Merge remote-tracking branch 'refs/remotes/origin/master' into jdsb

store-for-business/roles-and-permissions-microsoft-store-for-business.md

@@ -81,6 +81,6 @@ This table lists the roles and their permissions.
     >You need to be a Global Administrator, or have the Billing account owner role to access **Permissions**. 
     
 2.  Select **Manage**, and then select **Permissions**.
-3.  On **Roles**, or **Purchasing roles**, select **Assing roles**. 
+3.  On **Roles**, or **Purchasing roles**, select **Assign roles**. 
 4.  Enter a name, choose the role you want to assign, and select **Save**.
     If you don't find the name you want, you might need to add people to your Azure AD directory. For more information, see [Manage user accounts](manage-users-and-groups-microsoft-store-for-business.md).

store-for-business/settings-reference-microsoft-store-for-business.md

@@ -24,8 +24,8 @@ The Microsoft Store for Business and Education has a group of settings that admi
 | Private store | Update the name for your private store. The new name will be displayed on a tab in the Store. For more information, see [Manage private store settings](manage-private-store-settings.md). | **Settings - Distribute** |
 | Offline licensing  | Configure whether or not to make offline-licensed apps available in the Microsoft Store for Business and Education. For more information, see [Distribute offline apps](distribute-offline-apps.md). | **Settings - Shop** |
 | Allow users to shop  | Configure whether or not people in your organization or school can see and use the shop function in Store for Business or Store for Education. For more information, see [Allow users to shop](acquire-apps-microsoft-store-for-business.md#allow-users-to-shop). | **Settings - Shop** |
-| Make everyone a Basic Purchaser  | Allow everyone in your organization to automatically become a Basic Purchaser. This allows them to purchase apps and manage them. For more information, see [Make everyone a Basic Purchaser](https://docs.microsoft.com/education/windows/education-scenarios-store-for-business#basic-purchaser-role). </br> **Make everyone a Basic Purchaser** is only available in Microsoft Store for Education.  | **Settings - Shop** |
-| App request | Configure whether or not people in your organization can request apps for admins to purchase. For more information, see [Distribute offline apps](acquire-apps-microsoft-store-for-business.md). | **Settings - Distribute** |
+| Make everyone a Basic Purchaser  | Allow everyone in your organization to automatically become a Basic Purchaser. This allows them to purchase apps and manage them. For more information, see [Make everyone a Basic Purchaser](https://docs.microsoft.com/education/windows/education-scenarios-store-for-business#basic-purchaser-role). | **Settings - Shop** |
+| App request | Configure whether or not people in your organization can request apps for admins to purchase. For more information, see [Distribute offline apps](acquire-apps-microsoft-store-for-business.md). | **Settings - Shop** |
 | Management tools | Management tools that are synced with Azure AD are listed on this page. You can choose one to use for managing app updates and distribution. For more information, see [Configure MDM provider](configure-mdm-provider-microsoft-store-for-business.md). | **Settings - Distribute** |
 | Device Guard signing | Use the Device Guard signing portal to add unsigned apps to a code integrity policy, or to sign code integrity policies. For more information, see [Device Guard signing portal](device-guard-signing-portal.md). | **Settings - Devices**  |
 | Permissions   | Manage permissions for your employees. For more information, see [Roles and permissions in the Microsoft Store for Business and Education](roles-and-permissions-microsoft-store-for-business.md). | **Permissions - Roles**, **Permissions - Purchasing roles**, and **Permissions - Blocked basic purchasers** |

windows/client-management/connect-to-remote-aadj-pc.md

@@ -41,7 +41,7 @@ From its release, Windows 10 has supported remote connections to PCs that are jo
   >[!NOTE]
   >You can specify individual Azure AD accounts for remote connections by having the user sign in to the remote device at least once and then running the following PowerShell cmdlet:
   >
-  >`net localgroup "Remote Desktop Users" /add "AzureAD\FirstnameLastname"`, where *FirstnameLastname* is the name of the user profile in C:\Users\, which is created based on DisplayName attribute in Azure AD.
+  >`net localgroup "Remote Desktop Users" /add "AzureAD\the-UPN-attribute-of-your-user"`, where *FirstnameLastname* is the name of the user profile in C:\Users\, which is created based on DisplayName attribute in Azure AD.
   >
   >In Windows 10, version 1709, the user does not have to sign in to the remote device first.
   >
@@ -50,7 +50,7 @@ From its release, Windows 10 has supported remote connections to PCs that are jo
   4. Enter **Authenticated Users**, then click **Check Names**. If the **Name Not Found** window opens, click **Locations** and select this PC.
 
   >[!TIP]
-  >When you connect to the remote PC, enter your account name in this format: `AzureADName\YourAccountName`.
+  >When you connect to the remote PC, enter your account name in this format: `AzureAD UPN`. The local PC must either be domain-joined or Azure AD-joined. The local PC and remote PC must be in the same Azure AD tenant.
 
  
 ## Supported configurations

windows/client-management/mdm/assignedaccess-csp.md

@@ -895,6 +895,7 @@ Status Get
             <xs:enumeration value="RestartShell" />
             <xs:enumeration value="RestartDevice" />
             <xs:enumeration value="ShutdownDevice" />
+            <xs:enumeration value="DoNothing" />
         </xs:restriction>
     </xs:simpleType>
 

windows/client-management/mdm/policy-csp-restrictedgroups.md

@@ -50,6 +50,12 @@ ms.date: 03/15/2018
 	<td></td>
 </tr>
 </table>
+Footnote:
+
+-   1 - Added in Windows 10, version 1607.
+-   2 - Added in Windows 10, version 1703.
+-   3 - Added in Windows 10, version 1709.
+-   4 - Added in Windows 10, version 1803.
 
 <!--/SupportedSKUs-->
 <!--Scope-->
@@ -132,15 +138,7 @@ Here is an example:
 <hr/>
 
 Take note:
-* You must include the local administrator in the administrators group or the policy will fail
+* You should include the local administrator while modifying the administrators group to prevent accidental loss of access
 * Include the entire UPN after AzureAD
 
-Footnote:
-
--   1 - Added in Windows 10, version 1607.
--   2 - Added in Windows 10, version 1703.
--   3 - Added in Windows 10, version 1709.
--   4 - Added in Windows 10, version 1803.
-
-<!--/Policies-->
 

windows/client-management/mdm/policy-csp-storage.md

@@ -33,6 +33,9 @@ ms.date: 01/14/2019
   <dd>
     <a href="#storage-configstoragesensecloudcontentdehydrationthreshold">Storage/ConfigStorageSenseCloudContentDehydrationThreshold</a>
   </dd>
+  <dd>
+    <a href="#storage-configstoragesensedownloadscleanupthreshold">Storage/ConfigStorageSenseDownloadsCleanupThreshold</a>
+  </dd>
   <dd>
     <a href="#storage-configstoragesenseglobalcadence">Storage/ConfigStorageSenseGlobalCadence</a>
   </dd>
@@ -160,7 +163,7 @@ If you do not configure this policy setting, Storage Sense is turned off by defa
 ADMX Info:  
 -   GP English name: *Allow Storage Sense*
 -   GP name: *SS_AllowStorageSenseGlobal*
--   GP path: *SOFTWARE/Policies/Microsoft/Windows/StorageSense*
+-   GP path: *System/Storage Sense*
 -   GP ADMX file name: *StorageSense.admx*
 
 <!--/ADMXMapped-->
@@ -350,11 +353,11 @@ ADMX Info:
 
 <!--/Scope-->
 <!--Description-->
-When Storage Sense runs, it can delete files in the user’s Downloads folder if they have been there for over a certain amount of days.
+When Storage Sense runs, it can delete files in the user’s Downloads folder if they haven’t been opened for more than a certain number of days.
 
 If the Storage/AllowStorageSenseGlobal policy is disabled, then this policy does not have any effect.
 
-If you enable this policy setting, you must provide the minimum age threshold (in days) of a file in the Downloads folder before Storage Sense will delete it. Supported values are: 0–365.
+If you enable this policy setting, you must provide the number of days since a file in the Downloads folder has been opened before Storage Sense will delete it. Supported values are: 0–365.
 
 If you set this value to zero, Storage Sense will not delete files in the user’s Downloads folder. The default is 0, or never deleting files in the Downloads folder.
 
@@ -438,8 +441,8 @@ If you do not configure this policy setting, then the Storage Sense cadence is s
 <!--ADMXMapped-->
 ADMX Info:  
 -   GP English name: *Configure Storage Sense cadence*
--   GP name: *RemovableDisks_DenyWrite_Access_2*
--   GP path: *SOFTWARE/Policies/Microsoft/Windows/StorageSense*
+-   GP name: *SS_ConfigStorageSenseGlobalCadence*
+-   GP path: *System/Storage Sense*
 -   GP ADMX file name: *StorageSense.admx*
 
 <!--/ADMXMapped-->

windows/client-management/mdm/policy-csp-system.md

@@ -681,11 +681,13 @@ ADMX Info:
 
 <!--/Scope-->
 <!--Description-->
-Specifies whether to allow the user to factory reset the phone by using control panel and hardware key combination.
+Specifies whether to allow the user to factory reset the device by using control panel and hardware key combination.
 
 Most restricted value is 0.
 
 <!--/Description-->
+> [!TIP]
+> This policy is also applicable to Windows 10 and not exclusive to phone.
 <!--SupportedValues-->
 The following list shows the supported values:
 orted values:

windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md

@@ -47,6 +47,9 @@ When the ADMX policies are imported, the registry keys to which each policy is w
 - software\policies\microsoft\vba\security\
 - software\microsoft\onedrive 
 
+> [!Warning]
+> Some operating system components have built in functionality to check devices for domain membership. MDM enforces the configured policy values only if the devices are domain joined, otherwise it does not. However, you can still import ADMX files and set ADMX-backed policies regardless of whether the device is domain joined or non-domain joined.
+
 ## <a href="" id="ingesting-an-app-admx-file"></a>Ingesting an app ADMX file
 
 The following ADMX file example shows how to ingest a Win32 or Desktop Bridge app ADMX file and set policies from the file. The ADMX file defines eight policies.

windows/configuration/guidelines-for-assigned-access-app.md

@@ -49,6 +49,8 @@ In Windows 10, version 1803 and later, you can install the **Kiosk Browser** app
 
 >[!NOTE]
 >Kiosk Browser supports a single tab. If a website has links that open a new tab, those links will not work with Kiosk Browser. Kiosk Browser does not support .pdfs.
+>
+>Kiosk Browser cannot access intranet websites.
 
 
 **Kiosk Browser** must be downloaded for offline licensing using Microsoft Store For Business. You can deploy **Kiosk Browser** to devices running Windows 10, version 1803 (Pro, Business, Enterprise, and Education).

windows/deployment/deploy-m365.md

@@ -34,10 +34,10 @@ For Windows 10 deployment, Microsoft 365 includes a fantastic deployment advisor
 
 You can check out the Microsoft 365 deployment advisor and other resources for free! Just follow the steps below. 
 
-1. Obtain a free EMS 90-day trial by visiting the following link. Provide your email address and answer a few simple questions.
-
-    [Free Trial - Enterprise Mobility + Security](https://www.microsoft.com/cloud-platform/enterprise-mobility-security-trial)
+>[!NOTE]
+>If you have not run a setup guide before, you will see the **Prepare your environment** guide first. This is to make sure you have basics covered like domain verification and a method for adding users. At the end of the "Prepare your environment" guide, there will be a **Ready to continue** button that sends you to the original guide that was selected.
 
+1. [Obtain a free M365 trial](https://docs.microsoft.com/office365/admin/try-or-buy-microsoft-365).
 2. Check out the [Microsoft 365 deployment advisor](https://portal.office.com/onboarding/Microsoft365DeploymentAdvisor#/).
 3. Also check out the [Windows Analytics deployment advisor](https://portal.office.com/onboarding/WindowsAnalyticsDeploymentAdvisor#/). This advisor will walk you through deploying [Upgrade Readiness](https://docs.microsoft.com/windows/deployment/upgrade/manage-windows-upgrades-with-upgrade-readiness), [Update Compliance](https://docs.microsoft.com/windows/deployment/update/update-compliance-monitor), and [Device Health](https://docs.microsoft.com/windows/deployment/update/device-health-monitor). 
 

windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md

@@ -48,7 +48,7 @@ These steps assume that you have the MDT01 member server installed and configure
     3.  User State Migration Tool (USMT)
 
     >[!IMPORTANT]
-    >Starting with Windows 10, version 1809, Windows PE is released separately from the AFK. See [Download and install the Windows ADK](https://docs.microsoft.com/windows-hardware/get-started/adk-install) for more information.
+    >Starting with Windows 10, version 1809, Windows PE is released separately from the ADK. See [Download and install the Windows ADK](https://docs.microsoft.com/windows-hardware/get-started/adk-install) for more information.
 
 ## <a href="" id="sec03"></a>Install MDT
 

windows/deployment/update/waas-morenews.md

@@ -14,7 +14,28 @@ ms.topic: article
 Here's more news about [Windows as a service](windows-as-a-service.md):
 
 <ul>
-
+<li><a href="https://blogs.windows.com/windowsexperience/2018/12/19/driver-quality-in-the-windows-ecosystem/#ktuodfovWAMAkssM.97">Driver quality in the Windows ecosystem</a> - December 19, 2018</li>
+<li><a href="http://m365mdp.mpsn.libsynpro.com/001-windows-10-monthly-quality-updates">Modern Desktop Podcast - Episode 001 – Windows 10 Monthly Quality Updates</a> - December 18, 2018</li>
+<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Measuring-Delivery-Optimization-and-its-impact-to-your-network/ba-p/301809#M409">Measuring Delivery Optimization and its impact to your network</a> - December 13, 2018</li>
+<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/LTSC-What-is-it-and-when-should-it-be-used/ba-p/293181">LTSC: What is it, and when should it be used?</a> - November 29, 2018</li>
+<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Local-Experience-Packs-What-are-they-and-when-should-you-use/ba-p/286841">Local Experience Packs: What are they and when should you use them?</a> - November 14, 2018</li>
+<li><a href="https://blogs.windows.com/windowsexperience/2018/11/13/resuming-the-rollout-of-the-windows-10-october-2018-update/#amAFU5YS1igMQRoB.97">Resuming the Rollout of the Windows 10 October 2018 Update</a> - November 13, 2018</li>
+<li><a href="https://blogs.windows.com/windowsexperience/2018/11/13/windows-10-quality-approach-for-a-complex-ecosystem/#9VlPpT2qGIlPAg5a.97">Windows 10 Quality Approach for a Complex Ecosystem</a> - November 13, 2018</li>
+<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Delivery-Optimization-Scenarios-and-configuration-options/ba-p/280195">Delivery Optimization: Scenarios and Configuration Options</a> - October 30, 2018</li>
+<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Language-pack-acquisition-and-retention-for-enterprise-devices/ba-p/275404">Language Pack Acquisition and Retention for Enterprise Devices</a> - October 18, 2018</li>
+<li><a href="https://blogs.windows.com/windowsexperience/2018/10/09/updated-version-of-windows-10-october-2018-update-released-to-windows-insiders/#MDZYGkj6ZehHyF1g.97">Updated Version of Windows 10 October 2018 Update Released to Windows Insiders</a> - October 9, 2018</li>
+<li><a href="https://blogs.windows.com/windowsexperience/2018/10/02/how-to-get-the-windows-10-october-2018-update/#T4LJQ3OzDkCR72em.97">How to get the Windows 10 October 2018 Update</a> - October 2, 2018</li>
+<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Reduced-Windows-10-package-size-downloads-for-x64-systems/ba-p/262386">Reducing Windows 10 Package Size Downloads for x64 Systems</a> - September 26, 2018</li>
+<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-7-servicing-stack-updates-managing-change-and/ba-p/260434">Windows 7 Servicing Stack Updates: Managing Change and Appreciating Cumulative Updates</a> - September 21, 2018</li>
+<li><a href="https://www.microsoft.com/en-us/microsoft-365/blog/2018/09/06/helping-customers-shift-to-a-modern-desktop/">Helping customers shift to a modern desktop</a> - September 6, 2018</li>
+<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-amp-Windows-Analytics-a-real-world/ba-p/242417#M228">Windows Update for Business & Windows Analytics: a real-world experience</a> - September 5, 2018</li>
+<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/What-s-next-for-Windows-10-and-Windows-Server-quality-updates/ba-p/229461">What's next for Windows 10 and Windows Server quality updates</a> - August 16, 2018</li>
+<li><a href="https://www.youtube-nocookie.com/watch/BwB10v55WSk">Windows 10 monthly updates</a> - August 1, 2018 (**video**)</li>
+<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-update-servicing-cadence/ba-p/222376">Windows 10 update servicing cadence</a> - August 1, 2018</li>
+<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-quality-updates-explained-amp-the-end-of-delta/ba-p/214426">Windows 10 quality updates explained and the end of delta updates</a> - July 11, 2018</li>
+<li><a href="https://blogs.windows.com/windowsexperience/2018/06/14/ai-powers-windows-10-april-2018-update-rollout/#67LrSyWdwgTyciSG.97">AI Powers Windows 10 April 2018 Update Rollout</a> - June 14, 2018</li>
+<li><a href="https://cloudblogs.microsoft.com/windowsserver/2018/06/12/windows-server-2008-sp2-servicing-changes/">Windows Server 2008 SP2 Servicing Changes</a> - June 12, 2018</li>
+<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-Enhancements-diagnostics/ba-p/201978">Windows Update for Business - Enhancements, diagnostics, configuration</a> - June 7, 2018</li>
 <li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-and-the-disappearing-SAC-T/ba-p/199747">Windows 10 and the disappearing SAC-T</a> - May 31, 2018
 <li><a href="https://www.youtube.com/watch?v=EVzFIg_MhaE&t=5s">Manage update download size using Windows as a service</a> - March 30, 2018</li>
 </ul>

windows/deployment/update/waas-servicing-differences.md

@@ -53,7 +53,7 @@ This cumulative update model for Windows 10 has helped provide the Windows ecosy
 - [Updates for the .NET Framework](https://blogs.msdn.microsoft.com/dotnet/2016/10/11/net-framework-monthly-rollups-explained/) are NOT included in the Windows 10 LCU. They are separate packages with different behaviors depending on the version of .NET Framework being updated, and on which OS. As of October 2018, .NET Framework updates for Windows 10 will be separate and have their own cumulative update model.
 - For Windows 10, available update types vary by publishing channel: 
    - For customers using Windows Server Update Services (WSUS) and for the Update Catalog, several different updates types for Windows 10 are rolled together for the core OS in a single LCU package, with exception of Servicing Stack Updates.
-   - Servicing Stack Updates (SSU) are available for download from the Update Catalog and can be imported through WSUS, but will not be automatically synced. (See this example for Windows 10, version 1709)   For more information on Servicing Stack Updates, please see this blog.
+   - Servicing Stack Updates (SSU) are available for download from the Update Catalog and can be imported through WSUS. Servicing Stack Updates (SSU) will be synced automatically (See this example for Windows 10, version 1709). Learn more about [Servicing Stack Updates](https://docs.microsoft.com/windows/deployment/update/servicing-stack-updates).
    - For customers connecting to Windows Update, the new cloud update architecture uses a database of updates which break out all the different update types, including Servicing Stack Updates (SSU) and Dynamic Updates (DU). The update scanning in the Windows 10 servicing stack on the client automatically takes only the updates that are needed by the device to be completely up to date.
 - Windows 7 and other legacy operating systems have cumulative updates that operate differently than in Windows 10 (see next section).
 

windows/deployment/update/windows-analytics-get-started.md

@@ -151,7 +151,7 @@ When you run the deployment script, it initiates a full scan. The daily schedule
 
 ### Distribute the deployment script at scale
 
-Use a software distribution system such as System Center Configuration Manager to distribute the Upgrade Readiness deployment script at scale. For more information, see [New version of the Upgrade Analytics Deployment Script available](https://blogs.technet.microsoft.com/upgradeanalytics/2016/09/20/new-version-of-the-upgrade-analytics-deployment-script-available/) on the Upgrade Readiness blog. For information on how to deploy PowerShell scripts by using Windows Intune, see [Manage PowerShell scripts in Intune for Windows 10 devices](https://docs.microsoft.com/intune/intune-management-extension).
+Use a software distribution system such as System Center Configuration Manager to distribute the Upgrade Readiness deployment script at scale. For more information, see [Upgrade Readiness deployment script](https://docs.microsoft.com/windows/deployment/upgrade/upgrade-readiness-deployment-script). For information on how to deploy PowerShell scripts by using Windows Intune, see [Manage PowerShell scripts in Intune for Windows 10 devices](https://docs.microsoft.com/intune/intune-management-extension).
 
 ### Distributing policies at scale
 There are a number of policies that can be centrally managed to control Windows Analytics device configuration. All of these policies have *preference* registry key equivalents that can be set by using the deployment script. Policy settings override preference settings if both are set.

windows/deployment/update/windows-as-a-service.md

@@ -25,34 +25,12 @@ Everyone wins when transparency is a top priority. We want you to know when upda
 
 The latest news:
 <ul compact style="list-style: none"> 
+<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-version-1809-designated-for-broad-deployment/ba-p/389540">Windows 10, version 1809 designated for broad deployment</a> - March 28, 2019</li>
 <li><a href="https://blogs.windows.com/windowsexperience/2019/03/06/data-insights-and-listening-to-improve-the-customer-experience">Data, insights and listening to improve the customer experience</a> - March 6, 2019</li>
 <li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Getting-to-know-the-Windows-update-history-pages/ba-p/355079">Getting to know the Windows update history pages</a> - February 21, 2019</li>
 <li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-and-the-retirement-of-SAC-T/ba-p/339523">Windows Update for Business and the retirement of SAC-T</a> - February 14, 2019</li>
 <li><a href="https://blogs.windows.com/windowsexperience/2019/01/15/application-compatibility-in-the-windows-ecosystem/#A8urpp1QEp6DHzmP.97">Application compatibility in the Windows ecosystem</a> - January 15, 2019</li>
 <li><a href="https://blogs.windows.com/windowsexperience/2018/12/10/windows-monthly-security-and-quality-updates-overview/#UJJpisSpvyLokbHm.97">Windows monthly security and quality updates overview</a> - January 10, 2019</li>
-<li><a href="https://blogs.windows.com/windowsexperience/2018/12/19/driver-quality-in-the-windows-ecosystem/#ktuodfovWAMAkssM.97">Driver quality in the Windows ecosystem</a> - December 19, 2018</li>
-<li><a href="http://m365mdp.mpsn.libsynpro.com/001-windows-10-monthly-quality-updates">Modern Desktop Podcast - Episode 001 – Windows 10 Monthly Quality Updates</a> - December 18, 2018</li>
-<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Measuring-Delivery-Optimization-and-its-impact-to-your-network/ba-p/301809#M409">Measuring Delivery Optimization and its impact to your network</a> - December 13, 2018</li>
-<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/LTSC-What-is-it-and-when-should-it-be-used/ba-p/293181">LTSC: What is it, and when should it be used?</a> - November 29, 2018</li>
-<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Local-Experience-Packs-What-are-they-and-when-should-you-use/ba-p/286841">Local Experience Packs: What are they and when should you use them?</a> - November 14, 2018</li>
-<li><a href="https://blogs.windows.com/windowsexperience/2018/11/13/resuming-the-rollout-of-the-windows-10-october-2018-update/#amAFU5YS1igMQRoB.97">Resuming the Rollout of the Windows 10 October 2018 Update</a> - November 13, 2018</li>
-<li><a href="https://blogs.windows.com/windowsexperience/2018/11/13/windows-10-quality-approach-for-a-complex-ecosystem/#9VlPpT2qGIlPAg5a.97">Windows 10 Quality Approach for a Complex Ecosystem</a> - November 13, 2018</li>
-<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Delivery-Optimization-Scenarios-and-configuration-options/ba-p/280195">Delivery Optimization: Scenarios and Configuration Options</a> - October 30, 2018</li>
-<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Language-pack-acquisition-and-retention-for-enterprise-devices/ba-p/275404">Language Pack Acquisition and Retention for Enterprise Devices</a> - October 18, 2018</li>
-<li><a href="https://blogs.windows.com/windowsexperience/2018/10/09/updated-version-of-windows-10-october-2018-update-released-to-windows-insiders/#MDZYGkj6ZehHyF1g.97">Updated Version of Windows 10 October 2018 Update Released to Windows Insiders</a> - October 9, 2018</li>
-<li><a href="https://blogs.windows.com/windowsexperience/2018/10/02/how-to-get-the-windows-10-october-2018-update/#T4LJQ3OzDkCR72em.97">How to get the Windows 10 October 2018 Update</a> - October 2, 2018</li>
-<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Reduced-Windows-10-package-size-downloads-for-x64-systems/ba-p/262386">Reducing Windows 10 Package Size Downloads for x64 Systems</a> - September 26, 2018</li>
-<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-7-servicing-stack-updates-managing-change-and/ba-p/260434">Windows 7 Servicing Stack Updates: Managing Change and Appreciating Cumulative Updates</a> - September 21, 2018</li>
-<li><a href="https://www.microsoft.com/en-us/microsoft-365/blog/2018/09/06/helping-customers-shift-to-a-modern-desktop/">Helping customers shift to a modern desktop</a> - September 6, 2018</li>
-<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-amp-Windows-Analytics-a-real-world/ba-p/242417#M228">Windows Update for Business & Windows Analytics: a real-world experience</a> - September 5, 2018</li>
-<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/What-s-next-for-Windows-10-and-Windows-Server-quality-updates/ba-p/229461">What's next for Windows 10 and Windows Server quality updates</a> - August 16, 2018</li>
-<li><a href="https://www.youtube-nocookie.com/watch/BwB10v55WSk">Windows 10 monthly updates</a> - August 1, 2018 (**video**)</li>
-<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-update-servicing-cadence/ba-p/222376">Windows 10 update servicing cadence</a> - August 1, 2018</li>
-<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-quality-updates-explained-amp-the-end-of-delta/ba-p/214426">Windows 10 quality updates explained and the end of delta updates</a> - July 11, 2018</li>
-<li><a href="https://blogs.windows.com/windowsexperience/2018/06/14/ai-powers-windows-10-april-2018-update-rollout/#67LrSyWdwgTyciSG.97">AI Powers Windows 10 April 2018 Update Rollout</a> - June 14, 2018</li>
-<li><a href="https://cloudblogs.microsoft.com/windowsserver/2018/06/12/windows-server-2008-sp2-servicing-changes/">Windows Server 2008 SP2 Servicing Changes</a> - June 12, 2018</li>
-<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-Update-for-Business-Enhancements-diagnostics/ba-p/201978">Windows Update for Business - Enhancements, diagnostics, configuration</a> - June 7, 2018</li>
-<li><a href="https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-and-the-disappearing-SAC-T/ba-p/199747">Windows 10 and the “disappearing” SAC-T</a> - May 31, 2018</li>
 </ul>
 
 [See more news](waas-morenews.md). You can also check out the [Windows 10 blog](https://techcommunity.microsoft.com/t5/Windows-10-Blog/bg-p/Windows10Blog).

windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md

@@ -28,7 +28,7 @@ In this topic you'll learn how to set-up a Windows Autopilot deployment for a Vi
 ## Prerequisites
 
 These are the thing you'll need on your device to get started:
-* Installation media for the latest version of Windows 10 Professional or Enterprise (ISO file)
+* Installation media for the [latest version of Windows 10 Professional or Enterprise (ISO file)](https://www.microsoft.com/software-download/windows10)
 * Internet access (see [Network connectivity requirements](https://docs.microsoft.com/windows/deployment/windows-autopilot/windows-autopilot#network-connectivity-requirements))
 * Hypervisor needs to be unoccupied, or used by Hyper-V, as we will be using Hyper-V to create the Virtual Machine
 

windows/deployment/windows-autopilot/enrollment-status.md

@@ -62,7 +62,7 @@ The following types of policies and installations are not tracked:
 ## More information
 
 For more information on configuring the Enrollment Status page, see the [Microsoft Intune documentation](https://docs.microsoft.com/intune/windows-enrollment-status).<br>
-For details about the underlying implementation, see the [FirstSyncStatus details in the DMClient CSP docuementation](https://docs.microsoft.com/windows/client-management/mdm/dmclient-csp).<br>
+For details about the underlying implementation, see the [FirstSyncStatus details in the DMClient CSP documentation](https://docs.microsoft.com/windows/client-management/mdm/dmclient-csp).<br>
 For more information about blocking for app installation:
 - [Blocking for app installation using Enrollment Status Page](https://blogs.technet.microsoft.com/mniehaus/2018/12/06/blocking-for-app-installation-using-enrollment-status-page/).
 - [Support Tip: Office C2R installation is now tracked during ESP](https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Office-C2R-installation-is-now-tracked-during-ESP/ba-p/295514).

windows/deployment/windows-autopilot/troubleshooting.md

@@ -85,10 +85,12 @@ On Windows 10 version 1703 and above, ETW tracing can be used to capture detaile
 
 The most common issue joining a device to Azure AD is related to Azure AD permissions.  Ensure [the correct configuration is in place](windows-autopilot-requirements-configuration.md) to allow users to join devices to Azure AD.  Errors can also happen if the user has exceeded the number of devices that they are allowed to join, as configured in Azure AD.
 
-Error code 801C0003 will typically be reported on an error page titled "Something went wrong."  This error means that the Azure AD join failed.
+Error code 801C0003 will typically be reported on an error page titled "Something went wrong".  This error means that the Azure AD join failed.
 
 ### Troubleshooting Intune enrollment issues
 
 See [this knowledge base article](https://support.microsoft.com/help/4089533/troubleshooting-windows-device-enrollment-problems-in-microsoft-intune) for assistance with Intune enrollment issues.  Common issues include incorrect or missing licenses assigned to the user or too many devices enrolled for the user.
 
-Error code 80180018 will typiclaly be reported on an error page titled "Something went wrong."  This error means that the MDM enrollment failed.
+Error code 80180018 will typically be reported on an error page titled "Something went wrong".  This error means that the MDM enrollment failed.
+
+If Autopilot Reset fails immediately with an error "Ran into trouble. Please sign in with an administrator account to see why and reset manually," see [Troubleshoot Autopilot Reset](https://docs.microsoft.com/education/windows/autopilot-reset#troubleshoot-autopilot-reset) for more help.

windows/deployment/windows-autopilot/windows-autopilot-requirements-network.md

@@ -26,7 +26,12 @@ Windows Autopilot depends on a variety of internet-based services; access to the
 
 In environments that have more restrictive internet access, or for those that require authentication before internet access can be obtained, additional configuration may be required to whitelist access to the needed services. For additional details about each of these services and their specific requirements, review the following details:
 
--   **Windows Autopilot Deployment Service (and Windows Activation).**  After a network connection is in place, each Windows 10 device will contact the Windows Autopilot Deployment Service using the same services used for Windows Activation. See the following link for details:
+-   **Windows Autopilot Deployment Service (and Windows Activation).**  After a network connection is in place, each Windows 10 device will contact the Windows Autopilot Deployment Service.  With Windows 10 builds 18204 and above, the following URLs are used:
+
+    -   https://ztd.dds.microsoft.com
+    -   https://cs.dds.microsoft.com
+    
+    For all supported Windows 10 releases, Windows Autopilot also uses Windows Activation services. See the following link for details:
 
     -   <https://support.microsoft.com/help/921471/windows-activation-or-validation-fails-with-error-code-0x8004fe33>
 

windows/security/identity-protection/credential-guard/credential-guard-manage.md

@@ -177,6 +177,9 @@ To disable Windows Defender Credential Guard, you can use the following set of p
 > [!NOTE]
 > The PC must have one-time access to a domain controller to decrypt content, such as files that were encrypted with EFS. If you want to turn off both Windows Defender Credential Guard and virtualization-based security, run the following bcdedit command after turning off all virtualization-based security Group Policy and registry settings: bcdedit /set {0cb3b571-2f2e-4343-a879-d86a476d7215} loadoptions DISABLE-LSA-ISO,DISABLE-VBS
 
+> [!NOTE]
+> Credential Guard and Device Guard are not currently supported when using Azure IaaS VMs. These options will be made available with future Gen 2 VMs.
+
 For more info on virtualization-based security and Windows Defender Device Guard, see [Windows Defender Device Guard deployment guide](/windows/device-security/device-guard/device-guard-deployment-guide).
 
 <span id="turn-off-with-hardware-readiness-tool" />

windows/security/identity-protection/credential-guard/credential-guard-requirements.md

@@ -39,7 +39,7 @@ To provide basic protections against OS level attempts to read Credential Manage
 The Virtualization-based security requires:
 - 64-bit CPU
 - CPU virtualization extensions plus extended page tables
-- Windows hypervisor
+- Windows hypervisor (does not require Hyper-V Windows Feature to be installed)
 
 ### Windows Defender Credential Guard deployment in virtual machines
 

windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md

@@ -131,9 +131,9 @@ Sign-in a domain controller or management workstations with _Domain Admin_ equiv
 5. In the content pane, right-click the **NDES Service Rights** Group Policy object and click **Edit**.
 6. In the navigation pane, expand **Policies** under **Computer Configuration**.
 7. Expand **Windows Settings > Security Settings > Local Policies**. Select **User Rights Assignments**.
-8. In the content pane, double-click **Allow log on locally**. Select **Define these policy settings**. and click **OK**.  Click **Add User or Group...**.  In the **Add User or Group** dialog box, click **Browse**.  In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **Administrators;Backup Operators;DOMAINNAME\NDESSvc;Users** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**.  Click **OK** twice.
-9. In the content pane, double-click **Log on as a batch job**. Select **Define these policy settings**. and click **OK**.  Click **Add User or Group...**.  In the **Add User or Group** dialog box, click **Browse**.  In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **Administrators;Backup Operators;DOMAINNAME\NDESSvc;Performance Log Users** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**.  Click **OK** twice.
-10. In the content pane, double-click **Log on as a batch job**. Select **Define these policy settings**. and click **OK**.  Click **Add User or Group...**.  In the **Add User or Group** dialog box, click **Browse**.  In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **NT SERVICE\ALL SERVICES;DOMAINNAME\NDESSvc** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**.  Click **OK** three times.
+8. In the content pane, double-click **Allow log on locally**. Select **Define these policy settings** and click **OK**.  Click **Add User or Group...**.  In the **Add User or Group** dialog box, click **Browse**.  In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **Administrators;Backup Operators;DOMAINNAME\NDESSvc;Users** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**.  Click **OK** twice.
+9. In the content pane, double-click **Log on as a batch job**. Select **Define these policy settings** and click **OK**.  Click **Add User or Group...**.  In the **Add User or Group** dialog box, click **Browse**.  In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **Administrators;Backup Operators;DOMAINNAME\NDESSvc;Performance Log Users** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**.  Click **OK** twice.
+10. In the content pane, double-click **Log on as a service**. Select **Define these policy settings** and click **OK**.  Click **Add User or Group...**.  In the **Add User or Group** dialog box, click **Browse**.  In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **NT SERVICE\ALL SERVICES;DOMAINNAME\NDESSvc** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**.  Click **OK** three times.
 11. Close the **Group Policy Management Editor**. 
 
 ### Configure security for the NDES Service User Rights Group Policy object

windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso.md

@@ -30,7 +30,7 @@ Enterprises can use either a key or a certificate to provide single-sign on for
 
 When using a key, the on-premises environment needs an adequate distribution of Windows Server 2016 domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment.  Read the [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.
 
-When using a certificate, the on-premises environment can use Windows Server 2008 R2 and later domain controllers, which removes the Windows Server 2016 domain controller requirement.  However, single-sign on using a key requires additional infrastructure to issue a certificate when the user enrolls for Windows Hello for Business.  Azure AD joined devices enroll certificates using Microsoft Intune or a compatible Mobile Device Management (MDM).  Microsoft Intune and Windows Hello for Business use the Network Device Enrollment Services (NDES) role and support Microsoft Intune connector.
+When using a certificate, the on-premises environment can use Windows Server 2008 R2 and later domain controllers, which removes the Windows Server 2016 domain controller requirement.  However, single-sign on using a certificate requires additional infrastructure to issue a certificate when the user enrolls for Windows Hello for Business.  Azure AD joined devices enroll certificates using Microsoft Intune or a compatible Mobile Device Management (MDM).  Microsoft Intune and Windows Hello for Business use the Network Device Enrollment Services (NDES) role and support Microsoft Intune connector.
 
 To deploy single sign-on for Azure AD joined devices using keys, read and follow [Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business](hello-hybrid-aadj-sso-base.md).
 To deploy single sign-on for Azure AD joined devices using certificates, read and follow [Configure Azure AD joined devices for On-premises Single-Sign On using Windows Hello for Business](hello-hybrid-aadj-sso-base.md) and then [Using Certificates for AADJ On-premises Single-sign On](hello-hybrid-aadj-sso-cert.md).

windows/security/identity-protection/hello-for-business/hello-planning-guide.md

@@ -75,9 +75,9 @@ It’s fundamentally important to understand which deployment model to use for a
 
 A deployment's trust type defines how each Windows Hello for Business client authenticates to the on-premises Active Directory.  There are two trust types: key trust and certificate trust. 
   
-The key trust type does not require issuing authentication certificates to end users.  Users authenticate using a hardware-bound key created during an in-box provisioning experience, which requires an adequate distribution of Windows Server 2016 domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment.  Read the [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.
+The key trust type does not require issuing authentication certificates to end users. Users authenticate using a hardware-bound key created during the built-in provisioning experience. This requires an adequate distribution of Windows Server 2016 domain controllers relative to your existing authentication and the number of users included in your Windows Hello for Business deployment. Read the [Planning an adequate number of Windows Server 2016 Domain Controllers for Windows Hello for Business deployments](hello-adequate-domain-controllers.md) to learn more.
 
-The certificate trust type issues authentication certificates to end users.  Users authenticate using a certificate requested using a hardware-bound key created during the in-box provisioning experience.  Unlike key trust, certificate trust does not require Windows Server 2016 domain controllers.  Users can authenticate using their certificate to any Windows Server 2008 R2 or later domain controller.
+The certificate trust type issues authentication certificates to end users.  Users authenticate using a certificate requested using a hardware-bound key created during the built-in provisioning experience.  Unlike key trust, certificate trust does not require Windows Server 2016 domain controllers.  Users can authenticate using their certificate to any Windows Server 2008 R2 or later domain controller.
 
 #### Device registration
 
@@ -85,11 +85,11 @@ All devices included in the Windows Hello for Business deployment must go throug
 
 #### Key registration
 
-The in-box Windows Hello for Business provisioning experience creates a hardware bound asymmetric key pair as their user’s credentials. The private key is protected by the device’s security modules; however, the credential is a user key (not a device key).  The provisioning experience registers the user’s public key with the identity provider.  For cloud only and hybrid deployments, the identity provider is Azure Active Directory.  For on-premises deployments, the identity provider is the on-premises server running Windows Server 2016 Active Directory Federation Services (AD FS) role.
+The built-in Windows Hello for Business provisioning experience creates a hardware bound asymmetric key pair as their user’s credentials. The private key is protected by the device’s security modules; however, the credential is a user key (not a device key).  The provisioning experience registers the user’s public key with the identity provider.  For cloud only and hybrid deployments, the identity provider is Azure Active Directory.  For on-premises deployments, the identity provider is the on-premises server running Windows Server 2016 Active Directory Federation Services (AD FS) role.
 
 #### Multifactor authentication
 
-The goal of Windows Hello for Business is to move organizations away from passwords by providing them a strong credential that provides easy two-factor authentication.  The in-box provisioning experience accepts the user’s weak credentials (username and password) as the first factor authentication; however, the user must provide a second factor of authentication before Windows provisions a strong credential.  
+The goal of Windows Hello for Business is to move organizations away from passwords by providing them a strong credential that provides easy two-factor authentication.  The built-in provisioning experience accepts the user’s weak credentials (username and password) as the first factor authentication; however, the user must provide a second factor of authentication before Windows provisions a strong credential.  
 
 Cloud only and hybrid deployments provide many choices for multi-factor authentication.  On-premises deployments must use a multi-factor authentication that provides an AD FS multi-factor adapter to be used in conjunction with the on-premises Windows Server 2016 AD FS server role. Organizations can use the on-premises Azure Multi-factor Authentication server, or choose from several third parties (Read [Microsoft and third-party additional authentication methods](https://docs.microsoft.com/windows-server/identity/ad-fs/operations/configure-additional-authentication-methods-for-ad-fs#microsoft-and-third-party-additional-authentication-methods) for more information).
 >[!NOTE]
@@ -105,7 +105,7 @@ Cloud only and hybrid deployments provide many choices for multi-factor authenti
 
 #### Directory synchronization
 
-Hybrid and on-premises deployments use directory synchronization, however, each for a different purpose.  Hybrid deployments use Azure Active Directory Connect to synchronize Active Directory identities or credentials between itself and Azure Active Directory. This helps enable single sign-on to Azure Active Directory and its federated components.
+Hybrid and on-premises deployments use directory synchronization, however, each for a different purpose.  Hybrid deployments use Azure Active Directory Connect to synchronize Active Directory identities or credentials between itself and Azure Active Directory. This helps enable single sign-on to Azure Active Directory and its federated components. On-premises deployments use directory synchronization to import users from Active Directory to the Azure MFA Server, which sends data to the Azure MFA cloud service to perform the verification.
 
 ### Management
 

windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md

@@ -13,7 +13,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 02/28/2019
+ms.date: 04/02/2019
 ---
 
 # BitLocker Group Policy settings
@@ -1167,7 +1167,8 @@ This policy controls how BitLocker reacts to systems that are equipped with encr
 </tr>
 <tr class="even">
 <td align="left"><p><strong>When not configured</strong></p></td>
-<td align="left"><p>BitLocker uses hardware-based encryption with the encryption algorithm that is set for the drive. If hardware-based encryption is not available, BitLocker software-based encryption is used instead.</p></td>
+<td align="left"><p>BitLocker software-based encryption is used irrespective of hardware-based encryption ability. 
+</p></td>
 </tr>
 </tbody>
 </table>
@@ -1221,7 +1222,7 @@ This policy controls how BitLocker reacts when encrypted drives are used as oper
 </tr>
 <tr class="even">
 <td align="left"><p><strong>When not configured</strong></p></td>
-<td align="left"><p>BitLocker uses hardware-based encryption with the encryption algorithm that is set for the drive. If hardware-based encryption is not available, BitLocker software-based encryption is used instead.</p></td>
+<td align="left"><p>BitLocker software-based encryption is used irrespective of hardware-based encryption ability. </p></td>
 </tr>
 </tbody>
 </table>
@@ -1277,7 +1278,7 @@ This policy controls how BitLocker reacts to encrypted drives when they are used
 </tr>
 <tr class="even">
 <td align="left"><p><strong>When not configured</strong></p></td>
-<td align="left"><p>BitLocker uses hardware-based encryption with the encryption algorithm that is set for the drive. If hardware-based encryption is not available, BitLocker software-based encryption is used instead.</p></td>
+<td align="left"><p>BitLocker software-based encryption is used irrespective of hardware-based encryption ability. </p></td>
 </tr>
 </tbody>
 </table>

windows/security/information-protection/encrypted-hard-drive.md

@@ -7,28 +7,28 @@ ms.mktglfcycl: deploy
 ms.sitesec: library
 ms.pagetype: security
 author: brianlic-msft
-ms.date: 04/19/2017
-ms.topic: article
+ms.date: 04/02/2019
 ---
 
 # Encrypted Hard Drive
 
 **Applies to**
 - Windows 10
+- Windows Server 2019
 - Windows Server 2016
 
 Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management.
 
 By offloading the cryptographic operations to hardware, Encrypted Hard Drives increase BitLocker performance and reduce CPU usage and power consumption. Because Encrypted Hard Drives encrypt data quickly, enterprise devices can expand BitLocker deployment with minimal impact on productivity.
 
-Encrypted Hard Drives are a new class of hard drives that are self-encrypting at a hardware level and allow for full disk hardware encryption. In Windows 8, Windows Server 2012, and later you can install to these devices without additional modification.
+Encrypted Hard Drives are a new class of hard drives that are self-encrypting at a hardware level and allow for full disk hardware encryption. You can install Windows to Encrypted Hard Drives without additional modification beginning with Windows 8 and Windows Server 2012.
 
-Some of the benefits of Encrypted Hard Drives include:
+Encrypted Hard Drives provide:
 
 -   **Better performance**: Encryption hardware, integrated into the drive controller, allows the drive to operate at full data rate with no performance degradation.
 -   **Strong security based in hardware**: Encryption is always "on" and the keys for encryption never leave the hard drive. User authentication is performed by the drive before it will unlock, independently of the operating system
--   **Ease of use**: Encryption is transparent to the user because it is on by default. There is no user interaction needed to enable encryption. Encrypted Hard Drives are easily erased using on-board encryption key; there is no need to re-encrypt data on the drive.
--   **Lower cost of ownership**: There is no need for new infrastructure to manage encryption keys, since BitLocker leverages your Active Directory Domain Services infrastructure to store recovery information. Your device operates more efficiently because processor cycles do not need to be used for the encryption process.
+-   **Ease of use**: Encryption is transparent to the user, and the user doesn't need to enable it. Encrypted Hard Drives are easily erased using on-board encryption key; there is no need to re-encrypt data on the drive.
+-   **Lower cost of ownership**: There is no need for new infrastructure to manage encryption keys, since BitLocker leverages your existing infrastructure to store recovery information. Your device operates more efficiently because processor cycles do not need to be used for the encryption process.
 
 Encrypted Hard Drives are supported natively in the operating system through the following mechanisms:
 
@@ -38,20 +38,21 @@ Encrypted Hard Drives are supported natively in the operating system through the
 -   **API**: API support for applications to manage Encrypted Hard Drives independently of BitLocker Drive Encryption (BDE)
 -   **BitLocker support**: Integration with the BitLocker Control Panel provides a seamless BitLocker end user experience.
 
->**Warning:**  Self-Encrypting Hard Drives and Encrypted Hard Drives for Windows are not the same type of device. Encrypted Hard Drives for Windows require compliance for specific TCG protocols as well as IEEE 1667 compliance; Self-Encrypting Hard Drives do not have these requirements. It is important to confirm the device type is an Encrypted Hard Drive for Windows when planning for deployment.
+>[!WARNING]  
+>Self-Encrypting Hard Drives and Encrypted Hard Drives for Windows are not the same type of device. Encrypted Hard Drives for Windows require compliance for specific TCG protocols as well as IEEE 1667 compliance; Self-Encrypting Hard Drives do not have these requirements. It is important to confirm the device type is an Encrypted Hard Drive for Windows when planning for deployment.
  
 If you are a storage device vendor who is looking for more info on how to implement Encrypted Hard Drive, see the [Encrypted Hard Drive Device Guide](https://msdn.microsoft.com/library/windows/hardware/dn653989.aspx).
 
 ## System Requirements
 
-To use Encrypted Hard Drive, the following system requirements apply:
+To use Encrypted Hard Drives, the following system requirements apply:
 
-For Encrypted Hard Drives used as **data drives**:
+For an Encrypted Hard Drive used as a **data drive**:
 
 -   The drive must be in an uninitialized state.
 -   The drive must be in a security inactive state.
 
-For Encrypted Hard Drives used as **startup drives**:
+For an Encrypted Hard Drive used as a **startup drive**:
 
 -   The drive must be in an uninitialized state.
 -   The drive must be in a security inactive state.
@@ -59,7 +60,8 @@ For Encrypted Hard Drives used as **startup drives**:
 -   The computer must have the Compatibility Support Module (CSM) disabled in UEFI.
 -   The computer must always boot natively from UEFI.
 
->**Warning:**  All Encrypted Hard Drives must be attached to non-RAID controllers to function properly.
+>[!WARNING]  
+>All Encrypted Hard Drives must be attached to non-RAID controllers to function properly.
  
 ## Technical overview
 
@@ -74,7 +76,15 @@ Configuration of Encrypted Hard Drives as startup drives is done using the same
 -   **Deploy from server**: This deployment method involves PXE booting a client with Encrypted Hard Drives present. Configuration of Encrypted Hard Drives happens automatically in this environment when the Enhanced Storage component is added to the PXE boot image. During deployment, the [TCGSecurityActivationDisabled](https://msdn.microsoft.com/library/windows/hardware/dn923247.aspx) setting in unattend.xml controls the encryption behavior of Encrypted Hard Drives.
 -   **Disk Duplication**: This deployment method involves use of a previously configured device and disk duplication tools to apply a Windows image to an Encrypted Hard Drive. Disks must be partitioned using at least Windows 8 or Windows Server 2012 for this configuration to work. Images made using disk duplicators will not work.
 
-### Encrypted Hard Drive Architecture
+## Configuring hardware-based encryption with Group Policy
+
+There are three related Group Policy settings that help you manage how BitLocker uses hardware-based envryption and which encryption algorithms to use. If these settings are not configured or disabled on systems that are equipped with encrypted drives, BitLocker uses software-based encryption: 
+
+- [Configure use of hardware-based encryption for fixed data drives](bitlocker/bitlocker-group-policy-settings.md#a-href-idbkmk-hdefxdaconfigure-use-of-hardware-based-encryption-for-fixed-data-drives)  
+- [Configure use of hardware-based encryption for removable data drives](bitlocker/bitlocker-group-policy-settings.md#a-href-idbkmk-hderddaconfigure-use-of-hardware-based-encryption-for-removable-data-drives)
+- [Configure use of hardware-based encryption for operating system drives](bitlocker/bitlocker-group-policy-settings.md#a-href-idbkmk-hdeosdaconfigure-use-of-hardware-based-encryption-for-operating-system-drives)
+
+## Encrypted Hard Drive Architecture
 
 Encrypted Hard Drives utilize two encryption keys on the device to control the locking and unlocking of data on the drive. These are the Data Encryption Key (DEK) and the Authentication Key (AK).
 

windows/security/threat-protection/TOC.md

@@ -343,6 +343,7 @@
 ##### Reporting
 ###### [Create and build Power BI reports using Windows Defender ATP data](windows-defender-atp/powerbi-reports-windows-defender-advanced-threat-protection.md)
 ###### [Threat protection reports](windows-defender-atp/threat-protection-reports-windows-defender-advanced-threat-protection.md)
+###### [Machine health and compliance reports](windows-defender-atp/machine-reports-windows-defender-advanced-threat-protection.md)
 
 ##### Role-based access control
 ###### [Manage portal access using RBAC](windows-defender-atp/rbac-windows-defender-advanced-threat-protection.md)

windows/security/threat-protection/intelligence/coinminer-malware.md

@@ -12,6 +12,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance  
 ms.topic: article
+search.appverid: met150
 ---
 # Coin miners
 

windows/security/threat-protection/intelligence/criteria.md

@@ -12,6 +12,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance  
 ms.topic: article
+search.appverid: met150
 ---
 
 # How Microsoft identifies malware and potentially unwanted applications

windows/security/threat-protection/intelligence/exploits-malware.md

@@ -12,6 +12,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance  
 ms.topic: article
+search.appverid: met150
 ---
 # Exploits and exploit kits
 

windows/security/threat-protection/intelligence/fileless-threats.md

@@ -12,6 +12,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance  
 ms.topic: article
+search.appverid: met150
 ---
 
 # Fileless threats

windows/security/threat-protection/intelligence/macro-malware.md

@@ -12,6 +12,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance  
 ms.topic: article
+search.appverid: met150
 ---
 # Macro malware
 

windows/security/threat-protection/intelligence/malware-naming.md

@@ -12,6 +12,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance  
 ms.topic: article
+search.appverid: met150
 ---
 # Malware names
 

windows/security/threat-protection/intelligence/phishing.md

@@ -12,6 +12,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance  
 ms.topic: article
+search.appverid: met150
 ---
 
 # Phishing

windows/security/threat-protection/intelligence/prevent-malware-infection.md

@@ -12,6 +12,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance  
 ms.topic: article
+search.appverid: met150
 ---
 # Prevent malware infection
 

windows/security/threat-protection/intelligence/ransomware-malware.md

@@ -12,6 +12,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance  
 ms.topic: article
+search.appverid: met150
 ---
 # Ransomware
 

windows/security/threat-protection/intelligence/rootkits-malware.md

@@ -12,6 +12,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance  
 ms.topic: article
+search.appverid: met150
 ---
 # Rootkits
 

windows/security/threat-protection/intelligence/safety-scanner-download.md

@@ -12,6 +12,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance  
 ms.topic: article
+search.appverid: met150
 ---
 # Microsoft Safety Scanner
 

windows/security/threat-protection/intelligence/submission-guide.md

@@ -12,6 +12,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance  
 ms.topic: article
+search.appverid: met150
 ---
 
 # Submit files for analysis

windows/security/threat-protection/intelligence/supply-chain-malware.md

@@ -12,6 +12,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance  
 ms.topic: article
+search.appverid: met150
 ---
 
 # Supply chain attacks

windows/security/threat-protection/intelligence/support-scams.md

@@ -12,6 +12,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance  
 ms.topic: article
+search.appverid: met150
 ---
 # Tech support scams
 

windows/security/threat-protection/intelligence/top-scoring-industry-antivirus-tests.md

@@ -12,6 +12,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance  
 ms.topic: article
+search.appverid: met150
 ---
 
 # Top scoring in industry tests
@@ -40,9 +41,13 @@ Windows Defender Antivirus is  part of the  [next generation](https://www.youtub
 
 The AV-TEST Product Review and Certification Report tests on three categories: protection, performance, and usability. The scores listed below are for the Protection category which has two scores: Real-World Testing and the AV-TEST reference set (known as "Prevalent Malware").
 
-- November - December 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/december-2018/microsoft-windows-defender-antivirus-4.18-185074/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWusR9) <sup>**Latest**</sup>
+- January - February 2019 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/december-2018/microsoft-windows-defender-antivirus-4.18-185074/) <sup>**Latest**</sup>
 
-    Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, detecting 100% of 19,956 malware samples. This is the fourth consecutive cycle that Windows Defender Antivirus achieved a perfect score.
+    Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, with 19,956 malware samples used. This is the fifth consecutive cycle that Windows Defender Antivirus achieved a perfect score.
+
+- November - December 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/december-2018/microsoft-windows-defender-antivirus-4.18-185074/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWusR9)
+
+    Windows Defender Antivirus achieved an overall Protection score of 6.0/6.0, detecting 100% of 19,956 malware samples.
 
 - September - October 2018 AV-TEST Business User test: [Protection score 6.0/6.0](https://www.av-test.org/en/antivirus/business-windows-client/windows-10/october-2018/microsoft-windows-defender-antivirus-4.18-184174/) | [Analysis](https://query.prod.cms.rt.microsoft.com/cms/api/am/binary/RWqOqD)
 

windows/security/threat-protection/intelligence/trojans-malware.md

@@ -12,6 +12,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance  
 ms.topic: article
+search.appverid: met150
 ---
 
 # Trojans

windows/security/threat-protection/intelligence/understanding-malware.md

@@ -12,6 +12,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance  
 ms.topic: conceptual
+search.appverid: met150
 ---
 # Understanding  malware & other threats
 

windows/security/threat-protection/intelligence/unwanted-software.md

@@ -12,6 +12,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance  
 ms.topic: article
+search.appverid: met150
 ---
 # Unwanted software
 

windows/security/threat-protection/intelligence/worms-malware.md

@@ -12,6 +12,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance  
 ms.topic: article
+search.appverid: met150
 ---
 
 # Worms

windows/security/threat-protection/windows-defender-antivirus/microsoft-defender-atp-mac.md

@@ -34,16 +34,24 @@ You should also have access to Windows Defender Security Center.
 Microsoft Defender ATP for Mac system requirements:
 - macOS version: 10.14 (Mojave), 10.13 (High Sierra), 10.12 (Sierra)
 - Disk space during preview: 1GB 
-- The following URLs must be accessible from the Mac device:
-  - ```https://cdn.x.cp.wd.microsoft.com/ ```<br>
-  - ```https://eu-cdn.x.cp.wd.microsoft.com/ ```<br>
-  - ```https://wu-cdn.x.cp.wd.microsoft.com/ ``` <br>
-  - ```https://x.cp.wd.microsoft.com/ ``` <br>
-  - ```https://asia.x.cp.wd.microsoft.com/ ``` <br>
-  - ```https://australia.x.cp.wd.microsoft.com/ ``` <br>
-  - ```https://europe.x.cp.wd.microsoft.com/ ``` <br>
-  - ```https://unitedkingdom.x.cp.wd.microsoft.com/ ``` <br>
-  - ```https://unitedstates.x.cp.wd.microsoft.com/ ``` <br>
+
+After you've enabled the service, you may need to configure your network or firewall to allow outbound connections between it and your endpoints.
+
+The following table lists the services and their associated URLs that your network must be able to connect to. You should ensure there are no firewall or network filtering rules that would deny access to these URLs, or you may need to create an **allow** rule specifically for them:
+
+| Service        | Description                          | URL                                                                  |
+| -------------- |:------------------------------------:| --------------------------------------------------------------------:|
+| ATP            | Advanced threat protection service   | `https://x.cp.wd.microsoft.com/`, `https://*.x.cp.wd.microsoft.com/` |
+
+To test that a connection is not blocked, open `https://x.cp.wd.microsoft.com/api/report` and `https://wu-cdn.x.cp.wd.microsoft.com/` in a browser, or run the following command in Terminal:
+
+```
+    mavel-mojave:~ testuser$ curl 'https://x.cp.wd.microsoft.com/api/report'
+    OK
+```
+
+We recommend to keep [System Integrity Protection](https://support.apple.com/en-us/HT204899) ([Wiki](https://en.wikipedia.org/wiki/System_Integrity_Protection)) enabled (default setting) on client machines. 
+SIP is a built-in macOS security feature that prevents low-level tampering with the OS.
 
 ## Installation and configuration overview
 There are various methods and deployment tools that you can use to install and configure Microsoft Defender ATP for Mac. 
@@ -54,17 +62,6 @@ In general you'll need to take the following steps:
   - [JAMF based deployment](#jamf-based-deployment)
   - [Manual deployment](#manual-deployment)
 
-## Register macOS devices
-To onboard your devices for Microsoft Defender ATP for Mac, you must register the devices with Windows Defender ATP and provide consent to submit telemetry.
-
-Use the following URL to give consent to submit telemetry: ```https://login.microsoftonline.com/common/oauth2/authorize?prompt=consent&client_id=f9eb614c-7a8e-422a-947d-2059e657d855&response_type=code&sso_reload=true```
-
-> [!NOTE]
-> You may get an error that a page on ```https://ppe.fresno.wd.microsoft.com``` cannot be opened. Disregard the error as it does not affect the onboarding process.
-
-
-![App registration permission screenshot](images/MDATP_1_RegisterApp.png)
-
 ## Deploy Microsoft Defender ATP for Mac
 Use any of the supported methods to deploy Microsoft Defender ATP for Mac
 
@@ -74,8 +71,8 @@ Use any of the supported methods to deploy Microsoft Defender ATP for Mac
 Download the installation and onboarding packages from Windows Defender Security Center:
 1.  In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**.
 2.  In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Mobile Device Management / Microsoft Intune**.
-3.	In Section 2 of the page, click **Download installation package**. Save it as wdav.pkg to a local directory.
-4.	In Section 2 of the page, click **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory.
+3.  In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory.
+4.  In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory.
 5.  Download IntuneAppUtil from https://docs.microsoft.com/en-us/intune/lob-apps-macos.
 
     ![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png)
@@ -124,10 +121,12 @@ You need no special provisioning for a Mac machine beyond a standard [Company Po
 
 ![Confirm device management screenshot](images/MDATP_3_ConfirmDeviceMgmt.png)
 
-2. Click the **Continue** button, and your Management Profile is displayed as verified:
+Select Open System Preferences, locate Management Profile on the list and select the **Approve...** button. Your Management Profile would be displayed as **Verified**:
 
 ![Management profile screenshot](images/MDATP_4_ManagementProfile.png)
 
+2. Select the **Continue** button and complete the enrollment.
+
 You can enroll additional machines. Optionally, you can do it later, after system configuration and application package are provisioned.
 
 3. In Intune, open the **Manage > Devices > All devices** blade. You'll see your machine:
@@ -135,17 +134,17 @@ You can enroll additional machines. Optionally, you can do it later, after syste
 ![Add Devices screenshot](images/MDATP_5_allDevices.png)
 
 ### Create System Configuration profiles
-1.	In Intune open the **Manage > Device configuration** blade. Click **Manage > Profiles > Create Profile**.
-2.	Choose a name for the profile. Change **Platform=macOS**, **Profile type=Custom**. Click **Configure**.
+1.  In Intune open the **Manage > Device configuration** blade. Select **Manage > Profiles > Create Profile**.
+2.  Choose a name for the profile. Change **Platform=macOS**, **Profile type=Custom**. Select **Configure**.
 3.  Open the configuration profile and upload intune/kext.xml. This file was created during the Generate settings step above.
-4.	Click **OK**.
+4.  Select **OK**.
 
     ![System configuration profiles screenshot](images/MDATP_6_SystemConfigurationProfiles.png)
 
-5. **Click Manage > Assignments**. In the **Include** tab, click **Assign to All Users & All devices**.
+5.  Select **Manage > Assignments**. In the **Include** tab, select **Assign to All Users & All devices**.
 7.  Repeat these steps with the second profile.  
 8.  Create Profile one more time, give it a name, upload the intune/WindowsDefenderATPOnboarding.xml file. 
-9.	Click **Manage > Assignments**.  In the Include tab, click **Assign to All Users & All devices**.
+9.  Select **Manage > Assignments**.  In the Include tab, select **Assign to All Users & All devices**.
 
 After Intune changes are propagated to the enrolled machines, you'll see it on the **Monitor > Device status** blade:
 
@@ -153,24 +152,24 @@ After Intune changes are propagated to the enrolled machines, you'll see it on t
 
 ### Publish application
 
-1.	In Intune, open the **Manage > Client apps** blade. Click **Apps > Add**.
+1.  In Intune, open the **Manage > Client apps** blade. Select **Apps > Add**.
 2.  Select **App type=Other/Line-of-business app**.
-3.	Select **file=wdav.pkg.intunemac**. Click **OK** to upload.
-4.	Click **Configure** and add the required information.
+3.  Select **file=wdav.pkg.intunemac**. Select **OK** to upload.
+4.  Select **Configure** and add the required information.
 5.  Use **macOS Sierra 10.12** as the minimum OS. Other settings can be any other value.
 
     ![Device status blade screenshot](images/MDATP_8_IntuneAppInfo.png)
 
-6. Click **OK** and **Add**.
+6. Select **OK** and **Add**.
  
     ![Device status blade screenshot](images/MDATP_9_IntunePkgInfo.png)
 
-7. It will take a while to upload the package. After it's done, click the name and then go to **Assignments** and **Add group**.
+7. It will take a while to upload the package. After it's done, select the name and then go to **Assignments** and **Add group**.
 
     ![Client apps screenshot](images/MDATP_10_ClientApps.png)
 
 8. Change **Assignment type=Required**.
-9.	Click **Included Groups**. Select **Make this app required for all devices=Yes**. Click **Select group to include** and add a group that contains the users you want to target. Select **OK** and **Save**.
+9. Select **Included Groups**. Select **Make this app required for all devices=Yes**. Select **Select group to include** and add a group that contains the users you want to target. Select **OK** and **Save**.
 
     ![Intune assignments info screenshot](images/MDATP_11_Assignments.png)
 
@@ -202,8 +201,8 @@ You need to be familiar with JAMF administration tasks, have a JAMF tenant, and
 Download the installation and onboarding packages from Windows Defender Security Center:
 1.  In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**.
 2.  In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Mobile Device Management / Microsoft Intune**.
-3.	In Section 2 of the page, click **Download installation package**. Save it as wdav.pkg to a local directory.
-4.	In Section 2 of the page, click **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory.
+3.  In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory.
+4.  In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory.
 
     ![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png)
 
@@ -244,7 +243,7 @@ The configuration profile contains one custom settings payload that includes:
 #### Approved Kernel Extension
 
 To approve the kernel extension:
-1.	In **Computers > Configuration Profiles** click **Options > Approved Kernel Extensions**.
+1.  In **Computers > Configuration Profiles** select **Options > Approved Kernel Extensions**.
 2.  Use **UBF8T346G9** for Team Id.
 
 ![Approved kernel extensions screenshot](images/MDATP_17_approvedKernelExtensions.png)
@@ -252,7 +251,7 @@ To approve the kernel extension:
 #### Configuration Profile's Scope 
 Configure the appropriate scope to specify the machines that will receive this configuration profile.
 
-In the Configuration Profiles, click **Scope > Targets**. Select the appropriate Target computers. 
+Open Computers -> Configuration Profiles, select **Scope > Targets**. Select the appropriate Target computers. 
 
 ![Configuration profile scope screenshot](images/MDATP_18_ConfigurationProfilesScope.png)
 
@@ -283,7 +282,7 @@ You need no special provisioning for a macOS computer beyond the standard JAMF E
 > [!NOTE]
 >  After a computer is enrolled, it will show up in the Computers inventory (All Computers). 
 
-1.	Open the machine details, from **General** tab, and make sure that **User Approved MDM** is set to **Yes**. If it's set to No, the user needs to open **System Preferences > Profiles** and click **Approve** on the MDM Profile.
+1.  Open the machine details, from **General** tab, and make sure that **User Approved MDM** is set to **Yes**. If it's set to No, the user needs to open **System Preferences > Profiles** and select **Approve** on the MDM Profile.
 
 ![MDM approve button screenshot](images/MDATP_21_MDMProfile1.png)
 ![MDM screenshot](images/MDATP_22_MDMProfileApproved.png)
@@ -385,9 +384,9 @@ This script returns 0 if Microsoft Defender ATP is registered with the Windows D
 ### Download installation and onboarding packages
 Download the installation and onboarding packages from Windows Defender Security Center:
 1.  In Windows Defender Security Center, go to **Settings > Machine Management > Onboarding**.
-2.	In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Mobile Device Management / Microsoft Intune**.
-3.	In Section 2 of the page, click **Download installation package**. Save it as wdav.pkg to a local directory.
-4.	In Section 2 of the page, click **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory.
+2.  In Section 1 of the page, set operating system to **Linux, macOS, iOS or Android** and Deployment method to **Local script**.
+3.  In Section 2 of the page, select **Download installation package**. Save it as wdav.pkg to a local directory.
+4.  In Section 2 of the page, select **Download onboarding package**. Save it as WindowsDefenderATPOnboardingPackage.zip to the same directory.
 
     ![Windows Defender Security Center screenshot](images/MDATP_2_IntuneAppUtil.png)
 
@@ -407,13 +406,11 @@ Download the installation and onboarding packages from Windows Defender Security
 ### Application installation
 To complete this process, you must have admin privileges on the machine.
 
-1. Download the wdav.pkg from: https://fresno.blob.core.windows.net/preview/macos/wdav.pkg.
-
-2. Navigate to the downloaded wdav.pkg in Finder and open it.
+1. Navigate to the downloaded wdav.pkg in Finder and open it.
 
     ![App install screenshot](images/MDATP_28_AppInstall.png)
 
-3. Click **Continue**, agree with the License terms, and enter the password when prompted.
+2. Select **Continue**, agree with the License terms, and enter the password when prompted.
 
     ![App install screenshot](images/MDATP_29_AppInstallLogin.png)
 
@@ -422,7 +419,7 @@ To complete this process, you must have admin privileges on the machine.
 
    ![App install screenshot](images/MDATP_30_SystemExtension.png)
 
-4. Click **Open Security Preferences**  or **Open System Preferences > Security & Privacy**. Click **Allow**:
+3. Select **Open Security Preferences**  or **Open System Preferences > Security & Privacy**. Select **Allow**:
 
     ![Security and privacy window screenshot](images/MDATP_31_SecurityPrivacySettings.png)
 
@@ -430,7 +427,7 @@ To complete this process, you must have admin privileges on the machine.
 The installation will proceed.
 
 > [!NOTE]
-> If you don't click **Allow**, the installation will fail after 5 minutes. You can restart it again at any time.
+> If you don't select **Allow**, the installation will fail after 5 minutes. You can restart it again at any time.
 
 ### Client configuration
 1.  Copy wdav.pkg and WindowsDefenderATPOnboarding.py to the machine where you deploy Microsoft Defender ATP for Mac.
@@ -472,17 +469,45 @@ Or, from a command line:
 
 ## Known issues
 - Microsoft Defender ATP is not yet optimized for performance or disk space.
-- Centrally managed uninstall using Intune/JAMF is still in development. To uninstall (as a workaround) an uninstall action has to be completed on each client device).
+- Centrally managed uninstall using Intune is still in development. To uninstall (as a workaround) a manual uninstall action has to be completed on each client device).
 - Geo preference for telemetry traffic is not yet supported. Cloud traffic (definition updates) routed to US only.
 - Full Windows Defender ATP integration is not yet available
 - Not localized yet
 - There might be accessibility issues 
 
+## Collecting diagnostic information
+If you can reproduce a problem, please increase the logging level, run the system for some time, and restore the logging level to the default.
+
+1) Increase logging level:
+```
+    mavel-mojave:~ testuser$ mdatp log-level --verbose
+    Creating connection to daemon
+    Connection established
+    Operation succeeded
+```
+
+2) Reproduce the problem
+
+3) Run `mdatp --diagnostic` to backup Defender ATP's logs. The command will print out location with generated zip file.
+
+    ```
+    mavel-mojave:~ testuser$ mdatp --diagnostic
+    Creating connection to daemon
+    Connection established
+    "/Library/Application Support/Microsoft/Defender/wdavdiag/d85e7032-adf8-434a-95aa-ad1d450b9a2f.zip"
+    ```    
+   
+4) Restore logging level:
+```
+    mavel-mojave:~ testuser$ mdatp log-level --info
+    Creating connection to daemon
+    Connection established
+    Operation succeeded
+```
+
+   
 ### Installation issues
 If an error occurs during installation, the installer will only report a general failure. The detailed log is saved to /Library/Logs/Microsoft/wdav.install.log. If you experience issues during installation, send us this file so we can help diagnose the cause. You can also contact _**xplatpreviewsupport@microsoft.com**_ for support on onboarding issues. 
 
  
 For feedback on the preview, contact: _**mdatpfeedback@microsoft.com**_.
-
-
-

windows/security/threat-protection/windows-defender-antivirus/scheduled-catch-up-scans-windows-defender-antivirus.md

@@ -75,7 +75,7 @@ Location | Setting | Description | Default setting (if not configured)
 Scan | Specify the scan type to use for a scheduled scan | Quick scan
 Scan | Specify the day of the week to run a scheduled scan | Specify the day (or never) to run a scan. | Never
 Scan | Specify the time of day to run a scheduled scan | Specify the number of minutes after midnight (for example, enter **60** for 1 am). | 2 am
-Root | Randomize scheduled task times | Randomize the start time of the scan to any interval from 0 to 4 hours, or to any interval plus or minus 30 minutes for non-Windows Defender Antivirus scans. This can be useful in VM or VDI deployments. | Enabled
+Root | Randomize scheduled task times |In Windows Defender Antivirus: Randomize the start time of the scan to any interval from 0 to 4 hours. <br>In FEP/SCEP: randomize to any interval plus or minus 30 minutes. This can be useful in VM or VDI deployments. | Enabled
 
 **Use PowerShell cmdlets to schedule scans:**
 

windows/security/threat-protection/windows-defender-application-guard/reqs-wd-app-guard.md

@@ -36,6 +36,6 @@ Your environment needs the following software to run Windows Defender Applicatio
 
 |Software|Description|
 |--------|-----------|
-|Operating system|Windows 10 Enterprise edition, version 1709 or higher<br>Windows 10 Professional edition, version 1803|
+|Operating system|Windows 10 Enterprise edition, version 1709 or higher<br>Windows 10 Professional edition, version 1803 or higher<br>Windows 10 Education edition, version 1709 or higher<br>Windows 10 Pro Education edition, version 1803 or higher|
 |Browser|Microsoft Edge and Internet Explorer|
 |Management system<br> (only for managed devices)|[Microsoft Intune](https://docs.microsoft.com/intune/)<br><br>**-OR-**<br><br>[System Center Configuration Manager](https://docs.microsoft.com/sccm/)<br><br>**-OR-**<br><br>[Group Policy](https://technet.microsoft.com/library/cc753298(v=ws.11).aspx)<br><br>**-OR-**<br><br>Your current company-wide 3rd party mobile device management (MDM) solution. For info about 3rd party MDM solutions, see the documentation that came with your product.|

windows/security/threat-protection/windows-defender-atp/TOC.md

@@ -333,6 +333,7 @@
 #### Reporting
 ##### [Create and build Power BI reports using Windows Defender ATP data](powerbi-reports-windows-defender-advanced-threat-protection.md)
 ##### [Threat protection reports](threat-protection-reports-windows-defender-advanced-threat-protection.md)
+##### [Machine health and compliance reports](machine-reports-windows-defender-advanced-threat-protection.md)
 
 #### Role-based access control
 ##### [Manage portal access using RBAC](rbac-windows-defender-advanced-threat-protection.md)

windows/security/threat-protection/windows-defender-atp/configure-server-endpoints-windows-defender-advanced-threat-protection.md

@@ -67,7 +67,7 @@ You'll need to tak the following steps if you choose to onboard servers through
     >This step is required only if your organization uses System Center Endpoint Protection (SCEP) and you're onboarding Windows Server 2012 R2.
 
 - Turn on server monitoring from Windows Defender Security Center.
-- If you're already leveraging System Center Operations Manager (SCOM) or Operations Management Suite (OMS), simply attach the Microsoft Monitoring Agent (MMA) to report to your Windows Defender ATP workspace through Multi Homing support. Otherwise, install and configure MMA to report sensor data to Windows Defender ATP as instructed below.
+- If you're already leveraging System Center Operations Manager (SCOM) or Azure Monitor (formerly known as Operations Management Suite (OMS)), simply attach the Microsoft Monitoring Agent (MMA) to report to your Windows Defender ATP workspace through Multi Homing support. Otherwise, install and configure MMA to report sensor data to Windows Defender ATP as instructed below. For more information, see [Collect log data with Azure Log Analytics agent](https://docs.microsoft.com/azure/azure-monitor/platform/log-analytics-agent).
 
 >[!TIP]
 > After onboarding the machine, you can choose to run a detection test to verify that it is properly onboarded to the service. For more information, see [Run a detection test on a newly onboarded Windows Defender ATP endpoint](run-detection-test-windows-defender-advanced-threat-protection.md).

windows/security/threat-protection/windows-defender-atp/machine-reports-windows-defender-advanced-threat-protection.md

@@ -0,0 +1,84 @@
+---
+title: Machine health and compliance report in Windows Defender ATP
+description: Track machine health state detections, antivirus status, OS platform, and Windows 10 versions using the machine health and compliance report
+keywords: health state, antivirus, os platform, windows 10 version, version, health, compliance, state
+search.product: eADQiWindows 10XVcnh
+search.appverid: met150
+ms.prod: w10
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+ms.author: macapara
+author: mjcaparas
+ms.localizationpriority: medium
+manager: dansimp
+audience: ITPro
+ms.collection: M365-security-compliance 
+ms.topic: article
+---
+
+# Machine health and compliance report in Windows Defender ATP
+ 
+**Applies to:**
+- [Windows Defender Advanced Threat Protection (Windows Defender ATP)](https://wincom.blob.core.windows.net/documents/Windows10_Commercial_Comparison.pdf)
+ 
+[!include[Prerelease information](prerelease.md)]
+ 
+The machines status report provides high-level information about the devices in your organization. The report includes trending information showing the sensor health state, antivirus status, OS platforms, and Windows 10 versions.
+ 
+ 
+The dashboard is structured into two sections:
+ ![Image of the machine report](images/machine-reports.png)
+ 
+Section | Description 
+:---|:---
+1 | Machine trends
+2 | Machine summary (current day)
+ 
+ 
+ 
+By default, the machine trends displays machine information from the 30-day period ending in the latest full day. To gain better perspective on trends occurring in your organization, you can fine-tune the reporting period by adjusting the time period shown. To adjust the time period, select a time range from the drop-down options:
+ 
+- 30 days
+- 3 months
+- 6 months
+- Custom
+ 
+While the machines trends shows trending machine information, the machine summary shows machine information scoped to the current day.
+ 
+The machine trends section allows you to drill down to the machines list with the corresponding filter applied to it. For example, clicking on the Inactive bar in the Sensor health state card will bring you the machines list with results showing only machines whose sensor status is inactive. 
+ 
+ 
+ 
+ 
+## Machine attributes
+The report is made up of cards that display the following machine attributes:
+ 
+- **Health state**: shows information about the sensor state on devices, providing an aggregated view of devices that are active, experiencing impaired communications, inactive, or where no sensor data is seen.
+  
+- **Antivirus status for active Windows 10 machines**: shows the number of machines and status of Windows Defender Antivirus.
+    
+- **OS platforms**: shows the distribution of OS platforms that exists within your organization. 
+ 
+- **Windows 10 versions**: shows the distribution of Windows 10 machines and their versions in your organization.
+ 
+ 
+ 
+## Filter data
+ 
+Use the provided filters to include or exclude machines with certain attributes.
+
+You can select multiple filters to apply from the machine attributes. 
+ 
+>[!NOTE]
+>These filters apply to **all** the cards in the report.
+ 
+For example, to show data about Windows 10 machines with Active sensor health state:
+ 
+1. Under **Filters > Sensor health state > Active**.
+2. Then select **OS platforms > Windows 10**.
+3. Select **Apply**.
+
+
+## Related topic
+- [Threat protection report ](threat-protection-reports-windows-defender-advanced-threat-protection.md)

windows/security/threat-protection/windows-defender-atp/manage-allowed-blocked-list-windows-defender-advanced-threat-protection.md

@@ -57,7 +57,9 @@ On the top navigation you can:
 
 
 >[!NOTE]
->Blocking IPs, domains, or URLs is currently available on limited preview only. This requires sending your custom list to [network protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection) to be enforeced. While the option is not yet generally available, it will only be used when identified during an investigation.
+>Blocking IPs, domains, or URLs is currently available on limited preview only.
+>This requires sending your custom list to [network protection](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-exploit-guard/enable-network-protection) to be enforced which is an option that will be generally available soon. 
+>As it is not yet generally available, when Automated investigations finds this indicator during an investigation it will use the allowed/block list as the basis of its decision to automatically remediate (blocked list) or skip (allowed list) the entity.
 
 
 ## Manage indicators

windows/security/threat-protection/windows-defender-atp/respond-file-alerts-windows-defender-advanced-threat-protection.md

@@ -15,7 +15,6 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance 
 ms.topic: article
-ms.date: 04/24/2018
 ---
 
 # Take response actions on a file
@@ -109,13 +108,17 @@ You can roll back and remove a file from quarantine if you’ve determined that
 You can prevent further propagation of an attack in your organization by banning potentially malicious files or suspected malware. If you know a potentially malicious portable executable (PE) file, you can block it. This operation will prevent it from being read, written, or executed on machines in your organization.
 
 >[!IMPORTANT]
->- This feature is available if your organization uses Windows Defender Antivirus and Cloud–based protection is enabled. For more information, see [Manage cloud–based protection](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md). </br></br>
+>- This feature is available if your organization uses Windows Defender Antivirus and Cloud–based protection is enabled. For more information, see [Manage cloud–based protection](../windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus.md).
+>- The Antimalware client version must be 4.18.1901.x or later.
 >- This feature is designed to prevent suspected malware (or potentially malicious files) from being downloaded from the web. It currently supports portable executable (PE) files, including _.exe_ and _.dll_ files. The coverage will be extended over time. 
 >- This response action is available for machines on Windows 10, version 1703 or later.
+>- The allow or block function cannot be done on files if the file's classification exists on the device's cache prior to the allow or block action.
+
+
 
 >[!NOTE]
 > The PE file needs to be in the machine timeline for you to be able to take this action.  
-
+>- There may be a couple of minutes of latency between the time the action is taken and the actual file being blocked.
 
 ### Enable the block file feature
 Before you can block files, you'll need to enable the feature.
@@ -149,6 +152,9 @@ Before you can block files, you'll need to enable the feature.
 
 When the file is blocked, there will be a new event in the machine timeline.</br>
 
+>[!NOTE]
+>-If a file was scanned before the action was taken, it may take longer to be effective on the device.
+
 **Notification on machine user**:</br>
 When a file is being blocked on the machine, the following notification is displayed to inform the user that the file was blocked:
 

windows/security/threat-protection/windows-defender-atp/response-actions-windows-defender-advanced-threat-protection.md

@@ -31,7 +31,7 @@ ms.date: 11/12/2017
 You can take response actions on machines and files to quickly respond to detected attacks so that you can contain or reduce and prevent further damage caused by malicious attackers in your organization.
 
 >[!NOTE]
-> These response actions are only available for machines on Windows 10, version  1703 or higher.
+> The machine related response actions are only available for machines on Windows 10 (version 1703 or higher), Windows Server, version 1803 and Windows Server 2019.
 
 ## In this section
 Topic | Description

windows/security/threat-protection/windows-defender-atp/threat-protection-reports-windows-defender-advanced-threat-protection.md

@@ -43,7 +43,7 @@ By default, the alert trends display alert information from the 30-day period en
 - 6 months
 - Custom
 
-While the alerts trends shows trending information alerts, the alert summary shows alert information scoped to the current day.
+While the alert trends shows trending alert information, the alert summary shows alert information scoped to the current day.
 
  The alert summary allows you to drill down to a particular alert queue with the corresponding filter applied to it. For example, clicking on the EDR bar in the Detection sources card will bring you the alerts queue with results showing only alerts generated from EDR detections. 
 
@@ -77,3 +77,6 @@ For example, to show data about high-severity alerts only:
 1. Under **Filters > Severity**, select **High**
 2. Ensure that all other options under **Severity** are deselected.
 3. Select **Apply**. 
+
+## Related topic
+- [Machine health and compliance report](machine-reports-windows-defender-advanced-threat-protection.md)

windows/security/threat-protection/windows-defender-atp/whats-new-in-windows-defender-atp.md

@@ -23,6 +23,13 @@ ms.topic: conceptual
 
 Here are the new features in the latest release of Windows Defender ATP as well as security features in Windows 10 and Windows Server.
 
+## March 2019
+### In preview
+The following capability are included in the February 2019 preview release. 
+
+- [Machine health and compliance report](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/machine-reports-windows-defender-advanced-threat-protection) <BR> The machine health and compliance report provides high-level information about the devices in your organization. 
+
+
 ## February 2019
 The following capabilities are generally available (GA).
 - [Incidents](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-atp/incidents-queue) <BR> Incident is a new entity in Windows Defender ATP that brings together all relevant alerts and related entities to narrate the broader attack story, giving analysts better perspective on the purview of complex threats. 

windows/security/threat-protection/windows-defender-exploit-guard/attack-surface-reduction-exploit-guard.md

@@ -36,6 +36,29 @@ Triggered rules display a notification on the device. You can [customize the not
 
 For information about configuring attack surface reduction rules, see [Enable attack surface reduction rules](enable-attack-surface-reduction.md).
 
+## Review attack surface reduction events in Windows Event Viewer
+
+You can review the Windows event log to view events that are created when attack surface reduction rules fire:
+
+1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *cfa-events.xml* to an easily accessible location on the machine.
+
+2. Type **Event Viewer** in the Start menu to open the Windows Event Viewer.
+
+3. Click **Import custom view...** on the left panel, under **Actions**.
+   
+4. Select the file *cfa-events.xml* from where it was extracted. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
+
+5. Click **OK**.
+
+This will create a custom view that filters to only show the following events related to controlled folder access:
+
+Event ID | Description
+-|-
+5007 | Event when settings are changed
+1121 | Event when rule fires in Block-mode
+1122 | Event when rule fires in Audit-mode
+
+
 ## Attack surface reduction rules
 
 The following sections describe each of the 15 attack surface reduction rules. This table shows their corresponding GUIDs, which you use if you're configuring the rules with Group Policy or PowerShell. If you use System Center Configuration Manager or Microsoft Intune, you do not need the GUIDs:

windows/security/threat-protection/windows-defender-exploit-guard/enable-attack-surface-reduction.md

@@ -36,6 +36,9 @@ You can exclude files and folders from being evaluated by most attack surface re
 
 You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules the exclusions apply to.
 
+>[!IMPORTANT] The rule **Block executable files from running unless they meet a prevalence, age, or trusted list criterion** with GUID 01443614-cd74-433a-b99e-2ecdc07bfc25, it's owned by microsoft and is not specified by admins. It uses Microsoft CLoud's Protection to update its trusted list regularly.
+>You can specify individual files or folders (using folder paths or fully qualified resource names) but you can't specify which rules or exclusions apply to.
+
 ASR rules support environment variables and wildcards. For information about using wildcards, see [Use wildcards in the file name and folder path or extension exclusion lists](https://docs.microsoft.com/windows/security/threat-protection/windows-defender-antivirus/configure-extension-file-exclusions-windows-defender-antivirus#use-wildcards-in-the-file-name-and-folder-path-or-extension-exclusion-lists). 
 
 The following procedures for enabling ASR rules include instructions for how to exclude files and folders.

windows/security/threat-protection/windows-defender-exploit-guard/network-protection-exploit-guard.md

@@ -53,17 +53,11 @@ You can query Windows Defender ATP data by using [Advanced hunting](https://docs
 
 You can review the Windows event log to see events that are created when network protection blocks (or audits) access to a malicious IP or domain:
 
-1. Download the [Exploit Guard Evaluation Package](https://aka.ms/mp7z2w) and extract the file *np-events.xml* to an easily accessible location on the machine.
+1.  [Copy the XML directly](event-views-exploit-guard.md).
 
-1. Type **Event viewer** in the Start menu to open the Windows Event Viewer.
+2. Click **OK**.
 
-2. On the left panel, under **Actions**, click **Import custom view...**
- 
-3. Navigate to the Exploit Guard Evaluation Package, and select the file *np-events.xml*. Alternatively, [copy the XML directly](event-views-exploit-guard.md).
-
-4. Click **OK**.
-
-5. This will create a custom view that filters to only show the following events related to network protection:
+3. This will create a custom view that filters to only show the following events related to network protection:
 
  Event ID | Description
 -|-

windows/security/threat-protection/windows-firewall/assign-security-group-filters-to-the-gpo.md

@@ -12,7 +12,7 @@ manager: dansimp
 audience: ITPro
 ms.collection: M365-security-compliance
 ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 04/02/2019
 ---
 
 # Assign Security Group Filters to the GPO
@@ -23,7 +23,8 @@ ms.date: 04/19/2017
 
 To make sure that your GPO is applied to the correct computers, use the Group Policy Management MMC snap-in to assign security group filters to the GPO.
 
->**Important:**  This deployment guide uses the method of adding the Domain Computers group to the membership group for the main isolated domain after testing is complete and you are ready to go live in production. To make this method work, you must prevent any computer that is a member of either the boundary or encryption zone from applying the GPO for the main isolated domain. For example, on the GPOs for the main isolated domain, deny Read and Apply Group Policy permissions to the membership groups for the boundary and encryption zones.
+>[!IMPORTANT]
+>This deployment guide uses the method of adding the Domain Computers group to the membership group for the main isolated domain after testing is complete and you are ready to go live in production. To make this method work, you must prevent any computer that is a member of either the boundary or encryption zone from applying the GPO for the main isolated domain. For example, on the GPOs for the main isolated domain, deny Read and Apply Group Policy permissions to the membership groups for the boundary and encryption zones.
 
  
 
@@ -47,7 +48,8 @@ Use the following procedure to add a group to the security filter on the GPO tha
 
 3.  In the details pane, under **Security Filtering**, click **Authenticated Users**, and then click **Remove**.
 
-    >**Note:**  You must remove the default permission granted to all authenticated users and computers to restrict the GPO to only the groups you specify.
+    >[!NOTE]
+    >You must remove the default permission granted to all authenticated users and computers to restrict the GPO to only the groups you specify. If the GPO contains User settings, and the **Authenticated Users** group is removed, and new security filtering is added using a security group that only contains user accounts, the GPO can fail to apply. Details and various workarounds are mentioned in this [Microsoft blog](https://techcommunity.microsoft.com/t5/Core-Infrastructure-and-Security/Who-broke-my-user-GPOs/ba-p/258781). 
 
 4.  Click **Add**.
 

windows/whats-new/whats-new-windows-10-version-1809.md

@@ -202,6 +202,9 @@ Do you have shared devices deployed in your work place? **Fast sign-in** enables
 
     ![fast sign-in](images/fastsignin.png "fast sign-in")
 
+>[!NOTE]
+>This is a preview feature and therefore not meant or recommended for production purposes.
+
 ## Web sign-in to Windows 10
 
 Until now, Windows logon only supported the use of identities federated to ADFS or other providers that support the WS-Fed protocol. We are introducing “web sign-in,” a new way of signing into your Windows PC. Web Sign-in enables Windows logon support for non-ADFS federated providers (e.g.SAML).
@@ -214,6 +217,9 @@ Until now, Windows logon only supported the use of identities federated to ADFS
 
     ![Web sign-in](images/websignin.png "web sign-in")
 
+>[!NOTE]
+>This is a preview feature and therefore not meant or recommended for production purposes.
+
 ## Your Phone app
 
 Android phone users, you can finally stop emailing yourself photos. With Your Phone you get instant access to your Android’s most recent photos on your PC. Drag and drop a photo from your phone onto your PC, then you can copy, edit, or ink on the photo.  Try it out by opening the **Your Phone** app. You’ll receive a text with a link to download an app from Microsoft to your phone. Android 7.0+ devices with ethernet or Wi-Fi on unmetered networks are compatible with the **Your Phone** app. For PCs tied to the China region, **Your Phone** app services will be enabled in the future.