/en-us/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate) topic. +>Using a DRA certificate isn’t mandatory. However, we strongly recommend it. For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](https://go.microsoft.com/fwlink/p/?LinkId=761462) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](https://docs.microsoft.com/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate) topic. **To upload your DRA certificate** 1. From the **App policy** blade, click the name of your policy, and then click **Advanced settings** from the menu that appears. 
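Review bot: the DRA certificate link in this hunk's Important note is still an absolute URL, https://docs.microsoft.com/windows/threat-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate, even though the target topic lives in the same directory as this file (the @@ -414,7 hunk of create-wip-policy-using-intune.md links it as create-and-verify-an-efs-dra-certificate.md) and the absolute path uses the older windows/threat-protection location rather than the windows/security/information-protection path these files now sit under. While the line is being edited anyway, switch it to the relative link so the cross-reference does not depend on a redirect and matches the sibling topic.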
@@ -477,7 +477,7 @@ After you've decided where your protected apps can access enterprise data on you - **Off, or not configured.** Stops using Azure Rights Management encryption with WIP. ## Choose to set up Azure Rights Management with WIP -WIP can integrate with Microsoft Azure Rights Management to enable secure sharing of files by using removable drives such as USB drives. For more info about Azure Rights Management, see [Microsoft Azure Rights Management](https://products.office.com/en-us/business/microsoft-azure-rights-management). To integrate Azure Rights Management with WIP, you must already have Azure Rights Management set up. +WIP can integrate with Microsoft Azure Rights Management to enable secure sharing of files by using removable drives such as USB drives. For more info about Azure Rights Management, see [Microsoft Azure Rights Management](https://products.office.com/business/microsoft-azure-rights-management). To integrate Azure Rights Management with WIP, you must already have Azure Rights Management set up. To configure WIP to use Azure Rights Management, you must set the **AllowAzureRMSForEDP** MDM setting to **1** in Microsoft Intune. This setting tells WIP to encrypt files copied to removable drives with Azure Rights Management, so they can be shared amongst your employees on computers running at least Windows 10, version 1703. 
@@ -487,7 +487,7 @@ Optionally, if you don’t want everyone in your organization to be able to shar >Curly braces -- {} -- are required around the RMS Template ID. >[!NOTE] ->For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/en-us/information-protection/deploy-use/configure-custom-templates) topic. +>For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/information-protection/deploy-use/configure-custom-templates) topic. ## Related topics - [How to collect Windows Information Protection (WIP) audit event logs](collect-wip-audit-event-logs.md) 
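Review bot: the replacement NOTE line in the @@ -487,7 hunk still reads "see [Configuring custom templates for the Azure Rights Management service](...) topic", which is missing "the" before the link (compare the preceding sentence, "see the [EnterpriseDataProtection CSP](...) topic"). Since this line is being touched, fix the wording here and in the identical notes in the @@ -424,7 hunk of create-wip-policy-using-intune.md and the @@ -563,7 hunk of create-wip-policy-using-mam-intune-azure.md.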
@@ -498,9 +498,9 @@ Optionally, if you don’t want everyone in your organization to be able to shar - [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md) -- [What is Azure Rights Management?]( https://docs.microsoft.com/en-us/information-protection/understand-explore/what-is-azure-rms) +- [What is Azure Rights Management?]( https://docs.microsoft.com/information-protection/understand-explore/what-is-azure-rms) -- [Create and deploy Windows Information Protection (WIP) app protection policy with Intune and MAM](https://docs.microsoft.com/en-us/intune/deploy-use/create-windows-information-protection-policy-with-intune) +- [Create and deploy Windows Information Protection (WIP) app protection policy with Intune and MAM](https://docs.microsoft.com/intune/deploy-use/create-windows-information-protection-policy-with-intune) - [Intune MAM Without Enrollment](https://blogs.technet.microsoft.com/configmgrdogs/2016/02/04/intune-mam-without-enrollment/) diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune.md index 68e5de567f..abee275cdd 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune.md @@ -359,7 +359,7 @@ There are no default locations included with WIP, you must add each of your netw Enterprise Cloud Resources With proxy: contoso.sharepoint.com,contoso.internalproxy1.com|
contoso.visualstudio.com,contoso.internalproxy2.com

Without proxy: contoso.sharepoint.com|contoso.visualstudio.com - Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

Important
In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.

When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access), using the Domain joined or marked as compliant option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access. + Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify a proxy server from your Enterprise Internal Proxy Servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Enterprise Internal Proxy Servers is considered enterprise.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

Important
In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.

When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access), using the Domain joined or marked as compliant option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access. Enterprise Network Domain Names (Required) 
@@ -414,7 +414,7 @@ There are no default locations included with WIP, you must add each of your netw For more info about how to find and export your data recovery certificate, see the [Data Recovery and Encrypting File System (EFS)](https://go.microsoft.com/fwlink/p/?LinkId=761462) topic. For more info about creating and verifying your EFS DRA certificate, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](create-and-verify-an-efs-dra-certificate.md). ## Choose to set up Azure Rights Management with WIP -WIP can integrate with Microsoft Azure Rights Management to enable secure sharing of files via removable drives such as USB drives. For more info about Azure Rights Management, see [Microsoft Azure Rights Management](https://products.office.com/en-us/business/microsoft-azure-rights-management). To integrate Azure Rights Management with WIP, you must already have Azure Rights Management set up. +WIP can integrate with Microsoft Azure Rights Management to enable secure sharing of files via removable drives such as USB drives. For more info about Azure Rights Management, see [Microsoft Azure Rights Management](https://products.office.com/business/microsoft-azure-rights-management). To integrate Azure Rights Management with WIP, you must already have Azure Rights Management set up. To configure WIP to use Azure Rights Management, you must set the **AllowAzureRMSForEDP** MDM setting to **1** in Microsoft Intune. This setting tells WIP to encrypt files copied to removable drives with Azure Rights Management, so they can be shared amongst your employees on computers running at least Windows 10, version 1703. 
@@ -424,7 +424,7 @@ Optionally, if you don’t want everyone in your organization to be able to shar >Curly braces -- {} -- are required around the RMS Template ID. >[!NOTE] ->For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/en-us/information-protection/deploy-use/configure-custom-templates) topic. +>For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/information-protection/deploy-use/configure-custom-templates) topic. ## Choose your optional WIP-related settings After you've decided where your protected apps can access enterprise data on your network, you’ll be asked to decide if you want to add any optional WIP settings. 
@@ -475,7 +475,7 @@ After you've decided where your protected apps can access enterprise data on you - [Azure RMS Documentation Update for May 2016](https://blogs.technet.microsoft.com/enterprisemobility/2016/05/31/azure-rms-documentation-update-for-may-2016/) -- [What is Azure Rights Management?]( https://docs.microsoft.com/en-us/information-protection/understand-explore/what-is-azure-rms) +- [What is Azure Rights Management?]( https://docs.microsoft.com/information-protection/understand-explore/what-is-azure-rms) >[!NOTE] >Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md index ed662d8105..3d0884267e 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md 
@@ -33,9 +33,9 @@ If the same user and device are targeted for both MAM-only (without device enrol Windows Home edition only supports WIP for MAM-only; upgrading to MDM policy on Home edition will revoke WIP-protected data access. ## Prerequisites to using MAM with Windows Information Protection (WIP) -Before you can create your WIP policy with MAM, you must first set up your MAM provider. For more info about how to do this, see the [Get ready to configure app protection policies for Windows 10](https://docs.microsoft.com/en-us/intune-classic/deploy-use/get-ready-to-configure-app-protection-policies-for-windows-10) topic. +Before you can create your WIP policy with MAM, you need to [set up your MAM provider](https://docs.microsoft.com/intune-classic/deploy-use/get-ready-to-configure-app-protection-policies-for-windows-10). -Additionally, you must have an [Azure AD Premium license](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-licensing-what-is) and be running at least Windows 10, version 1703 on your device. +Additionally, you must have an [Azure AD Premium license](https://docs.microsoft.com/azure/active-directory/active-directory-licensing-what-is) and be running at least Windows 10, version 1703 on your device. >[!Important] >WIP doesn't support multi-identity. Only one managed identity can exist at a time. 
@@ -65,7 +65,7 @@ After you’ve set up Intune for your organization, you must create a WIP-specif ![Microsoft Intune management console: Create your new policy in the Add a policy blade](images/wip-azure-add-policy.png) >[!Important] - >Choosing **Without enrollment** only applies for organizations using MAM. If you're using MDM, you must use these instructions, [Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune](create-wip-policy-using-intune-azure.md), instead. + >Choosing **Without enrollment** only applies for organizations using MAM. If you're using MDM, see [Create a Windows Information Protection (WIP) policy with MDM using the Azure portal for Microsoft Intune](create-wip-policy-using-intune-azure.md). 4. Click **Create**. @@ -135,7 +135,7 @@ If you don't know the publisher or product name for your Store app, you can find **To find the publisher and product name values for Store apps without installing them** 1. Go to the [Microsoft Store for Business](https://go.microsoft.com/fwlink/p/?LinkID=722910) website, and find your app. For example, *Microsoft Power BI*. -2. Copy the ID value from the app URL. For example, Microsoft Power BI ID URL is https://www.microsoft.com/en-us/store/p/microsoft-power-bi/9nblgggzlxn1, and you'd copy the ID value, `9nblgggzlxn1`. +2. Copy the ID value from the app URL. For example, Microsoft Power BI ID URL is https://www.microsoft.com/store/p/microsoft-power-bi/9nblgggzlxn1, and you'd copy the ID value, `9nblgggzlxn1`. 3. In a browser, run the Microsoft Store for Business portal web API, to return a JavaScript Object Notation (JSON) file that includes the publisher and product name values. For example, run https://bspmts.mp.microsoft.com/v1/public/catalog/Retail/Products/9nblgggzlxn1/applockerdata, where `9nblgggzlxn1` is replaced with your ID value. 
@@ -448,7 +448,7 @@ There are no default locations included with WIP, you must add each of your netw Cloud Resources With proxy: contoso.sharepoint.com,contoso.internalproxy1.com|
contoso.visualstudio.com,contoso.internalproxy2.com

Without proxy: contoso.sharepoint.com|contoso.visualstudio.com - Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

Important
In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.

When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access), using the Domain joined or marked as compliant option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access. + Specify the cloud resources to be treated as corporate and protected by WIP.

For each cloud resource, you may also optionally specify a proxy server from your Internal proxy servers list to route traffic for this cloud resource. Be aware that all traffic routed through your Internal proxy servers is considered enterprise.

If you have multiple resources, you must separate them using the "|" delimiter. If you don’t use proxy servers, you must also include the "," delimiter just before the "|". For example: URL <,proxy>|URL <,proxy>.

Important
In some cases, such as when an app connects directly to a cloud resource through an IP address, Windows can’t tell whether it’s attempting to connect to an enterprise cloud resource or to a personal site. In this case, Windows blocks the connection by default. To stop Windows from automatically blocking these connections, you can add the /*AppCompat*/ string to the setting. For example: URL <,proxy>|URL <,proxy>|/*AppCompat*/.

When using this string, we recommend that you also turn on [Azure Active Directory Conditional Access](https://docs.microsoft.com/azure/active-directory/active-directory-conditional-access), using the Domain joined or marked as compliant option, which blocks apps from accessing any enterprise cloud resources that are protected by conditional access. Network domain names 
@@ -553,7 +553,7 @@ After you've decided where your protected apps can access enterprise data on you - **MDM discovery URL.** Lets the **Windows Settings** > **Accounts** > **Access work or school** sign-in offer an **Upgrade to MDM** link. Additionally, this lets you switch to another MDM provider, so that Microsoft Intune can manage MAM, while the new MDM provider manages the MDM devices. By default, this is specified to use Microsoft Intune. #### Choose to set up Azure Rights Management with WIP -WIP can integrate with Microsoft Azure Rights Management to enable secure sharing of files by using removable drives such as USB drives. For more info about Azure Rights Management, see [Microsoft Azure Rights Management](https://products.office.com/en-us/business/microsoft-azure-rights-management). To integrate Azure Rights Management with WIP, you must already have Azure Rights Management set up. +WIP can integrate with Microsoft Azure Rights Management to enable secure sharing of files by using removable drives such as USB drives. For more info about Azure Rights Management, see [Microsoft Azure Rights Management](https://products.office.com/business/microsoft-azure-rights-management). To integrate Azure Rights Management with WIP, you must already have Azure Rights Management set up. To configure WIP to use Azure Rights Management, you must set the **AllowAzureRMSForEDP** MDM setting to **1** in Microsoft Intune. This setting tells WIP to encrypt files copied to removable drives with Azure Rights Management, so they can be shared amongst your employees on computers running at least Windows 10, version 1703. 
@@ -563,7 +563,7 @@ Optionally, if you don’t want everyone in your organization to be able to shar >Curly braces -- {} -- are required around the RMS Template ID. >[!NOTE] ->For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/en-us/information-protection/deploy-use/configure-custom-templates) topic. +>For more info about setting the **AllowAzureRMSForEDP** and the **RMSTemplateIDForEDP** MDM settings, see the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/windows/hardware/commercialize/customize/mdm/enterprisedataprotection-csp) topic. For more info about setting up and using a custom template, see [Configuring custom templates for the Azure Rights Management service](https://docs.microsoft.com/information-protection/deploy-use/configure-custom-templates) topic. ### Choose whether to use and configure Windows Hello for Business You can turn on Windows Hello for Business, letting your employees use it as a sign-in method for their devices. 
@@ -646,11 +646,11 @@ After you’ve created your policy, you'll need to deploy it to your employees. ## Related topics -- [Implement server-side support for mobile application management on Windows](https://docs.microsoft.com/en-us/windows/client-management/mdm/implement-server-side-mobile-application-management) +- [Implement server-side support for mobile application management on Windows](https://docs.microsoft.com/windows/client-management/mdm/implement-server-side-mobile-application-management) - [Microsoft Intune - Mobile Application Management (MAM) standalone blog post](https://blogs.technet.microsoft.com/cbernier/2016/01/05/microsoft-intune-mobile-application-management-mam-standalone/) -- [MAM-supported apps](https://www.microsoft.com/en-us/cloud-platform/microsoft-intune-apps) +- [MAM-supported apps](https://www.microsoft.com/cloud-platform/microsoft-intune-apps) - [General guidance and best practices for Windows Information Protection (WIP)](guidance-and-best-practices-wip.md) diff --git a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md index 1f82d1ef3c..6a7f7a416c 100644 --- a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md +++ b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md @@ -69,7 +69,7 @@ This table provides info about the most common problems you might encounter whil Redirected folders with Client Side Caching are not compatible with WIP. Apps might encounter access errors while attempting to read a cached, offline file. - Migrate to use another file synchronization method, such as Work Folders or OneDrive for Business.

Note
For more info about Work Folders and Offline Files, see the blog, [Work Folders and Offline Files support for Windows Information Protection](https://blogs.technet.microsoft.com/filecab/2016/08/29/work-folders-and-offline-files-support-for-windows-information-protection/). If you're having trouble opening files offline while using Offline Files and WIP, see the support article, [Can't open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/en-us/kb/3187045). + Migrate to use another file synchronization method, such as Work Folders or OneDrive for Business.

Note
For more info about Work Folders and Offline Files, see the blog, [Work Folders and Offline Files support for Windows Information Protection](https://blogs.technet.microsoft.com/filecab/2016/08/29/work-folders-and-offline-files-support-for-windows-information-protection/). If you're having trouble opening files offline while using Offline Files and WIP, see the support article, [Can't open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/kb/3187045). You can't upload an enterprise file to a personal location using Microsoft Edge or Internet Explorer. @@ -79,7 +79,7 @@ This table provides info about the most common problems you might encounter whil ActiveX controls should be used with caution. Webpages that use ActiveX controls can potentially communicate with other outside processes that aren’t protected by using WIP. - We recommend that you switch to using Microsoft Edge, the more secure and safer browser that prevents the use of ActiveX controls. We also recommend that you limit the usage of Internet Explorer 11 to only those line-of-business apps that require legacy technology.

For more info, see [Out-of-date ActiveX control blocking](https://technet.microsoft.com/en-us/itpro/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking). + We recommend that you switch to using Microsoft Edge, the more secure and safer browser that prevents the use of ActiveX controls. We also recommend that you limit the usage of Internet Explorer 11 to only those line-of-business apps that require legacy technology.

For more info, see [Out-of-date ActiveX control blocking](https://technet.microsoft.com/itpro/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking). Resilient File System (ReFS) isn't currently supported with WIP. @@ -105,7 +105,7 @@ This table provides info about the most common problems you might encounter whil WIP isn’t turned on for employees in your organization. - Don’t set the MakeFolderAvailableOfflineDisabled option to False for any of the specified folders.

If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports WIP, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after WIP is already in place, you might be unable to open your files offline. For more info about these potential access errors, see [Can't open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/en-us/help/3187045/can-t-open-files-offline-when-you-use-offline-files-and-windows-information-protection). + Don’t set the MakeFolderAvailableOfflineDisabled option to False for any of the specified folders.

If you currently use redirected folders, we recommend that you migrate to a file synchronization solution that supports WIP, such as Work Folders or OneDrive for Business. Additionally, if you apply redirected folders after WIP is already in place, you might be unable to open your files offline. For more info about these potential access errors, see [Can't open files offline when you use Offline Files and Windows Information Protection](https://support.microsoft.com/help/3187045/can-t-open-files-offline-when-you-use-offline-files-and-windows-information-protection). diff --git a/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md b/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md index 43ee4efa13..9ff661e183 100644 --- a/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md +++ b/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md @@ -29,7 +29,7 @@ This list provides all of the tasks and settings that are required for the opera |Specify your corporate identity.|This field is automatically filled out for you by Microsoft Intune. However, you must manually correct it if it’s incorrect or if you need to add additional domains. For more info about where this area is and what it means, see the **Define your enterprise-managed corporate identity** section of the policy creation topics. |Specify your network domain names.|Starting with Windows 10, version 1703, this field is optional.

Specify the DNS suffixes used in your environment. All traffic to the fully-qualified domains appearing in this list will be protected. For more info about where this area is and how to add your suffixes, see the table that appears in the **Choose where apps can access enterprise data** section of the policy creation topics.| |Specify your enterprise IPv4 or IPv6 ranges.|Starting with Windows 10, version 1703, this field is optional.

Specify the addresses for a valid IPv4 or IPv6 value range within your intranet. These addresses, used with your Network domain names, define your corporate network boundaries. For more info about where this area is and what it means, see the table that appears in the **Define your enterprise-managed corporate identity** section of the policy creation topics.| -|Include your Data Recovery Agent (DRA) certificate.|Starting with Windows 10, version 1703, this field is optional. But we strongly recommend that you add a certificate.

This certificate makes sure that any of your WIP-encrypted data can be decrypted, even if the security keys are lost. For more info about where this area is and what it means, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](https://technet.microsoft.com/en-us/itpro/windows/keep-secure/create-and-verify-an-efs-dra-certificate) topic.| +|Include your Data Recovery Agent (DRA) certificate.|Starting with Windows 10, version 1703, this field is optional. But we strongly recommend that you add a certificate.

This certificate makes sure that any of your WIP-encrypted data can be decrypted, even if the security keys are lost. For more info about where this area is and what it means, see the [Create and verify an Encrypting File System (EFS) Data Recovery Agent (DRA) certificate](https://technet.microsoft.com/itpro/windows/keep-secure/create-and-verify-an-efs-dra-certificate) topic.| >[!NOTE] diff --git a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md index 4227a5f80b..b685702bf0 100644 --- a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md +++ b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md @@ -18,7 +18,7 @@ ms.date: 09/11/2017 - Windows 10, version 1607 and later - Windows 10 Mobile, version 1607 and later ->Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare). +>Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare). With the increase of employee-owned devices in the enterprise, there’s also an increasing risk of accidental data leak through apps and services, like email, social media, and the public cloud, which are outside of the enterprise’s control. For example, when an employee sends the latest engineering pictures from their personal email account, copies and pastes product info into a tweet, or saves an in-progress sales report to their public cloud storage. 
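Review bot: the locale-stripped link in this hunk (`https://www.microsoft.com/WindowsForBusiness/Compare`) should be opened in a browser before merge. Dropping `en-us/` is safe for docs.microsoft.com and support.microsoft.com, which pick the locale from the request, but www.microsoft.com marketing paths are not guaranteed to resolve without one. The identical edit is repeated below in recommended-network-definitions-for-wip.md, using-owa-with-wip.md and wip-app-enterprise-context.md, so whichever URL is verified should be applied to all four pages.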
@@ -29,7 +29,7 @@ You’ll need this software to run WIP in your enterprise: |Operating system | Management solution | |-----------------|---------------------| -|Windows 10, version 1607 or later | Microsoft Intune

-OR-

System Center Configuration Manager

-OR-

Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. If your 3rd party MDM does not have UI support for the policies, refer to the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/en-us/library/windows/hardware/mt697634.aspx) documentation.| +|Windows 10, version 1607 or later | Microsoft Intune

-OR-

System Center Configuration Manager

-OR-

Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product. If your 3rd party MDM does not have UI support for the policies, refer to the [EnterpriseDataProtection CSP](https://msdn.microsoft.com/library/windows/hardware/mt697634.aspx) documentation.| ## What is enterprise data control? Effective collaboration means that you need to share data with others in your enterprise. This sharing can be from one extreme where everyone has access to everything without any security, all the way to the other extreme where people can’t share anything and it’s all highly secured. Most enterprises fall somewhere in between the two extremes, where success is balanced between providing the necessary access with the potential for improper data disclosure. diff --git a/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md b/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md index 41d141a9d4..74cf595171 100644 --- a/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md +++ b/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md 
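Review bot: the EnterpriseDataProtection CSP link in the software table of protect-enterprise-data-using-wip.md still targets msdn.microsoft.com (`https://msdn.microsoft.com/library/windows/hardware/mt697634.aspx`) after the locale strip, while the first hunk of this patch already links the MDM reference on docs.microsoft.com under `https://docs.microsoft.com/windows/client-management/mdm/...`. If the CSP reference has a page under that same client-management/mdm path, retarget this link to it so readers with a third-party MDM land on the maintained reference rather than an msdn redirect.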
@@ -18,7 +18,7 @@ ms.date: 09/11/2017 - Windows 10, version 1607 and later - Windows 10 Mobile, version 1607 and later ->Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare). +>Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare). We recommend that you add the following URLs to the Enterprise Cloud Resources and Neutral Resources network settings, when used with Windows Information Protection (WIP). diff --git a/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md b/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md index 15ca7a4e9e..9659622348 100644 --- a/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md +++ b/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md @@ -17,7 +17,7 @@ ms.date: 09/11/2017 - Windows 10, version 1607 and later - Windows 10 Mobile, version 1607 and later ->Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare). +>Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare). Because Outlook on the web can be used both personally and as part of your organization, you have the following options to configure it with Windows Information Protection (WIP): diff --git a/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md b/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md index 82577755ce..711c0de53f 100644 
--- a/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md +++ b/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md @@ -17,7 +17,7 @@ ms.date: 09/11/2017 - Windows 10, version 1607 and later - Windows 10 Mobile, version 1607 and later ->Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/en-us/WindowsForBusiness/Compare). +>Learn more about what features and functionality are supported in each Windows edition at [Compare Windows 10 Editions](https://www.microsoft.com/WindowsForBusiness/Compare). Use Task Manager to check the context of your apps while running in Windows Information Protection (WIP) to make sure that your organization's policies are applied and running correctly. From 147f5991afb370ce16f88e65e0d521bf1d1d963f Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 30 May 2018 09:31:38 -0700 Subject: [PATCH 12/53] updated metadata --- .../windows-information-protection/app-behavior-with-wip.md | 4 ++-- .../create-vpn-and-wip-policy-using-intune-azure.md | 4 ++-- .../create-wip-policy-using-intune.md | 4 ++-- .../windows-information-protection/limitations-with-wip.md | 4 ++-- .../mandatory-settings-for-wip.md | 4 ++-- .../protect-enterprise-data-using-wip.md | 4 ++-- .../recommended-network-definitions-for-wip.md | 4 ++-- .../windows-information-protection/using-owa-with-wip.md | 4 ++-- .../wip-app-enterprise-context.md | 4 ++-- 9 files changed, 18 insertions(+), 18 deletions(-) diff --git a/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md b/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md index d7898455cc..1c8b475572 100644 --- a/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md 
+++ b/windows/security/information-protection/windows-information-protection/app-behavior-with-wip.md @@ -6,9 +6,9 @@ ms.prod: w10 ms.mktglfcycl: explore ms.pagetype: security ms.sitesec: library -author: eross-msft +ms.author: justinha +ms.date: 05/30/2018 ms.localizationpriority: medium -ms.date: 09/11/2017 --- # Unenlightened and enlightened app behavior while using Windows Information Protection (WIP) diff --git a/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md index 5d54aaac22..c554266f44 100644 --- a/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md @@ -6,9 +6,9 @@ ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security -author: eross-msft +ms.author: justinha +ms.date: 05/30/2018 ms.localizationpriority: medium -ms.date: 09/11/2017 --- # Associate and deploy a VPN policy for Windows Information Protection (WIP) using the Azure portal for Microsoft Intune diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune.md index abee275cdd..12a7d8e8a4 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune.md 
@@ -6,9 +6,9 @@ ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security -author: eross-msft +ms.author: justinha +ms.date: 05/30/2018 ms.localizationpriority: medium -ms.date: 10/16/2017 --- # Create a Windows Information Protection (WIP) policy using the classic console for Microsoft Intune diff --git a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md index 6a7f7a416c..58d83ff733 100644 --- a/windows/security/information-protection/windows-information-protection/limitations-with-wip.md +++ b/windows/security/information-protection/windows-information-protection/limitations-with-wip.md @@ -7,8 +7,8 @@ ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security author: eross-msft -ms.author: lizross -ms.date: 10/26/2017 +ms.author: justinha +ms.date: 05/30/2018 ms.localizationpriority: medium --- diff --git a/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md b/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md index 9ff661e183..accb65ae90 100644 --- a/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md +++ b/windows/security/information-protection/windows-information-protection/mandatory-settings-for-wip.md @@ -6,9 +6,9 @@ ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security -author: eross-msft +ms.author: justinha +ms.date: 05/30/2018 ms.localizationpriority: medium -ms.date: 09/11/2017 --- # Mandatory tasks and settings required to turn on Windows Information Protection (WIP) 
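Review bot: in this hunk (and the app-behavior, create-vpn, create-wip-policy, protect-enterprise-data, recommended-network-definitions, using-owa and wip-app-enterprise-context hunks of this patch) the `author: eross-msft` line is deleted and `ms.author: justinha` put in its place, so those files end up with no `author:` key at all, whereas limitations-with-wip.md keeps `author: eross-msft` and only changes `ms.author`. The two keys are different fields (GitHub alias vs. Microsoft alias); either keep an `author:` line in every file or drop it everywhere, not a mix. Also, `ms.date` is moved above `ms.localizationpriority` in every file, which is harmless but makes a date bump a four-line diff.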
diff --git a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md index b685702bf0..b6041c8b1f 100644 --- a/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md +++ b/windows/security/information-protection/windows-information-protection/protect-enterprise-data-using-wip.md @@ -7,9 +7,9 @@ ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security -author: coreyp-at-msft +ms.author: justinha +ms.date: 05/30/2018 ms.localizationpriority: medium -ms.date: 09/11/2017 --- # Protect your enterprise data using Windows Information Protection (WIP) diff --git a/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md b/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md index 74cf595171..d9b56f7ad3 100644 --- a/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md +++ b/windows/security/information-protection/windows-information-protection/recommended-network-definitions-for-wip.md @@ -6,9 +6,9 @@ ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security -author: eross-msft +ms.author: justinha +ms.date: 05/30/2018 ms.localizationpriority: medium -ms.date: 09/11/2017 --- # Recommended Enterprise Cloud Resources and Neutral Resources network settings with Windows Information Protection (WIP) diff --git a/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md b/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md index 9659622348..0d85fb8053 100644 --- a/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md 
+++ b/windows/security/information-protection/windows-information-protection/using-owa-with-wip.md @@ -6,9 +6,9 @@ ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security -author: eross-msft +ms.author: justinha +ms.date: 05/30/2018 ms.localizationpriority: medium -ms.date: 09/11/2017 --- # Using Outlook on the web with Windows Information Protection (WIP) diff --git a/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md b/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md index 711c0de53f..b971c3a054 100644 --- a/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md +++ b/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md @@ -6,9 +6,9 @@ ms.prod: w10 ms.mktglfcycl: explore ms.sitesec: library ms.pagetype: security -author: eross-msft +ms.author: justinha +ms.date: 05/30/2018 ms.localizationpriority: medium -ms.date: 09/11/2017 --- # Determine the Enterprise Context of an app running in Windows Information Protection (WIP) From 64e05bcc73c458fc86362ecfa7ca37a543711efc Mon Sep 17 00:00:00 2001 
From: "Andrea Bichsel (Aquent LLC)" Date: Wed, 30 May 2018 09:37:04 -0700 Subject: [PATCH 13/53] Added Windows Server support --- .../attack-surface-reduction-exploit-guard.md | 5 +++-- .../audit-windows-defender-exploit-guard.md | 3 ++- .../collect-cab-files-exploit-guard-submission.md | 3 ++- .../controlled-folders-exploit-guard.md | 6 +++--- .../customize-attack-surface-reduction.md | 6 +++--- .../customize-controlled-folders-exploit-guard.md | 4 ++-- .../customize-exploit-protection.md | 4 ++-- .../enable-attack-surface-reduction.md | 6 +++--- .../enable-controlled-folders-exploit-guard.md | 4 ++-- .../enable-exploit-protection.md | 4 ++-- .../enable-network-protection.md | 6 +++--- .../evaluate-attack-surface-reduction.md | 6 +++--- .../evaluate-controlled-folder-access.md | 4 ++-- .../evaluate-exploit-protection.md | 4 ++-- .../evaluate-network-protection.md | 6 +++--- .../evaluate-windows-defender-exploit-guard.md | 4 ++-- .../event-views-exploit-guard.md | 4 ++-- .../exploit-protection-exploit-guard.md | 4 ++-- .../network-protection-exploit-guard.md | 6 +++--- .../windows-defender-exploit-guard/troubleshoot-asr.md | 1 + .../troubleshoot-exploit-protection-mitigations.md | 4 ++-- .../windows-defender-exploit-guard.md | 4 ++-- 22 files changed, 51 insertions(+), 47 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md index 00c9b0bbaa..415271f891 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md @@ -11,7 +11,7 @@ ms.pagetype: security localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/17/2018 +ms.date: 05/30/2018 --- 
@@ -22,6 +22,7 @@ ms.date: 05/17/2018 **Applies to:** - Windows 10, version 1709 and later +- Windows Server 2016 - Microsoft Office 365 - Microsoft Office 2016 - Microsoft Office 2013 @@ -42,7 +43,7 @@ ms.date: 05/17/2018 - Configuration service providers for mobile device management -Available in Windows 10 Enterprise E5, Attack surface reduction helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines. +Supported in Windows 10 Enterprise E5, Attack surface reduction helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines. It is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md index 753f9fd8a3..f0f6e4ea2b 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/audit-windows-defender-exploit-guard.md @@ -11,7 +11,7 @@ ms.pagetype: security localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 05/30/2018 --- @@ -20,6 +20,7 @@ ms.date: 04/30/2018 **Applies to:** - Windows 10, version 1709 and later +- Windows Server 2016 diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md b/windows/security/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md index 19a6ecae33..21cec1e41c 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/collect-cab-files-exploit-guard-submission.md 
@@ -11,7 +11,7 @@ ms.pagetype: security ms.localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 05/30/2018 --- # Collect diagnostic data for Windows Defender Exploit Guard file submissions @@ -19,6 +19,7 @@ ms.date: 04/30/2018 **Applies to:** - Windows 10, version 1709 and later +- Windows Server 2016 **Audience** diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md index 2ce348a33d..4ad70db2f1 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/controlled-folders-exploit-guard.md @@ -11,7 +11,7 @@ ms.pagetype: security localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 05/30/2018 --- @@ -22,7 +22,7 @@ ms.date: 04/30/2018 **Applies to:** - Windows 10, version 1709 and later - +- Windows Server 2016 **Audience** 
@@ -51,7 +51,7 @@ All apps (any executable file, including .exe, .scr, .dll files and others) are This is especially useful in helping to protect your documents and information from [ransomware](https://www.microsoft.com/en-us/wdsi/threats/ransomware) that can attempt to encrypt your files and hold them hostage. -A notification will appear on the machine where the app attempted to make changes to a protected folder. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors. +A notification will appear on the computer where the app attempted to make changes to a protected folder. You can [customize the notification](customize-attack-surface-reduction.md#customize-the-notification) with your company details and contact information. You can also enable the rules individually to customize what techniques the feature monitors. The protected folders include common system folders, and you can [add additional folders](customize-controlled-folders-exploit-guard.md#protect-additional-folders). You can also [allow or whitelist apps](customize-controlled-folders-exploit-guard.md#allow-specific-apps-to-make-changes-to-controlled-folders) to give them access to the protected folders. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md index 7f34a4b5d1..f8f6992650 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-attack-surface-reduction.md 
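Review bot: the `machine` to `computer` fix in this hunk leaves two problems in the same paragraph of controlled-folders-exploit-guard.md. The **customize the notification** link points at `customize-attack-surface-reduction.md#customize-the-notification` even though the next line links the feature's own topic, `customize-controlled-folders-exploit-guard.md`, and the sentence `You can also enable the rules individually to customize what techniques the feature monitors` describes Attack surface reduction rules, not Controlled folder access, whose customization on this page is allowing apps and adding folders. Retarget the link to the controlled-folders customize topic and drop or reword the rules sentence.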
@@ -11,7 +11,7 @@ ms.pagetype: security localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/17/2018 +ms.date: 05/30/2018 --- # Customize Attack surface reduction @@ -19,7 +19,7 @@ ms.date: 05/17/2018 **Applies to:** - Windows 10 Enterprise edition, version 1709 and later - +- Windows Server 2016 **Audience** @@ -35,7 +35,7 @@ ms.date: 05/17/2018 - Configuration service providers for mobile device management -Available in Windows 10 Enterprise E5, Attack surface reduction is a feature that is part of Windows Defender Exploit Guard. It helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines. +Supported in Windows 10 Enterprise E5, Attack surface reduction is a feature that is part of Windows Defender Exploit Guard. It helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines. This topic describes how to customize Attack surface reduction by [excluding files and folders](#exclude-files-and-folders) or [adding custom text to the notification](#customize-the-notification) alert that appears on a user's computer. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md index 031a513662..700eb382ef 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-controlled-folders-exploit-guard.md @@ -11,7 +11,7 @@ ms.pagetype: security localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/17/2018 +ms.date: 05/30/2018 --- @@ -22,7 +22,7 @@ ms.date: 05/17/2018 **Applies to:** - Windows 10, version 1709 and later - +- Windows Server 2016 **Audience** 
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md index 34dc3e27f0..e444865096 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/customize-exploit-protection.md @@ -11,7 +11,7 @@ ms.pagetype: security localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 05/30/2018 --- # Customize Exploit protection @@ -19,7 +19,7 @@ ms.date: 04/30/2018 **Applies to:** - Windows 10, version 1709 and later - +- Windows Server 2016 **Audience** diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md index 0fb9cf5f6b..a945bdc331 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md @@ -11,7 +11,7 @@ ms.pagetype: security localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/17/2018 +ms.date: 05/30/2018 --- @@ -21,7 +21,7 @@ ms.date: 05/17/2018 **Applies to:** - Windows 10, version 1709 and later - +- Windows Server 2016 **Audience** 
@@ -36,7 +36,7 @@ ms.date: 05/17/2018 - Configuration service providers for mobile device management -Available in Windows 10 Enterprise E5, Attack surface reduction is a feature that is part of Windows Defender Exploit Guard. It helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines. +Supported in Windows 10 Enterprise E5, Attack surface reduction is a feature that is part of Windows Defender Exploit Guard. It helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md index 3f1013add6..723db05106 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-controlled-folders-exploit-guard.md @@ -11,7 +11,7 @@ ms.pagetype: security localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 05/30/2018 --- @@ -22,7 +22,7 @@ ms.date: 04/30/2018 **Applies to:** - Windows 10, version 1709 and later - +- Windows Server 2016 **Audience** diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md index aa0862bcbc..4fff608788 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-exploit-protection.md @@ -11,7 +11,7 @@ ms.pagetype: security localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 05/30/2018 --- 
@@ -22,7 +22,7 @@ ms.date: 04/30/2018 **Applies to:** - Windows 10, version 1709 and later - +- Windows Server 2016 **Audience** diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md index b2abb2149e..c4326ff783 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection.md @@ -11,7 +11,7 @@ ms.pagetype: security localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/17/2018 +ms.date: 05/30/2018 --- @@ -21,7 +21,7 @@ ms.date: 05/17/2018 **Applies to:** - Windows 10, version 1709 and later - +- Windows Server 2016 **Audience** @@ -36,7 +36,7 @@ ms.date: 05/17/2018 - Configuration service providers for mobile device management -Available in Windows 10 Enterprise, Network protection is a feature that is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). It helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. +Supported in Windows 10 Enterprise, Network protection is a feature that is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). It helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. This topic describes how to enable Network protection with Group Policy, PowerShell cmdlets, and configuration service providers (CSPs) for mobile device management (MDM). 
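Review bot: the `Available` to `Supported` rewording in this hunk (and the matching hunks in attack-surface-reduction-exploit-guard.md, customize-attack-surface-reduction.md, enable-attack-surface-reduction.md and evaluate-attack-surface-reduction.md) still opens with `Supported in Windows 10 Enterprise` or `Supported in Windows 10 Enterprise E5`, while the same patch adds `- Windows Server 2016` to each page's **Applies to** list. Either extend the sentence to name Windows Server 2016 as well, or drop the edition clause from the intro and let the **Applies to** list carry the platform statement; as written, a reader checking server support sees the list and the intro contradict each other.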
diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md index d601c3b522..63e4996970 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-attack-surface-reduction.md @@ -11,7 +11,7 @@ ms.pagetype: security localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 05/30/2018 --- @@ -20,7 +20,7 @@ ms.date: 04/30/2018 **Applies to:** - Windows 10, version 1709 and later - +- Windows Server 2016 **Audience** @@ -37,7 +37,7 @@ ms.date: 04/30/2018 -Available in Windows 10 Enterprise E5, Attack surface reduction is a feature that is part of Windows Defender Exploit Guard [that helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines](attack-surface-reduction-exploit-guard.md). +Supported in Windows 10 Enterprise E5, Attack surface reduction is a feature that is part of Windows Defender Exploit Guard [that helps prevent actions and apps that are typically used by exploit-seeking malware to infect machines](attack-surface-reduction-exploit-guard.md). This topic helps you evaluate Attack surface reduction. It explains how to demo the feature using a specialized tool, and how to enable audit mode so you can test the feature directly in your organization. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md index cdb72f5af8..c9085137fe 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md 
+++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-controlled-folder-access.md @@ -11,7 +11,7 @@ ms.pagetype: security localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 05/30/2018 --- @@ -20,7 +20,7 @@ ms.date: 04/30/2018 **Applies to:** - Windows 10, version 1709 and later - +- Windows Server 2016 **Audience** diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md index 4f08ee946e..9e2f73cee4 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-exploit-protection.md @@ -11,7 +11,7 @@ ms.pagetype: security localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 05/30/2018 --- @@ -21,7 +21,7 @@ ms.date: 04/30/2018 **Applies to:** - Windows 10, version 1709 and later - +- Windows Server 2016 **Audience** diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md index da2a8e6e8e..3cd65ac50a 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-network-protection.md @@ -11,7 +11,7 @@ ms.pagetype: security localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/17/2018 +ms.date: 05/30/2018 --- # Evaluate Network protection @@ -21,7 +21,7 @@ ms.date: 05/17/2018 **Applies to:** - Windows 10 Enterprise edition, version 1709 or later - +- Windows Server 2016 **Audience** 
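Review bot: the Applies to wording differs between files touched by this patch: evaluate-network-protection.md keeps "Windows 10 Enterprise edition, version 1709 or later" while the other pages say "Windows 10, version 1709 and later" (and network-protection-exploit-guard.md and troubleshoot-asr.md say "or higher"). Since every one of these lists is being edited to add Windows Server 2016 anyway, normalise them to one phrasing in this commit rather than leaving three variants.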
@@ -36,7 +36,7 @@ ms.date: 05/17/2018 -Available in Windows 10 Enterprise, Network protection is a feature that is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). +Supported in Windows 10 Enterprise, Network protection is a feature that is part of [Windows Defender Exploit Guard](windows-defender-exploit-guard.md). It helps to prevent employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md index 2b34248e48..da6ac7fe66 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/evaluate-windows-defender-exploit-guard.md @@ -11,7 +11,7 @@ ms.pagetype: security localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 05/30/2018 --- @@ -22,7 +22,7 @@ ms.date: 04/30/2018 **Applies to:** - Windows 10, version 1709 and later - +- Windows Server 2016 **Audience** diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md index a059876e54..24ff90fa5e 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md @@ -12,7 +12,7 @@ ms.date: 04/16/2018 localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 05/30/2018 --- 
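Review bot: event-views-exploit-guard.md ends up with two `ms.date` keys in its front matter: the hunk header context shows `ms.date: 04/16/2018` at line 12, and this hunk bumps a second `ms.date` from 04/30/2018 to 05/30/2018 a few lines below it. Duplicate keys in YAML front matter are at best silently last-wins and at worst a build warning; delete the stale 04/16/2018 line in the same commit.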
@@ -22,7 +22,7 @@ ms.date: 04/30/2018 **Applies to:** - Windows 10, version 1709 and later - +- Windows Server 2016 **Audience** diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md index 7ba0dd60c9..b191cca98e 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/exploit-protection-exploit-guard.md @@ -11,7 +11,7 @@ ms.pagetype: security localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/21/2018 +ms.date: 05/30/2018 --- @@ -22,7 +22,7 @@ ms.date: 05/21/2018 **Applies to:** - Windows 10, version 1709 and later - +- Windows Server 2016 **Audience** diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md index c928c75ee1..f4ebee4b64 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md @@ -11,7 +11,7 @@ ms.pagetype: security localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 05/17/2018 +ms.date: 05/30/2018 --- @@ -21,7 +21,7 @@ ms.date: 05/17/2018 **Applies to:** - Windows 10, version 1709 or higher - +- Windows Server 2016 **Audience** 
@@ -36,7 +36,7 @@ ms.date: 05/17/2018 - Configuration service providers for mobile device management -Available in Windows 10 Enterprise, Network protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. +Supported in Windows 10 Enterprise, Network protection helps reduce the attack surface of your devices from Internet-based events. It prevents employees from using any application to access dangerous domains that may host phishing scams, exploits, and other malicious content on the Internet. It expands the scope of [Windows Defender SmartScreen](../windows-defender-smartscreen/windows-defender-smartscreen-overview.md) to block all outbound HTTP(s) traffic that attempts to connect to low-reputation sources (based on the domain or hostname). diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md index 02be571b69..412c817281 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-asr.md @@ -19,6 +19,7 @@ ms.date: 05/17/2018 **Applies to:** - Windows 10, version 1709 or higher +- Windows Server 2016 **Audience** diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md index 250b4353fb..d055320c88 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/troubleshoot-exploit-protection-mitigations.md 
@@ -11,7 +11,7 @@ ms.pagetype: security localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 05/30/2018 --- @@ -22,7 +22,7 @@ ms.date: 04/30/2018 **Applies to:** - Windows 10, version 1709 and later - +- Windows Server 2016 **Audience** diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md index 996a0d79d9..a6bd278ab2 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/windows-defender-exploit-guard.md @@ -11,7 +11,7 @@ ms.pagetype: security localizationpriority: medium author: andreabichsel ms.author: v-anbic -ms.date: 04/30/2018 +ms.date: 05/30/2018 --- @@ -22,7 +22,7 @@ ms.date: 04/30/2018 **Applies to:** - Windows 10, version 1709 and later - +- Windows Server 2016 **Audience** From faf618159a80b84103cdad2bbe36219fbb43111f Mon Sep 17 00:00:00 2001 From: Ben Origas Date: Wed, 30 May 2018 12:30:08 -0500 Subject: [PATCH 14/53] Fix wrong HKLM keys that were missing SOFTWARE at the root --- ...system-components-to-microsoft-services.md | 32 +++++++++---------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 7a736f508b..700f7222c7 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md 
@@ -957,7 +957,7 @@ To turn off **Location for this device**: -or- -- Create a REG\_DWORD registry setting named **LetAppsAccessLocation** in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). +- Create a REG\_DWORD registry setting named **LetAppsAccessLocation** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). -or- @@ -990,7 +990,7 @@ To turn off **Location**: -or- -- Create a REG\_DWORD registry setting named **DisableLocation** in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\LocationAndSensors** with a value of 1 (one). +- Create a REG\_DWORD registry setting named **DisableLocation** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\LocationAndSensors** with a value of 1 (one). -or- @@ -1018,7 +1018,7 @@ To turn off **Let apps use my camera**: -or- -- Create a REG\_DWORD registry setting named **LetAppsAccessCamera** in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). +- Create a REG\_DWORD registry setting named **LetAppsAccessCamera** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). -or- @@ -1067,7 +1067,7 @@ To turn off **Let apps use my microphone**: -or- -- Create a REG\_DWORD registry setting named **LetAppsAccessMicrophone** in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two) +- Create a REG\_DWORD registry setting named **LetAppsAccessMicrophone** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two) To turn off **Choose apps that can use your microphone**: 
@@ -1115,7 +1115,7 @@ To turn off **Let apps access my notifications**: -or- -- Create a REG\_DWORD registry setting named **LetAppsAccessNotifications** in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two) +- Create a REG\_DWORD registry setting named **LetAppsAccessNotifications** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two) ### 17.6 Speech, inking, & typing @@ -1134,7 +1134,7 @@ To turn off the functionality: -or- -- Create a REG\_DWORD registry setting named **RestrictImplicitInkCollection** in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\InputPersonalization** with a value of 1 (one). +- Create a REG\_DWORD registry setting named **RestrictImplicitInkCollection** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\InputPersonalization** with a value of 1 (one). -or- @@ -1269,7 +1269,7 @@ To turn off **Let apps access my call history**: -or- -- Create a REG\_DWORD registry setting named **LetAppsAccessCallHistory** in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). +- Create a REG\_DWORD registry setting named **LetAppsAccessCallHistory** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). ### 17.11 Email @@ -1295,7 +1295,7 @@ To turn off **Let apps access and send email**: -or- -- Create a REG\_DWORD registry setting named **LetAppsAccessEmail** in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). +- Create a REG\_DWORD registry setting named **LetAppsAccessEmail** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). ### 17.12 Messaging 
@@ -1351,7 +1351,7 @@ To turn off **Let apps make phone calls**: -or- -- Create a REG\_DWORD registry setting named **LetAppsAccessPhone** in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). +- Create a REG\_DWORD registry setting named **LetAppsAccessPhone** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). To turn off **Choose apps that can make phone calls**: @@ -1382,7 +1382,7 @@ To turn off **Let apps control radios**: -or- -- Create a REG\_DWORD registry setting named **LetAppsAccessRadios** in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). +- Create a REG\_DWORD registry setting named **LetAppsAccessRadios** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). To turn off **Choose apps that can control radios**: @@ -1412,7 +1412,7 @@ To turn off **Let apps automatically share and sync info with wireless devices t -or- -- Create a REG\_DWORD registry setting named **LetAppsSyncWithDevices** in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). +- Create a REG\_DWORD registry setting named **LetAppsSyncWithDevices** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). To turn off **Let your apps use your trusted devices (hardware you've already connected, or comes with your PC, tablet, or phone)**: @@ -1453,7 +1453,7 @@ To change how frequently **Windows should ask for my feedback**: -or- -- Create a REG\_DWORD registry setting named **DoNotShowFeedbackNotifications** in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\DataCollection** with a value of 1 (one). +- Create a REG\_DWORD registry setting named **DoNotShowFeedbackNotifications** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\DataCollection** with a value of 1 (one). -or- 
@@ -1572,7 +1572,7 @@ To turn off **Let Windows and your apps use your motion data and collect motion -or- -- Create a REG\_DWORD registry setting named **LetAppsAccessMotion** in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). +- Create a REG\_DWORD registry setting named **LetAppsAccessMotion** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\AppPrivacy** with a value of 2 (two). ### 17.19 Tasks @@ -1631,7 +1631,7 @@ For Windows 10: -or- -- Create a REG\_DWORD registry setting named **NoGenTicket** in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Software Protection Platform** with a value of 1 (one). +- Create a REG\_DWORD registry setting named **NoGenTicket** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Software Protection Platform** with a value of 1 (one). For Windows Server 2016 with Desktop Experience or Windows Server 2016 Server Core: @@ -1639,7 +1639,7 @@ For Windows Server 2016 with Desktop Experience or Windows Server 2016 Server Co -or- -- Create a REG\_DWORD registry setting named **NoGenTicket** in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Software Protection Platform** with a value of 1 (one). +- Create a REG\_DWORD registry setting named **NoGenTicket** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows NT\\CurrentVersion\\Software Protection Platform** with a value of 1 (one). The Windows activation status will be valid for a rolling period of 180 days with weekly activation status checks to the KMS. 
@@ -1663,7 +1663,7 @@ You can control if your settings are synchronized: -or- -- Create a REG\_DWORD registry setting named **DisableSettingSync** in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\SettingSync** with a value of 2 (two) and another named **DisableSettingSyncUserOverride** in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\SettingSync** with a value of 1 (one). +- Create a REG\_DWORD registry setting named **DisableSettingSync** in **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\SettingSync** with a value of 2 (two) and another named **DisableSettingSyncUserOverride** in **HKEY\_LOCAL\_MACHINE\\Policies\\Microsoft\\Windows\\SettingSync** with a value of 1 (one). -or- From ea58a93052269a10bf5366f65574e32bf274c1ab Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 30 May 2018 11:06:21 -0700 Subject: [PATCH 15/53] add UK --- .../licensing-windows-defender-advanced-threat-protection.md | 2 +- ...bleshoot-siem-windows-defender-advanced-threat-protection.md | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md index 71573b1352..e64acc561c 100644 --- a/windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/licensing-windows-defender-advanced-threat-protection.md 
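Review bot: the DisableSettingSync hunk (PATCH 14/53) fixes only half of the line: the second key, `DisableSettingSyncUserOverride`, is still written as `HKEY_LOCAL_MACHINE\Policies\Microsoft\Windows\SettingSync` without `SOFTWARE`, which is exactly the defect the commit sets out to fix. Both values live under `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\SettingSync`; update the second path too, otherwise a reader who creates the key as written will find the user-override lock is not enforced while the page claims sync is disabled.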
@@ -66,7 +66,7 @@ When accessing the [Windows Defender ATP portal](https://SecurityCenter.Windows. You will need to set up your preferences for the Windows Defender ATP portal. -3. When onboarding the service for the first time, you can choose to store your data in the Microsoft Azure datacenters in Europe or The United States. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Microsoft will not transfer the data from the specified geolocation. +3. When onboarding the service for the first time, you can choose to store your data in the Microsoft Azure datacenters in the United Kingdom, Europe, or The United States. Once configured, you cannot change the location where your data is stored. This provides a convenient way to minimize compliance risk by actively selecting the geographic locations where your data will reside. Microsoft will not transfer the data from the specified geolocation. > [!WARNING] > This option cannot be changed without completely offboarding from Windows Defender ATP and completing a new enrollment process. diff --git a/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md index 4d77042ae0..ba867a62e4 100644 --- a/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/troubleshoot-siem-windows-defender-advanced-threat-protection.md 
@@ -65,6 +65,7 @@ If you encounter an error when trying to get a refresh token when using the thre 5. Add the following URL: - For US: `https://winatpmanagement-us.securitycenter.windows.com/UserAuthenticationCallback`. - For Europe: `https://winatpmanagement-eu.securitycenter.windows.com/UserAuthenticationCallback` + - For United Kingdom: `https://winatpmanagement-uk.securitycenter.windows.com/UserAuthenticationCallback` 6. Click **Save**. From 44790db4bdbc791e728141b347f4361cfaea2f9f Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 30 May 2018 11:09:09 -0700 Subject: [PATCH 16/53] add br --- ...roxy-internet-windows-defender-advanced-threat-protection.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md index 3e89ac6e0a..f66994565d 100644 --- a/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/configure-proxy-internet-windows-defender-advanced-threat-protection.md @@ -90,7 +90,7 @@ If a proxy or firewall is blocking all traffic by default and allowing only spec Service location | Microsoft.com DNS record :---|:--- -Common URLs for all locations | ```*.blob.core.windows.net```
```crl.microsoft.com```
```ctldl.windowsupdate.com``` ```events.data.microsoft.com``` +Common URLs for all locations | ```*.blob.core.windows.net```
```crl.microsoft.com```
```ctldl.windowsupdate.com```
```events.data.microsoft.com``` US | ```us.vortex-win.data.microsoft.com```
```us-v20.events.data.microsoft.com```
```winatp-gw-cus.microsoft.com```
```winatp-gw-eus.microsoft.com``` Europe | ```eu.vortex-win.data.microsoft.com```
```eu-v20.events.data.microsoft.com```
```winatp-gw-neu.microsoft.com```
```winatp-gw-weu.microsoft.com``` UK | ```uk.vortex-win.data.microsoft.com```
```uk-v20.events.data.microsoft.com```
```winatp-gw-uks.microsoft.com```
```winatp-gw-ukw.microsoft.com``` From b7f10aa8f56a50c27d41b32ab2f3440cbd3b01b6 Mon Sep 17 00:00:00 2001 From: arottem Date: Wed, 30 May 2018 11:30:25 -0700 Subject: [PATCH 17/53] Make clear LPS is not recommend for enteprise --- .../limited-periodic-scanning-windows-defender-antivirus.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md index 18f934df2d..d0d4cfd9db 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/limited-periodic-scanning-windows-defender-antivirus.md @@ -39,6 +39,7 @@ Limited periodic scanning is a special type of threat detection and remediation It can only be enabled in certain situations. See the [Windows Defender Antivirus compatibility](windows-defender-antivirus-compatibility.md) topic for more information on when limited periodic scanning can be enabled, and how Windows Defender Antivirus works with other AV products. +**Microsoft does not recommend using this feature in enterprise environments. This is a feature primarily intended for consumers.** This feature only uses a very limited subset of the capabilities of Windows Defender Antivirus to detect malware, and will not be able to detect most malware and potentially unwanted software. Also, management and reporting capabilities will be limited. Microsoft recommends enterprises choose their primary antivirus solution and use it exclusively. ## How to enable limited periodic scanning 
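Review bot: the `*.blob.core.windows.net` entry in the Common URLs row (PATCH 16/53) is a wildcard over every Azure Storage account's blob endpoint, not a Windows Defender ATP-specific host, so readers building the default-deny egress allow list this table is meant for should be told it is far broader than the other entries; a one-line caveat after the table would help. The `<br>` fix itself is correct and restores one host per line in that row.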
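Review bot: the new bold warning paragraph in limited-periodic-scanning-windows-defender-antivirus.md (PATCH 17/53) would be better expressed as a `> [!IMPORTANT]` callout, which is the convention these pages already use for notes (see the `>[!NOTE]` blocks added in the WDATP hunks later in this series) and which renders more visibly than bold body text. While in this file, the header context of the following hunk shows "Sliding the swtich to **On**"; fix that typo in the same commit.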
@@ -69,4 +70,4 @@ Sliding the swtich to **On** will show the standard Windows Defender AV options ## Related topics - [Configure behavioral, heuristic, and real-time protection](configure-protection-features-windows-defender-antivirus.md) -- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) \ No newline at end of file +- [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) From d8ff2a5457af1058ff4b908c22b05e3678298764 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 30 May 2018 13:22:06 -0700 Subject: [PATCH 18/53] added fixmapi to list of enlightened apps --- .../enlightened-microsoft-apps-and-wip.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md index 10a6ed181f..19da22e4ad 100644 --- a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md +++ b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md @@ -93,6 +93,8 @@ You can add any or all of the enlightened Microsoft apps to your allowed apps li |Notepad |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Binary Name:** notepad.exe
**App Type:** Desktop app | |Microsoft Paint |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Binary Name:** mspaint.exe
**App Type:** Desktop app | |Microsoft Remote Desktop |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Binary Name:** mstsc.exe
**App Type:** Desktop app | +|Microsoft MAPI Repair Tool |**Publisher:** `O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
**Binary Name:** fixmapi.exe
**App Type:** Desktop app | + >[!NOTE] >Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Contributing to TechNet content](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md). \ No newline at end of file From e26f3a74fdc37ac75352432ff74bb8e38e66aa8b Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 30 May 2018 13:31:04 -0700 Subject: [PATCH 19/53] add note on tags --- ...achines-windows-defender-advanced-threat-protection.md | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md index 7f17822158..8e85045713 100644 --- a/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md @@ -10,7 +10,7 @@ ms.pagetype: security ms.author: macapara author: mjcaparas ms.localizationpriority: high -ms.date: 04/24/2018 +ms.date: 05/30/2018 --- # Investigate machines in the Windows Defender ATP Machines list 
@@ -164,6 +164,12 @@ You can add tags on machines using the following ways: ### Add machine tags by setting a registry key value Add tags on machines which can be used as a filter in Machines list view. You can limit the machines in the list by selecting the Tag filter on the Machines list. +>[!NOTE] +> Applicable only on the following: +>- Windows 10, version 1709 and later +>- Windows Server, version 1803 +>- Operations Management Suite (OMS) on Windows Server 2016 and Windows Server 2012 R2 + Machines with similar tags can be handy when you need to apply contextual action on a specific list of machines. Use the following registry key entry to add a tag on a machine: From c35bd0a424448bcfcce2f0562a125b8b4970b9ee Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Wed, 30 May 2018 13:32:23 -0700 Subject: [PATCH 20/53] added fixmapi to list of enlightened apps --- .../enlightened-microsoft-apps-and-wip.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md index 19da22e4ad..0bd2b3e912 100644 --- a/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md +++ b/windows/security/information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: security author: eross-msft ms.localizationpriority: medium -ms.date: 09/11/2017 +ms.date: 05/30/2018 --- # List of enlightened Microsoft apps for use with Windows Information Protection (WIP) From 9a94a763546ebab88579acbb77ebff27e03f4eb8 Mon Sep 17 00:00:00 2001 
From: Justin Hall Date: Wed, 30 May 2018 13:52:45 -0700 Subject: [PATCH 21/53] copyedits --- .../create-wip-policy-using-intune-azure.md | 2 +- .../create-wip-policy-using-mam-intune-azure.md | 2 ++ 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md index 0d38165e64..a9c46de01c 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md 
@@ -24,7 +24,7 @@ Microsoft Intune helps you create and deploy your Windows Information Protection This topic covers creating a Windows Information Protection (WIP) policy for organizations already managing devices by using Mobile Device Management (MDM) solutions. If your organization uses a mobile application management (MAM) solution to deploy your WIP policy to Intune apps without managing devices, see [Create a Windows Information Protection (WIP) policy with MAM using the Azure portal for Microsoft Intune](create-wip-policy-using-mam-intune-azure.md). -If the same user and device are targeted for both MDM policy and MAM-only (without device enrollment) policy, the MDM policy will be applied to devices joined to Azure AD. For personal devices that are workplace-joined, the MAM-only policy will be preferred but it's possible to upgrade the device management to MDM in **Settings**. +If the same user and device are targeted for both MDM policy and MAM-only (without device enrollment) policy, the MDM policy will be applied to devices joined to Azure AD. For personal devices that are workplace-joined (that is, added by using **Settings** > **Email & accounts** > **Add a work or school account**), the MAM-only policy will be preferred but it's possible to upgrade the device management to MDM in **Settings**. Windows Home edition only supports WIP for MAM-only; upgrading to MDM policy on Home edition will revoke WIP-protected data access. diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md index 3d0884267e..2d44748948 100644 --- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md +++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-mam-intune-azure.md 
@@ -29,7 +29,9 @@ By using Microsoft Intune with Mobile application management (MAM), organization ## Alternative steps if you already manage devices with MDM This topic covers creating a Windows Information Protection (WIP) policy for organizations using a mobile application management (MAM) solution to deploy your WIP policy to Intune apps without device enrollment. If you are already managing devices by using a Mobile Device Management (MDM) solution, see [Create a Windows Information Protection (WIP) with enrollment policy using the Azure portal for Microsoft Intune](create-wip-policy-using-intune-azure.md). + If the same user and device are targeted for both MAM-only (without device enrollment) policy and MDM policy, the MDM policy (with device enrollement) will be applied to devices joined to Azure AD. For personal devices that are workplace-joined (that is, added by using **Settings** > **Email & accounts** > **Add a work or school account**), the MAM-only policy will be preferred but it's possible to upgrade the device management to MDM in **Settings**. + Windows Home edition only supports WIP for MAM-only; upgrading to MDM policy on Home edition will revoke WIP-protected data access. ## Prerequisites to using MAM with Windows Information Protection (WIP) From 210acb077363d318aae648d396e53957f65de322 Mon Sep 17 00:00:00 2001 From: Joey Caparas Date: Wed, 30 May 2018 13:56:02 -0700 Subject: [PATCH 22/53] update list of machines for tagging --- ...chines-windows-defender-advanced-threat-protection.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md b/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md index 8e85045713..e94b8c1f80 100644 
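Review bot: "the MDM policy (with device enrollement)" in the added paragraph misspells "enrollment". The paragraph is otherwise a near-copy of the one added to the MDM topic in the previous hunk; keep the two identical (same parenthetical, same Home-edition sentence) so that a future fix to one is not missed in the other.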
--- a/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md +++ b/windows/security/threat-protection/windows-defender-atp/investigate-machines-windows-defender-advanced-threat-protection.md @@ -165,10 +165,11 @@ You can add tags on machines using the following ways: Add tags on machines which can be used as a filter in Machines list view. You can limit the machines in the list by selecting the Tag filter on the Machines list. >[!NOTE] -> Applicable only on the following: ->- Windows 10, version 1709 and later ->- Windows Server, version 1803 ->- Operations Management Suite (OMS) on Windows Server 2016 and Windows Server 2012 R2 +> Applicable only on the following machines: +>- Windows 10, version 1709 or later +>- Windows Server, version 1803 or later +>- Windows Server 2016 +>- Windows Server 2012 R2 Machines with similar tags can be handy when you need to apply contextual action on a specific list of machines. From 78b25d3167df43f4470e94a4b0adf42460543981 Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Wed, 30 May 2018 21:12:13 +0000 Subject: [PATCH 23/53] Merged PR 8630: Update instructions for Kiosk Browser --- ...change-history-for-configure-windows-10.md | 3 +- .../guidelines-for-assigned-access-app.md | 70 ++++++++++++++++++- .../setup-kiosk-digital-signage.md | 2 +- 3 files changed, 70 insertions(+), 5 deletions(-) diff --git a/windows/configuration/change-history-for-configure-windows-10.md b/windows/configuration/change-history-for-configure-windows-10.md index 4e392ecf48..95e3da2dff 100644 --- a/windows/configuration/change-history-for-configure-windows-10.md +++ b/windows/configuration/change-history-for-configure-windows-10.md @@ -10,7 +10,7 @@ ms.localizationpriority: high author: jdeckerms ms.author: jdecker ms.topic: article -ms.date: 05/25/2018 +ms.date: 05/31/2018 --- # Change history for Configure Windows 10 
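Review bot: the rewritten note lists Windows Server 2016 and Windows Server 2012 R2 as bare entries and drops the removed qualifier "Operations Management Suite (OMS) on". If those two server versions still reach Windows Defender ATP through the OMS/Microsoft Monitoring Agent rather than a built-in sensor, that qualifier told readers which onboarding path tagging depends on; either keep it or link the server onboarding topic from the entries. The "and later" to "or later" change reads fine.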
@@ -23,6 +23,7 @@ New or changed topic | Description --- | --- [Manage Wi-Fi Sense in your company](manage-wifi-sense-in-enterprise.md) | Added note that Wi-Fi Sense is no longer available. Topics about Windows 10 diagnostic data | Moved to [Windows Privacy](https://docs.microsoft.com/windows/privacy/). +[Guidelines for choosing an app for assigned access (kiosk mode)](guidelines-for-assigned-access-app.md) | Added information on Kiosk Browser settings and URL filtering. [Manage Windows 10 Start and taskbar layout](windows-10-start-layout-options-and-policies.md) | Added details of event log entries to check for when customization is not applied as expected. [Set up a kiosk or digital signage on Windows 10 Pro, Enterprise, or Education](setup-kiosk-digital-signage.md) | Added Active Directory domain account to provisioning method. diff --git a/windows/configuration/guidelines-for-assigned-access-app.md b/windows/configuration/guidelines-for-assigned-access-app.md index 8e57f63ebd..ec9939ed8a 100644 --- a/windows/configuration/guidelines-for-assigned-access-app.md +++ b/windows/configuration/guidelines-for-assigned-access-app.md @@ -9,7 +9,7 @@ author: jdeckerms ms.localizationpriority: high ms.author: jdecker ms.topic: article -ms.date: 04/30/2018 +ms.date: 05/31/2018 --- # Guidelines for choosing an app for assigned access (kiosk mode) 
@@ -45,8 +45,6 @@ Avoid selecting Windows apps that are designed to launch other apps as part of t In Windows 10, version 1803, you can install the **Kiosk Browser** app from Microsoft to use as your kiosk app. For digital signage scenarios, you can configure **Kiosk Browser** to navigate to a URL and show only that content -- no navigation buttons, no address bar, etc. For kiosk scenarios, you can configure additional settings, such as allowed and blocked URLs, navigation buttons, and end session buttons. For example, you could configure your kiosk to show the online catalog for your store, where customers can navigate between departments and items, but aren’t allowed to go to a competitor's website. ->[!NOTE] ->Kiosk Browser app is coming soon to Microsoft Store for Business. **Kiosk Browser** must be downloaded for offline licensing using Microsoft Store For Business. You can deploy **Kiosk Browser** to devices running Windows 10, version 1803 (Pro, Business, Enterprise, and Education). @@ -54,6 +52,72 @@ In Windows 10, version 1803, you can install the **Kiosk Browser** app from Micr 2. [Deploy **Kiosk Browser** to kiosk devices.](https://docs.microsoft.com/microsoft-store/distribute-offline-apps) 3. Configure policies using settings from the Policy Configuration Service Provider (CSP) for [KioskBrowser](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-kioskbrowser). These settings can be configured using your MDM service provider, or [in a provisioning package](provisioning-packages/provisioning-create-package.md). +>[!NOTE] +>If you configure the kiosk using a provisioning package, you must apply the provisioning package after the device completes the out-of-box experience (OOBE). + +#### Kiosk Browser settings + +Kiosk Browser settings | Use this setting to +--- | --- +Blocked URL Exceptions | Specify URLs that people can navigate to, even though the URL is in your blocked URL list. You can use wildcards.

For example, if you want people to be limited to `contoso.com` only, you would add `contoso.com` to blocked URL exception list and then block all other URLs. +Blocked URLs | Specify URLs that people can't navigate to. You can use wildcards.

If you want to limit people to a specific site, add `https://*` to the blocked URL list, and then specify the site to be allowed in the blocked URL exceptions list. +Default URL | Specify the URL that Kiosk Browser will open with. **Tip!** Make sure your blocked URLs don't include your default URL. +Enable End Session Button | Show a button in Kiosk Browser that people can use to reset the browser. End Session will clear all browsing data and navigate back to the default URL. +Enable Home Button | Show a Home button in Kiosk Browser. Home will return the browser to the default URL. +Enable Navigation Buttons | Show forward and back buttons in Kiosk Browser. +Restart on Idle Time | Specify when Kiosk Browser should restart in a fresh state after an amount of idle time since the last user interaction. + +>[!TIP] +>To enable the **End Session** button for Kiosk Browser in Intune, you must [create a custom OMA-URI policy](https://docs.microsoft.com/intune/custom-settings-windows-10) with the following information: +>- OMA-URI: ./Vendor/MSFT/Policy/Config/KioskBrowser/EnableEndSessionButton +>- Data type: Integer +>- Value: 1 + + +#### Rules for URLs in Kiosk Browser settings + +Kiosk Browser filtering rules are based on the [Chromium Project](https://www.chromium.org/Home). + +URLs can include: +- A valid port value from 1 to 65,535. +- The path to the resource. +- Query parameters. + +Additional guidelines for URLs: + +- If a period precedes the host, the policy filters exact host matches only. +- You cannot use user:pass fields. +- When both blocked URL and blocked URL exceptions apply with the same path length, the exception takes precedence. +- The policy searches wildcards (*) last. +- The optional query is a set of key-value and key-only tokens delimited by '&'. +- Key-value tokens are separated by '='. +- A query token can optionally end with a '*' to indicate prefix match. Token order is ignored during matching. 
+ +### Examples of blocked URLs and exceptions + +The following table describes the results for different combinations of blocked URLs and blocked URL exceptions. + +Blocked URL rule | Block URL exception rule | Result +--- | --- | --- +`*` | `contoso.com`
`fabrikam.com` | All requests are blocked unless it is to contoso.com, fabrikam.com, or any of their subdomains. +`contoso.com` | `mail.contoso.com`
`.contoso.com`
`.www.contoso.com` | Block all requests to contoso.com, except for the main page and its mail subdomain. +`youtube.com` | `youtube.com/watch?v=v1`
`youtube.com/watch?v=v2` | Blocks all access to youtube.com except for the specified videos (v1 and v2). + +The following table gives examples for blocked URLs. + +Entry | Result +--- | --- +`contoso.com` | Blocks all requests to contoso.com, www.contoso.com, and sub.www.contoso.com +`https://*` | Blocks all HTTPS requests to any domain. +`mail.contoso.com` | Blocks requests to mail.contoso.com but not to www.contoso.com or contoso.com +`.contoso.com` | Blocks contoso.com but not its subdomains, like contoso.com/docs. +`.www.contoso.com` | Blocks www.contoso.com but not its subdomains. +`*` | Blocks all requests except for URLs in the Blocked URL Exceptions list. +`*:8080` | Blocks all requests to port 8080. +`contoso.com/stuff` | Blocks all requests to contoso.com/stuff and its subdomains. +`192.168.1.2` | Blocks requests to 192.168.1.2. +`youtube.com/watch?v=V1` | Blocks youtube video with id V1. + ### Other browsers >[!NOTE] diff --git a/windows/configuration/setup-kiosk-digital-signage.md b/windows/configuration/setup-kiosk-digital-signage.md index ed4eb7c9ce..5d83e51050 100644 --- a/windows/configuration/setup-kiosk-digital-signage.md +++ b/windows/configuration/setup-kiosk-digital-signage.md 
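Review bot: in the Kiosk Browser settings table of the @@ -54 hunk, the Blocked URLs row tells readers to add `https://*` to the blocked list and then allow the one site through the exceptions list, but the blocked-URL examples further down say `https://*` "Blocks all HTTPS requests to any domain" while `*` "Blocks all requests except for URLs in the Blocked URL Exceptions list". A kiosk built from the row's advice still navigates to any `http://` URL, so the allowlist pattern the row recommends should be `*`, which the first row of the exceptions examples already uses. Two blocked-URL examples also label paths as subdomains: `.contoso.com | Blocks contoso.com but not its subdomains, like contoso.com/docs` (contoso.com/docs is a path; mail.contoso.com, used elsewhere in the table, is a subdomain) and `contoso.com/stuff | Blocks all requests to contoso.com/stuff and its subdomains` (those are subpaths). Finally, the exceptions row with `mail.contoso.com`, `.contoso.com` and `.www.contoso.com` also exempts www.contoso.com, which the result column ("except for the main page and its mail subdomain") does not mention.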
@@ -38,7 +38,7 @@ Some desktop devices in an enterprise serve a special purpose, such as a PC in t >[!WARNING] >For kiosks in public-facing environments with auto sign-in enabled, you should use a user account with least privilege, such as a local standard user account. > ->Assigned access can be configured via Windows Mangement Instrumentation (WMI) or configuration service provider (CSP) to run its applications under a domain user or service account, rather than a local account. However, use of domain user or service accounts introduces risks that an attacker subverting the assigned access application might gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so. +>Assigned access can be configured via Windows Management Instrumentation (WMI) or configuration service provider (CSP) to run its applications under a domain user or service account, rather than a local account. However, use of domain user or service accounts introduces risks that an attacker subverting the assigned access application might gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so. **Which edition of Windows 10 will the kiosk run?** All of the configuration methods work for Windows 10 Enterprise and Education; some of the methods work for Windows 10 Pro. Kiosk mode is not available on Windows 10 Home. From 9cd535b0045db3793fba0ce8a1f7e15c9b63af05 Mon Sep 17 00:00:00 2001 
From: Dani Halfin Date: Wed, 30 May 2018 21:23:13 +0000 Subject: [PATCH 24/53] Merged PR 8627: Small title adjustment to enhanced fields and events --- ...ced-diagnostic-data-windows-analytics-events-and-fields.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md b/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md index 34d534863c..9d31869696 100644 --- a/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md +++ b/windows/privacy/enhanced-diagnostic-data-windows-analytics-events-and-fields.md @@ -13,11 +13,11 @@ ms.author: jaimeo --- -# Windows 10, version 1709 enhanced diagnostic data events and fields used by Windows Analytics +# Windows 10 enhanced diagnostic data events and fields used by Windows Analytics **Applies to** -- Windows 10, version 1709 and later +- Windows 10, version 1709 and newer Windows Analytics Device Health reports are powered by diagnostic data not included in the Basic level. This includes crash reports and certain OS diagnostic data events. Organizations sending Enhanced or Full level diagnostic data were able to participate in Device Health, but some organizations which required detailed event and field level documentation were unable to move from Basic to Enhanced. From 32dc8c7e3247d5a08145a32ca6574680851e128a Mon Sep 17 00:00:00 2001 From: Richard Zhang Date: Wed, 30 May 2018 14:49:47 -0700 Subject: [PATCH 25/53] Create apply-hotfix-for-mbam-25-sp1.md --- mdop/mbam-v25/apply-hotfix-for-mbam-25-sp1.md | 28 +++++++++++++++++++ 1 file changed, 28 insertions(+) create mode 100644 mdop/mbam-v25/apply-hotfix-for-mbam-25-sp1.md diff --git a/mdop/mbam-v25/apply-hotfix-for-mbam-25-sp1.md b/mdop/mbam-v25/apply-hotfix-for-mbam-25-sp1.md new file mode 100644 index 0000000000..ff7aab122d --- /dev/null +++ b/mdop/mbam-v25/apply-hotfix-for-mbam-25-sp1.md 
@@ -0,0 +1,28 @@ +--- +title: Applying hotfixes on MBAM 2.5 SP1 +description: Applying hotfixes on MBAM 2.5 SP1 +author: ppriya-msft +ms.assetid: +ms.pagetype: mdop, security +ms.mktglfcycl: manage +ms.sitesec: library +ms.prod: w10 +ms.date: 5/30/2018 +--- + +# Applying hotfixes on MBAM 2.5 SP1 +This topic describes the process for applying the hotfixes for Microsoft BitLocker Administration and Monitoring (MBAM) Server 2.5 SP1 + +### Before you begin, download the latest hotfix of Microsoft BitLocker Administration and Monitoring (MBAM) Server 2.5 SP1 +[Desktop Optimization Pack](https://www.microsoft.com/en-us/download/details.aspx?id=56126) + +#### Steps to update the MBAM Server for existing MBAM environment +1. Remove MBAM server feature(do this by opening the MBAM Server Configuration Tool, then select Remove Features). +2. Remove MDOP MBAM from Control Panel | Programs and Features. +3. Install MBAM 2.5 SP1 RTM server components. +4. Install lastest MBAM 2.5 SP1 hotfix rollup. +5. Configure MBAM features using MBAM Server Configurator. + +#### Steps to install the new MBAM 2.5 SP1 server hotfix +refer to the document for new server installation. +https://docs.microsoft.com/en-us/microsoft-desktop-optimization-pack/mbam-v25/deploying-the-mbam-25-server-infrastructure From f9f119a8b49c16ab6fd7ca94c4fe5f6dc9b3dfaf Mon Sep 17 00:00:00 2001 From: arottem Date: Wed, 30 May 2018 14:53:07 -0700 Subject: [PATCH 26/53] correct misleading av enabling --- .../windows-defender-antivirus-compatibility.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md index fb71bda388..6d409e7449 100644 --- a/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md 
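Review bot: the new topic walks through a remove-and-reinstall cycle (Remove Features, uninstall MDOP MBAM, install 2.5 SP1 RTM, install the hotfix rollup, reconfigure) without saying what happens to the MBAM Recovery and Compliance databases, which hold the BitLocker recovery keys; state whether they survive steps 1 to 5 untouched and tell the reader to back them up before step 1. The download link is labelled only "Desktop Optimization Pack" with no hotfix version or KB number, so a reader cannot confirm they have the "latest hotfix" the heading promises; name it. Smaller points in the same file: "feature(do this" needs a space, "lastest" should be "latest", the closing "refer to the document for new server installation." should be a proper sentence with a Markdown link rather than a bare URL, and the ms.assetid field is empty.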
+++ b/windows/security/threat-protection/windows-defender-antivirus/windows-defender-antivirus-compatibility.md @@ -73,7 +73,7 @@ Active mode | Windows Defender AV is used as the antivirus app on the machine. A Passive mode is enabled if you are enrolled in Windows Defender ATP because [the service requires common information sharing from the Windows Defender AV service](../windows-defender-atp/defender-compatibility-windows-defender-advanced-threat-protection.md) in order to properly monitor your devices and network for intrusion attempts and attacks. -Automatic disabled mode is enabled so that if the protection offered by a third-party antivirus product goes out of date, is not updated, or stops providing real-time protection from viruses, malware, and other threats, Windows Defender AV will automatically enable itself to ensure antivirus protection is maintained on the endpoint. It also allows you to enable [limited periodic scanning](limited-periodic-scanning-windows-defender-antivirus.md), which uses the Windows Defender AV engine to periodically check for threats in addition to your main antivirus app. +Automatic disabled mode is enabled so that if the protection offered by a third-party antivirus product expires or otherwise stops providing real-time protection from viruses, malware or other threats, Windows Defender AV will automatically enable itself to ensure antivirus protection is maintained on the endpoint. It also allows you to enable [limited periodic scanning](limited-periodic-scanning-windows-defender-antivirus.md), which uses the Windows Defender AV engine to periodically check for threats in addition to your main antivirus app. In passive and automatic disabled mode, you can still [manage updates for Windows Defender AV](manage-updates-baselines-windows-defender-antivirus.md), however you can't move Windows Defender AV into the normal active mode if your endpoints have an up-to-date third-party product providing real-time protection from malware. 
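Review bot: the rewritten sentence narrows the trigger for automatic disabled mode to a third-party product that "expires or otherwise stops providing real-time protection", deliberately dropping "goes out of date, is not updated". The unchanged paragraph right after it still says you cannot move Windows Defender AV to active mode "if your endpoints have an up-to-date third-party product providing real-time protection", which keeps the signature-currency idea the hunk just removed; align it (for example "a third-party product that is providing real-time protection") so readers do not infer that stale signatures alone flip Defender AV on.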
@@ -90,4 +90,4 @@ In passive and automatic disabled mode, you can still [manage updates for Window ## Related topics - [Windows Defender Antivirus in Windows 10](windows-defender-antivirus-in-windows-10.md) -- [Windows Defender Antivirus on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md) \ No newline at end of file +- [Windows Defender Antivirus on Windows Server 2016](windows-defender-antivirus-on-windows-server-2016.md) From 13eef01c20edb6bafd80b5e4397795268fb5dcf3 Mon Sep 17 00:00:00 2001 From: Richard Zhang Date: Wed, 30 May 2018 14:56:23 -0700 Subject: [PATCH 27/53] Update index.md --- mdop/mbam-v25/index.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/mdop/mbam-v25/index.md b/mdop/mbam-v25/index.md index 2a9e37642f..05fa418076 100644 --- a/mdop/mbam-v25/index.md +++ b/mdop/mbam-v25/index.md @@ -58,6 +58,9 @@ To get the MBAM software, see [How Do I Get MDOP](https://go.microsoft.com/fwlin Get help in choosing a deployment method for MBAM, including step-by-step instructions for each method. +- [Apply Hotfixes on MBAM 2.5 SP1 Server](apply-hotfix-for-mbam-25-sp1.md) + + View updated product information and known issues for MBAM 2.5 ## Got a suggestion for MBAM? - Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). - For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). From 38e192640893d06bddc54823eef8eabb635e5a66 Mon Sep 17 00:00:00 2001 From: Richard Zhang Date: Wed, 30 May 2018 15:04:06 -0700 Subject: [PATCH 28/53] Update index.md --- mdop/mbam-v25/index.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/mdop/mbam-v25/index.md b/mdop/mbam-v25/index.md index 05fa418076..84fc7c8df0 100644 --- a/mdop/mbam-v25/index.md +++ b/mdop/mbam-v25/index.md 
@@ -60,7 +60,8 @@ To get the MBAM software, see [How Do I Get MDOP](https://go.microsoft.com/fwlin - [Apply Hotfixes on MBAM 2.5 SP1 Server](apply-hotfix-for-mbam-25-sp1.md) - View updated product information and known issues for MBAM 2.5 + Guide of how to apply MBAM 2.5 SP1 Server hotfixes + ## Got a suggestion for MBAM? - Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). - For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). From 0edcc6034d449a53dffe08b83c6a53790f5e21f6 Mon Sep 17 00:00:00 2001 From: CelesteDG Date: Wed, 30 May 2018 15:32:35 -0700 Subject: [PATCH 29/53] Updated the Partner pivot to update the first two URLs, text, and description - per request from the Education Partner team --- education/index.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/education/index.md b/education/index.md index 72125c6a4c..424b52680d 100644 --- a/education/index.md +++ b/education/index.md @@ -447,7 +447,7 @@ ms.date: 10/30/2017
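Review bot: PATCH 27 inserted the new bullet between "Get help in choosing a deployment method for MBAM..." and the line "View updated product information and known issues for MBAM 2.5", and this hunk now replaces that line with the hotfix description. Before merging, confirm that "View updated product information and known issues" was an orphaned sentence and not the blurb of the release-notes entry that follows it in index.md; otherwise that entry loses its description. Also tighten the added line to "Guide to applying MBAM 2.5 SP1 Server hotfixes".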

  • - +
    @@ -457,8 +457,8 @@ ms.date: 10/30/2017
    -

    Microsoft Education Partner Network

    -

    Find out the latest news and announcements for Microsoft Education partners.

    +

    Microsoft Partner Network

    +

    Discover the latest news and resources for Microsoft Education products, solutions, licensing, and readiness.

    @@ -466,7 +466,7 @@ ms.date: 10/30/2017
  • - +
    @@ -476,8 +476,8 @@ ms.date: 10/30/2017
    -

    Authorized Education Partner (AEP) home page

    -

    Access the essentials and find out what it takes to become an AEP.

    +

    Authorized Education Partner (AEP) program

    +

    Become authorized to purchase and resell academic priced offers and products to Qualified Educational Users (QEU).

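Review bot: the commit message says the first two partner URLs were updated, but as rendered here only the link text and descriptions are visible ("Microsoft Education Partner Network" to "Microsoft Partner Network", "Authorized Education Partner (AEP) home page" to "Authorized Education Partner (AEP) program"); check in the source that the new href targets resolve before merging, since nothing in the visible hunk shows them.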
    From f0b31bfd41a5b6bd547d17b0ee083535f25d2f03 Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Thu, 31 May 2018 13:33:07 +0000 Subject: [PATCH 30/53] Merged PR 8645: fix example --- windows/configuration/guidelines-for-assigned-access-app.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/windows/configuration/guidelines-for-assigned-access-app.md b/windows/configuration/guidelines-for-assigned-access-app.md index ec9939ed8a..91b729e5c8 100644 --- a/windows/configuration/guidelines-for-assigned-access-app.md +++ b/windows/configuration/guidelines-for-assigned-access-app.md @@ -110,7 +110,11 @@ Entry | Result `contoso.com` | Blocks all requests to contoso.com, www.contoso.com, and sub.www.contoso.com `https://*` | Blocks all HTTPS requests to any domain. `mail.contoso.com` | Blocks requests to mail.contoso.com but not to www.contoso.com or contoso.com +<<<<<<< HEAD +`.contoso.com` | Blocks contoso.com but not its subdomains, like subdomain.contoso.com. +======= `.contoso.com` | Blocks contoso.com but not its subdomains, like contoso.com/docs. +>>>>>>> refs/remotes/origin/master `.www.contoso.com` | Blocks www.contoso.com but not its subdomains. `*` | Blocks all requests except for URLs in the Blocked URL Exceptions list. `*:8080` | Blocks all requests to port 8080. From 30c3e33f650042ee4c5017ac4590fa0c42eca8e4 Mon Sep 17 00:00:00 2001 From: Patti Short Date: Thu, 31 May 2018 07:25:10 -0700 Subject: [PATCH 31/53] added the MDM settings for Do not sync browser settings --- browsers/edge/available-policies.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/browsers/edge/available-policies.md b/browsers/edge/available-policies.md index 4994e63ed6..079e40df7a 100644 --- a/browsers/edge/available-policies.md +++ b/browsers/edge/available-policies.md 
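Review bot: the @@ -110 hunk commits unresolved merge-conflict markers into guidelines-for-assigned-access-app.md: the added lines `<<<<<<< HEAD`, `=======` and `>>>>>>> refs/remotes/origin/master` will render in the published table, and the table now carries both versions of the `.contoso.com` row. Keep only the corrected row (`.contoso.com` | Blocks contoso.com but not its subdomains, like subdomain.contoso.com.) and drop the markers and the `contoso.com/docs` variant, which mislabels a path as a subdomain.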
@@ -451,6 +451,15 @@ This policy setting specifies whether you can use the Sync your Settings option This policy setting specifies whether a browser group can use the Sync your Settings options to sync their information to and from their device. Settings include information like History and Favorites. By default, this setting is disabled or not configured, which means the Sync your Settings options are turned on, letting browser groups pick what can sync on their device. If enabled, the Sync your Settings options are turned off so that browser groups are unable to sync their settings and info. You can use the Allow users to turn browser syncing on option to turn the feature off by default, but to let the employee change this setting. +**MDM settings in Microsoft Intune** +| | | +|---|---| +|MDM name |Experience/DoNotSynBrowserSettings | +|Supported devices |Desktop
    Mobile | +|URI full path |./Vendor/MSFT/Policy/Config/Experience/DoNotSynBrowserSettings | +|Data type |Integer | +|Allowed values |
    • **0** - Disable syncing.
    • **1 (default)** - Allow syncing.
    | + ## Keep favorites in sync between Internet Explorer and Microsoft Edge >*Supported versions: Windows 10, version 1703 or later* From d41e482b44dc41b16b7b60fbe104a0e96ad05562 Mon Sep 17 00:00:00 2001 From: Patti Short Date: Thu, 31 May 2018 07:42:28 -0700 Subject: [PATCH 32/53] more updates to the MDM settings --- browsers/edge/available-policies.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/browsers/edge/available-policies.md b/browsers/edge/available-policies.md index 079e40df7a..7047cc4fc7 100644 --- a/browsers/edge/available-policies.md +++ b/browsers/edge/available-policies.md @@ -444,7 +444,7 @@ This policy setting specifies whether you can use the Sync your Settings option |URI full path |./Vendor/MSFT/Policy/Config/Experience/AllowSyncMySettings | |Location |Computer Configuration\Administrative Templates\Windows Components\sync your settings\Do not sync | |Data type | Integer | -|Allowed values |
    • **0** - Employees cannot sync settings between PCs.
    • **1 (default)** - Employees can sync between PCs.
    | +|Allowed values |
    • **0** - Disable syncing between PCs.
    • **1 (default)** - Allow syncing between PCs.
    | ## Do not sync browser settings >*Supported versions: Windows 10* @@ -458,7 +458,7 @@ This policy setting specifies whether a browser group can use the Sync your Sett |Supported devices |Desktop
    Mobile | |URI full path |./Vendor/MSFT/Policy/Config/Experience/DoNotSynBrowserSettings | |Data type |Integer | -|Allowed values |
    • **0** - Disable syncing.
    • **1 (default)** - Allow syncing.
    | +|Allowed values |
    • **0** - Disable browser syncing.
    • **1 (default)** - Allow browser syncing.
    | ## Keep favorites in sync between Internet Explorer and Microsoft Edge >*Supported versions: Windows 10, version 1703 or later* From fcac972b9c37a7f57746fec282d396dec8d82683 Mon Sep 17 00:00:00 2001 From: Patti Short Date: Thu, 31 May 2018 07:44:22 -0700 Subject: [PATCH 33/53] more updates to the MDM settings --- browsers/edge/available-policies.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/browsers/edge/available-policies.md b/browsers/edge/available-policies.md index 7047cc4fc7..2ba0d202e0 100644 --- a/browsers/edge/available-policies.md +++ b/browsers/edge/available-policies.md @@ -472,7 +472,7 @@ This policy setting specifies whether favorites are kept in sync between Interne |Supported devices |Desktop | |URI full path |./Vendor/MSFT/Policy/Config/Browser/SyncFavoritesBetweenIEAndMicrosoftEdge | |Data type | Integer | -|Allowed values |
    • **0 (default)** - Synchronization is turned off.
    • **1** - Synchronization is turned on.
    | +|Allowed values |
    • **0 (default)** - Turn off synchronization.
    • **1** - Turn on synchronization.
    | ## Prevent access to the about:flags page >*Supported versions: Windows 10, version 1607 or later* From 6bf65f32102ba5813e9693155d5cd77c4c539bfc Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Thu, 31 May 2018 09:01:57 -0700 Subject: [PATCH 34/53] added best practice back --- .../domain-member-maximum-machine-account-password-age.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md b/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md index d7cba5795f..54bd39472d 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md +++ b/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md 
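Review bot: two things in the "Do not sync browser settings" MDM table added by the @@ -451 hunk (and carried through the two wording-only follow-ups) need checking against the Policy CSP reference. First, `Experience/DoNotSynBrowserSettings` appears both as the MDM name and inside the OMA-URI `./Vendor/MSFT/Policy/Config/Experience/DoNotSynBrowserSettings`; the Policy CSP node is spelled DoNotSyncBrowserSettings, and a misspelled OMA-URI is silently ignored rather than rejected when pushed from Intune. Second, the allowed values `0 - Disable syncing` / `1 (default) - Allow syncing` read backwards for a policy named "Do not sync": the prose above the table says the policy is disabled or not configured by default and that this means sync is on, so the default integer should be the one that leaves syncing on and the enabled value the one that turns it off; confirm the integer-to-behaviour mapping. The sibling AllowSyncMySettings table also carries a Group Policy Location row that this table lacks.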
@@ -32,8 +32,9 @@ For more information, see [Machine Account Password Process](https://blogs.techn ### Best practices -It is often advisable to set **Domain member: Maximum machine account password age** to about 30 days. +1. It is often advisable to set **Domain member: Maximum machine account password age** to about 30 days. Setting the value to fewer days can increase replication and impact domain controllers. For example, in Windows NT domains, machine passwords were changed every 7 days. The additional replication churn would impact domain controllers in large organizations with many computers or slow links between sites. +2. Some organizations pre-build computers and then store them for later use or ship them to remote locations. When a computer starts after being offline more than 30 days, the Netlogon service will notice the password age and initiate a secure channel to a domain controller to change it. If the secure channel cannot be established, the computer will not authenticate with the domain. For this reason, some organizations might want to create a special organizational unit (OU) for computers that are prebuilt, and configure the value for this policy setting to a larger number of days. ### Location From 90ac253c7699441eaeff8bc80c2e699b78cce959 Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Thu, 31 May 2018 09:06:00 -0700 Subject: [PATCH 35/53] added best practice back --- .../domain-member-maximum-machine-account-password-age.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md b/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md index 54bd39472d..c9cb9862fb 100644 --- a/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md 
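Review bot: item 2 of the restored best practices says a computer that starts after more than 30 days offline "will not authenticate with the domain" if the secure channel cannot be established, and uses that to justify a larger value for an OU of pre-built computers. That contradicts the Machine Account Password Process post cited just above the hunk: the maximum age is enforced by the client only, a domain controller accepts a machine password of any age, and a machine that comes back after months authenticates with its old password and then rotates it. The failure the item describes comes from a password mismatch, for example a machine restored from an older image or snapshot, not from age, so a larger maximum age for stored machines buys nothing on that axis. Rewrite item 2 around the real cause or drop the rationale.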
+++ b/windows/security/threat-protection/security-policy-settings/domain-member-maximum-machine-account-password-age.md @@ -7,7 +7,7 @@ ms.mktglfcycl: deploy ms.sitesec: library ms.pagetype: security author: brianlic-msft -ms.date: 04/19/2017 +ms.date: 05/31/2018 --- # Domain member: Maximum machine account password age From 549cbd571b1b80da79b711a50eada5ba3368b306 Mon Sep 17 00:00:00 2001 From: Jeanie Decker Date: Thu, 31 May 2018 16:07:17 +0000 Subject: [PATCH 36/53] Merged PR 8650: fix AD acct fix AD acct --- windows/configuration/setup-kiosk-digital-signage.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/configuration/setup-kiosk-digital-signage.md b/windows/configuration/setup-kiosk-digital-signage.md index 5d83e51050..a2b8efc53b 100644 --- a/windows/configuration/setup-kiosk-digital-signage.md +++ b/windows/configuration/setup-kiosk-digital-signage.md @@ -200,7 +200,7 @@ Clear-AssignedAccess > >OS edition: Windows 10 Pro (version 1709) for UWP only; Ent, Edu for both app types > ->Account type: Local standard user +>Account type: Local standard user, Active Directory >[!IMPORTANT] >When Exchange Active Sync (EAS) password restrictions are active on the device, the autologon feature does not work. This behavior is by design. For more informations, see [How to turn on automatic logon in Windows](https://support.microsoft.com/help/324737/how-to-turn-on-automatic-logon-in-windows). From bac61db6f13c172259675d6e8669bd00414e4398 Mon Sep 17 00:00:00 2001 From: Trudy Hakala Date: Thu, 31 May 2018 16:11:05 +0000 Subject: [PATCH 37/53] Merged PR 8652: what's new - 1805 --- store-for-business/images/edu-icon.png | Bin 0 -> 6872 bytes .../manage-private-store-settings.md | 4 ++-- ...tory-microsoft-store-business-education.md | 7 +++++- ...-new-microsoft-store-business-education.md | 21 +++++++++++++----- 4 files changed, 23 insertions(+), 9 deletions(-) create mode 100644 store-for-business/images/edu-icon.png 
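Review bot: the @@ -200 hunk widens "Account type" for this configuration method to "Local standard user, Active Directory" without pointing back at the WARNING block near the top of setup-kiosk-digital-signage.md (touched in PATCH 23) that running assigned access under a domain user or service account lets an attacker who subverts the kiosk app reach any domain resource left readable to all domain accounts. Add a one-line pointer to that warning next to the Active Directory option. While in the file, the context line "For more informations" should read "For more information".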
diff --git a/store-for-business/images/edu-icon.png b/store-for-business/images/edu-icon.png new file mode 100644 index 0000000000000000000000000000000000000000..49009f70851c7f60ed89ffdb1352499865065e4b GIT binary patch literal 6872
- Apps recently added to your inventory, including line-of-business (LOB) apps and new purchases, will take up to 36 hours to add to the private store. That time begins when the product is purchased, or added to your inventory.
    - It will take an additional 36 hours for the product to be searchable in private store, even if you see the app available from the private store tab. | - 15 minutes: available on private store tab
    - 36 hours: searchable in private store
    - 36 hours: available on private store tab, if the product has just been added to inventory | +| Add a product to the private store
    - Apps recently added to your inventory, including line-of-business (LOB) apps and new purchases, will take up to 36 hours to add to the private store. That time begins when the product is purchased, or added to your inventory.
    - It will take an additional 36 hours for the product to be searchable in private store, even if you see the app available from the private store tab. | - 15 minutes: available on private store tab
    - 36 hours: searchable in private store
    - 36 hours: searchable in private store tab | | Remove a product from private store | - 15 minutes: private store tab
    - 36 hours: searchable in private store | -| Accept a new LOB app into your inventory (under **Products & services)**) | 36 hours | +| Accept a new LOB app into your inventory (under **Products & services)**) | - 15 minutes: available on private store tab
    - 36 hours: searchable in private store | | Create a new collection | 15 minutes| | Edit or remove a collection | 15 minutes | | Create private store tab | 4-6 hours | diff --git a/store-for-business/release-history-microsoft-store-business-education.md b/store-for-business/release-history-microsoft-store-business-education.md index 59e3fc2354..d7484344ae 100644 --- a/store-for-business/release-history-microsoft-store-business-education.md +++ b/store-for-business/release-history-microsoft-store-business-education.md @@ -8,7 +8,7 @@ ms.pagetype: store author: TrudyHa ms.author: TrudyHa ms.topic: conceptual -ms.date: 4/26/2018 +ms.date: 5/31/2018 --- # Microsoft Store for Business and Education release history 
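Review bot: In the manage-private-store-settings.md table hunk, the rewritten "Add a product to the private store" row now ends with two near-identical bullets, "36 hours: searchable in private store" and "36 hours: searchable in private store tab", while the bullet that was removed carried the condition that matters ("if the product has just been added to inventory"). The left cell still tells readers that newly purchased or added apps take up to 36 hours to appear at all, so the right cell should keep that qualifier, for example "36 hours: available on private store tab, if the product was just added to inventory", or drop the duplicate third bullet. In the same hunk, the "Accept a new LOB app" row keeps "(under **Products & services)**)" in both the removed and added line; the closing bold marker belongs before the parenthesis: "(under **Products & services**)". Its new timings also repeat the add-product bullets verbatim, so a single "same as adding a product" note would be easier to keep in sync.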
@@ -17,6 +17,11 @@ Microsoft Store for Business and Education regularly releases new and improved f Looking for info on the latest release? Check out [What's new in Microsoft Store for Business and Education](whats-new-microsoft-store-business-education.md) +## April 2018 +- **Assign apps to larger groups** - We're making it easier for admins to assign apps to groups of people. Admins can assign licenses to groups of any size, and include subgroups within those groups. We’ll figure out who’s in those groups, and assign licenses to people in the groups (skipping people who already have licenses). Along the way, we’ll let you know how many licenses are needed, and provide an estimate on the time required to assign licenses. +- **Change collection order in private store** - Private store collections make it easy for groups of people to find the apps that they need. Now, you can customize the order of your private store collections. +- **Office 365 subscription management** - We know that sometimes customers need to cancel a subscription. While we don't want to lose a customer, we want the process for managing subscriptions to be easy. Now, you can delete your Office 365 subscription without calling Support. From Microsoft Store for Business and Education, you can request to delete an Office 365 subscription. We'll wait three days before permanently deleting the subscription. In case of a mistake, customers are welcome to reactivate subscriptions during the three-day period. + ## March 2018 - **Performance improvements in private store** - We've made it significantly faster for you to udpate the private store. Many changes to the private store are available immediately after you make them. [Get more info](https://docs.microsoft.com/microsoft-store/manage-private-store-settings#private-store-performance) - **Private store collection updates** - We’ve made it easier to find apps when creating private store collections – now you can search and filter results. 
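Review bot: The unchanged March 2018 bullet immediately below the new April 2018 section still reads "significantly faster for you to udpate the private store"; fix "udpate" to "update" while this file is being edited. The three April entries otherwise match the cards removed from whats-new-microsoft-store-business-education.md later in this PR, which is the right place for them.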
diff --git a/store-for-business/whats-new-microsoft-store-business-education.md b/store-for-business/whats-new-microsoft-store-business-education.md index 2849a71cfc..fc29d300b3 100644 --- a/store-for-business/whats-new-microsoft-store-business-education.md +++ b/store-for-business/whats-new-microsoft-store-business-education.md @@ -8,7 +8,7 @@ ms.pagetype: store author: TrudyHa ms.author: TrudyHa ms.topic: conceptual -ms.date: 4/26/2018 +ms.date: 5/31/2018 --- # What's new in Microsoft Store for Business and Education @@ -17,15 +17,19 @@ Microsoft Store for Business and Education regularly releases new and improved f ## Latest updates for Store for Business and Education -**April 2018** +**May 2018** | | | |--------------------------------------|---------------------------------| -| ![License assign icon](images/license-assign-icon.png) |**Assign apps to larger groups**

    We're making it easier for admins to assign apps to groups of people. Admins can assign licenses to groups of any size, and include subgroups within those groups. We’ll figure out who’s in those groups, and assign licenses to people in the groups (skipping people who already have licenses). Along the way, we’ll let you know how many licenses are needed, and provide an estimate on the time required to assign licenses.

    **Applies to**:
    Microsoft Store for Business
    Microsoft Store for Education | -| ![Private store icon](images/private-store-icon.png) |**Change collection order in private store**

    Private store collections make it easy for groups of people to find the apps that they need. Now, you can customize the order of your private store collections.

    **Applies to**:
    Microsoft Store for Business
    Microsoft Store for Education | -| ![Office logo icon](images/office-logo.png) |**Office 365 subscription management**

    We know that sometimes customers need to cancel subscription. While we don't want to lose a customer, we want the process for managing subscriptions to be easy. Now, you can delete your Office 365 subscription without calling Support. From Microsoft Store for Business and Education, you can request to delete an Office 365 subscription. We'll wait three days before permanently deleting the subscription. In case of a mistake, customers are welcome to reactivate subscriptions during the three-day period.

    **Applies to**:
    Microsoft Store for Business
    Microsoft Store for Education | - +| ![performance icon](images/edu-icon.png) |**Immersive Reader app in Microsoft Store for Education**

    Microsoft Immersive Reader is now available for education organizations using Microsoft Store for Education. This app is a free tool that uses proven techniques to improve reading and writing for people regardless of their age or ability. You can add the app to your private store, so students can easily install and use it. Check out and download [Immersive Reader](https://educationstore.microsoft.com/en-us/store/details/immersive-reader/9PJZQZ821DQ2).

    **Applies to**:
    Microsoft Store for Education | + +
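Review bot: In the whats-new-microsoft-store-business-education.md table hunk, the new row's alt text "performance icon" does not describe images/edu-icon.png, the file this PR adds; use something like "Education icon". The Immersive Reader link hardcodes a locale (https://educationstore.microsoft.com/en-us/store/details/immersive-reader/9PJZQZ821DQ2) while the other links in this PR use locale-free URLs such as https://docs.microsoft.com/microsoft-store/manage-private-store-settings, so drop "/en-us/" if the store resolves locale on its own. The hunk also leaves two empty "+" lines and a trailing
after the table, which look like leftovers from the removed April rows and should go.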