From 61149771d21407e0591221acf12c171e6f0b3b64 Mon Sep 17 00:00:00 2001
From: Alekhya Jupudi <v-aljupudi@microsoft.com>
Date: Mon, 23 Aug 2021 14:11:14 +0530
Subject: [PATCH 1/6] TASK 5358645: Windows 11 Inclusion Update -01

TASK 5358645: First batch of Windows 11 Inclusion updates under Windows-defender-application-control folder. (I've also made some changes to few words as per Acrolinx suggestions to meet the PR criteria).
---
 .../LOB-win32-apps-on-s.md                    | 11 +++--
 ...ows-defender-application-control-policy.md | 13 +++---
 ...s-defender-application-control-policies.md | 10 +++--
 ...s-defender-application-control-policies.md | 10 +++--
 ...-apps-deployed-with-a-managed-installer.md | 10 +++--
 .../configure-wdac-managed-installer.md       | 12 ++++--
 ...or-windows-defender-application-control.md | 10 +++--
 .../create-initial-default-policy.md          | 30 +++++++------
 ...e-wdac-policy-for-fully-managed-devices.md | 40 ++++++++++--------
 ...wdac-policy-for-lightly-managed-devices.md | 42 ++++++++++---------
 ...rt-windows-defender-application-control.md |  8 +++-
 ...s-defender-application-control-policies.md | 10 +++--
 ...ion-control-policies-using-group-policy.md | 14 ++++---
 ...plication-control-policies-using-intune.md | 13 ++++--
 ...s-defender-application-control-policies.md |  8 +++-
 ...s-defender-application-control-policies.md | 12 ++++--
 .../example-wdac-base-policies.md             | 10 +++--
 .../feature-availability.md                   | 12 ++++--
 ...th-windows-defender-application-control.md |  8 +++-
 ...s-defender-application-control-policies.md | 12 ++++--
 .../microsoft-recommended-block-rules.md      | 16 ++++---
 ...icrosoft-recommended-driver-block-rules.md | 12 ++++--
 ...defender-application-control-management.md | 14 ++++---
 .../select-types-of-rules-to-create.md        | 18 ++++----
 .../types-of-devices.md                       | 16 ++++---
 25 files changed, 236 insertions(+), 135 deletions(-)

diff --git a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md
index 311cfd2625..af1e30dca2 100644
--- a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md
+++ b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md
@@ -1,5 +1,5 @@
 ---
-title: Allow LOB Win32 Apps on Intune-Managed S Mode Devices (Windows 10)
+title: Allow LOB Win32 Apps on Intune-Managed S Mode Devices (Windows)
 description: Using WDAC supplemental policies, you can expand the S mode base policy on your Intune-managed devices.
 keywords: security, malware
 ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
@@ -23,10 +23,15 @@ ms.technology: mde
 **Applies to:**
 
 -   Windows 10
+-   Windows 11
+-   Windows Server 2016 and above
 
-Beginning with the Windows 10 November 2019 update (build 18363), Microsoft Intune enables customers to deploy and run business critical Win32 applications as well as Windows components that are normally blocked in S mode (ex. PowerShell.exe) on their Intune-managed Windows 10 in S mode devices. 
+>[!NOTE]
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
 
-With Intune, IT Pros can now configure their managed S mode devices using a Windows Defender Application Control (WDAC) supplemental policy that expands the S mode base policy to authorize the apps their business uses. This feature changes the S mode security posture from "every app is Microsoft-verified" to "every app is verified by Microsoft or your organization". 
+Beginning with the Windows 10 November 2019 update (build 18363), Microsoft Intune enables customers to deploy and run business critical Win32 applications and Windows components that are normally blocked in S mode (ex. PowerShell.exe) on their Intune-managed Windows 10 in S mode devices.
+
+With Intune, IT Pros can now configure their managed S mode devices using a Windows Defender Application Control (WDAC) supplemental policy that expands the S mode base policy to authorize the apps their business uses. This feature changes the S mode security posture from "every app is Microsoft-verified" to "every app is verified by Microsoft or your organization".
 
 Refer to the below video for an overview and brief demo.
 > [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4mlcp]
diff --git a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md
index 4b3eb396a8..107430388b 100644
--- a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md
@@ -1,5 +1,5 @@
 ---
-title: Allow COM object registration in a WDAC policy (Windows 10)
+title: Allow COM object registration in a WDAC policy (Windows)
 description: You can allow COM object registration in a Windows Defender Application Control policy.
 keywords: security, malware
 ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
@@ -22,17 +22,20 @@ ms.technology: mde
 **Applies to:**
 
 -   Windows 10
--   Windows Server 2016
--   Windows Server 2019
+-   Windows 11
+-   Windows Server 2016 and above
+
+>[!NOTE]
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
 
 >[!IMPORTANT]
->Some information relates to prereleased product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
+>Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.
 
 The [Microsoft Component Object Model (COM)](/windows/desktop/com/the-component-object-model) is a platform-independent, distributed, object-oriented system for creating binary software components that can interact. COM specifies an object model and programming requirements that enable COM objects to interact with other objects.
 
 ### COM object configurability in WDAC policy
 
-Prior to the Windows 10 1903 update, Windows Defender Application Control (WDAC) enforced a built-in allow list for COM object registration. While this mechanism works for most common application usage scenarios, customers have provided feedback that there are cases where additional COM objects need to be allowed. The 1903 update to Windows 10 introduces the ability to specify allowed COM objects via their GUID in the WDAC policy.
+Prior to the Windows 10 1903 update, Windows Defender Application Control (WDAC) enforced a built-in allowlist for COM object registration. While this mechanism works for most common application usage scenarios, customers have provided feedback that there are cases where additional COM objects need to be allowed. The 1903 update to Windows 10 introduces the ability to specify allowed COM objects via their GUID in the WDAC policy.
 
 **NOTE**: To add this functionality to other versions of Windows 10, you can install the following or later updates:
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md
index c1d7ac7c71..bc1218b82c 100644
--- a/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md
@@ -1,5 +1,5 @@
 ---
-title: Use audit events to create then enforce WDAC policy rules (Windows 10)
+title: Use audit events to create then enforce WDAC policy rules (Windows)
 description: Learn how audits allow admins to discover apps, binaries, and scripts that should be added to a WDAC policy, then learn how to switch that WDAC policy from audit to enforced mode.
 keywords: security, malware
 ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
@@ -22,8 +22,12 @@ ms.technology: mde
 
 **Applies to:**
 
-- Windows 10
-- Windows Server 2016 and above
+-   Windows 10
+-   Windows 11
+-   Windows Server 2016 and above
+
+>[!NOTE]
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
 
 Running Application Control in audit mode lets you discover applications, binaries, and scripts that are missing from your WDAC policy but should be included.
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md
index 5ed5fa1cf7..cb94565bff 100644
--- a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md
@@ -1,5 +1,5 @@
 ---
-title: Use audit events to create WDAC policy rules (Windows 10)
+title: Use audit events to create WDAC policy rules (Windows)
 description: Audits allow admins to discover apps, binaries, and scripts that should be added to the WDAC policy.
 keywords: security, malware
 ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
@@ -22,8 +22,12 @@ ms.technology: mde
 
 **Applies to:**
 
-- Windows 10
-- Windows Server 2016 and above
+-   Windows 10
+-   Windows 11
+-   Windows Server 2016 and above
+
+>[!NOTE]
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
 
 Running Application Control in audit mode lets you discover applications, binaries, and scripts that are missing from your WDAC policy but should be included.
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md
index 15639fd8d3..76eb273ded 100644
--- a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md
+++ b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md
@@ -1,5 +1,5 @@
 ---
-title: Configure authorized apps deployed with a WDAC-managed installer (Windows 10)
+title: Configure authorized apps deployed with a WDAC-managed installer (Windows)
 description: Explains how to configure a custom Manged Installer.
 keywords: security, malware
 ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
@@ -22,8 +22,12 @@ ms.technology: mde
 
 **Applies to:**
 
-- Windows 10
-- Windows Server 2019
+-   Windows 10
+-   Windows 11
+-   Windows Server 2016 and above
+
+>[!NOTE]
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
 
 Windows 10, version 1703 introduced a new option for Windows Defender Application Control (WDAC), called _managed installer_, that helps balance security and manageability when enforcing application control policies. This option lets you automatically allow applications installed by a designated software distribution solution such as Microsoft Endpoint Configuration Manager.
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md
index 9d15cbfcc7..14ac17e575 100644
--- a/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md
+++ b/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md
@@ -1,5 +1,5 @@
 ---
-title: Configure a WDAC managed installer (Windows 10)
+title: Configure a WDAC managed installer (Windows)
 description: Explains how to configure a custom Manged Installer.
 keywords: security, malware
 ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
@@ -22,8 +22,12 @@ ms.technology: mde
 
 **Applies to:**
 
-- Windows 10
-- Windows Server 2019
+-   Windows 10
+-   Windows 11
+-   Windows Server 2016 and above
+
+>[!NOTE]
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
 
 Setting up managed installer tracking and application execution enforcement requires applying both an AppLocker and WDAC policy with specific rules and options enabled.
 There are three primary steps to keep in mind:
@@ -126,7 +130,7 @@ For example:
 In order to enable trust for the binaries laid down by managed installers, the Enabled: Managed Installer option must be specified in your WDAC policy.
 This can be done by using the [Set-RuleOption cmdlet](/powershell/module/configci/set-ruleoption) with Option 13.
 
-Below are steps to create a WDAC policy which allows Windows to boot and enables the managed installer option.
+Below are steps to create a WDAC policy that allows Windows to boot and enables the managed installer option.
 
 1. Copy the DefaultWindows_Audit policy into your working folder from C:\Windows\schemas\CodeIntegrity\ExamplePolicies\DefaultWindows_Audit.xml
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md
index f3b993cbc0..b9ca84a296 100644
--- a/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md
@@ -1,5 +1,5 @@
 ---
-title: Create a code signing cert for Windows Defender Application Control  (Windows 10)
+title: Create a code signing cert for Windows Defender Application Control (Windows)
 description: Learn how to set up a publicly-issued code signing certificate, so you can sign catalog files or WDAC policies internally.
 keywords: security, malware
 ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
@@ -23,7 +23,11 @@ ms.technology: mde
 **Applies to:**
 
 -   Windows 10
--   Windows Server 2016
+-   Windows 11
+-   Windows Server 2016 and above
+
+>[!NOTE]
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
 
 As you deploy Windows Defender Application Control (WDAC), you might need to sign catalog files or WDAC policies internally. To do this, you will either need a publicly issued code signing certificate or an internal CA. If you have purchased a code signing certificate, you can skip this topic and instead follow other topics listed in the [Windows Defender Application Control Deployment Guide](windows-defender-application-control-deployment-guide.md). 
 
@@ -75,7 +79,7 @@ When this certificate template has been created, you must publish it to the CA p
 
 2.  Select the WDAC Catalog signing certificate, and then click **OK**.
 
-Now that the template is available to be issued, you must request one from the computer running Windows 10 on which you create and sign catalog files. To begin, open the MMC, and then complete the following steps:
+Now that the template is available to be issued, you must request one from the computer running Windows 10 and Windows 11 on which you create and sign catalog files. To begin, open the MMC, and then complete the following steps:
 
 1.  In MMC, from the **File** menu, click **Add/Remove Snap-in**. Double-click **Certificates**, and then select **My user account**.
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md
index a4d560af0b..40ab4ad3bd 100644
--- a/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-initial-default-policy.md
@@ -1,5 +1,5 @@
 ---
-title: Create a WDAC policy for fixed-workload devices using a reference computer (Windows 10)
+title: Create a WDAC policy for fixed-workload devices using a reference computer (Windows)
 description: To create a Windows Defender Application Control (WDAC) policy for fixed-workload devices within your organization, follow this guide.
 keywords: security, malware
 ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
@@ -22,30 +22,34 @@ ms.technology: mde
 
 **Applies to:**
 
-- Windows 10
-- Windows Server 2016 and above
+-   Windows 10
+-   Windows 11
+-   Windows Server 2016 and above
 
-This section outlines the process to create a WDAC policy for fixed-workload devices within an organization. Fixed-workload devices tend to be dedicated to a specific functional purpose and share common configuration attributes with other devices servicing the same functional role. Examples of fixed-workload devices may include Active Directory Domain Controllers, Secure Admin Workstations, pharmaceutical drug-mixing equipment, manufacturing devices, cash registers, ATMs, etc...
+>[!NOTE]
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
 
-For this example, you must initiate variables to be used during the creation process or use the full file paths in the command. 
-Then create the WDAC policy by scanning the system for installed applications. 
+This section outlines the process to create a WDAC policy for fixed-workload devices within an organization. Fixed-workload devices tend to be dedicated to a specific functional purpose and share common configuration attributes with other devices servicing the same functional role. Examples of fixed-workload devices may include Active Directory Domain Controllers, Secure Admin Workstations, pharmaceutical drug-mixing equipment, manufacturing devices, cash registers, ATMs, etc.
+
+For this example, you must initiate variables to be used during the creation process or use the full file paths in the command.
+Then create the WDAC policy by scanning the system for installed applications.
 The policy file is converted to binary format when it gets created so that Windows can interpret it.
 
 ## Overview of the process of creating Windows Defender Application Control policies
 
 A common system imaging practice in today’s IT organization is to establish a “golden” image as a reference for what an ideal system should look like, and then use that image to clone additional company assets. WDAC policies follow a similar methodology, that begins with the establishment of a golden computer. As with imaging, you can have multiple golden computers based on model, department, application set, and so on. Although the thought process around the creation of WDAC policies is similar to imaging, these policies should be maintained independently. Assess the necessity of additional WDAC policies based on what should be allowed to be installed and run and for whom. For more details on doing this assessment, see the [WDAC Design Guide](windows-defender-application-control-design-guide.md).
 
-Optionally, WDAC can align with your software catalog as well as any IT department–approved applications. One straightforward method to implement WDAC is to use existing images to create one master WDAC policy. You do so by creating a WDAC policy from each image, and then by merging the policies. This way, what is installed on all of those images will be allowed to run, if the applications are installed on a computer based on a different image. Alternatively, you may choose to create a base applications policy and add policies based on the computer’s role or department. Organizations have a choice of how their policies are created, merged or serviced, and managed.
+Optionally, WDAC can align with your software catalog and any IT department–approved applications. One straightforward method to implement WDAC is to use existing images to create one master WDAC policy. You do so by creating a WDAC policy from each image, and then by merging the policies. This way, what is installed on all of those images will be allowed to run, if the applications are installed on a computer based on a different image. Alternatively, you may choose to create a base applications policy and add policies based on the computer’s role or department. Organizations have a choice of how their policies are created, merged, or serviced, and managed.
 
-If you plan to use an internal CA to sign catalog files or WDAC policies, see the steps in [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md). 
+If you plan to use an internal CA to sign catalog files or WDAC policies, see the steps in [Optional: Create a code signing certificate for Windows Defender Application Control](create-code-signing-cert-for-windows-defender-application-control.md).
 
 > [!NOTE]
-> Make sure the reference computer is virus and malware-free, and install any software you want to be scanned before creating the WDAC policy. 
+> Make sure the reference computer is virus and malware-free, and install any software you want to be scanned before creating the WDAC policy.
 
-Each installed software application should be validated as trustworthy before you create a policy. 
-We recommend that you review the reference computer for software that can load arbitrary DLLs and run code or scripts that could render the PC more vulnerable. 
-Examples include software aimed at development or scripting such as msbuild.exe (part of Visual Studio and the .NET Framework) which can be removed if you do not want to run scripts. 
-You can remove or disable such software on the reference computer. 
+Each installed software application should be validated as trustworthy before you create a policy.
+We recommend that you review the reference computer for software that can load arbitrary DLLs and run code or scripts that could render the PC more vulnerable.
+Examples include software aimed at development or scripting such as msbuild.exe (part of Visual Studio and the .NET Framework) which can be removed if you do not want to run scripts.
+You can remove or disable such software on the reference computer.
 
 
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md
index cceb8da77d..3870af3447 100644
--- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md
@@ -1,5 +1,5 @@
 ---
-title: Create a WDAC policy for fully-managed devices (Windows 10)
+title: Create a WDAC policy for fully managed devices (Windows)
 description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core.
 keywords: security, malware
 ms.topic: conceptual
@@ -19,29 +19,33 @@ ms.date: 11/20/2019
 ms.technology: mde
 ---
 
-# Create a WDAC policy for fully-managed devices
+# Create a WDAC policy for fully managed devices
 
 **Applies to:**
 
-- Windows 10
-- Windows Server 2016 and above
+-   Windows 10
+-   Windows 11
+-   Windows Server 2016 and above
 
-This section outlines the process to create a WDAC policy for **fully-managed devices** within an organization. The key difference between this scenario and [lightly-managed devices](create-wdac-policy-for-lightly-managed-devices.md) is that all software deployed to a fully-managed device is managed by IT and users of the device cannot install arbitrary apps. Ideally, all apps are deployed using a software distribution solution, such as Microsoft Endpoint Manager (MEM). Additionally, users on fully-managed devices should ideally run as standard user and only authorized IT pros have administrative access.
+>[!NOTE]
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
+
+This section outlines the process to create a WDAC policy for **fully managed devices** within an organization. The key difference between this scenario and [lightly managed devices](create-wdac-policy-for-lightly-managed-devices.md) is that all software deployed to a fully managed device is managed by IT and users of the device cannot install arbitrary apps. Ideally, all apps are deployed using a software distribution solution, such as Microsoft Endpoint Manager (MEM). Additionally, users on fully managed devices should ideally run as standard user and only authorized IT pros have administrative access.
 
 > [!NOTE]
-> Some of the WDAC options described in this topic are only available on Windows 10 version 1903 and above. When using this topic to plan your own organization's WDAC policies, consider whether your managed clients can use all or some of these features and assess the impact for any features that may be unavailable on your clients. You may need to adapt this guidance to meet your specific organization's needs.
+> Some of the WDAC options described in this topic are only available on Windows 10 version 1903 and above, or Windows 11. When using this topic to plan your own organization's WDAC policies, consider whether your managed clients can use all or some of these features and assess the impact for any features that may be unavailable on your clients. You may need to adapt this guidance to meet your specific organization's needs.
 
 As described in [common WDAC deployment scenarios](types-of-devices.md), we will use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices.
 
 **Alice Pena** is the IT team lead tasked with the rollout of WDAC.
 
-Alice previously created a policy for the organization's lightly-managed devices. Some devices, however, are more tightly managed and can benefit from a more constrained policy. In particular, certain job functions such as administrative staff and task-workers are not granted administrator level access to their devices. Similarly, shared kiosks are configured only with a managed set of apps and all users of the device except IT run as standard user. On these devices, all apps are deployed and installed by IT.
+Alice previously created a policy for the organization's lightly managed devices. Some devices, however, are more tightly managed and can benefit from a more constrained policy. In particular, certain job functions such as administrative staff and firstline workers are not granted administrator level access to their devices. Similarly, shared kiosks are configured only with a managed set of apps and all users of the device except IT run as standard user. On these devices, all apps are deployed and installed by IT.
 
-## Define the "circle-of-trust" for fully-managed devices
+## Define the "circle-of-trust" for fully managed devices
 
-Alice identifies the following key factors to arrive at the "circle-of-trust" for Lamna's fully-managed devices:
+Alice identifies the following key factors to arrive at the "circle-of-trust" for Lamna's fully managed devices:
 
-- All clients are running Windows 10 version 1903 or above;
+- All clients are running Windows 10 version 1903 or above or Windows 11;
 - All clients are managed by Microsoft Endpoint Manager (MEM) either with Configuration Manager (MEMCM) standalone or hybrid mode with Intune;
 
 > [!NOTE]
@@ -55,15 +59,15 @@ Alice's team develops a simple console application, called *LamnaITInstaller.exe
 
 Based on the above, Alice defines the pseudo-rules for the policy:
 
-1. **“Windows works”** rules which authorizes:
+1. **“Windows works”** rules that authorize:
    - Windows
    - WHQL (3rd party kernel drivers)
    - Windows Store signed apps
 
-2. **"MEMCM works”** rules which includes signer and hash rules for MEMCM components to properly function
+2. **"MEMCM works”** rules that include signer and hash rules for MEMCM components to properly function
 3. **Allow Managed Installer** (MEMCM and *LamnaITInstaller.exe* configured as a managed installer)
 
-The critical differences between this set of pseudo-rules and those defined for Lamna's [lightly-managed devices](create-wdac-policy-for-lightly-managed-devices.md#define-the-circle-of-trust-for-lightly-managed-devices) are:
+The critical differences between this set of pseudo-rules and those defined for Lamna's [lightly managed devices](create-wdac-policy-for-lightly-managed-devices.md#define-the-circle-of-trust-for-lightly-managed-devices) are:
 
 - Removal of the Intelligent Security Graph (ISG) option; and
 - Removal of filepath rules.
@@ -77,7 +81,7 @@ Alice follows these steps to complete this task:
 > [!NOTE]
 > If you do not use MEMCM or prefer to use a different [example WDAC base policy](example-wdac-base-policies.md) for your own policy, skip to step 2 and substitute the MEMCM policy path with your preferred example base policy.
 
-1. [Use MEMCM to create and deploy an audit policy](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) to a client device running Windows 10 version 1903 or above.
+1. [Use MEMCM to create and deploy an audit policy](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) to a client device running Windows 10 version 1903 or above, or Windows 11.
 
 2. On the client device, run the following commands in an elevated Windows PowerShell session to initialize variables:
 
@@ -129,12 +133,12 @@ Alice follows these steps to complete this task:
 
 At this point, Alice now has an initial policy that is ready to deploy in audit mode to the managed clients within Lamna.
 
-## Security considerations of this fully-managed policy
+## Security considerations of this fully managed policy
 
-Alice has defined a policy for Lamna's fully-managed devices that makes some trade-offs between security and manageability for apps. Some of the trade-offs include:
+Alice has defined a policy for Lamna's fully managed devices that makes some trade-offs between security and manageability for apps. Some of the trade-offs include:
 
 - **Users with administrative access**<br>
-    Although applying to fewer users, Lamna still allows some IT staff to log in to its fully-managed devices as administrator. This allows these admin users (or malware running with the user's privileges) to modify or remove altogether the WDAC policy applied on the device. Additionally, administrators can configure any app they wish to operate as a managed installer which would allow them to gain persistent app authorization for whatever apps or binaries they wish.
+    Although applying to fewer users, Lamna still allows some IT staff to log in to its fully managed devices as administrator. This allows these admin users (or malware running with the user's privileges) to modify or remove altogether the WDAC policy applied on the device. Additionally, administrators can configure any app they wish to operate as a managed installer that would allow them to gain persistent app authorization for whatever apps or binaries they wish.
 
    Possible mitigations:
   - Use signed WDAC policies and UEFI BIOS access protection to prevent tampering of WDAC policies.
@@ -160,7 +164,7 @@ Alice has defined a policy for Lamna's fully-managed devices that makes some tra
     Supplemental policies are designed to relax the associated base policy. Additionally allowing unsigned policies allows any administrator process to expand the "circle-of-trust" defined by the base policy without restriction.
 
    Possible mitigations:
-  - Use signed WDAC policies which allow authorized signed supplemental policies only.
+  - Use signed WDAC policies that allow authorized signed supplemental policies only.
   - Use a restrictive audit mode policy to audit app usage and augment vulnerability detection.
 
 ## Up next
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md
index c4dabcde4c..76199f55b5 100644
--- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-lightly-managed-devices.md
@@ -1,5 +1,5 @@
 ---
-title: Create a WDAC policy for lightly-managed devices (Windows 10)
+title: Create a WDAC policy for lightly managed devices (Windows)
 description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core.
 keywords: security, malware
 ms.topic: conceptual
@@ -19,29 +19,33 @@ ms.date: 11/15/2019
 ms.technology: mde
 ---
 
-# Create a WDAC policy for lightly-managed devices
+# Create a WDAC policy for lightly managed devices
 
 **Applies to:**
 
-- Windows 10
-- Windows Server 2016 and above
+-   Windows 10
+-   Windows 11
+-   Windows Server 2016 and above
 
-This section outlines the process to create a WDAC policy for **lightly-managed devices** within an organization. Typically, organizations that are new to application control will be most successful if they start with a permissive policy like the one described in this topic. Organizations can choose to harden the policy over time to achieve a stronger overall security posture on their WDAC managed devices as described in later topics.
+>[!NOTE]
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
+
+This section outlines the process to create a WDAC policy for **lightly managed devices** within an organization. Typically, organizations that are new to application control will be most successful if they start with a permissive policy like the one described in this topic. Organizations can choose to harden the policy over time to achieve a stronger overall security posture on their WDAC-managed devices as described in later topics.
 
 > [!NOTE]
-> Some of the WDAC options described in this topic are only available on Windows 10 version 1903 and above. When using this topic to plan your own organization's WDAC policies, consider whether your managed clients can use all or some of these features and assess the impact for any features that may be unavailable on your clients. You may need to adapt this guidance to meet your specific organization's needs.
+> Some of the WDAC options described in this topic are only available on Windows 10 version 1903 and above, or Windows 11. When using this topic to plan your own organization's WDAC policies, consider whether your managed clients can use all or some of these features and assess the impact for any features that may be unavailable on your clients. You may need to adapt this guidance to meet your specific organization's needs.
 
 As in the [previous topic](types-of-devices.md), we will use the example of **Lamna Healthcare Company (Lamna)** to illustrate this scenario. Lamna is attempting to adopt stronger application policies, including the use of application control to prevent unwanted or unauthorized applications from running on their managed devices.
 
-**Alice Pena** is the IT team lead tasked with the rollout of WDAC. Recognizing where Lamna is starting from, with very loose application usage policies and a culture of maximum app flexibility for users, Alice knows that she will need to take an incremental approach to application control and use different policies for different workloads.
+**Alice Pena** is the IT team lead tasked with the rollout of WDAC. Recognizing where Lamna is starting from, with loose application usage policies and a culture of maximum app flexibility for users, Alice knows that she will need to take an incremental approach to application control and use different policies for different workloads.
 
 For the majority of users and devices, Alice wants to create an initial policy that is as relaxed as possible in order to minimize user productivity impact, while still providing security value.
 
-## Define the "circle-of-trust" for lightly-managed devices
+## Define the "circle-of-trust" for lightly managed devices
 
-Alice identifies the following key factors to arrive at the "circle-of-trust" for Lamna's lightly-managed devices, which currently includes most end-user devices:
+Alice identifies the following key factors to arrive at the "circle-of-trust" for Lamna's lightly managed devices, which currently include most end-user devices:
 
-- All clients are running Windows 10 version 1903 or above;
+- All clients are running Windows 10 version 1903 and above, or Windows 11;
 - All clients are managed by Microsoft Endpoint Manager (MEM) either with Configuration Manager (MEMCM) standalone or hybrid mode with Intune;
 
     > [!NOTE]
@@ -53,12 +57,12 @@ Alice identifies the following key factors to arrive at the "circle-of-trust" fo
 
 Based on the above, Alice defines the pseudo-rules for the policy:
 
-1. **“Windows works”** rules which authorizes:
+1. **“Windows works”** rules that authorize:
    - Windows
    - WHQL (3rd party kernel drivers)
    - Windows Store signed apps
 
-2. **"MEMCM works”** rules which includes signer and hash rules for MEMCM components to properly function
+2. **"MEMCM works”** rules which include signer and hash rules for MEMCM components to properly function
 3. **Allow Managed Installer** (MEMCM configured as a managed installer)
 4. **Allow Intelligent Security Graph (ISG)** (reputation-based authorization)
 5. **Admin-only path rules** for the following locations:
@@ -68,14 +72,14 @@ Based on the above, Alice defines the pseudo-rules for the policy:
 
 ## Create a custom base policy using an example WDAC base policy
 
-Having defined the "circle-of-trust", Alice is ready to generate the initial policy for Lamna's lightly-managed devices. She decides to use MEMCM to create the initial base policy and then customize it to meet Lamna's needs.
+Having defined the "circle-of-trust", Alice is ready to generate the initial policy for Lamna's lightly managed devices. She decides to use MEMCM to create the initial base policy and then customize it to meet Lamna's needs.
 
 Alice follows these steps to complete this task:
 
 > [!NOTE]
 > If you do not use MEMCM or prefer to use a different [example WDAC base policy](example-wdac-base-policies.md) for your own policy, skip to step 2 and substitute the MEMCM policy path with your preferred example base policy.
 
-1. [Use MEMCM to create and deploy an audit policy](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) to a client device running Windows 10 version 1903 or above.
+1. [Use MEMCM to create and deploy an audit policy](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) to a client device running Windows 10 version 1903 and above, or Windows 11.
 
 2. On the client device, run the following commands in an elevated Windows PowerShell session to initialize variables:
 
@@ -137,12 +141,12 @@ Alice follows these steps to complete this task:
 
 At this point, Alice now has an initial policy that is ready to deploy in audit mode to the managed clients within Lamna.
 
-## Security considerations of this lightly-managed policy
+## Security considerations of this lightly managed policy
 
 In order to minimize user productivity impact, Alice has defined a policy that makes several trade-offs between security and user app flexibility. Some of the trade-offs include:
 
 - **Users with administrative access**<br>
-    By far the most impactful security trade-off, this allows the device user (or malware running with the user's privileges) to modify or remove altogether the WDAC policy applied on the device. Additionally, administrators can configure any app they wish to operate as a managed installer which would allow them to gain persistent app authorization for whatever apps or binaries they wish.
+    By far the most impactful security trade-off, this allows the device user (or malware running with the user's privileges) to modify or remove altogether the WDAC policy applied on the device. Additionally, administrators can configure any app they wish to operate as a managed installer that would allow them to gain persistent app authorization for whatever apps or binaries they wish.
 
     Possible mitigations:
   - Use signed WDAC policies and UEFI BIOS access protection to prevent tampering of WDAC policies.
@@ -164,13 +168,13 @@ In order to minimize user productivity impact, Alice has defined a policy that m
     See [security considerations with the Intelligent Security Graph](use-windows-defender-application-control-with-intelligent-security-graph.md#security-considerations-with-the-intelligent-security-graph)
 
     Possible mitigations:
-  - Implement policies requiring apps are managed by IT; audit existing app usage and deploy authorized apps using a software distribution solution such as Microsoft Endpoint Manager; move from ISG to managed installer or signature based rules.
+  - Implement policies requiring apps are managed by IT; audit existing app usage and deploy authorized apps using a software distribution solution such as Microsoft Endpoint Manager; move from ISG to managed installer or signature-based rules.
   - Use a restrictive audit mode policy to audit app usage and augment vulnerability detection.
 - **Supplemental policies**<br>
     Supplemental policies are designed to relax the associated base policy. Additionally allowing unsigned policies allows any administrator process to expand the "circle-of-trust" defined by the base policy without restriction.
 
     Possible mitigations:
-  - Use signed WDAC policies which allow authorized signed supplemental policies only.
+  - Use signed WDAC policies that allow authorized signed supplemental policies only.
   - Use a restrictive audit mode policy to audit app usage and augment vulnerability detection.
 - **FilePath rules**<br>
     See [more information about filepath rules](select-types-of-rules-to-create.md#more-information-about-filepath-rules)
@@ -181,5 +185,5 @@ In order to minimize user productivity impact, Alice has defined a policy that m
 
 ## Up next
 
-- [Create a WDAC policy for fully-managed devices](create-wdac-policy-for-fully-managed-devices.md)
+- [Create a WDAC policy for fully managed devices](create-wdac-policy-for-fully-managed-devices.md)
 - [Prepare to deploy WDAC policies](windows-defender-application-control-deployment-guide.md)
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md
index 2a3d5a91f3..52cac752d2 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md
@@ -1,5 +1,5 @@
 ---
-title: Deploy catalog files to support Windows Defender Application Control (Windows 10)
+title: Deploy catalog files to support Windows Defender Application Control (Windows)
 description: Catalog files simplify running unsigned applications in the presence of a Windows Defender Application Control (WDAC) policy.
 keywords: security, malware
 ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
@@ -23,7 +23,11 @@ ms.technology: mde
 **Applies to:**
 
 -   Windows 10
--   Windows Server 2016
+-   Windows 11
+-   Windows Server 2016 and above
+
+>[!NOTE]
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
 
 Catalog files can be important in your deployment of Windows Defender Application Control (WDAC) if you have unsigned line-of-business (LOB) applications for which the process of signing is difficult. To prepare to create WDAC policies that allow these trusted applications but block unsigned code (most malware is unsigned), you create a *catalog file* that contains information about the trusted applications. After you sign and distribute the catalog, your trusted applications can be handled by WDAC in the same way as any other signed application. With this foundation, you can more easily block all unsigned applications, allowing only signed applications to run.
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md
index 33cc699ac1..9ea7cc663a 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md
@@ -1,5 +1,5 @@
 ---
-title: Use multiple Windows Defender Application Control Policies  (Windows 10)
+title: Use multiple Windows Defender Application Control Policies  (Windows)
 description: Windows Defender Application Control supports multiple code integrity policies for one device.
 keywords: security, malware
 ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
@@ -22,8 +22,12 @@ ms.technology: mde
 
 **Applies to:**
 
-- Windows 10 version 1903 and above
-- Windows Server 2022 and above
+-   Windows 10
+-   Windows 11
+-   Windows Server 2016 and above
+
+>[!NOTE]
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
 
 Prior to Windows 10 1903, WDAC only supported a single active policy on a system at any given time. This significantly limited customers in situations where multiple policies with different intents would be useful. Beginning with Windows 10 version 1903, WDAC supports up to 32 active policies on a device at once in order to enable the following scenarios:
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md
index 8e8fa29002..d20e96958f 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md
@@ -1,5 +1,5 @@
 ---
-title: Deploy WDAC policies via Group Policy (Windows 10)
+title: Deploy WDAC policies via Group Policy (Windows)
 description: Windows Defender Application Control (WDAC) policies can easily be deployed and managed with Group Policy. Learn how by following this step-by-step guide.
 keywords: security, malware
 ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
@@ -22,11 +22,15 @@ ms.technology: mde
 
 **Applies to:**
 
-- Windows 10
-- Windows Server 2016 and above
+-   Windows 10
+-   Windows 11
+-   Windows Server 2016 and above
+
+>[!NOTE]
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
 
 > [!NOTE]
-> Group Policy-based deployment of WDAC policies only supports single-policy format WDAC policies. To use WDAC on devices running Windows 10 1903 and greater, we recommend using an alternative method for policy deployment. 
+> Group Policy-based deployment of WDAC policies only supports single-policy format WDAC policies. To use WDAC on devices running Windows 10 1903 and greater, or Windows 11, we recommend using an alternative method for policy deployment.
 
 Single-policy format WDAC policies (pre-1903 policy schema) can be easily deployed and managed with Group Policy. The following procedure walks you through how to deploy a WDAC policy called **ContosoPolicy.bin** to a test OU called *WDAC Enabled PCs* by using a GPO called **Contoso GPO Test**.
 
@@ -61,4 +65,4 @@ To deploy and manage a WDAC policy with Group Policy:
     > [!NOTE]
     > You may have noticed that the GPO setting references a .p7b file and this example uses a .bin file for the policy. Regardless of the type of policy you deploy (.bin, .p7b, or .p7), they are all converted to SIPolicy.p7b when dropped on the client computer running Windows 10. Give your WDAC policies friendly names and allow the system to convert the policy names for you to ensure that the policies are easily distinguishable when viewed in a share or any other central repository.
 
-7. Close the Group Policy Management Editor, and then restart the Windows 10 test computer. Restarting the computer updates the WDAC policy.
+7. Close the Group Policy Management Editor, and then restart the Windows test computer. Restarting the computer updates the WDAC policy.
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md
index 8cf09e5b2f..250600e081 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md
@@ -1,5 +1,5 @@
 ---
-title: Deploy WDAC policies using Mobile Device Management (MDM) (Windows 10)
+title: Deploy WDAC policies using Mobile Device Management (MDM) (Windows)
 description: You can use an MDM like Microsoft Intune to configure Windows Defender Application Control (WDAC). Learn how with this step-by-step guide.
 keywords: security, malware
 ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
@@ -22,13 +22,18 @@ ms.technology: mde
 
 **Applies to:**
 
-- Windows 10
+-   Windows 10
+-   Windows 11
+-   Windows Server 2016 and above
+
+>[!NOTE]
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
 
 You can use a Mobile Device Management (MDM) solution, like Microsoft Endpoint Manager (MEM) Intune, to configure Windows Defender Application Control (WDAC) on client machines. Intune includes native support for WDAC which can be a helpful starting point, but customers may find the available circle-of-trust options too limiting. To deploy a custom policy through Intune and define your own circle of trust, you can configure a profile using Custom OMA-URI. If your organization uses another MDM solution, check with your solution provider for WDAC policy deployment steps.
 
 ## Use Intune's built-in policies
 
-Intune's built-in WDAC support allows you to configure Windows 10 client computers to only run:
+Intune's built-in WDAC support allows you to configure Windows client computers to only run:
 
 - Windows components
 - 3rd party hardware and software kernel drivers
@@ -36,7 +41,7 @@ Intune's built-in WDAC support allows you to configure Windows 10 client compute
 - [Optional] Reputable apps as defined by the Intelligent Security Graph (ISG)
 
 > [!NOTE]
-> Intune's built-in policies use the pre-1903 single-policy format version of the DefaultWindows policy. You can use Intune's custom OMA-URI feature to deploy your own multiple-policy format WDAC policies and leverage features available on Windows 10 1903+ as described later in this topic.
+> Intune's built-in policies use the pre-1903 single-policy format version of the DefaultWindows policy. You can use Intune's custom OMA-URI feature to deploy your own multiple-policy format WDAC policies and leverage features available on Windows 10 1903+ or Windows 11 as described later in this topic.
 
 > [!NOTE]
 > Intune currently uses the AppLocker CSP to deploy its built-in policies. The AppLocker CSP will always request a reboot when applying WDAC policies. You can use Intune's custom OMA-URI feature with the ApplicationControl CSP to deploy your own WDAC policies rebootlessly.
diff --git a/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md
index 6cbf4d90fa..ad706276ac 100644
--- a/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/disable-windows-defender-application-control-policies.md
@@ -1,5 +1,5 @@
 ---
-title: Disable Windows Defender Application Control policies  (Windows 10)
+title: Disable Windows Defender Application Control policies  (Windows)
 description: Learn how to disable both signed and unsigned Windows Defender Application Control policies, within Windows and within the BIOS.
 keywords: security, malware
 ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
@@ -23,7 +23,11 @@ ms.technology: mde
 **Applies to:**
 
 -   Windows 10
--   Windows Server 2016
+-   Windows 11
+-   Windows Server 2016 and above
+
+>[!NOTE]
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
 
 This topic covers how to disable unsigned or signed WDAC policies.
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md
index 6c3b04eb5a..5dd1fd73f9 100644
--- a/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/enforce-windows-defender-application-control-policies.md
@@ -1,5 +1,5 @@
 ---
-title: Enforce Windows Defender Application Control (WDAC) policies (Windows 10)
+title: Enforce Windows Defender Application Control (WDAC) policies (Windows)
 description: Learn how to switch a WDAC policy from audit to enforced mode.
 keywords: security, malware
 ms.prod: m365-security
@@ -20,13 +20,17 @@ ms.localizationpriority: medium
 
 **Applies to:**
 
-- Windows 10
-- Windows Server 2016 and above
+-   Windows 10
+-   Windows 11
+-   Windows Server 2016 and above
+
+>[!NOTE]
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
 
 You should now have one or more WDAC policies broadly deployed in audit mode. You have analyzed events collected from the devices with those policies and you're ready to enforce. Use this procedure to prepare and deploy your WDAC policies in enforcement mode.
 
 > [!NOTE]
-> Some of the steps described in this article only apply to Windows 10 version 1903 and above. When using this topic to plan your own organization's WDAC policies, consider whether your managed clients can use all or some of these features. Evaluate the impact for any features that may be unavailable on your clients running earlier versions of Windows 10 and Windows Server. You may need to adapt this guidance to meet your specific organization's needs.
+> Some of the steps described in this article only apply to Windows 10 version 1903 and above, or Windows 11. When using this topic to plan your own organization's WDAC policies, consider whether your managed clients can use all or some of these features. Evaluate the impact for any features that may be unavailable on your clients running earlier versions of Windows 10 and Windows Server. You may need to adapt this guidance to meet your specific organization's needs.
 
 ## Convert WDAC **base** policy from audit to enforced
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md
index 8457a3a69c..4e249a4f50 100644
--- a/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/example-wdac-base-policies.md
@@ -1,5 +1,5 @@
 ---
-title: Example Windows Defender Application Control (WDAC) base policies (Windows 10)
+title: Example Windows Defender Application Control (WDAC) base policies (Windows)
 description: When creating a WDAC policy for an organization, start from one of the many available example base policies.
 keywords: security, malware
 ms.topic: article
@@ -23,8 +23,12 @@ ms.technology: mde
 
 **Applies to:**
 
-- Windows 10
-- Windows Server 2016 and above
+-   Windows 10
+-   Windows 11
+-   Windows Server 2016 and above
+
+>[!NOTE]
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
 
 When creating policies for use with Windows Defender Application Control (WDAC), start from an existing base policy and then add or remove rules to build your own custom policy. Windows includes several example policies that can be used, or organizations that use the Device Guard Signing Service can download a starter policy from that service.
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/feature-availability.md b/windows/security/threat-protection/windows-defender-application-control/feature-availability.md
index 0f9af0978c..16eb1e9257 100644
--- a/windows/security/threat-protection/windows-defender-application-control/feature-availability.md
+++ b/windows/security/threat-protection/windows-defender-application-control/feature-availability.md
@@ -23,16 +23,20 @@ ms.technology: mde
 
 **Applies to:**
 
-- Windows 10
-- Windows Server 2016 and above
+-   Windows 10
+-   Windows 11
+-   Windows Server 2016 and above
+
+>[!NOTE]
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
 
 | Capability  | WDAC | AppLocker   |
 |-------------|------|-------------|
-| Platform support    | Available on Windows 10   | Available on Windows 8+   |
+| Platform support    | Available on Windows 10 and Windows 11  | Available on Windows 8+   |
 | SKU availability     | Cmdlets are available on all SKUs on 1909+ builds.<br>For pre-1909 builds, cmdlets are only available on Enterprise but policies are effective on all SKUs.  | Policies deployed through GP are only effective on Enterprise devices.<br>Policies deployed through MDM are effective on all SKUs.  |
 | Management solutions   | <ul><li>[Intune](./deploy-windows-defender-application-control-policies-using-intune.md) (limited built-in policies or custom policy deployment via OMA-URI)</li><li>[Microsoft Endpoint Manager Configuration Manager (MEMCM)](/configmgr/protect/deploy-use/use-device-guard-with-configuration-manager) (limited built-in policies or custom policy deployment via Software Distribution)</li><li>[Group Policy](./deploy-windows-defender-application-control-policies-using-group-policy.md) </li><li>PowerShell</li></ul>  | <ul><li>[Intune](/windows/client-management/mdm/applocker-csp) (custom policy deployment via OMA-URI only)</li><li>MEMCM (custom policy deployment via Software Distribution only)</li><li>[Group Policy](./applocker/determine-group-policy-structure-and-rule-enforcement.md)</li><li>PowerShell</li><ul> |
 | Per-User and Per-User group rules | Not available (policies are device-wide)  | Available on Windows 8+  |
-| Kernel mode policies  | Available on all Windows 10 versions  | Not available |
+| Kernel mode policies  | Available on all Windows 10 versions and Windows 11  | Not available |
 | Per-app rules  | [Available on 1703+](./use-windows-defender-application-control-policy-to-control-specific-plug-ins-add-ins-and-modules.md)  | Not available |
 | Managed Installer (MI)  | [Available on 1703+](./configure-authorized-apps-deployed-with-a-managed-installer.md)  | Not available  |
 | Reputation-Based intelligence     | [Available on 1709+](./use-windows-defender-application-control-with-intelligent-security-graph.md)  | Not available |
diff --git a/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md
index 4d5cd8178f..2d0ccf9451 100644
--- a/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md
+++ b/windows/security/threat-protection/windows-defender-application-control/manage-packaged-apps-with-windows-defender-application-control.md
@@ -1,5 +1,5 @@
 ---
-title: Manage packaged apps with WDAC  (Windows 10)
+title: Manage packaged apps with WDAC  (Windows)
 description: Packaged apps, also known as Universal Windows apps, allow you to control the entire app by using a single Windows Defender Application Control (WDAC) rule.
 keywords: security, malware
 ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
@@ -23,7 +23,11 @@ ms.technology: mde
 **Applies to:**
 
 -   Windows 10
--   Windows Server 2016
+-   Windows 11
+-   Windows Server 2016 and above
+
+>[!NOTE]
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
 
 This topic for IT professionals describes concepts and lists procedures to help you manage packaged apps with Windows Defender Application Control (WDAC) as part of your overall application control strategy.
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md
index a3a2084a23..f2561cb90c 100644
--- a/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/merge-windows-defender-application-control-policies.md
@@ -1,5 +1,5 @@
 ---
-title: Merge Windows Defender Application Control policies (WDAC) (Windows 10)
+title: Merge Windows Defender Application Control policies (WDAC) (Windows)
 description: Learn how to merge WDAC policies as part of your policy lifecycle management. 
 keywords: security, malware
 ms.prod: m365-security
@@ -20,8 +20,12 @@ ms.localizationpriority: medium
 
 **Applies to:**
 
-- Windows 10
-- Windows Server 2016 and above
+-   Windows 10
+-   Windows 11
+-   Windows Server 2016 and above
+
+>[!NOTE]
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
 
 This article shows how to merge multiple policy XML files together and how to merge rules directly into a policy. WDAC deployments often include a few base policies and optional supplemental policies for specific use cases.
 
@@ -87,7 +91,7 @@ Now that you have your new, merged policy, you can convert and deploy the policy
    ```
 
    > [!NOTE]
-   > In the sample commands above, for policies targeting Windows 10 version 1903+, replace the string "{InsertPolicyID}" with the actual PolicyID GUID (including braces **{ }**) found in your policy XML file. For Windows 10 versions prior to 1903, use the name SiPolicy.p7b for the binary file name.
+   > In the sample commands above, for policies targeting Windows 10 version 1903+ or Windows 11, replace the string "{InsertPolicyID}" with the actual PolicyID GUID (including braces **{ }**) found in your policy XML file. For Windows 10 versions prior to 1903, use the name SiPolicy.p7b for the binary file name.
 
 2. Upload your merged policy XML and the associated binary to the source control solution you are using for your WDAC policies. such as [GitHub](https://github.com/) or a document management solution such as [Office 365 SharePoint](https://products.office.com/sharepoint/collaboration).
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
index c69955e62b..9d1ed76f05 100644
--- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules.md
@@ -1,5 +1,5 @@
 ---
-title: Microsoft recommended block rules (Windows 10)
+title: Microsoft recommended block rules (Windows)
 description: View a list of recommended block rules, based on knowledge shared between Microsoft and the wider security community.
 keywords: security, malware
 ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
@@ -22,8 +22,12 @@ ms.technology: mde
 
 **Applies to:**
 
-- Windows 10
-- Windows Server 2016 and above
+-   Windows 10
+-   Windows 11
+-   Windows Server 2016 and above
+
+>[!NOTE]
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
 
 Members of the security community<sup>*</sup> continuously collaborate with Microsoft to help protect customers. With the help of their valuable reports, Microsoft has identified a list of valid applications that an attacker could also potentially use to bypass Windows Defender Application Control. 
 
@@ -71,7 +75,7 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you
 
 <sup>1</sup> A vulnerability in bginfo.exe has been fixed in the latest version 4.22. If you use BGInfo, for security, make sure to download and run the latest version here [BGInfo 4.22](/sysinternals/downloads/bginfo). Note that BGInfo versions earlier than 4.22 are still vulnerable and should be blocked.
 
-<sup>2</sup> If you are using your reference system in a development context and use msbuild.exe to build managed applications, we recommend that you allow msbuild.exe in your code integrity policies. However, if your reference system is an end user device that is not being used in a development context, we recommend that you block msbuild.exe.
+<sup>2</sup> If you are using your reference system in a development context and use msbuild.exe to build managed applications, we recommend that you allow msbuild.exe in your code integrity policies. However, if your reference system is an end-user device that is not being used in a development context, we recommend that you block msbuild.exe.
 
 <sup>*</sup> Microsoft recognizes the efforts of those in the security community who help us protect customers through responsible vulnerability disclosure, and extends thanks to the following people:
 
@@ -96,9 +100,9 @@ Unless your use scenarios explicitly require them, Microsoft recommends that you
 > [!Note]
 > This application list will be updated with the latest vendor information as application vulnerabilities are resolved and new issues are discovered. 
 
-Certain software applications may allow additional code to run by design. 
+Certain software applications may allow extra code to run by design. 
 These types of applications should be blocked by your Windows Defender Application Control policy. 
-In addition, when an application version is upgraded to fix a security vulnerability or potential Windows Defender Application Control bypass, you should add deny rules to your WDAC policies for that application’s previous, less secure versions. 
+Also, when an application version is upgraded to fix a security vulnerability or potential Windows Defender Application Control bypass, you should add Deny rules to your WDAC policies for that application’s previous, less secure versions. 
 
 Microsoft recommends that you install the latest security updates. 
 The June 2017 Windows updates resolve several issues in PowerShell modules that allowed an attacker to bypass Windows Defender Application Control. 
diff --git a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
index f85b75d3ad..56ff102873 100644
--- a/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
+++ b/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-driver-block-rules.md
@@ -1,5 +1,5 @@
 ---
-title: Microsoft recommended driver block rules (Windows 10)
+title: Microsoft recommended driver block rules (Windows)
 description: View a list of recommended block rules to block vulnerable third-party drivers discovered by Microsoft and the security research community.  
 keywords:  security, malware, kernel mode, driver
 ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
@@ -21,10 +21,14 @@ ms.date:
 
 **Applies to:**
 
-- Windows 10
-- Windows Server 2016 and above
+-   Windows 10
+-   Windows 11
+-   Windows Server 2016 and above
 
-Microsoft has strict requirements for code running in kernel. Consequently, malicious actors are turning to exploit vulnerabilities in legitimate and signed kernel drivers to run malware in kernel. One of the many strengths of the Windows platform is our strong collaboration with independent hardware vendors (IHVs) and OEMs. Microsoft works closely with our IHVs and security community to ensure the highest level of driver security for our customers and when vulnerabilities in drivers do arise, that they're patched and rolled out to the ecosystem in an expedited manner. Microsoft then adds the vulnerable versions of the drivers to our ecosystem block policy, which is applied to the following sets of devices:
+>[!NOTE]
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
+
+Microsoft has strict requirements for code running in kernel. So, malicious actors are turning to exploit vulnerabilities in legitimate and signed kernel drivers to run malware in kernel. One of the many strengths of the Windows platform is our strong collaboration with independent hardware vendors (IHVs) and OEMs. Microsoft works closely with our IHVs and security community to ensure the highest level of driver security for our customers and when vulnerabilities in drivers do arise, that they're patched and rolled out to the ecosystem in an expedited manner. Microsoft then adds the vulnerable versions of the drivers to our ecosystem block policy, which is applied to the following sets of devices:
 
 - Hypervisor-protected code integrity (HVCI) enabled devices
 - Windows 10 in S mode (S mode) devices
diff --git a/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md b/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md
index a9cd8c8585..848bfe1e62 100644
--- a/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md
+++ b/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md
@@ -1,5 +1,5 @@
 ---
-title: Plan for WDAC policy management (Windows 10)
+title: Plan for WDAC policy management (Windows)
 description: Learn about the decisions you need to make to establish the processes for managing and maintaining Windows Defender Application Control policies.
 keywords: security, malware
 ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
@@ -22,8 +22,12 @@ ms.technology: mde
 
 **Applies to:**
 
-- Windows 10
-- Windows Server 2016 and above
+-   Windows 10
+-   Windows 11
+-   Windows Server 2016 and above
+
+>[!NOTE]
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
 
 This topic describes the decisions you need to make to establish the processes for managing and maintaining Windows Defender Application Control (WDAC) policies.
 
@@ -49,10 +53,10 @@ To effectively manage WDAC policies, you should store and maintain your policy X
 
 ### Set PolicyName, PolicyID, and Version metadata for each policy
 
-Use the [Set-CIPolicyIDInfo](/powershell/module/configci/set-cipolicyidinfo) cmdlet to give each policy a descriptive name and set a unique ID in order to differentiate each policy when reviewing WDAC events or when viewing the policy XML document. Although you can specify a string value for PolicyId, for policies using the multiple policy format we recommend using the -ResetPolicyId switch to let the system auto-generate a unique ID for the policy.
+Use the [Set-CIPolicyIDInfo](/powershell/module/configci/set-cipolicyidinfo) cmdlet to give each policy a descriptive name and set a unique ID in order to differentiate each policy when reviewing WDAC events or when viewing the policy XML document. Although you can specify a string value for PolicyId, for policies using the multiple policy format we recommend using the -ResetPolicyId switch to let the system autogenerate a unique ID for the policy.
 
 > [!NOTE]
-> PolicyID only applies to policies using the [multiple policy format](deploy-multiple-windows-defender-application-control-policies.md) on computers running Windows 10, version 1903 and above. Running -ResetPolicyId on a policy created for pre-1903 computers will convert it to multiple policy format and prevent it from running on those earlier versions of Windows 10.
+> PolicyID only applies to policies using the [multiple policy format](deploy-multiple-windows-defender-application-control-policies.md) on computers running Windows 10, version 1903 and above, or Windows 11. Running -ResetPolicyId on a policy created for pre-1903 computers will convert it to multiple policy format and prevent it from running on those earlier versions of Windows 10.
 > PolicyID should be set only once per policy and use different PolicyID's for the audit and enforced mode versions of each policy.
 
 In addition, we recommend using the [Set-CIPolicyVersion](/powershell/module/configci/set-cipolicyversion) cmdlet to increment the policy's internal version number when you make changes to the policy. The version must be defined as a standard four-part version string (e.g. "1.0.0.0").
diff --git a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
index 8f9b6ac45d..403aab58d8 100644
--- a/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
+++ b/windows/security/threat-protection/windows-defender-application-control/select-types-of-rules-to-create.md
@@ -1,6 +1,6 @@
 ---
-title: Understand Windows Defender Application Control (WDAC) policy rules and file rules (Windows 10)
-description: Learn how WDAC policy rules and file rules can control your Windows 10 computers.
+title: Understand Windows Defender Application Control (WDAC) policy rules and file rules (Windows)
+description: Learn how WDAC policy rules and file rules can control your Windows 10 and Windows 11 computers.
 keywords: security, malware
 ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
 ms.prod: m365-security
@@ -22,10 +22,14 @@ ms.technology: mde
 
 **Applies to:**
 
-- Windows 10
-- Windows Server 2016 and above
+-   Windows 10
+-   Windows 11
+-   Windows Server 2016 and above
 
-Windows Defender Application Control (WDAC) can control what runs on Windows 10 by setting policies that specify whether a driver or application is trusted. A policy includes *policy rules* that control options such as audit mode, and *file rules* (or *file rule levels*) that specify how applications are identified and trusted.
+>[!NOTE]
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
+
+Windows Defender Application Control (WDAC) can control what runs on Windows 10 and Windows 11 by setting policies that specify whether a driver or application is trusted. A policy includes *policy rules* that control options such as audit mode, and *file rules* (or *file rule levels*) that specify how applications are identified and trusted.
 
 ## Windows Defender Application Control policy rules
 
@@ -58,10 +62,10 @@ You can set several rule options within a WDAC policy. Table 1 describes each ru
 | **5 Enabled:Inherit Default Policy** | This option is reserved for future use and currently has no effect. | Yes |
 | **6 Enabled:Unsigned System Integrity Policy (Default)** | Allows the policy to remain unsigned. When this option is removed, the policy must be signed and the certificates that are trusted for future policy updates must be identified in the UpdatePolicySigners section. | Yes |
 | **7 Allowed:Debug Policy Augmented** | This option is not currently supported. | Yes |
-| **8 Required:EV Signers** | This rule requires that drivers must be WHQL signed and have been submitted by a partner with an Extended Verification (EV) certificate. All Windows 10 and later drivers will meet this requirement. | No |
+| **8 Required:EV Signers** | This rule requires that drivers must be WHQL signed and have been submitted by a partner with an Extended Verification (EV) certificate. All Windows 10 and Windows 11 drivers will meet this requirement. | No |
 | **9 Enabled:Advanced Boot Options Menu** | The F8 preboot menu is disabled by default for all WDAC policies. Setting this rule option allows the F8 menu to appear to physically present users. | No |
 | **10 Enabled:Boot Audit on Failure** | Used when the WDAC policy is in enforcement mode. When a driver fails during startup, the WDAC policy will be placed in audit mode so that Windows will load. Administrators can validate the reason for the failure in the CodeIntegrity event log. | No |
-| **11 Disabled:Script Enforcement** | This option disables script enforcement options. Unsigned PowerShell scripts and interactive PowerShell are no longer restricted to [Constrained Language Mode](/powershell/module/microsoft.powershell.core/about/about_language_modes). NOTE: This option is required to run HTA files, and is supported on 1709, 1803, and 1809 builds with the 2019 10C LCU or higher, and on devices with the Windows 10 May 2019 Update (1903) and higher. Using it on versions of Windows 10 without the proper update may have unintended results. | No |
+| **11 Disabled:Script Enforcement** | This option disables script enforcement options. Unsigned PowerShell scripts and interactive PowerShell are no longer restricted to [Constrained Language Mode](/powershell/module/microsoft.powershell.core/about/about_language_modes). NOTE: This option is required to run HTA files, and is supported on 1709, 1803, and 1809 builds with the 2019 10C LCU or higher, and on devices with the Windows 10 May 2019 Update (1903) and higher. Using it on versions of Windows without the proper update may have unintended results. | No |
 | **12 Required:Enforce Store Applications** | If this rule option is enabled, WDAC policies will also apply to Universal Windows applications. | No |
 | **13 Enabled:Managed Installer** | Use this option to automatically allow applications installed by a managed installer. For more information, see [Authorize apps deployed with a WDAC managed installer](configure-authorized-apps-deployed-with-a-managed-installer.md) | Yes |
 | **14 Enabled:Intelligent Security Graph Authorization** | Use this option to automatically allow applications with "known good" reputation as defined by Microsoft’s Intelligent Security Graph (ISG). | Yes |
diff --git a/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md b/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md
index 936314d342..fcdf006d68 100644
--- a/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md
+++ b/windows/security/threat-protection/windows-defender-application-control/types-of-devices.md
@@ -1,5 +1,5 @@
 ---
-title: Policy creation for common WDAC usage scenarios (Windows 10)
+title: Policy creation for common WDAC usage scenarios (Windows)
 description: Develop a plan for deploying Windows Defender Application Control (WDAC) in your organization based on these common scenarios.
 keywords: security, malware
 ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
@@ -22,10 +22,14 @@ ms.technology: mde
 
 **Applies to**
 
-- Windows 10
-- Windows Server 2016 and above
+-   Windows 10
+-   Windows 11
+-   Windows Server 2016 and above
 
-Typically, deployment of Windows Defender Application Control (WDAC) happens best in phases, rather than being a feature that you simply “turn on.” The choice and sequence of phases depends on the way various computers and other devices are used in your organization, and to what degree IT manages those devices. The following table can help you begin to develop a plan for deploying WDAC in your organization. It is very common for organizations to have device use cases across each of the categories described.
+>[!NOTE]
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
+
+Typically, deployment of Windows Defender Application Control (WDAC) happens best in phases, rather than being a feature that you simply “turn on.” The choice and sequence of phases depends on the way various computers and other devices are used in your organization, and to what degree IT manages those devices. The following table can help you begin to develop a plan for deploying WDAC in your organization. It is common for organizations to have device use cases across each of the categories described.
 
 ## Types of devices
 
@@ -34,7 +38,7 @@ Typically, deployment of Windows Defender Application Control (WDAC) happens bes
 | **Lightly managed devices**: Company-owned, but users are free to install software.<br>Devices are required to run organization's antivirus solution and client management tools. | WDAC can be used to help protect the kernel, and to monitor (audit) for problem applications rather than limiting the applications that can be run. | 
 | **Fully managed devices**: Allowed software is restricted by IT department.<br>Users can request additional software, or install from a list of applications provided by IT department.<br>Examples: locked-down, company-owned desktops and laptops. | An initial baseline WDAC policy can be established and enforced. Whenever the IT department approves additional applications, it will update the WDAC policy and (for unsigned LOB applications) the catalog.<br>WDAC policies are supported by the HVCI service. | 
 | **Fixed-workload devices**: Perform same tasks every day.<br>Lists of approved applications rarely change.<br>Examples: kiosks, point-of-sale systems, call center computers. | WDAC can be deployed fully, and deployment and ongoing administration are relatively straightforward.<br>After WDAC deployment, only approved applications can run. This is because of protections offered by WDAC. | 
-| **Bring Your Own Device**: Employees are allowed to bring their own devices, and also use those devices away from work. | In most cases, WDAC does not apply. Instead, you can explore other hardening and security features with MDM-based conditional access solutions, such as Microsoft Intune. However, you may choose to deploy an audit-mode policy to these devices or employ a block-list only policy to prevent specific apps or binaries that are considered malicious or vulnerable by your organization. | 
+| **Bring Your Own Device**: Employees are allowed to bring their own devices, and also use those devices away from work. | In most cases, WDAC does not apply. Instead, you can explore other hardening and security features with MDM-based conditional access solutions, such as Microsoft Intune. However, you may choose to deploy an audit-mode policy to these devices or employ a blocklist only policy to prevent specific apps or binaries that are considered malicious or vulnerable by your organization. | 
 
 ## An introduction to Lamna Healthcare Company
 
@@ -42,7 +46,7 @@ In the next set of topics, we will explore each of the above scenarios using a f
 
 Lamna Healthcare Company (Lamna) is a large healthcare provider operating in the United States. Lamna employs thousands of people, from doctors and nurses to accountants, in-house lawyers, and IT technicians. Their device use cases are varied and include single-user workstations for their professional staff, shared kiosks used by doctors and nurses to access patient records, dedicated medical devices such as MRI scanners, and many others. Additionally, Lamna has a relaxed, bring-your-own-device policy for many of their professional staff.
 
-Lamna uses [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager) (MEM) in hybrid mode with both Configuration Manager (MEMCM) and Intune. Although they use MEM to deploy many applications, Lamna has always had very relaxed application usage practices: individual teams and employees have been able to install and use any applications they deem necessary for their role on their own workstations. Lamna also recently started to use [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) for better endpoint detection and response.
+Lamna uses [Microsoft Endpoint Manager](https://www.microsoft.com/microsoft-365/microsoft-endpoint-manager) (MEM) in hybrid mode with both Configuration Manager (MEMCM) and Intune. Although they use MEM to deploy many applications, Lamna has always had relaxed application usage practices: individual teams and employees have been able to install and use any applications they deem necessary for their role on their own workstations. Lamna also recently started to use [Microsoft Defender for Endpoint](https://www.microsoft.com/microsoft-365/windows/microsoft-defender-atp) for better endpoint detection and response.
 
 > [!NOTE]
 > Microsoft Endpoint Configuration Manager was previously known as System Center Configuration Manager. 

From b1dfa8c50e4e3eba877e538a1eaad0c693459233 Mon Sep 17 00:00:00 2001
From: Alekhya Jupudi <v-aljupudi@microsoft.com>
Date: Mon, 23 Aug 2021 16:33:05 +0530
Subject: [PATCH 2/6] Suggestion fixes

---
 .../LOB-win32-apps-on-s.md                             | 10 +++++-----
 ...uthorized-apps-deployed-with-a-managed-installer.md |  4 ++--
 .../configure-wdac-managed-installer.md                |  2 +-
 .../create-wdac-policy-for-fully-managed-devices.md    |  2 +-
 4 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md
index af1e30dca2..ab40f94622 100644
--- a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md
+++ b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md
@@ -47,18 +47,18 @@ The general steps for expanding the S mode base policy on your Intune-managed de
     Refer to [Deploy multiple Windows Defender Application Control Policies](deploy-multiple-windows-defender-application-control-policies.md) for guidance on creating supplemental policies and [Deploy Windows Defender Application Control policy rules and file rules](select-types-of-rules-to-create.md) to choose the right type of rules to create for your policy. 
 
     Below are a basic set of instructions for creating an S mode supplemental policy:
-    - Create a new base policy using [New-CIPolicy](/powershell/module/configci/new-cipolicy?view=win10-ps)
+    - Create a new base policy using [New-CIPolicy](/powershell/module/configci/new-cipolicy?view=win10-ps&preserve-view=true)
 
         ```powershell
         New-CIPolicy -MultiplePolicyFormat -ScanPath <path> -UserPEs -FilePath "<path>\SupplementalPolicy.xml" -Level Publisher -Fallback Hash
         ```
-    - Change it to a supplemental policy using [Set-CIPolicyIdInfo](/powershell/module/configci/set-cipolicyidinfo?view=win10-ps)
+    - Change it to a supplemental policy using [Set-CIPolicyIdInfo](/powershell/module/configci/set-cipolicyidinfo?view=win10-ps&preserve-view=true)
 
         ```powershell
         Set-CIPolicyIdInfo -SupplementsBasePolicyID 5951A96A-E0B5-4D3D-8FB8-3E5B61030784 -FilePath "<path>\SupplementalPolicy.xml"
         ```
         Policies which are supplementing the S mode base policy must use **-SupplementsBasePolicyID 5951A96A-E0B5-4D3D-8FB8-3E5B61030784**, as this is the S mode policy ID.
-    - Put the policy in enforce mode using [Set-RuleOption](/powershell/module/configci/set-ruleoption?view=win10-ps)
+    - Put the policy in enforce mode using [Set-RuleOption](/powershell/module/configci/set-ruleoption?view=win10-ps&preserve-view=true)
 
         ```powershell
         Set-RuleOption -FilePath "<path>\SupplementalPolicy.xml>" -Option 3 –Delete
@@ -69,7 +69,7 @@ The general steps for expanding the S mode base policy on your Intune-managed de
         ```powershell
         Add-SignerRule -FilePath <policypath> -CertificatePath <certpath> -User -Update
         ```
-    - Convert to .bin using [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy?view=win10-ps)
+    - Convert to .bin using [ConvertFrom-CIPolicy](/powershell/module/configci/convertfrom-cipolicy?view=win10-ps&preserve-view=true)
 
         ```powershell
         ConvertFrom-CIPolicy -XmlFilePath "<path>\SupplementalPolicy.xml" -BinaryFilePath "<path>\SupplementalPolicy.bin>
@@ -86,7 +86,7 @@ The general steps for expanding the S mode base policy on your Intune-managed de
     Go to the Azure portal online and navigate to the Microsoft Intune page, then go to the Client apps blade and select 'S mode supplemental policies'. Upload the signed policy to Intune and assign it to user or device groups. Intune will generate tenant- and device- specific authorization tokens. Intune then deploys the corresponding authorization token and supplemental policy to each device in the assigned group. Together, these expand the S mode base policy on the device. 
 
 > [!Note]
-> When updating your supplemental policy, ensure that the new version number is strictly greater than the previous one. Using the same version number is not allowed by Intune. Refer to [Set-CIPolicyVersion](/powershell/module/configci/set-cipolicyversion?view=win10-ps) for information on setting the version number.
+> When updating your supplemental policy, ensure that the new version number is strictly greater than the previous one. Using the same version number is not allowed by Intune. Refer to [Set-CIPolicyVersion](/powershell/module/configci/set-cipolicyversion?view=win10-ps&preserve-view=true) for information on setting the version number.
 
 ## Standard Process for Deploying Apps through Intune
 ![Deploying Apps through Intune](images/wdac-intune-app-deployment.png)
diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md
index 76eb273ded..70e5a3a31d 100644
--- a/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md
+++ b/windows/security/threat-protection/windows-defender-application-control/configure-authorized-apps-deployed-with-a-managed-installer.md
@@ -1,6 +1,6 @@
 ---
 title: Configure authorized apps deployed with a WDAC-managed installer (Windows)
-description: Explains how to configure a custom Manged Installer.
+description: Explains about how to configure a custom Manged Installer.
 keywords: security, malware
 ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
 ms.prod: m365-security
@@ -77,7 +77,7 @@ The identity of the managed installer executable(s) is specified in an AppLocker
 
 Currently, neither the AppLocker policy creation UI in GPO Editor nor the PowerShell cmdlets allow for directly specifying rules for the Managed Installer rule collection. However, you can use a text editor to make the changes that are needed to an EXE or DLL rule collection policy, to specify Type="ManagedInstaller", so that the new rule can be imported into a GPO.
 
-1. Use [New-AppLockerPolicy](/powershell/module/applocker/new-applockerpolicy?view=win10-ps) to make an EXE rule for the file you are designating as a managed installer. Note that only EXE file types can be designated as managed installers. Below is an example using the rule type Publisher with a hash fallback but other rule types can be used as well. You may need to reformat the output for readability.
+1. Use [New-AppLockerPolicy](/powershell/module/applocker/new-applockerpolicy?view=win10-ps&preserve-view=true) to make an EXE rule for the file you are designating as a managed installer. Note that only EXE file types can be designated as managed installers. Below is an example using the rule type Publisher with a hash fallback but other rule types can be used as well. You may need to reformat the output for readability.
 
     ```powershell
     Get-ChildItem <exe filepath> | Get-AppLockerFileInformation | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Xml > AppLocker_MI_PS_ISE.xml
diff --git a/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md b/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md
index 14ac17e575..a6fe5ce62e 100644
--- a/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md
+++ b/windows/security/threat-protection/windows-defender-application-control/configure-wdac-managed-installer.md
@@ -44,7 +44,7 @@ The identity of the managed installer executable(s) is specified in an AppLocker
 
 Currently, neither the AppLocker policy creation UI in GPO Editor nor the PowerShell cmdlets allow for directly specifying rules for the Managed Installer rule collection. However, a text editor can be used to make the simple changes needed to an EXE or DLL rule collection policy to specify Type="ManagedInstaller", so that the new rule can be imported into a GPO.
 
-1. Use [New-AppLockerPolicy](/powershell/module/applocker/new-applockerpolicy?view=win10-ps) to make an EXE rule for the file you are designating as a managed installer. Note that only EXE file types can be designated as managed installers. Below is an example using the rule type Publisher with a hash fallback, but other rule types can be used as well. You may need to reformat the output for readability.
+1. Use [New-AppLockerPolicy](/powershell/module/applocker/new-applockerpolicy?view=win10-ps&preserve-view=true) to make an EXE rule for the file you are designating as a managed installer. Note that only EXE file types can be designated as managed installers. Below is an example using the rule type Publisher with a hash fallback, but other rule types can be used as well. You may need to reformat the output for readability.
 
     ```powershell
     Get-ChildItem <exe filepath> | Get-AppLockerFileInformation | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Xml > AppLocker_MI_PS_ISE.xml
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md
index 3870af3447..0037968837 100644
--- a/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-wdac-policy-for-fully-managed-devices.md
@@ -1,6 +1,6 @@
 ---
 title: Create a WDAC policy for fully managed devices (Windows)
-description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in the system core.
+description: Windows Defender Application Control restricts which applications users are allowed to run and the code that runs in system core.
 keywords: security, malware
 ms.topic: conceptual
 ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb

From e87ef8501d40b3c702f8ea2aea542b91cc179bf2 Mon Sep 17 00:00:00 2001
From: Alekhya Jupudi <v-aljupudi@microsoft.com>
Date: Fri, 27 Aug 2021 11:58:56 +0530
Subject: [PATCH 3/6] Revert "Merge branch 'master' into
 aljupudi-w11defender-branch01"

This reverts commit 6e47b57bcd3bccd4020bf71580e90b8a10cd716e, reversing
changes made to 4467c6631d67200cfabcdd9d4ff576855e14a2e5.
---
 CONTRIBUTING.md                               |  10 +-
 ...ct-data-using-enterprise-site-discovery.md |  14 +-
 ...rprise-mode-logging-and-data-collection.md |  18 +-
 ...-on-enterprise-mode-and-use-a-site-list.md |   4 +-
 ...control-and-logging-for-enterprise-mode.md |   4 +-
 ...ct-data-using-enterprise-site-discovery.md |  14 +-
 .../deprecated-document-modes.md              |   2 +-
 ...doc-modes-and-enterprise-mode-site-list.md |   6 +-
 .../out-of-date-activex-control-blocking.md   |   6 +-
 ...-the-default-browser-using-group-policy.md |   2 +-
 ...rprise-mode-logging-and-data-collection.md |  18 +-
 ...s-and-tricks-to-manage-ie-compatibility.md |   4 +-
 ...-on-enterprise-mode-and-use-a-site-list.md |   4 +-
 ...control-and-logging-for-enterprise-mode.md |   4 +-
 .../licensing-version-and-features-ieak11.md  |  52 ++---
 .../educator-tib-get-started.md               |  62 +++---
 education/trial-in-a-box/index.md             |   4 +-
 .../trial-in-a-box/itadmin-tib-get-started.md |  46 ++---
 education/trial-in-a-box/support-options.md   |  12 +-
 education/windows/autopilot-reset.md          |   8 +-
 education/windows/change-to-pro-education.md  |  20 +-
 .../windows/chromebook-migration-guide.md     |   4 +-
 .../configure-windows-for-education.md        |  10 +-
 .../deploy-windows-10-in-a-school-district.md |  16 +-
 .../windows/deploy-windows-10-in-a-school.md  |  14 +-
 .../windows/edu-deployment-recommendations.md |  12 +-
 .../education-scenarios-store-for-business.md |   4 +-
 .../windows/get-minecraft-for-education.md    |   6 +-
 education/windows/index.md                    |  10 +-
 education/windows/school-get-minecraft.md     |  46 ++---
 .../set-up-school-pcs-azure-ad-join.md        |   2 +-
 .../set-up-students-pcs-to-join-domain.md     |   2 +-
 .../windows/set-up-students-pcs-with-apps.md  |  26 +--
 education/windows/set-up-windows-10.md        |   2 +-
 education/windows/take-a-test-multiple-pcs.md |  14 +-
 education/windows/take-a-test-single-pc.md    |   4 +-
 education/windows/take-tests-in-windows-10.md |   2 +-
 education/windows/teacher-get-minecraft.md    |  22 +-
 .../windows/use-set-up-school-pcs-app.md      |   2 +-
 smb/cloud-mode-business-setup.md              |  92 ++++-----
 smb/index.md                                  |   6 +-
 ...quire-apps-microsoft-store-for-business.md |   2 +-
 .../billing-understand-your-invoice-msfb.md   |   6 +-
 ...or-business-education-powershell-module.md |   2 +-
 ...oubleshoot-microsoft-store-for-business.md |  10 +-
 ...-new-microsoft-store-business-education.md |   4 +-
 .../working-with-line-of-business-apps.md     |   2 +-
 ...ation-publishing-and-client-interaction.md |   6 +-
 .../app-v/appv-deployment-checklist.md        |   6 +-
 .../app-v/appv-install-the-sequencer.md       |   2 +-
 .../app-v/appv-planning-checklist.md          |  12 +-
 ...enterprise-background-activity-controls.md |   6 +-
 .../per-user-services-in-windows.md           |  14 +-
 .../svchost-service-refactoring.md            |   8 +-
 .../administrative-tools-in-windows-10.md     |   4 +-
 ...nced-troubleshooting-802-authentication.md |  20 +-
 .../advanced-troubleshooting-boot-problems.md |   2 +-
 ...eshooting-wireless-network-connectivity.md |   4 +-
 ...t-removal-policy-external-storage-media.md |   2 +-
 .../connect-to-remote-aadj-pc.md              |   4 +-
 .../client-management/img-boot-sequence.md    |   2 +-
 .../introduction-page-file.md                 |   6 +-
 ...e-device-installation-with-group-policy.md |  38 ++--
 .../manage-settings-app-with-group-policy.md  |   2 +-
 ...-in-your-organization-modern-management.md |   2 +-
 .../mandatory-user-profile.md                 |  16 +-
 .../mdm/accountmanagement-csp.md              |   2 +-
 ...ure-ad-tenant-and-azure-ad-subscription.md |  32 +--
 .../client-management/mdm/applocker-csp.md    |   6 +-
 .../mdm/appv-deploy-and-config.md             |   2 +-
 ...e-active-directory-integration-with-mdm.md |   6 +-
 ...omatic-mdm-enrollment-in-the-new-portal.md |   4 +-
 .../client-management/mdm/bootstrap-csp.md    |   2 +-
 .../mdm/browserfavorite-csp.md                |   2 +-
 ...ollment-using-windows-provisioning-tool.md |  16 +-
 .../mdm/cellularsettings-csp.md               |   2 +-
 .../mdm/cm-cellularentries-csp.md             |   2 +-
 ...onfiguration-service-provider-reference.md |  60 +++---
 .../mdm/device-update-management.md           |  14 +-
 .../mdm/deviceinstanceservice-csp.md          |   2 +-
 .../client-management/mdm/devicelock-csp.md   |   2 +-
 .../diagnose-mdm-failures-in-windows-10.md    |  20 +-
 .../disconnecting-from-mdm-unenrollment.md    |   2 +-
 .../mdm/eap-configuration.md                  |  22 +-
 .../mdm/enable-admx-backed-policies-in-mdm.md |  12 +-
 ...dded-8-1-handheld-devices-to-windows-10.md |  44 ++--
 ...device-automatically-using-group-policy.md |  44 ++--
 .../mdm/enterprise-app-management.md          |   2 +-
 .../mdm/enterpriseappmanagement-csp.md        |   2 +-
 .../client-management/mdm/filesystem-csp.md   |   2 +-
 .../mdm/healthattestation-csp.md              |   2 +-
 windows/client-management/mdm/hotspot-csp.md  |   2 +-
 ...rver-side-mobile-application-management.md |   2 +-
 ...ent-tool-for-windows-store-for-business.md |   6 +-
 .../mdm/mdm-enrollment-of-windows-devices.md  |  76 +++----
 .../client-management/mdm/messaging-csp.md    |   2 +-
 .../mdm/mobile-device-enrollment.md           |   2 +-
 windows/client-management/mdm/napdef-csp.md   |   4 +-
 ...ew-in-windows-mdm-enrollment-management.md |  10 +-
 .../mdm/passportforwork-csp.md                |   4 +-
 .../policy-configuration-service-provider.md  |   2 +-
 .../mdm/policy-csp-deviceinstallation.md      |   8 +-
 .../mdm/policy-csp-mixedreality.md            |  28 +--
 .../mdm/policy-csp-system.md                  |  15 +-
 .../mdm/push-notification-windows-mdm.md      |  16 +-
 .../client-management/mdm/pxlogical-csp.md    |   4 +-
 ...ree-azure-active-directory-subscription.md |   6 +-
 .../mdm/securitypolicy-csp.md                 |   2 +-
 .../mdm/understanding-admx-backed-policies.md |   4 +-
 .../mdm/unifiedwritefilter-csp.md             |   2 +-
 windows/client-management/mdm/vpn-csp.md      |   2 +-
 .../mdm/w4-application-csp.md                 |   2 +-
 .../mdm/w7-application-csp.md                 |   2 +-
 windows/client-management/mdm/wifi-csp.md     |   2 +-
 .../mdm/windows-mdm-enterprise-settings.md    |   2 +-
 .../windowsadvancedthreatprotection-csp.md    |   2 +-
 .../mdm/wmi-providers-supported-in-windows.md |  60 +++---
 windows/client-management/quick-assist.md     |   2 +-
 .../troubleshoot-inaccessible-boot-device.md  |  16 +-
 .../troubleshoot-stop-errors.md               |   4 +-
 .../troubleshoot-tcpip-connectivity.md        |  16 +-
 .../troubleshoot-tcpip-netmon.md              |   8 +-
 .../troubleshoot-tcpip-port-exhaust.md        |  18 +-
 .../troubleshoot-tcpip-rpc-errors.md          |  10 +-
 .../windows-version-search.md                 |  10 +-
 .../configure-windows-10-taskbar.md           |  16 +-
 .../cortana-at-work/cortana-at-work-crm.md    |   4 +-
 .../cortana-at-work-powerbi.md                |  26 +--
 .../cortana-at-work-voice-commands.md         |   2 +-
 .../customize-and-export-start-layout.md      |   2 +-
 ...-10-start-screens-by-using-group-policy.md |   4 +-
 ...-by-using-provisioning-packages-and-icd.md |   2 +-
 ...ation-user-model-id-of-an-installed-app.md |   2 +-
 windows/configuration/kiosk-methods.md        |  12 +-
 windows/configuration/kiosk-prepare.md        |   4 +-
 windows/configuration/kiosk-shelllauncher.md  |   2 +-
 windows/configuration/kiosk-single-app.md     |  10 +-
 windows/configuration/kiosk-troubleshoot.md   |   2 +-
 .../lock-down-windows-10-applocker.md         |   8 +-
 .../lock-down-windows-10-to-specific-apps.md  |  14 +-
 .../manage-wifi-sense-in-enterprise.md        |   6 +-
 .../mobile-devices/lockdown-xml.md            |  30 +--
 .../mobile-lockdown-designer.md               |  28 +--
 .../provisioning-configure-mobile.md          |   6 +-
 .../mobile-devices/provisioning-nfc.md        |   2 +-
 ...kiosk-for-windows-10-for-mobile-edition.md |  12 +-
 .../mobile-devices/start-layout-xml-mobile.md |   2 +-
 windows/configuration/provisioning-apn.md     |   4 +-
 ...can-use-configuration-service-providers.md |  10 +-
 .../provision-pcs-for-initial-deployment.md   |   6 +-
 ...rovision-pcs-with-apps-and-certificates.md |   8 +-
 .../provision-pcs-with-apps.md                |  10 +-
 .../provisioning-apply-package.md             |  14 +-
 .../provisioning-create-package.md            |  10 +-
 .../provisioning-install-icd.md               |   2 +-
 .../provisioning-multivariant.md              |   2 +-
 .../provisioning-packages.md                  |   2 +-
 .../provisioning-script-to-install-app.md     |   4 +-
 .../set-up-shared-or-guest-pc.md              |   8 +-
 .../start-layout-troubleshoot.md              |  14 +-
 .../configuration/start-secondary-tiles.md    |   8 +-
 .../uev-deploy-uev-for-custom-applications.md |   2 +-
 windows/configuration/ue-v/uev-for-windows.md |   4 +-
 .../ue-v/uev-prepare-for-deployment.md        |  16 +-
 .../uev-upgrade-uev-from-previous-releases.md |   2 +-
 .../configuration/wcd/wcd-admxingestion.md    |   4 +-
 ...ws-10-start-layout-options-and-policies.md |   4 +-
 windows/configuration/windows-spotlight.md    |   8 +-
 windows/deployment/TOC.yml                    |   2 -
 .../deployment/deploy-enterprise-licenses.md  |   6 +-
 windows/deployment/deploy-m365.md             |   4 +-
 windows/deployment/deploy-whats-new.md        |   2 +-
 ...ystem-image-using-configuration-manager.md |   4 +-
 ...-windows-pe-using-configuration-manager.md |  16 +-
 ...e-boot-image-with-configuration-manager.md |  10 +-
 ...ence-with-configuration-manager-and-mdt.md |   4 +-
 ...-windows-10-using-configuration-manager.md |   4 +-
 ...-10-using-pxe-and-configuration-manager.md |  30 +--
 ...0-deployment-with-configuration-manager.md |  12 +-
 ...f-windows-10-with-configuration-manager.md |  22 +-
 ...-windows-10-using-configuration-manager.md |  22 +-
 ...-windows-10-using-configuration-manager.md |  24 +--
 ...to-windows-10-with-configuraton-manager.md |  16 +-
 .../assign-applications-using-roles-in-mdt.md |   6 +-
 ...d-environment-for-windows-10-deployment.md |  10 +-
 .../configure-mdt-settings.md                 |   2 +-
 .../create-a-windows-10-reference-image.md    |  28 +--
 .../deploy-a-windows-10-image-using-mdt.md    |  38 ++--
 ...d-with-the-microsoft-deployment-toolkit.md |   8 +-
 ...prepare-for-windows-deployment-with-mdt.md |  10 +-
 ...sh-a-windows-7-computer-with-windows-10.md |   6 +-
 ...s-7-computer-with-a-windows-10-computer.md |  12 +-
 .../set-up-mdt-for-bitlocker.md               |   6 +-
 ...ows-10-deployment-in-a-test-environment.md |   4 +-
 ...0-with-the-microsoft-deployment-toolkit.md |   8 +-
 .../use-orchestrator-runbooks-with-mdt.md     |  20 +-
 ...stage-windows-10-deployment-information.md |   8 +-
 .../use-web-services-in-mdt.md                |  16 +-
 windows/deployment/index.yml                  |   2 +-
 windows/deployment/mbr-to-gpt.md              |   2 +-
 ...compatibility-administrator-users-guide.md |   2 +-
 ...oyment-considerations-for-windows-to-go.md |  12 +-
 ...rstanding-and-using-compatibility-fixes.md |   4 +-
 .../deployment/planning/using-the-sua-tool.md |   2 +-
 .../planning/using-the-sua-wizard.md          |   2 +-
 .../windows-10-infrastructure-requirements.md |   2 +-
 windows/deployment/s-mode.md                  |   4 +-
 windows/deployment/update/PSFxWhitepaper.md   |   8 +-
 windows/deployment/update/WIP4Biz-intro.md    |   2 +-
 .../deployment/update/check-release-health.md |  12 +-
 .../update/deployment-service-overview.md     |   4 +-
 .../get-started-updates-channels-tools.md     |  12 +-
 .../update/how-windows-update-works.md        |  14 +-
 .../deployment/update/media-dynamic-update.md |   2 +-
 .../olympia/olympia-enrollment-guidelines.md  |  14 +-
 .../deployment/update/plan-define-strategy.md |   4 +-
 windows/deployment/update/safeguard-holds.md  |   2 +-
 ...update-compliance-delivery-optimization.md |   2 +-
 ...update-compliance-feature-update-status.md |   2 +-
 .../update-compliance-need-attention.md       |   2 +-
 ...pdate-compliance-security-update-status.md |   2 +-
 .../update/update-compliance-using.md         |   8 +-
 .../deployment/update/waas-configure-wufb.md  |   2 +-
 .../waas-delivery-optimization-setup.md       |   2 +-
 .../update/waas-delivery-optimization.md      |   2 +-
 ...aas-deployment-rings-windows-10-updates.md |  12 +-
 .../deployment/update/waas-integrate-wufb.md  |   2 +-
 .../update/waas-manage-updates-wsus.md        |  48 ++---
 .../update/waas-manage-updates-wufb.md        |  14 +-
 .../waas-optimize-windows-10-updates.md       |  16 +-
 windows/deployment/update/waas-overview.md    |  14 +-
 windows/deployment/update/waas-restart.md     |  19 +-
 ...s-servicing-channels-windows-10-updates.md |  24 +--
 .../update/waas-servicing-differences.md      |   6 +-
 ...s-servicing-strategy-windows-10-updates.md |  14 +-
 .../deployment/update/waas-wufb-csp-mdm.md    |  18 +-
 .../update/waas-wufb-group-policy.md          |  18 +-
 windows/deployment/update/waas-wufb-intune.md |  20 +-
 .../deployment/update/windows-update-logs.md  |  10 +-
 .../update/windows-update-overview.md         |   2 +-
 .../update/wufb-compliancedeadlines.md        |  12 +-
 .../deployment/update/wufb-manageupdate.md    |   2 +-
 windows/deployment/upgrade/quick-fixes.md     |   8 +-
 windows/deployment/upgrade/setupdiag.md       |  14 +-
 windows/deployment/upgrade/submit-errors.md   |   4 +-
 .../upgrade/troubleshoot-upgrade-errors.md    |  14 +-
 .../upgrade/windows-10-edition-upgrades.md    |  42 ++--
 .../upgrade/windows-error-reporting.md        |   2 +-
 .../usmt/migration-store-types-overview.md    |   2 +-
 .../usmt/usmt-common-migration-scenarios.md   |   4 +-
 ...ctive-directory-based-activation-client.md |  12 +-
 ...ivate-using-key-management-service-vamt.md |  12 +-
 .../activate-windows-10-clients-vamt.md       |   4 +-
 .../add-remove-computers-vamt.md              |   2 +-
 .../configure-client-computers-vamt.md        |   2 +-
 .../volume-activation/install-vamt.md         |   4 +-
 .../volume-activation/introduction-vamt.md    |   4 +-
 .../plan-for-volume-activation-client.md      |   6 +-
 .../scenario-online-activation-vamt.md        |   2 +-
 .../scenario-proxy-activation-vamt.md         |   2 +-
 ...olume-activation-management-tool-client.md |   4 +-
 .../volume-activation/vamt-known-issues.md    |   2 +-
 .../windows-10-deployment-posters.md          |   4 +-
 windows/deployment/windows-10-media.md        |   4 +-
 windows/deployment/windows-10-poc-mdt.md      |   4 +-
 .../windows-10-poc-sc-config-mgr.md           |  18 +-
 windows/deployment/windows-10-poc.md          |  16 +-
 .../windows-10-subscription-activation.md     |  14 +-
 .../demonstrate-deployment-on-vm.md           | 128 ++++++------
 .../windows-deployment-scenarios-and-tools.md |  28 +--
 .../privacy/Microsoft-DiagnosticDataViewer.md |   4 +-
 .../diagnostic-data-viewer-overview.md        |  16 +-
 ...system-components-to-microsoft-services.md | 192 +++++++++---------
 .../active-directory-accounts.md              |  30 +--
 .../access-control/local-accounts.md          |  16 +-
 .../access-control/security-identifiers.md    |   2 +-
 .../access-control/security-principals.md     |   2 +-
 .../identity-protection/configure-s-mime.md   |   8 +-
 .../credential-guard-how-it-works.md          |   2 +-
 .../credential-guard-manage.md                |   4 +-
 .../enterprise-certificate-pinning.md         |  12 +-
 .../feature-multifactor-unlock.md             |   4 +-
 .../hello-adequate-domain-controllers.md      |  10 +-
 .../hello-cert-trust-adfs.md                  |  20 +-
 .../hello-cert-trust-validate-ad-prereq.md    |   2 +-
 .../hello-deployment-rdp-certs.md             |   6 +-
 .../hello-errors-during-pin-creation.md       |   2 +-
 .../hello-feature-pin-reset.md                |   8 +-
 .../hello-feature-remote-desktop.md           |   2 +-
 .../hello-how-it-works-authentication.md      |  10 +-
 .../hello-how-it-works-provisioning.md        |  12 +-
 .../hello-hybrid-aadj-sso-base.md             |  52 ++---
 .../hello-hybrid-aadj-sso-cert.md             |  94 ++++-----
 .../hello-hybrid-cert-trust-devreg.md         |  18 +-
 .../hello-hybrid-cert-whfb-provision.md       |   8 +-
 .../hello-hybrid-key-whfb-provision.md        |   8 +-
 .../hello-key-trust-adfs.md                   |  20 +-
 .../hello-for-business/hello-overview.md      |   2 +-
 .../hello-prepare-people-to-use.md            |   6 +-
 .../passwordless-strategy.md                  |  20 +-
 .../retired/hello-how-it-works.md             |   2 +-
 .../remote-credential-guard.md                |   6 +-
 .../smart-card-and-remote-desktop-services.md |   2 +-
 .../smart-cards/smart-card-architecture.md    |   8 +-
 ...rt-card-certificate-propagation-service.md |   2 +-
 ...ertificate-requirements-and-enumeration.md |  12 +-
 .../smart-card-removal-policy-service.md      |   2 +-
 .../how-user-account-control-works.md         |  10 +-
 ...l-smart-card-deploy-virtual-smart-cards.md |   2 +-
 .../virtual-smart-card-evaluate-security.md   |   2 +-
 .../virtual-smart-card-get-started.md         |  22 +-
 ...tual-smart-card-use-virtual-smart-cards.md |   2 +-
 .../vpn/vpn-authentication.md                 |   2 +-
 .../vpn/vpn-auto-trigger-profile.md           |   4 +-
 .../vpn/vpn-conditional-access.md             |   2 +-
 .../vpn/vpn-connection-type.md                |   6 +-
 .../vpn/vpn-name-resolution.md                |   2 +-
 .../vpn/vpn-profile-options.md                |   2 +-
 .../identity-protection/vpn/vpn-routing.md    |   4 +-
 .../vpn/vpn-security-features.md              |   2 +-
 ...dential-theft-mitigation-guide-abstract.md |   2 +-
 .../bitlocker/bitlocker-countermeasures.md    |   4 +-
 .../bitlocker-deployment-comparison.md        |  48 ++---
 .../bitlocker-recovery-guide-plan.md          |  16 +-
 ...ve-encryption-tools-to-manage-bitlocker.md |   2 +-
 .../bitlocker/troubleshoot-bitlocker.md       |   4 +-
 .../ts-bitlocker-cannot-encrypt-issues.md     |   4 +-
 .../ts-bitlocker-decode-measured-boot-logs.md |  16 +-
 .../bitlocker/ts-bitlocker-intune-issues.md   |  38 ++--
 .../kernel-dma-protection-for-thunderbolt.md  |  10 +-
 .../secure-the-windows-10-boot-process.md     |   4 +-
 .../tpm/how-windows-uses-the-tpm.md           |   4 +-
 ...reate-and-verify-an-efs-dra-certificate.md |   2 +-
 ...e-vpn-and-wip-policy-using-intune-azure.md |   8 +-
 .../create-wip-policy-using-configmgr.md      |  40 ++--
 .../create-wip-policy-using-intune-azure.md   |  56 ++---
 .../deploy-wip-policy-using-intune-azure.md   |   2 +-
 .../wip-app-enterprise-context.md             |   4 +-
 .../wip-learning.md                           |   8 +-
 ...tion-based-protection-of-code-integrity.md |   4 +-
 .../coordinated-malware-eradication.md        |   2 +-
 .../intelligence/fileless-threats.md          |   4 +-
 .../intelligence/malware-naming.md            |   2 +-
 .../intelligence/phishing.md                  |   2 +-
 .../portal-submission-troubleshooting.md      |  14 +-
 .../intelligence/worms-malware.md             |   2 +-
 .../mbsa-removal-and-guidance.md              |   4 +-
 .../install-md-app-guard.md                   |   6 +-
 .../md-app-guard-overview.md                  |   2 +-
 .../test-scenarios-md-app-guard.md            |  34 ++--
 ...microsoft-defender-smartscreen-overview.md |   2 +-
 ...ender-smartscreen-set-individual-device.md |   2 +-
 ...tions-for-app-related-security-policies.md |   6 +-
 ...iew-of-threat-mitigations-in-windows-10.md |   4 +-
 ...-the-health-of-windows-10-based-devices.md |  26 +--
 ...-information-when-the-session-is-locked.md |   2 +-
 .../security-policy-settings.md               |   8 +-
 ...arding-to-assist-in-intrusion-detection.md |   8 +-
 .../windows-10-mobile-security-guide.md       |   2 +-
 .../LOB-win32-apps-on-s.md                    |   6 +-
 .../plan-for-applocker-policy-management.md   |   2 +-
 ...ent-setting-inheritance-in-group-policy.md |   2 +-
 ...the-applocker-policy-deployment-process.md |   2 +-
 ...s-defender-application-control-policies.md |   2 +-
 ...s-defender-application-control-policies.md |   2 +-
 ...or-windows-defender-application-control.md |   8 +-
 ...rt-windows-defender-application-control.md |  20 +-
 ...ion-control-policies-using-group-policy.md |   6 +-
 ...plication-control-policies-using-intune.md |   2 +-
 ...defender-application-control-management.md |   2 +-
 .../wdac-wizard-create-base-policy.md         |  10 +-
 .../wdac-wizard-create-supplemental-policy.md |  12 +-
 .../wdac-wizard-editing-policy.md             |   4 +-
 .../wdac-wizard-merging-policies.md           |   2 +-
 .../wdsc-account-protection.md                |   2 +-
 .../wdsc-app-browser-control.md               |   2 +-
 .../wdsc-customize-contact-information.md     |   4 +-
 .../wdsc-device-performance-health.md         |   2 +-
 .../wdsc-device-security.md                   |   2 +-
 .../wdsc-family-options.md                    |   2 +-
 .../wdsc-firewall-network-protection.md       |   2 +-
 .../wdsc-virus-threat-protection.md           |   2 +-
 .../wdsc-windows-10-in-s-mode.md              |   2 +-
 .../windows-defender-security-center.md       |  10 +-
 ...sed-root-of-trust-helps-protect-windows.md |   4 +-
 ...-guard-secure-launch-and-smm-protection.md |   8 +-
 .../best-practices-configuring.md             |  14 +-
 .../windows-firewall/boundary-zone.md         |   2 +-
 ...create-windows-firewall-rules-in-intune.md |   2 +-
 .../domain-isolation-policy-design-example.md |   2 +-
 .../domain-isolation-policy-design.md         |   2 +-
 .../filter-origin-documentation.md            |  10 +-
 .../firewall-policy-design-example.md         |   2 +-
 ...wall-with-advanced-security-design-plan.md |   2 +-
 .../windows-firewall/quarantine.md            |   4 +-
 ...n-accessing-sensitive-network-resources.md |   2 +-
 ...cess-to-only-specified-users-or-devices.md |   2 +-
 ...restrict-access-to-only-trusted-devices.md |   2 +-
 ...to-end-ipsec-connections-by-using-ikev2.md |   6 +-
 .../server-isolation-policy-design-example.md |   2 +-
 .../server-isolation-policy-design.md         |   2 +-
 ...-administration-with-windows-powershell.md |   4 +-
 .../windows-security-baselines.md             |   6 +-
 .../windows-security-baselines.md             |   6 +-
 windows/whats-new/contribute-to-a-topic.md    |  10 +-
 .../ltsc/whats-new-windows-10-2019.md         |  20 +-
 .../whats-new-windows-10-version-1703.md      |   8 +-
 .../whats-new-windows-10-version-1809.md      |  36 ++--
 .../whats-new-windows-10-version-1903.md      |   2 +-
 .../whats-new-windows-10-version-2004.md      |   2 +-
 410 files changed, 2121 insertions(+), 2137 deletions(-)

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index ef3a69ff52..75cb7255c8 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -20,7 +20,7 @@ We've tried to make editing an existing, public file as simple as possible.
 
 1. Go to the page on docs.microsoft.com that you want to update, and then click **Edit**.
 
-    ![GitHub Web, showing the Edit link.](images/contribute-link.png)
+    ![GitHub Web, showing the Edit link](images/contribute-link.png)
 
 2. Log into (or sign up for) a GitHub account.
     
@@ -28,7 +28,7 @@ We've tried to make editing an existing, public file as simple as possible.
 
 3. Click the **Pencil** icon (in the red box) to edit the content.
 
-    ![GitHub Web, showing the Pencil icon in the red box.](images/pencil-icon.png)
+    ![GitHub Web, showing the Pencil icon in the red box](images/pencil-icon.png)
 
 4. Using Markdown language, make your changes to the topic. For info about how to edit content using Markdown, see:
     - **If you're linked to the Microsoft organization in GitHub:** [Windows authoring guide](https://aka.ms/WindowsAuthoring)
@@ -37,11 +37,11 @@ We've tried to make editing an existing, public file as simple as possible.
 
 5. Make your suggested change, and then click **Preview Changes** to make sure it looks correct.
 
-    ![GitHub Web, showing the Preview Changes tab.](images/preview-changes.png)
+    ![GitHub Web, showing the Preview Changes tab](images/preview-changes.png)
 
 6. When you’re done editing the topic, scroll to the bottom of the page, and then click **Propose file change** to create a fork in your personal GitHub account.
 
-    ![GitHub Web, showing the Propose file change button.](images/propose-file-change.png)
+    ![GitHub Web, showing the Propose file change button](images/propose-file-change.png)
 
     The **Comparing changes** screen appears to see what the changes are between your fork and the original content.
 
@@ -49,7 +49,7 @@ We've tried to make editing an existing, public file as simple as possible.
 
     If there are no problems, you’ll see the message, **Able to merge**.
     
-    ![GitHub Web, showing the Comparing changes screen.](images/compare-changes.png)
+    ![GitHub Web, showing the Comparing changes screen](images/compare-changes.png)
 
 8. Click **Create pull request**.
 
diff --git a/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md b/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md
index d4f9600d8b..4fc4fb1ecc 100644
--- a/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md
+++ b/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md
@@ -34,11 +34,11 @@ Before you start, you need to make sure you have the following:
 
     1.  Go to the [Microsoft Security Bulletin](https://go.microsoft.com/fwlink/p/?LinkID=718223) page, and change the filter to **Windows Internet Explorer 11**.
 
-        ![microsoft security bulletin techcenter.](images/securitybulletin-filter.png)
+        ![microsoft security bulletin techcenter](images/securitybulletin-filter.png)
 
     2.  Click the title of the latest cumulative security update, and then scroll down to the **Affected software** table.
 
-        ![affected software section.](images/affectedsoftware.png)
+        ![affected software section](images/affectedsoftware.png)
 
     3.  Click the link that represents both your operating system version and Internet Explorer 11, and then follow the instructions in the **How to get this update** section.
 
@@ -280,13 +280,13 @@ You can collect your hardware inventory using the MOF Editor, while you’re con
 
 1.  From the Configuration Manager, click **Administration**, click **Client Settings**, double-click **Default Client Settings**, click **Hardware Inventory**, and then click **Set Classes**.
 
-    ![Configuration Manager, showing the hardware inventory settings for client computers.](images/configmgrhardwareinventory.png)
+    ![Configuration Manager, showing the hardware inventory settings for client computers](images/configmgrhardwareinventory.png)
 
 2.  Click **Add**, click **Connect**, and connect to a computer that has completed the setup process and has already existing classes.
 
 3.  Change the **WMI Namespace** to `root\cimv2\IETelemetry`, and click **Connect**.
 
-    ![Configuration Manager, with the Connect to Windows Management Instrumentation (WMI) box.](images/ie11-inventory-addclassconnectscreen.png)
+    ![Configuration Manager, with the Connect to Windows Management Instrumentation (WMI) box](images/ie11-inventory-addclassconnectscreen.png)
 
 4.  Select the check boxes next to the following classes, and then click **OK**:
 
@@ -393,12 +393,12 @@ The sample reports, **SCCM Report Sample – ActiveX.rdl** and **SCCM Report Sam
 ### SCCM Report Sample – ActiveX.rdl
 Gives you a list of all of the ActiveX-related sites visited by the client computer.
 
-![ActiveX.rdl report, lists all ActiveX-related sites visited by the client computer.](images/configmgractivexreport.png)
+![ActiveX.rdl report, lists all ActiveX-related sites visited by the client computer](images/configmgractivexreport.png)
 
 ### SCCM Report Sample – Site Discovery.rdl
 Gives you a list of all of the sites visited by the client computer.
 
-![Site Discovery.rdl report, lists all websites visited by the client computer.](images/ie-site-discovery-sample-report.png)
+![Site Discovery.rdl report, lists all websites visited by the client computer](images/ie-site-discovery-sample-report.png)
 
 ## View the collected XML data
 After the XML files are created, you can use your own solutions to extract and parse the data. The data will look like:
@@ -436,7 +436,7 @@ You can import this XML data into the correct version of the Enterprise Mode Sit
 
 1.  Open the Enterprise Mode Site List Manager, click **File**, and then click **Bulk add from file**.
 
-    ![Enterprise Mode Site List Manager with Bulk add from file option.](images/bulkadd-emiesitelistmgr.png)
+    ![Enterprise Mode Site List Manager with Bulk add from file option](images/bulkadd-emiesitelistmgr.png)
 
 2.  Go to your XML file to add the included sites to the tool, and then click **Open**.<br>Each site is validated and if successful, added to the global site list when you click **OK** to close the menu. If a site doesn’t pass validation, you can try to fix the issues or pick the site and click **Add to list** to ignore the validation problem. For more information about fixing validation problems, see [Fix validation problems using the Enterprise Mode Site List Manager](fix-validation-problems-using-the-enterprise-mode-site-list-manager.md).
 
diff --git a/browsers/enterprise-mode/set-up-enterprise-mode-logging-and-data-collection.md b/browsers/enterprise-mode/set-up-enterprise-mode-logging-and-data-collection.md
index 923d4dfe04..47322f0c03 100644
--- a/browsers/enterprise-mode/set-up-enterprise-mode-logging-and-data-collection.md
+++ b/browsers/enterprise-mode/set-up-enterprise-mode-logging-and-data-collection.md
@@ -27,11 +27,11 @@ ms.date: 07/27/2017
 
 Using Group Policy, you can turn on Enterprise Mode for Internet Explorer and then you can turn on local user control using the **Let users turn on and use Enterprise Mode from the Tools menu** setting, located in the `Administrative Templates\Windows Components\Internet Explorer` category path. After you turn this setting on, your users can turn on Enterprise Mode locally, from the IE **Tools** menu.
 
-![enterprise mode option on the tools menu.](images/ie-emie-toolsmenu.png)
+![enterprise mode option on the tools menu](images/ie-emie-toolsmenu.png)
 
 The **Let users turn on and use Enterprise Mode from the Tools menu** setting also lets you decide where to send the user reports (as a URL). We recommend creating a custom HTTP port 81 to let your incoming user information go to a dedicated site. A dedicated site is important so you can quickly pick out the Enterprise Mode traffic from your other website traffic.
 
-![group policy to turn on enterprise mode.](images/ie-emie-grouppolicy.png)
+![group policy to turn on enterprise mode](images/ie-emie-grouppolicy.png)
 
 Getting these reports lets you find out about sites that aren’t working right, so you can add them to your Enterprise Mode site list, without having to locate them all yourself. For more information about creating and using a site list, see the [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) or the [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md) topic, based on your operating system.
 
@@ -47,11 +47,11 @@ This lets you create an ASP form that accepts the incoming POST messages.
 
 3.  Open the Internet Information Services (IIS) Manager, click **Bindings**, highlight **Port 81**, click **Edit**, and then change the website information to point to Port 81 so it matches your custom-created port.
 
-    ![IIS Manager, editing website bindings.](images/ie-emie-editbindings.png)
+    ![IIS Manager, editing website bindings](images/ie-emie-editbindings.png)
 
 4.  Open the **Logging** feature, pick **W3C** for the format, and click **Select Fields** to open the **W3C Logging Fields** box.
 
-    ![IIS Manager, setting logging options.](images/ie-emie-logging.png)
+    ![IIS Manager, setting logging options](images/ie-emie-logging.png)
 
 5.  Change the WC3 logging fields to include only the **Date**, **Client IP**, **User Name**, and **URI Query** standard fields, and then click **OK**.<p>
 Using only these fields keeps the log file simple, giving you the date, client IP address, and the website URI information for any site changed by your users.
@@ -72,7 +72,7 @@ This code logs your POST fields to your IIS log file, where you can review all o
 ### IIS log file information
 This is what your log files will look like after you set everything up and at least one of your users has turned on Enterprise Mode locally from the **Tools** menu. You can see the URL of the problematic website and client IP address of the user that turned on Enterprise Mode.
 
-![Enterprise Mode log file.](images/ie-emie-logfile.png)
+![Enterprise Mode log file](images/ie-emie-logfile.png)
 
 
 ## Using the GitHub sample to collect your data
@@ -99,14 +99,14 @@ The required packages are automatically downloaded and included in the solution.
 
 1.  Right-click on the name, PhoneHomeSample, and click **Publish**.
 
-    ![Visual Studio, Publish menu.](images/ie-emie-publishsolution.png)
+    ![Visual Studio, Publish menu](images/ie-emie-publishsolution.png)
 
 2.  In the **Publish Web** wizard, pick the publishing target and options that work for your organization.
 
    **Important**<br>
    Make sure you have a database associated with your publishing target. Otherwise, your reports won’t be collected and you’ll have problems deploying the website. 
 
-    ![Visual Studio, Publish Web wizard.](images/ie-emie-publishweb.png)
+    ![Visual Studio, Publish Web wizard](images/ie-emie-publishweb.png)
 
    After you finish the publishing process, you need to test to make sure the app deployed successfully.
 
@@ -131,7 +131,7 @@ The required packages are automatically downloaded and included in the solution.
 -   Go to `https://<deploy_URL>/List` to see the report results.<p>
 If you’re already on the webpage, you’ll need to refresh the page to see the results.
 
-    ![Enterprise Mode Result report with details.](images/ie-emie-reportwdetails.png)
+    ![Enterprise Mode Result report with details](images/ie-emie-reportwdetails.png)
 
 
 ### Troubleshooting publishing errors
@@ -141,7 +141,7 @@ If you have errors while you’re publishing your project, you should try to upd
 
 1.  From the **Tools** menu of Microsoft Visual Studio, click **NuGet Package Manager**, and click **Manage NuGet Packages for Solution**.
 
-    ![Nuget Package Manager for package updates.](images/ie-emie-packageupdate.png)
+    ![Nuget Package Manager for package updates](images/ie-emie-packageupdate.png)
 
 2.  Click **Updates** on the left side of the tool, and click the **Update All** button.<p>
 You may need to do some additional package cleanup to remove older package versions.
diff --git a/browsers/enterprise-mode/turn-on-enterprise-mode-and-use-a-site-list.md b/browsers/enterprise-mode/turn-on-enterprise-mode-and-use-a-site-list.md
index 4573423115..4651adf5cf 100644
--- a/browsers/enterprise-mode/turn-on-enterprise-mode-and-use-a-site-list.md
+++ b/browsers/enterprise-mode/turn-on-enterprise-mode-and-use-a-site-list.md
@@ -9,7 +9,7 @@ centralized control, you can create one global list of websites that render usin
 1.  Open your Group Policy editor and go to the **Administrative Templates\\Windows Components\\Microsoft Edge\\Configure the Enterprise Mode     Site List** setting.<p>Turning this setting on also requires you to create and store a site list.
 
 <!-- 
-    ![Local Group Policy Editor for using a site list.](../edge/images/config-enterprise-site-list.png)
+    ![Local Group Policy Editor for using a site list](../edge/images/config-enterprise-site-list.png)
 -->
 
 2.  Click **Enabled**, and then in the **Options** area, type the location to your site list.
@@ -24,7 +24,7 @@ All of your managed devices must have access to this location if you want them t
 
 2.  Edit the `SiteList` registry key to point to where you want to keep your Enterprise Mode site list file.<p>For example:
     <!--
-    ![Enterprise mode with site list in the registry.](../edge/images/enterprise-mode-value-data.png) -->
+    ![Enterprise mode with site list in the registry](../edge/images/enterprise-mode-value-data.png) -->
 
     -   **HTTPS location:** `"SiteList"="https://localhost:8080/sites.xml"`
 
diff --git a/browsers/enterprise-mode/turn-on-local-control-and-logging-for-enterprise-mode.md b/browsers/enterprise-mode/turn-on-local-control-and-logging-for-enterprise-mode.md
index c8ef3d030c..b34f9be63f 100644
--- a/browsers/enterprise-mode/turn-on-local-control-and-logging-for-enterprise-mode.md
+++ b/browsers/enterprise-mode/turn-on-local-control-and-logging-for-enterprise-mode.md
@@ -33,7 +33,7 @@ Besides turning on this feature, you also have the option to provide a URL for E
 
 1.  Open your Group Policy editor and go to the **Administrative Templates\\Windows Components\\Internet Explorer\\Let users turn on and use Enterprise Mode from the Tools menu** setting.
 
-    ![group policy editor with emie setting.](images/ie-emie-editpolicy.png)
+    ![group policy editor with emie setting](images/ie-emie-editpolicy.png)
 
 2.  Click **Enabled**, and then in the **Options** area, type the location for where to receive reports about when your employees use this functionality to turn Enterprise Mode on or off from the **Tools** menu.
 
@@ -45,7 +45,7 @@ Besides turning on this feature, you also have the option to provide a URL for E
 
 3.  Right-click the **Enable** key, click **Modify**, and then type a **Value data** to point to a server that you can listen to for updates.
 
-    ![edit registry string for data collection location.](images/ie-emie-editregistrystring.png)
+    ![edit registry string for data collection location](images/ie-emie-editregistrystring.png)
 
 Your **Value data** location can be any of the following types:
 
diff --git a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
index 65fbb8eaaf..1acd936993 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
@@ -38,11 +38,11 @@ Before you start, you need to make sure you have the following:
 
     1.  Go to the [Microsoft Security Bulletin](/security-updates/) page, and change the filter to **Windows Internet Explorer 11**.
 
-        ![microsoft security bulletin techcenter.](images/securitybulletin-filter.png)
+        ![microsoft security bulletin techcenter](images/securitybulletin-filter.png)
 
     2.  Click the title of the latest cumulative security update, and then scroll down to the **Affected software** table.
 
-        ![affected software section.](images/affectedsoftware.png)
+        ![affected software section](images/affectedsoftware.png)
 
     3.  Click the link that represents both your operating system version and Internet Explorer 11, and then follow the instructions in the **How to get this update** section.
 
@@ -284,13 +284,13 @@ You can collect your hardware inventory using the MOF Editor, while you’re con
 
 1.  From the Configuration Manager, click **Administration**, click **Client Settings**, double-click **Default Client Settings**, click **Hardware Inventory**, and then click **Set Classes**.
 
-    ![Configuration Manager, showing the hardware inventory settings for client computers.](images/configmgrhardwareinventory.png)
+    ![Configuration Manager, showing the hardware inventory settings for client computers](images/configmgrhardwareinventory.png)
 
 2.  Click **Add**, click **Connect**, and connect to a computer that has completed the setup process and has already existing classes.
 
 3.  Change the **WMI Namespace** to `root\cimv2\IETelemetry`, and click **Connect**.
 
-    ![Configuration Manager, with the Connect to Windows Management Instrumentation (WMI) box.](images/ie11-inventory-addclassconnectscreen.png)
+    ![Configuration Manager, with the Connect to Windows Management Instrumentation (WMI) box](images/ie11-inventory-addclassconnectscreen.png)
 
 4.  Select the check boxes next to the following classes, and then click **OK**:
 
@@ -397,12 +397,12 @@ The sample reports, **SCCM Report Sample – ActiveX.rdl** and **SCCM Report Sam
 ### SCCM Report Sample – ActiveX.rdl
 Gives you a list of all of the ActiveX-related sites visited by the client computer.
 
-![ActiveX.rdl report, lists all ActiveX-related sites visited by the client computer.](images/configmgractivexreport.png)
+![ActiveX.rdl report, lists all ActiveX-related sites visited by the client computer](images/configmgractivexreport.png)
 
 ### SCCM Report Sample – Site Discovery.rdl
 Gives you a list of all of the sites visited by the client computer.
 
-![Site Discovery.rdl report, lists all websites visited by the client computer.](images/ie-site-discovery-sample-report.png)
+![Site Discovery.rdl report, lists all websites visited by the client computer](images/ie-site-discovery-sample-report.png)
 
 ## View the collected XML data
 After the XML files are created, you can use your own solutions to extract and parse the data. The data will look like:
@@ -440,7 +440,7 @@ You can import this XML data into the correct version of the Enterprise Mode Sit
 
 1.  Open the Enterprise Mode Site List Manager, click **File**, and then click **Bulk add from file**.
 
-    ![Enterprise Mode Site List Manager with Bulk add from file option.](images/bulkadd-emiesitelistmgr.png)
+    ![Enterprise Mode Site List Manager with Bulk add from file option](images/bulkadd-emiesitelistmgr.png)
 
 2.  Go to your XML file to add the included sites to the tool, and then click **Open**.<br>Each site is validated and if successful, added to the global site list when you click **OK** to close the menu. If a site doesn’t pass validation, you can try to fix the issues or pick the site and click **Add to list** to ignore the validation problem. For more information about fixing validation problems, see [Fix validation problems using the Enterprise Mode Site List Manager](fix-validation-problems-using-the-enterprise-mode-site-list-manager.md).
 
diff --git a/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md b/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md
index 5cfa201d18..e8d1ec3d7d 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md
@@ -48,7 +48,7 @@ The compatibility improvements made in IE11 lets older websites just work in the
 ## Document mode selection flowchart
 This flowchart shows how IE11 works when document modes are used.
 
-![Flowchart detailing how document modes are chosen in IE11.](images/docmode-decisions-sm.png)<br>
+![Flowchart detailing how document modes are chosen in IE11](images/docmode-decisions-sm.png)<br>
 [Click this link to enlarge image](img-ie11-docmode-lg.md)
 
 ## Known Issues with Internet Explorer 8 document mode in Enterprise Mode
diff --git a/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md
index 9ec7ddf862..333686dc07 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md
@@ -45,7 +45,7 @@ To see if this fix might help you, run through this process one step at a time,
 
 1.  Go to a site having compatibility problems, press **F12** to open the **F12 Developer Tools**, and go to the **Emulation** tool.
 
-    ![Emulation tool showing document mode selection.](images/docmode-f12.png)
+    ![Emulation tool showing document mode selection](images/docmode-f12.png)
 
 2.  Starting with the **11 (Default)** option, test your broken scenario.<br>
 If that doesn’t work, continue down to the next lowest document mode, stopping as soon as you find a document mode that fixes your problems. For more information about the Emulation tool, see [Emulate browsers, screen sizes, and GPS locations](/previous-versions/windows/internet-explorer/ie-developer/samples/dn255001(v=vs.85)).
@@ -62,7 +62,7 @@ There are two versions of the Enterprise Mode site list schema and the Enterpris
 
 1.  Open the Enterprise Mode Site List Manager, and click **Add**.
 
-    ![Enterprise Mode Site List Manager, showing the available modes.](images/emie-listmgr.png)
+    ![Enterprise Mode Site List Manager, showing the available modes](images/emie-listmgr.png)
 
 2.  Add the **URL** and pick the document mode from the **Launch in** box. This should be the same document mode you found fixed your problems while testing the site.<br>
 Similar to Enterprise Mode, you can specify a document mode for a particular web path—such as contoso.com/ERP—or at a domain level. In the above, the entire contoso.com domain loads in Enterprise Mode, while microsoft.com is forced to load into IE8 Document Mode and bing.com loads in IE11.
@@ -74,7 +74,7 @@ For more information about Enterprise Mode, see [What is Enterprise Mode?](what-
 ### Review your Enterprise Mode site list
 Take a look at your Enterprise Mode site list and make sure everything is the way you want it. The next step will be to turn the list on and start to use it in your company. The Enterprise Mode Site List Manager will look something like:
 
-![Enterprise Mode Site List Manager, showing the different modes.](images/emie-sitelistmgr.png)
+![Enterprise Mode Site List Manager, showing the different modes](images/emie-sitelistmgr.png)
 
 And the underlying XML code will look something like:
 
diff --git a/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md b/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md
index 4eed39657f..75283c1f64 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md
@@ -62,15 +62,15 @@ When IE blocks an outdated ActiveX control, you’ll see a notification bar simi
 
 **Internet Explorer 9 through Internet Explorer 11**
 
-![Warning about outdated activex controls (ie9+).](images/outdatedcontrolwarning.png)
+![Warning about outdated activex controls (ie9+)](images/outdatedcontrolwarning.png)
 
 **Windows Internet Explorer 8**
 
-![Warning about outdated activex controls (ie8).](images/ieoutdatedcontrolwarning.png)
+![Warning about outdated activex controls (ie8)](images/ieoutdatedcontrolwarning.png)
 
 Out-of-date ActiveX control blocking also gives you a security warning that tells you if a webpage tries to launch specific outdated apps, outside of IE:
 
-![Warning about outdated activex controls outside ie.](images/ieoutdatedcontroloutsideofie.png)
+![Warning about outdated activex controls outside ie](images/ieoutdatedcontroloutsideofie.png)
 
 
 ## How do I fix an outdated ActiveX control or app?
diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md b/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md
index 9424e5e32f..6edccdda73 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md
@@ -27,7 +27,7 @@ You can use the Group Policy setting, **Set a default associations configuration
 1.  Open your Group Policy editor and go to the **Computer Configuration\Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file** setting.<p>
 Turning this setting on also requires you to create and store a default associations configuration file, locally or on a network share. For more information about creating this file, see [Export or Import Default Application Associations]( https://go.microsoft.com/fwlink/p/?LinkId=618268).
 
-    ![set default associations group policy setting.](images/setdefaultbrowsergp.png)
+    ![set default associations group policy setting](images/setdefaultbrowsergp.png)
 
 2.  Click **Enabled**, and then in the **Options** area, type the location to your default associations configuration file.<p>
 If this setting is turned on and your employee's device is domain-joined, this file is processed and default associations are applied at logon. If this setting isn't configured or is turned off, or if your employee's device isn't domain-joined, no default associations are applied at logon.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md
index b42426f1d7..dd26f8e369 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md
@@ -31,11 +31,11 @@ ms.date: 07/27/2017
 
 Using Group Policy, you can turn on Enterprise Mode for Internet Explorer and then you can turn on local user control using the **Let users turn on and use Enterprise Mode from the Tools menu** setting, located in the `Administrative Templates\Windows Components\Internet Explorer` category path. After you turn this setting on, your users can turn on Enterprise Mode locally, from the IE **Tools** menu.
 
-![enterprise mode option on the tools menu.](images/ie-emie-toolsmenu.png)
+![enterprise mode option on the tools menu](images/ie-emie-toolsmenu.png)
 
 The **Let users turn on and use Enterprise Mode from the Tools menu** setting also lets you decide where to send the user reports (as a URL). We recommend creating a custom HTTP port 81 to let your incoming user information go to a dedicated site. A dedicated site is important so you can quickly pick out the Enterprise Mode traffic from your other website traffic.
 
-![group policy to turn on enterprise mode.](images/ie-emie-grouppolicy.png)
+![group policy to turn on enterprise mode](images/ie-emie-grouppolicy.png)
 
 Getting these reports lets you find out about sites that aren’t working right, so you can add them to your Enterprise Mode site list, without having to locate them all yourself. For more information about creating and using a site list, see the [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) or the [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md) topic, based on your operating system.
 
@@ -51,11 +51,11 @@ When you turn logging on, you need a valid URL that points to a server that can
 
 3. Open the Internet Information Services (IIS) Manager, click **Bindings**, highlight **Port 81**, click **Edit**, and then change the website information to point to Port 81 so it matches your custom-created port.
 
-   ![IIS Manager, editing website bindings.](images/ie-emie-editbindings.png)
+   ![IIS Manager, editing website bindings](images/ie-emie-editbindings.png)
 
 4. Open the **Logging** feature, pick **W3C** for the format, and click **Select Fields** to open the **W3C Logging Fields** box.
 
-   ![IIS Manager, setting logging options.](images/ie-emie-logging.png)
+   ![IIS Manager, setting logging options](images/ie-emie-logging.png)
 
 5. Change the WC3 logging fields to include only the **Date**, **Client IP**, **User Name**, and **URI Query** standard fields, and then click **OK**.<p>
    Using only these fields keeps the log file simple, giving you the date, client IP address, and the website URI information for any site changed by your users.
@@ -76,7 +76,7 @@ When you turn logging on, you need a valid URL that points to a server that can
 ### IIS log file information
 This is what your log files will look like after you set everything up and at least one of your users has turned on Enterprise Mode locally from the **Tools** menu. You can see the URL of the problematic website and client IP address of the user that turned on Enterprise Mode.
 
-![Enterprise Mode log file.](images/ie-emie-logfile.png)
+![Enterprise Mode log file](images/ie-emie-logfile.png)
 
 
 ## Using the GitHub sample to collect your data
@@ -103,14 +103,14 @@ For logging, you’re going to need a valid URL that points to a server that can
 
 5. Right-click on the name, PhoneHomeSample, and click **Publish**.
 
-   ![Visual Studio, Publish menu.](images/ie-emie-publishsolution.png)
+   ![Visual Studio, Publish menu](images/ie-emie-publishsolution.png)
 
 6. In the **Publish Web** wizard, pick the publishing target and options that work for your organization.
 
    **Important**<br>
    Make sure you have a database associated with your publishing target. Otherwise, your reports won’t be collected and you’ll have problems deploying the website. 
 
-   ![Visual Studio, Publish Web wizard.](images/ie-emie-publishweb.png)
+   ![Visual Studio, Publish Web wizard](images/ie-emie-publishweb.png)
 
    After you finish the publishing process, you need to test to make sure the app deployed successfully.
 
@@ -135,7 +135,7 @@ For logging, you’re going to need a valid URL that points to a server that can
 -   Go to `https://<deploy_URL>/List` to see the report results.<p>
 If you’re already on the webpage, you’ll need to refresh the page to see the results.
 
-    ![Enterprise Mode Result report with details.](images/ie-emie-reportwdetails.png)
+    ![Enterprise Mode Result report with details](images/ie-emie-reportwdetails.png)
 
 
 ### Troubleshooting publishing errors
@@ -145,7 +145,7 @@ If you have errors while you’re publishing your project, you should try to upd
 
 1.  From the **Tools** menu of Microsoft Visual Studio, click **NuGet Package Manager**, and click **Manage NuGet Packages for Solution**.
 
-    ![Nuget Package Manager for package updates.](images/ie-emie-packageupdate.png)
+    ![Nuget Package Manager for package updates](images/ie-emie-packageupdate.png)
 
 2.  Click **Updates** on the left side of the tool, and click the **Update All** button.<p>
 You may need to do some additional package cleanup to remove older package versions.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md b/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md
index ec77071c73..14bd40e745 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md
@@ -28,7 +28,7 @@ Jump to:
 
 [Enterprise Mode for Internet Explorer 11](enterprise-mode-overview-for-ie11.md) can be very effective in providing backward compatibility for older web apps. The Enterprise Mode Site List includes the ability to put any web app in any document mode, include IE8 and IE7 Enterprise Modes, without changing a single line of code on the website.
 
-![Internet Explorer Enterprise Modes and document modes.](images/img-enterprise-mode-site-list-xml.jpg)
+![Internet Explorer Enterprise Modes and document modes](images/img-enterprise-mode-site-list-xml.jpg)
 
 Sites in the \<docMode\> section can be rendered in any document mode, as shown in blue above. Some sites designed for older versions of Internet Explorer may require better backward compatibility, and these can leverage the \<emie\> section of the Enterprise Mode Site List. IE8 Enterprise Mode provides higher-fidelity emulation for Internet Explorer 8 by using, among other improvements, the original Internet Explorer 8 user agent string. IE7 Enterprise Mode further improves emulation by adding Compatibility View.  
   
@@ -84,7 +84,7 @@ To see if the site works in the Internet Explorer 5, Internet Explorer 7, Intern
 
 -   Open the site in Internet Explorer 11, load the F12 tools by pressing the **F12** key or by selecting **F12 Developer Tools** from the **Tools** menu, and select the **Emulation** tab.  
 
-    ![F12 Developer Tools Emulation tab.](images/img-f12-developer-tools-emulation.jpg)
+    ![F12 Developer Tools Emulation tab](images/img-f12-developer-tools-emulation.jpg)
 
 -   Run the site in each document mode until you find the mode in which the site works.
  
diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md
index 1b32fa64ad..8c84054dc3 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md
@@ -39,7 +39,7 @@ Before you can use a site list with Enterprise Mode, you need to turn the functi
 1. Open your Group Policy editor and go to the `Administrative Templates\Windows Components\Internet Explorer\Use the Enterprise Mode IE website list` setting.<p>
    Turning this setting on also requires you to create and store a site list. For more information about creating your site list, see the [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) topics.
 
-   ![local group policy editor for using a site list.](images/ie-emie-grouppolicysitelist.png)
+   ![local group policy editor for using a site list](images/ie-emie-grouppolicysitelist.png)
 
 2. Click **Enabled**, and then in the **Options** area, type the location to your site list.
 
@@ -51,7 +51,7 @@ Before you can use a site list with Enterprise Mode, you need to turn the functi
 
 4. Edit the `SiteList` registry key to point to where you want to keep your Enterprise Mode site list file. For example:
 
-   ![enterprise mode with site list in the registry.](images/ie-emie-registrysitelist.png)
+   ![enterprise mode with site list in the registry](images/ie-emie-registrysitelist.png)
 
    -   **HTTPS location**: `"SiteList"="https://localhost:8080/sites.xml"`
 
diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md
index 897b27ceed..b4db0fb7a4 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md
@@ -37,7 +37,7 @@ Besides turning on this feature, you also have the option to provide a URL for E
 
 1. Open your Group Policy editor and go to the **Administrative Templates\\Windows Components\\Internet Explorer\\Let users turn on and use Enterprise Mode from the Tools menu** setting.
 
-   ![group policy editor with emie setting.](images/ie-emie-editpolicy.png)
+   ![group policy editor with emie setting](images/ie-emie-editpolicy.png)
 
 2. Click **Enabled**, and then in the **Options** area, type the location for where to receive reports about when your employees use this functionality to turn Enterprise Mode on or off from the **Tools** menu.
 
@@ -49,7 +49,7 @@ Besides turning on this feature, you also have the option to provide a URL for E
 
 5. Right-click the **Enable** key, click **Modify**, and then type a **Value data** to point to a server that you can listen to for updates.
 
-   ![edit registry string for data collection location.](images/ie-emie-editregistrystring.png)
+   ![edit registry string for data collection location](images/ie-emie-editregistrystring.png)
 
 Your **Value data** location can be any of the following types:
 
diff --git a/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md b/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md
index 54ae269373..fd6904f4a8 100644
--- a/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md
@@ -33,32 +33,32 @@ During installation, you must pick a version of IEAK 11, either **External** or
 
 |                  Feature                  |                                     Internal                                     |                                       External                                       |
 |-------------------------------------------|:--------------------------------------------------------------------------------:|:------------------------------------------------------------------------------------:|
-|              Welcome screen               | ![Available.](/microsoft-edge/deploy/images/148767.png) |   ![Available](/microsoft-edge/deploy/images/148767.png)   |
-|              File locations               | ![Available.](/microsoft-edge/deploy/images/148767.png) |   ![Available](/microsoft-edge/deploy/images/148767.png)   |
-|            Platform selection             | ![Available.](/microsoft-edge/deploy/images/148767.png) |   ![Available](/microsoft-edge/deploy/images/148767.png)   |
-|            Language selection             | ![Available.](/microsoft-edge/deploy/images/148767.png) |   ![Available](/microsoft-edge/deploy/images/148767.png)   |
-|          Package type selection           | ![Available.](/microsoft-edge/deploy/images/148767.png) |   ![Available](/microsoft-edge/deploy/images/148767.png)   |
-|             Feature selection             | ![Available.](/microsoft-edge/deploy/images/148767.png) |   ![Available](/microsoft-edge/deploy/images/148767.png)   |
-|  Automatic Version Synchronization (AVS)  | ![Available.](/microsoft-edge/deploy/images/148767.png) |   ![Available](/microsoft-edge/deploy/images/148767.png)   |
-|             Custom components             | ![Available.](/microsoft-edge/deploy/images/148767.png) |   ![Available](/microsoft-edge/deploy/images/148767.png)   |
-|             Internal install              | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Not available](/microsoft-edge/deploy/images/148766.png) |
-|              User experience              | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Not available](/microsoft-edge/deploy/images/148766.png) |
-|          Browser user interface           | ![Available.](/microsoft-edge/deploy/images/148767.png) |   ![Available](/microsoft-edge/deploy/images/148767.png)   |
-|             Search providers              | ![Available.](/microsoft-edge/deploy/images/148767.png) |   ![Available](/microsoft-edge/deploy/images/148767.png)   |
-|  Important URLs – Home page and support   | ![Available.](/microsoft-edge/deploy/images/148767.png) |   ![Available](/microsoft-edge/deploy/images/148767.png)   |
-|               Accelerators                | ![Available.](/microsoft-edge/deploy/images/148767.png) |   ![Available](/microsoft-edge/deploy/images/148767.png)   |
-|    Favorites, Favorites bar, and feeds    | ![Available.](/microsoft-edge/deploy/images/148767.png) |   ![Available](/microsoft-edge/deploy/images/148767.png)   |
-|             Browsing options              | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Not available](/microsoft-edge/deploy/images/148766.png) |
-| First Run wizard and Welcome page options | ![Available.](/microsoft-edge/deploy/images/148767.png) |   ![Available](/microsoft-edge/deploy/images/148767.png)   |
-|            Connection manager             | ![Available.](/microsoft-edge/deploy/images/148767.png) |   ![Available](/microsoft-edge/deploy/images/148767.png)   |
-|            Connection settings            | ![Available.](/microsoft-edge/deploy/images/148767.png) |   ![Available](/microsoft-edge/deploy/images/148767.png)   |
-|          Automatic configuration          | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Not available](/microsoft-edge/deploy/images/148766.png) |
-|              Proxy settings               | ![Available.](/microsoft-edge/deploy/images/148767.png) |   ![Available](/microsoft-edge/deploy/images/148767.png)   |
-|       Security and privacy settings       | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Not available](/microsoft-edge/deploy/images/148766.png) |
-|          Add a root certificate           | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Not available](/microsoft-edge/deploy/images/148766.png) |
-|                 Programs                  | ![Available.](/microsoft-edge/deploy/images/148767.png) |   ![Available](/microsoft-edge/deploy/images/148767.png)   |
-|            Additional settings            | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Not available](/microsoft-edge/deploy/images/148766.png) |
-|              Wizard complete              | ![Available.](/microsoft-edge/deploy/images/148767.png) |   ![Available](/microsoft-edge/deploy/images/148767.png)   |
+|              Welcome screen               | ![Available](/microsoft-edge/deploy/images/148767.png) |   ![Available](/microsoft-edge/deploy/images/148767.png)   |
+|              File locations               | ![Available](/microsoft-edge/deploy/images/148767.png) |   ![Available](/microsoft-edge/deploy/images/148767.png)   |
+|            Platform selection             | ![Available](/microsoft-edge/deploy/images/148767.png) |   ![Available](/microsoft-edge/deploy/images/148767.png)   |
+|            Language selection             | ![Available](/microsoft-edge/deploy/images/148767.png) |   ![Available](/microsoft-edge/deploy/images/148767.png)   |
+|          Package type selection           | ![Available](/microsoft-edge/deploy/images/148767.png) |   ![Available](/microsoft-edge/deploy/images/148767.png)   |
+|             Feature selection             | ![Available](/microsoft-edge/deploy/images/148767.png) |   ![Available](/microsoft-edge/deploy/images/148767.png)   |
+|  Automatic Version Synchronization (AVS)  | ![Available](/microsoft-edge/deploy/images/148767.png) |   ![Available](/microsoft-edge/deploy/images/148767.png)   |
+|             Custom components             | ![Available](/microsoft-edge/deploy/images/148767.png) |   ![Available](/microsoft-edge/deploy/images/148767.png)   |
+|             Internal install              | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Not available](/microsoft-edge/deploy/images/148766.png) |
+|              User experience              | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Not available](/microsoft-edge/deploy/images/148766.png) |
+|          Browser user interface           | ![Available](/microsoft-edge/deploy/images/148767.png) |   ![Available](/microsoft-edge/deploy/images/148767.png)   |
+|             Search providers              | ![Available](/microsoft-edge/deploy/images/148767.png) |   ![Available](/microsoft-edge/deploy/images/148767.png)   |
+|  Important URLs – Home page and support   | ![Available](/microsoft-edge/deploy/images/148767.png) |   ![Available](/microsoft-edge/deploy/images/148767.png)   |
+|               Accelerators                | ![Available](/microsoft-edge/deploy/images/148767.png) |   ![Available](/microsoft-edge/deploy/images/148767.png)   |
+|    Favorites, Favorites bar, and feeds    | ![Available](/microsoft-edge/deploy/images/148767.png) |   ![Available](/microsoft-edge/deploy/images/148767.png)   |
+|             Browsing options              | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Not available](/microsoft-edge/deploy/images/148766.png) |
+| First Run wizard and Welcome page options | ![Available](/microsoft-edge/deploy/images/148767.png) |   ![Available](/microsoft-edge/deploy/images/148767.png)   |
+|            Connection manager             | ![Available](/microsoft-edge/deploy/images/148767.png) |   ![Available](/microsoft-edge/deploy/images/148767.png)   |
+|            Connection settings            | ![Available](/microsoft-edge/deploy/images/148767.png) |   ![Available](/microsoft-edge/deploy/images/148767.png)   |
+|          Automatic configuration          | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Not available](/microsoft-edge/deploy/images/148766.png) |
+|              Proxy settings               | ![Available](/microsoft-edge/deploy/images/148767.png) |   ![Available](/microsoft-edge/deploy/images/148767.png)   |
+|       Security and privacy settings       | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Not available](/microsoft-edge/deploy/images/148766.png) |
+|          Add a root certificate           | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Not available](/microsoft-edge/deploy/images/148766.png) |
+|                 Programs                  | ![Available](/microsoft-edge/deploy/images/148767.png) |   ![Available](/microsoft-edge/deploy/images/148767.png)   |
+|            Additional settings            | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Not available](/microsoft-edge/deploy/images/148766.png) |
+|              Wizard complete              | ![Available](/microsoft-edge/deploy/images/148767.png) |   ![Available](/microsoft-edge/deploy/images/148767.png)   |
 
 ---
 
diff --git a/education/trial-in-a-box/educator-tib-get-started.md b/education/trial-in-a-box/educator-tib-get-started.md
index bbf1be6015..d0251e80ba 100644
--- a/education/trial-in-a-box/educator-tib-get-started.md
+++ b/education/trial-in-a-box/educator-tib-get-started.md
@@ -24,13 +24,13 @@ manager: dansimp
 
 | Tool | Description |
 | :---: |:--- |
-| [![Connect the device to Wi-Fi.](images/edu-TIB-setp-1-v3.png)](#edu-task1) | [Log in](#edu-task1) to **Device A** with your Teacher credentials and connect to the school network. |
-| [![Try Learning Tools Immersive Reader.](images/edu-TIB-setp-2-v3.png)](#edu-task2) | **Interested in significantly improving your students' reading speed and comprehension?<sup>[1](#footnote1)</sup>** </br>Try the [Learning Tools Immersive Reader](#edu-task2) to see how kids can learn to read faster, using text read aloud, and highlighting words for syntax. |
-| [![Launch Microsoft Teams.](images/edu-TIB-setp-3-v3.png)](#edu-task3) | **Looking to foster collaboration, communication, and critical thinking in the classroom?** </br>Launch [Microsoft Teams](#edu-task3) and learn how to set up digital classroom discussions, respond to student questions, and organize class content. |
-| [![Open OneNote.](images/edu-TIB-setp-4-v3.png)](#edu-task4) | **Trying to expand classroom creativity and interaction between students?** </br>Open [OneNote](#edu-task4) and create an example group project for your class. |
-| [![Try Photos app.](images/edu-tib-setp-5-v4.png)](#edu-task5) | **Curious about telling stories through video?** </br>Try the [Photos app](#edu-task5) to make your own example video. |
-| [![Play with Minecraft: Education Edition.](images/edu-tib-setp-6-v4.png)](#edu-task6) | **Want to teach kids to further collaborate and problem solve?** </br>Play with [Minecraft: Education Edition](#edu-task6) to see how it can be used as a collaborative and versatile platform across subjects to encourage 21st century skills. |
-| [![Do Math with Windows Ink.](images/edu-tib-setp-7-v1.png)](#edu-task7) | **Want to provide a personal math tutor for your students?** </br>Use [Windows Ink and the Math Assistant feature](#edu-task7) in OneNote to give students step-by-step instructions and interactive 2D graphs for math problems. |
+| [![Connect the device to Wi-Fi](images/edu-TIB-setp-1-v3.png)](#edu-task1) | [Log in](#edu-task1) to **Device A** with your Teacher credentials and connect to the school network. |
+| [![Try Learning Tools Immersive Reader](images/edu-TIB-setp-2-v3.png)](#edu-task2) | **Interested in significantly improving your students' reading speed and comprehension?<sup>[1](#footnote1)</sup>** </br>Try the [Learning Tools Immersive Reader](#edu-task2) to see how kids can learn to read faster, using text read aloud, and highlighting words for syntax. |
+| [![Launch Microsoft Teams](images/edu-TIB-setp-3-v3.png)](#edu-task3) | **Looking to foster collaboration, communication, and critical thinking in the classroom?** </br>Launch [Microsoft Teams](#edu-task3) and learn how to set up digital classroom discussions, respond to student questions, and organize class content. |
+| [![Open OneNote](images/edu-TIB-setp-4-v3.png)](#edu-task4) | **Trying to expand classroom creativity and interaction between students?** </br>Open [OneNote](#edu-task4) and create an example group project for your class. |
+| [![Try Photos app](images/edu-tib-setp-5-v4.png)](#edu-task5) | **Curious about telling stories through video?** </br>Try the [Photos app](#edu-task5) to make your own example video. |
+| [![Play with Minecraft: Education Edition](images/edu-tib-setp-6-v4.png)](#edu-task6) | **Want to teach kids to further collaborate and problem solve?** </br>Play with [Minecraft: Education Edition](#edu-task6) to see how it can be used as a collaborative and versatile platform across subjects to encourage 21st century skills. |
+| [![Do Math with Windows Ink](images/edu-tib-setp-7-v1.png)](#edu-task7) | **Want to provide a personal math tutor for your students?** </br>Use [Windows Ink and the Math Assistant feature](#edu-task7) in OneNote to give students step-by-step instructions and interactive 2D graphs for math problems. |
 
 
 </br>
@@ -41,7 +41,7 @@ manager: dansimp
 </br>
 
 
-![Log in to Device A and connect to the school network.](images/edu-TIB-setp-1-jump.png)
+![Log in to Device A and connect to the school network](images/edu-TIB-setp-1-jump.png)
 ## <a name="edu-task1"></a>1. Log in and connect to the school network
 To try out the educator tasks, start by logging in as a teacher.
 
@@ -55,7 +55,7 @@ To try out the educator tasks, start by logging in as a teacher.
 </br>
 </br>
 
-![Improve student reading speed and comprehension.](images/edu-TIB-setp-2-jump.png)
+![Improve student reading speed and comprehension](images/edu-TIB-setp-2-jump.png)
 ## <a name="edu-task2"></a>2. Significantly improve student reading speed and comprehension
 
 > [!VIDEO https://www.youtube.com/embed/GCzSAslq_2Y]
@@ -78,7 +78,7 @@ Learning Tools and the Immersive Reader can be used in the Microsoft Edge browse
 
 4. Select the **Immersive Reader** button.
 
-   ![Word's Immersive Reader.](images/word_online_immersive_reader.png)
+   ![Word's Immersive Reader](images/word_online_immersive_reader.png)
 
 5. Press the **Play** button to hear text read aloud.
 
@@ -86,14 +86,14 @@ Learning Tools and the Immersive Reader can be used in the Microsoft Edge browse
 
    | Text to Speech | Text Preferences | Grammar Options | Line Focus |
    | :------------: | :--------------: | :-------------: | :--------: |
-   | ![Word Text to Speech.](images/wordonline_tts.png) | ![Word Text Preferences](images/wordonline_text_preferences.png) | ![Word Grammar Options](images/wordonline_grammar_options.png) | ![Word Line Focus](images/wordonline_line_focus.png) |
+   | ![Word Text to Speech](images/wordonline_tts.png) | ![Word Text Preferences](images/wordonline_text_preferences.png) | ![Word Grammar Options](images/wordonline_grammar_options.png) | ![Word Line Focus](images/wordonline_line_focus.png) |
 
 </br>
 </br>
 
 
 
-![Spark communication, critical thinking, and creativity with Microsoft Teams.](images/edu-TIB-setp-3-jump.png)
+![Spark communication, critical thinking, and creativity with Microsoft Teams](images/edu-TIB-setp-3-jump.png)
 ## <a name="edu-task3"></a>3. Spark communication, critical thinking, and creativity in the classroom
 
 > [!VIDEO https://www.youtube.com/embed/riQr4Dqb8B8]
@@ -114,7 +114,7 @@ Take a guided tour of Microsoft Teams and test drive this digital hub.
 </br>
 </br>
 
-![Expand classroom collaboration and interaction with OneNote.](images/edu-TIB-setp-4-jump.png)
+![Expand classroom collaboration and interaction with OneNote](images/edu-TIB-setp-4-jump.png)
 ## <a name="edu-task4"></a>4. Expand classroom collaboration and interaction between students
 
 > [!VIDEO https://www.youtube.com/embed/dzDSWMb_fIE]
@@ -135,16 +135,16 @@ When you're not using the pen, just use the magnet to stick it to the left side
 3. Follow the instructions for the project. Look for the **Try this!** callouts to experiment with these engaging activities.
    - Discover the power of digital ink by selecting the Draw tab. Choose your pen and get scribbling.
 
-     ![OneNote Draw tab.](images/onenote_draw.png)
+     ![OneNote Draw tab](images/onenote_draw.png)
 
    - Type anywhere on the page! Just click your cursor where you want to place text.
    - Use the checkmark in the **Home** tab to keep track of completed tasks.
 
-     ![OneNote To Do Tag.](images/onenote_checkmark.png)
+     ![OneNote To Do Tag](images/onenote_checkmark.png)
 
    - To find information without leaving OneNote, use the Researcher tool found under the Insert tab.
 
-     ![OneNote Researcher.](images/onenote_researcher.png)
+     ![OneNote Researcher](images/onenote_researcher.png)
 
 </br>
 </br>
@@ -178,7 +178,7 @@ Use video to create a project summary.
 
 8. Drag the videos to the Storyboard, one by one. Your project should look roughly like this:
 
-   ![Photos app layout showing videos added in previous steps.](images/photo_app_1.png)
+   ![Photos app layout showing videos added in previous steps](images/photo_app_1.png)
 
 9. Select the first card in the Storyboard (the video of the project materials) and select **Text**, type a title in, a text style, a layout, and select **Done**.
 
@@ -191,7 +191,7 @@ Use video to create a project summary.
     4. Play back your effect.
     5. Select **Done** when you have it where you want it.
 
-    ![Lighting bolt effect being added to a video clip.](images/photo_app_2.png)
+    ![Lighting bolt effect being added to a video clip](images/photo_app_2.png)
 
 12. Select **Music** and select a track from the **Recommended** music collection.
     1. The music will update automatically to match the length of your video project, even as you make changes.
@@ -208,7 +208,7 @@ Check out this use case video of the Photos team partnering with the Bureau Of F
 </br>
 </br>
 
-![Further collaborate and problem solve with Minecraft: Education Edition.](images/edu-TIB-setp-5-jump.png)
+![Further collaborate and problem solve with Minecraft: Education Edition](images/edu-TIB-setp-5-jump.png)
 ## <a name="edu-task6"></a>6. Get kids to further collaborate and problem solve
 
 > [!VIDEO https://www.youtube.com/embed/QI_bRNUugog]
@@ -226,7 +226,7 @@ Today, we'll explore a Minecraft world through the eyes of a student.
 
 3. Scroll down to the **Details** section and select **Download World**.
 
-   ![Select the download world link.](images/mcee_downloadworld.png)
+   ![Select the download world link](images/mcee_downloadworld.png)
 
 4. When prompted, save the world.
 
@@ -250,7 +250,7 @@ Today, we'll explore a Minecraft world through the eyes of a student.
 
     To try more advanced movements or building within Minecraft, use the Minecraft Controls Diagram.
 
-    ![Minecraft mouse and keyboard controls.](images/mcee_keyboard_mouse_controls.png)
+    ![Minecraft mouse and keyboard controls](images/mcee_keyboard_mouse_controls.png)
 
 12. Access and adapt over 300 lesson plans, spanning all grades and subjects, to meet your needs. Enjoy exploring new worlds and happy crafting.
 
@@ -260,13 +260,13 @@ Today, we'll explore a Minecraft world through the eyes of a student.
     2. Click **Class Resources**.
     3. Click **Find a Lesson**.
 
-    ![Access and adapt over 300 Minecraft lesson plans.](images/minecraft_lesson_plans.png)
+    ![Access and adapt over 300 Minecraft lesson plans](images/minecraft_lesson_plans.png)
 
 </br>
 </br>
 </br>
 
-![Help students understand new math concepts with the Math Assistant in OneNote.](images/Inking.png)
+![Help students understand new math concepts with the Math Assistant in OneNote](images/Inking.png)
 ## <a name="edu-task7"></a>7. Use Windows Ink to provide a personal math tutor for your students
 
 The **Math Assistant** and **Ink Replay** features available in the OneNote app give your students step-by-step instructions on how to solve their math problems and help them visualize math functions on an interactive 2D graph.
@@ -275,15 +275,15 @@ The **Math Assistant** and **Ink Replay** features available in the OneNote app
 To get started:
 1. Open the OneNote app for Windows 10 (not OneNote 2016).
 
-   ![OneNote icon.](images/OneNote_logo.png)
+   ![OneNote icon](images/OneNote_logo.png)
 
 2. In the top left corner, click on the **<** arrow to access your notebooks and pages.
 
-   ![OneNote back arrow navigation button.](images/left_arrow.png)
+   ![OneNote back arrow navigation button](images/left_arrow.png)
 
 3. Click **Add Page** to launch a blank work space.
 
-   ![Select add page button.](images/plus-page.png)
+   ![Select add page button](images/plus-page.png)
 
 4. Make sure your pen is paired to the device. To pair, see <a href="https://support.microsoft.com/help/12383" target="_blank">Connect to Bluetooth devices</a>.
 
@@ -292,26 +292,26 @@ To solve the equation 3x+4=7, follow these instructions:
 
 2. If you wrote the equation using digital ink, use the **Lasso tool** to circle the equation. If you typed the equation, highlight it using your mouse.
 
-   ![Lasso button.](images/lasso.png)
+   ![Lasso button](images/lasso.png)
 
 3. On the **Draw** tab, click the **Math** button.
 
-   ![Math button.](images/math-button.png)
+   ![Math button](images/math-button.png)
 
 4. From the drop-down menu in the **Math** pane, select the option to **Solve for x**. You can now see the final solution of the equation.
 
-   ![Solve for x menu.](images/solve-for-x.png)
+   ![Solve for x menu](images/solve-for-x.png)
 
 5. From the second drop-down below, choose **Steps for Solving Linear Formula**, which shows you the step-by-step solution of this equation.
 
 6. On the **View** tab, click the **Replay** button. Use your mouse to select the written equation and watch your text in replay. Replay is great for students to review how the teacher solved the equation and for teachers to review how students approached a problem.
 
-   ![Replay button.](images/replay.png)
+   ![Replay button](images/replay.png)
 
 To graph the equation 3x+4=7, follow these instructions:
 1. From the drop-down menu in the **Math** pane, select the option to **Graph Both Sides in 2D**. You can play with the interactive graph of your equation - use a single finger to move the graph position or two fingers to change the **zoom** level.
 
-   ![Graph both sides in 2D.](images/graph-for-x.png)
+   ![Graph both sides in 2D](images/graph-for-x.png)
 
 2. Click the **Insert on Page** button below the graph to add a screenshot of the graph to your page.
    </br>
diff --git a/education/trial-in-a-box/index.md b/education/trial-in-a-box/index.md
index 5f1c865bce..f21a0ddcf4 100644
--- a/education/trial-in-a-box/index.md
+++ b/education/trial-in-a-box/index.md
@@ -16,7 +16,7 @@ ms.date: 12/11/2017
 
 # Microsoft Education Trial in a Box
 
-![Microsoft Education Trial in a Box - Unlock Limitless Learning.](images/Unlock-Limitless-Learning.png)
+![Microsoft Education Trial in a Box - Unlock Limitless Learning](images/Unlock-Limitless-Learning.png)
 
 </br>
 
@@ -28,7 +28,7 @@ Welcome to Microsoft Education Trial in a Box. We built this trial to make it ea
 
 </br>
 
-| [![Get started for Educators.](images/teacher_rotated_resized.png)](educator-tib-get-started.md) | [![Get started for IT Admins](images/itadmin_rotated_resized.png)](itadmin-tib-get-started.md) |
+| [![Get started for Educators](images/teacher_rotated_resized.png)](educator-tib-get-started.md) | [![Get started for IT Admins](images/itadmin_rotated_resized.png)](itadmin-tib-get-started.md) |
 | :---: | :---: | 
 | <span style="font-size: 1.5em">**Educator**</span></br>Enhance students of all abilities by unleashing their creativity, collaboration, and improving problem-solving skills. </br>[Get started](educator-tib-get-started.md) | <span style="font-size: 1.5em">**IT Admin**</span></br>Quickly implement and deploy a full cloud infrastructure that's secure and easy to manage. </br> [Get started](itadmin-tib-get-started.md) |
 
diff --git a/education/trial-in-a-box/itadmin-tib-get-started.md b/education/trial-in-a-box/itadmin-tib-get-started.md
index d0ba6a05b3..be9a131941 100644
--- a/education/trial-in-a-box/itadmin-tib-get-started.md
+++ b/education/trial-in-a-box/itadmin-tib-get-started.md
@@ -24,11 +24,11 @@ manager: dansimp
 
 |&nbsp;  |&nbsp;  |
 | :---: |:--- |
-| [![Log in to Device A.](images/admin-TIB-setp-1-v3.png)](#it-task1) | [Log in](#it-task1) to **Device A** with your IT Admin credentials and connect to your school's network. |
-| [![Configure Device B with Set up School PCs.](images/admin-TIB-setp-2-v3.png)](#it-task2) | [Configure Device B](#it-task2) with the Set up School PCs app. |
-| [![Configure Intune for Education.](images/admin-TIB-setp-3-v3.png)](#it-task3) | [Express configure Intune for Education](#it-task3) to manage devices, users, and policies. |
-| [![Find and deploy apps.](images/admin-TIB-setp-4-v3.png)](#it-task4) | [Find apps from the Microsoft Store for Education](#it-task4) and deploy them to manage devices in your tenant. |
-| [![Create custom folders.](images/admin-TIB-setp-5-v3.png)](#it-task5) | [Create custom folders](#it-task5) that will appear on each managed device's **Start** menu. |
+| [![Log in to Device A](images/admin-TIB-setp-1-v3.png)](#it-task1) | [Log in](#it-task1) to **Device A** with your IT Admin credentials and connect to your school's network. |
+| [![Configure Device B with Set up School PCs](images/admin-TIB-setp-2-v3.png)](#it-task2) | [Configure Device B](#it-task2) with the Set up School PCs app. |
+| [![Configure Intune for Education](images/admin-TIB-setp-3-v3.png)](#it-task3) | [Express configure Intune for Education](#it-task3) to manage devices, users, and policies. |
+| [![Find and deploy apps](images/admin-TIB-setp-4-v3.png)](#it-task4) | [Find apps from the Microsoft Store for Education](#it-task4) and deploy them to manage devices in your tenant. |
+| [![Create custom folders](images/admin-TIB-setp-5-v3.png)](#it-task5) | [Create custom folders](#it-task5) that will appear on each managed device's **Start** menu. |
 
 
 </br>
@@ -42,7 +42,7 @@ If you run into any problems while following the steps in this guide, or you hav
 
 </br>
 
-![Log in to Device A.](images/admin-TIB-setp-1-jump.png) 
+![Log in to Device A](images/admin-TIB-setp-1-jump.png) 
 ## <a name="it-task1"></a>1. Log in to Device A with your IT Admin credentials and connect to the school network
 To try out the IT admin tasks, start by logging in as an IT admin.
 
@@ -56,7 +56,7 @@ To try out the IT admin tasks, start by logging in as an IT admin.
 
 </br>
 
-![Configure Device B with Set up School PCs.](images/admin-TIB-setp-2-jump.png) 
+![Configure Device B with Set up School PCs](images/admin-TIB-setp-2-jump.png) 
 ## <a name="it-task2"></a>2. Configure Device B with Set up School PCs
 Now you're ready to learn how to configure a brand new device. You will start on **Device A** by downloading and running the Set up School PCs app. Then, you will configure **Device B**.
 
@@ -66,11 +66,11 @@ If you've previously used Set up School PCs to provision student devices, you ca
 
 1. From the **Start** menu, find and then click **Microsoft Store** to launch the Store.
 
-    ![Microsoft Store from the Start menu.](images/start_microsoft_store.png)
+    ![Microsoft Store from the Start menu](images/start_microsoft_store.png)
 
 2. Search for the **Set up School PCs** app.
 
-    ![Set up School PCs on Microsoft Store.](images/microsoft_store_suspc_install.png)
+    ![Set up School PCs on Microsoft Store](images/microsoft_store_suspc_install.png)
 
 3. Click **Install**.
 
@@ -78,7 +78,7 @@ If you've previously used Set up School PCs to provision student devices, you ca
 
 1. On **Device A**, launch the Set up School PCs app.
 
-    ![Launch the Set up School PCs app.](images/suspc_start.png)
+    ![Launch the Set up School PCs app](images/suspc_start.png)
 
 2. Click **Get started**.
 3. Select **Sign-in**.
@@ -95,7 +95,7 @@ If you've previously used Set up School PCs to provision student devices, you ca
 
     We recommend checking the highlighted settings below:
 
-    ![Configure student PC settings.](images/suspc_configure_pcsettings_selected.png)
+    ![Configure student PC settings](images/suspc_configure_pcsettings_selected.png)
 
    - **Remove apps pre-installed by the device manufacturer** - If you select this option, this will reset the machine and the provisioning process will take longer (about 30 minutes).
    - **Allow local storage (not recommended for shared devices)** lets students save files to the **Desktop** and **Documents** folder on the student PC.
@@ -108,7 +108,7 @@ If you've previously used Set up School PCs to provision student devices, you ca
 
 7. **Set up the Take a Test app** configures the device for taking quizzes and high-stakes assessments by some providers like Smarter Balanced. Windows will lock down the student PC so that students can't access anything else while taking the test.
 
-    ![Configure the Take a Test app.](images/suspc_takeatest.png)
+    ![Configure the Take a Test app](images/suspc_takeatest.png)
 
    1. Specify if you want to create a Take a Test button on the students' sign-in screens.
    2. Select **Advanced settings** to allow keyboard text suggestions to appear and to allow teachers to monitor online tests. 
@@ -120,7 +120,7 @@ If you've previously used Set up School PCs to provision student devices, you ca
 
 8. **Add recommended apps** lets you choose from a set of recommended Microsoft Store apps to provision. 
 
-    ![Recommended apps in Set up School PCs package configuration.](images/suspc_configure_recommendedapps_v2.png)
+    ![Recommended apps in Set up School PCs package configuration](images/suspc_configure_recommendedapps_v2.png)
 
     The recommended apps include the following:
     * **Office 365 for Windows 10 S (Education Preview)** - Optional. This works well for the Trial in a Box PCs running Windows 10 S. However, if you try to install this app on other editions of Windows 10, setup will fail. Also note that if you select **Office 365 for Windows 10 S (Education Preview)**, it will take about 30-45 minutes longer for Set up School PCs to create the provisioning package as the app downloads Office 365 for Windows 10 S (Education Preview) from the Microsoft Store.
@@ -131,7 +131,7 @@ If you've previously used Set up School PCs to provision student devices, you ca
 
     To change any of the settings, select the page or section (such as **Sign-in** or **Settings**) to go back to that page and make your changes.
 
-    ![Select the section or page name to make a change.](images/suspc_review_summary.png)
+    ![Select the section or page name to make a change](images/suspc_review_summary.png)
 
 10. Accept the summary and then insert a USB drive in **Device A**. Use the USB drive that came in the Trial in a Box accessories box to save the provisioning package.
 11. Select the drive and then **Save** to create the provisioning package. 
@@ -153,7 +153,7 @@ A provisioning package is a method for applying settings to Windows 10 without n
 
 1. Start with **Device B** turned off or with the PC on the first-run setup screen. In Windows 10 S Fall Creators Update, the first-run setup screen says **Let's start with region. Is this right?**. 
 
-    ![The first screen to set up a new PC in Windows 10 Fall Creators Update.](images/win10_oobe_firstscreen.png)
+    ![The first screen to set up a new PC in Windows 10 Fall Creators Update](images/win10_oobe_firstscreen.png)
 
     If you go past the region selection screen, select **Ctrl + Shift + F3** which will prompt the "System Preparation Tool." Select **Okay** in the tool to return to the region selection screen. If this doesn't work, reset the PC by going to **Settings > Update & Security > Recovery > Reset this PC.**
 
@@ -166,20 +166,20 @@ You can complete the rest of the IT admin tasks using **Device A**.
 
 </br>
 
-![Express configure Intune for Education.](images/admin-TIB-setp-3-jump.png) 
+![Express configure Intune for Education](images/admin-TIB-setp-3-jump.png) 
 ## <a name="it-task3"></a>3. Express configure Intune for Education to manage devices, users, and policies
 Intune for Education provides an **Express configuration** option so you can get going right away. We'll use that option here.
 
 1. Log into the <a href="https://intuneeducation.portal.azure.com/" target="_blank">Intune for Education console</a>. 
 2. On the Intune for Education dashboard, click **Launch Express Configuration** or select the **Express configuration**.
 
-    ![Intune for Education dashboard.](images/i4e_dashboard_expressconfig.png)
+    ![Intune for Education dashboard](images/i4e_dashboard_expressconfig.png)
 
 3. In the **Welcome to Intune for Education** screen, click **Get started** and follow the prompts until you get to the **Choose group** screen.
 4. In the **Choose group** screen, select **All Users** so that all apps and settings that we select during express setup will apply to this group. 
 5. In the **Choose apps** screen, you will see a selection of desktop (Win32) apps, Web apps, and Microsoft Store apps. 
 
-    ![Choose apps you want to provision to the group.](images/i4e_expressconfig_chooseapps.png)
+    ![Choose apps you want to provision to the group](images/i4e_expressconfig_chooseapps.png)
 
 6. Add or remove apps by clicking on them. A blue checkmark means the app is added and will be installed for all members of the group selected in step 5.
 
@@ -197,7 +197,7 @@ Intune for Education provides an **Express configuration** option so you can get
 
 </br>
 
-![Find apps from the Microsoft Store for Education.](images/admin-TIB-setp-4-jump.png) 
+![Find apps from the Microsoft Store for Education](images/admin-TIB-setp-4-jump.png) 
 ## <a name="it-task4"></a>4. Find apps from the Microsoft Store for Education and deploy them to managed devices in your tenant
 The Microsoft Store for Education is where you can shop for more apps for your school.
 
@@ -205,7 +205,7 @@ The Microsoft Store for Education is where you can shop for more apps for your s
 2. In the **Store apps** section, select **+ New app** to go to the <a href="https://educationstore.microsoft.com" target="_blank">Microsoft Store for Education</a>.
 3. Select **Sign in** and start shopping for apps for your school.
 
-    ![Microsoft Store for Education site.](images/msfe_portal.png)
+    ![Microsoft Store for Education site](images/msfe_portal.png)
 
 4. Check some of the categories for suggested apps or search the Store for a free educational or reference app. Find ones that you haven't already installed during express configuration for Intune for Education. For example, these apps are free:
     - Duolingo - Learn Languages for Free
@@ -222,7 +222,7 @@ The Microsoft Store for Education is where you can shop for more apps for your s
 
     The apps will show up in your inventory along with the apps that Microsoft automatically provisioned for your education tenant.
 
-    ![List of apps bought for the school.](images/msfe_boughtapps.png)
+    ![List of apps bought for the school](images/msfe_boughtapps.png)
 
     In the **Private store** column of the **Products & services** page, the status for some apps will indicate that it's "In private store" while others will say "Adding to private store" or "Not applicable". Learn more about this in <a href="/microsoft-store/distribute-apps-from-your-private-store" target="_blank">Distribute apps using your private store</a>.
 
@@ -231,7 +231,7 @@ The Microsoft Store for Education is where you can shop for more apps for your s
 
 </br>
 
-![Create custom folders that appear on managed devices.](images/admin-TIB-setp-5-jump.png) 
+![Create custom folders that appear on managed devices](images/admin-TIB-setp-5-jump.png) 
 ## <a name="it-task5"></a>5. Create custom folders that will appear on each managed device's Start menu
 Update settings for all devices in your tenant by adding the **Documents** and **Downloads** folders to all devices managed in Intune for Education.
 
@@ -239,7 +239,7 @@ Update settings for all devices in your tenant by adding the **Documents** and *
 2. Select **Group > All Devices > Settings** and expand **Windows interface settings**.
 3. In **Choose folders that appear in the Start menu**, select **Documents** and **Downloads**.
 
-    ![Choose folders that appear in the Start menu.](images/screenshot-bug.png)
+    ![Choose folders that appear in the Start menu](images/screenshot-bug.png)
 
 4. **Save** your changes.
 
diff --git a/education/trial-in-a-box/support-options.md b/education/trial-in-a-box/support-options.md
index 627a78c9ef..9cb32351de 100644
--- a/education/trial-in-a-box/support-options.md
+++ b/education/trial-in-a-box/support-options.md
@@ -38,7 +38,7 @@ For more information about checking for updates, and how to optionally turn on a
    > [!NOTE]
    > For the alternate email address, make sure you use a different address from your Office 365 email address.
 
-   ![Complete your contact details.](images/o365_adminaccountinfo.png)
+   ![Complete your contact details](images/o365_adminaccountinfo.png)
 
 4. Click **Save**.
 
@@ -46,17 +46,17 @@ For more information about checking for updates, and how to optionally turn on a
 
 1. Click the **Need help?** button in the lower right-hand corner of the Office 365 console.
 
-   ![Select Need help to get support.](images/o365_needhelp.png)
+   ![Select Need help to get support](images/o365_needhelp.png)
 
    You will see a sidebar window open up on the right-hand side of the screen.
 
-   ![Option to have a support representative call you.](images/o365_needhelp_callingoption.png)
+   ![Option to have a support representative call you](images/o365_needhelp_callingoption.png)
 
    If you chose to have a support representative call you, a new support ticket will be opened and you can track these in **Support tickets**.
 
-   ![Track your support tickets.](images/o365_needhelp_supporttickets.png)
+   ![Track your support tickets](images/o365_needhelp_supporttickets.png)
 
-2. Click the **question button** ![Question button.](images/o365_needhelp_questionbutton.png) in the top navigation of the sidebar window.
+2. Click the **question button** ![Question button](images/o365_needhelp_questionbutton.png) in the top navigation of the sidebar window.
 3. In the field below **Need help?**, enter a description of your help request.
 4. Click the **Get help button**.
 5. In the **Let us call you** section, enter a phone number where you can be reached.
@@ -69,7 +69,7 @@ Forget your password? Follow these steps to recover it.
 1. Go to <a href="https://portal.office.com/" target="_blank">https://portal.office.com</a>
 2. Select **Can't access your account** and follow the prompts to get back into your account.
 
-   ![Recover your account.](images/officeportal_cantaccessaccount.png)
+   ![Recover your account](images/officeportal_cantaccessaccount.png)
 
 
 
diff --git a/education/windows/autopilot-reset.md b/education/windows/autopilot-reset.md
index c0ac95e03e..00b99a4c75 100644
--- a/education/windows/autopilot-reset.md
+++ b/education/windows/autopilot-reset.md
@@ -61,7 +61,7 @@ You can set the policy using one of these methods:
 
   - When using [Set up School PCs](use-set-up-school-pcs-app.md), in the **Configure student PC settings** screen, select **Enable Windows 10 Autopilot Reset** among the list of settings for the student PC as shown in the following example:
 
-    ![Configure student PC settings in Set up School PCs.](images/suspc_configure_pc2.jpg)
+    ![Configure student PC settings in Set up School PCs](images/suspc_configure_pc2.jpg)
     
 ## Trigger Autopilot Reset
 Autopilot Reset is a two-step process: trigger it and then authenticate. Once you've done these two steps, you can let the process execute and once it's done, the device is again ready for use. 
@@ -70,7 +70,7 @@ Autopilot Reset is a two-step process: trigger it and then authenticate. Once yo
 
 1. From the Windows device lock screen, enter the keystroke: **CTRL + Windows key + R**. 
 
-   ![Enter CTRL+Windows key+R on the Windows lockscreen.](images/autopilot-reset-lockscreen.png)
+   ![Enter CTRL+Windows key+R on the Windows lockscreen](images/autopilot-reset-lockscreen.png)
 
    This will open up a custom login screen for Autopilot Reset. The screen serves two purposes:
 
@@ -78,7 +78,7 @@ Autopilot Reset is a two-step process: trigger it and then authenticate. Once yo
 
    2. Notify the user in case a provisioning package, created using Windows Configuration Designer or Set up School PCs, will be used as part of the process.
 
-      ![Custom login screen for Autopilot Reset.](images/autopilot-reset-customlogin.png)
+      ![Custom login screen for Autopilot Reset](images/autopilot-reset-customlogin.png)
 
 2. Sign in with the admin account credentials. If you created a provisioning package, plug in the USB drive and trigger Autopilot Reset.
 
@@ -97,7 +97,7 @@ Autopilot Reset is a two-step process: trigger it and then authenticate. Once yo
 
    - Is returned to a known good managed state, connected to Azure AD and MDM.
 
-     ![Notification that provisioning is complete.](images/autopilot-reset-provisioningcomplete.png)
+     ![Notification that provisioning is complete](images/autopilot-reset-provisioningcomplete.png)
 
      Once provisioning is complete, the device is again ready for use.
 
diff --git a/education/windows/change-to-pro-education.md b/education/windows/change-to-pro-education.md
index ea30225b3e..b104042dbc 100644
--- a/education/windows/change-to-pro-education.md
+++ b/education/windows/change-to-pro-education.md
@@ -65,7 +65,7 @@ See [change using Microsoft Store for Education](#change-using-microsoft-store-f
    
         **Figure 1** - Enter the details for the Windows edition change
 
-        ![Enter the details for the Windows edition change.](images/i4e_editionupgrade.png)
+        ![Enter the details for the Windows edition change](images/i4e_editionupgrade.png)
 
 3. The change will automatically be applied to the group you selected.
 
@@ -78,7 +78,7 @@ You can use Windows Configuration Designer to create a provisioning package that
 
     **Figure 2** - Enter the license key 
 
-    ![Enter the license key to change to Windows 10 Pro Education.](images/wcd_productkey.png)
+    ![Enter the license key to change to Windows 10 Pro Education](images/wcd_productkey.png)
 
 3. Complete the rest of the process for creating a provisioning package and then apply the package to the devices you want to change to Windows 10 Pro Education.
 
@@ -123,7 +123,7 @@ Once you enable the setting to change to Windows 10 Pro Education, the change wi
 
     **Figure 3** - Check the box to confirm
 
-    ![Check the box to confirm.](images/msfe_manage_benefits_checktoconfirm.png)
+    ![Check the box to confirm](images/msfe_manage_benefits_checktoconfirm.png)
 
 5. Click **Change all my devices**. 
 
@@ -169,13 +169,13 @@ If the Windows device is running Windows 10, version 1703, follow these steps.
 
     **Figure 4** - Select how you'd like to set up the device
 
-    ![Select how you'd like to set up the device.](images/1_howtosetup.png)
+    ![Select how you'd like to set up the device](images/1_howtosetup.png)
 
 2. On the **Sign in with Microsoft** page, enter the username and password to use with Office 365 or other services from Microsoft, and then click **Next**.
 
     **Figure 5** - Enter the account details
 
-    ![Enter the account details you use with Office 365 or other Microsoft services.](images/2_signinwithms.png)
+    ![Enter the account details you use with Office 365 or other Microsoft services](images/2_signinwithms.png)
 
 3. Go through the rest of Windows device setup. Once you're done, the device will be Azure AD joined to your school's subscription.
 
@@ -188,21 +188,21 @@ If the Windows device is running Windows 10, version 1703, follow these steps.
 
     **Figure 6** - Go to **Access work or school** in Settings
 
-    ![Go to Access work or school in Settings.](images/settings_workorschool_1.png)
+    ![Go to Access work or school in Settings](images/settings_workorschool_1.png)
 
 2. In **Access work or school**, click **Connect**.
 3. In the **Set up a work or school account** window, click the **Join this device to Azure Active Directory** option at the bottom.
 
     **Figure 7** - Select the option to join the device to Azure Active Directory
 
-    ![Select the option to join the device to Azure Active Directory.](images/settings_setupworkorschoolaccount_2.png)
+    ![Select the option to join the device to Azure Active Directory](images/settings_setupworkorschoolaccount_2.png)
 
 4. On the **Let's get you signed in** window, enter the Azure AD credentials (username and password) and sign in. This will join the device to the school's Azure AD.
 5. To verify that the device was successfully joined to Azure AD, go back to **Settings > Accounts > Access work or school**. You should now see a connection under the **Connect to work or school** section that indicates the device is connected to Azure AD.
 
     **Figure 8** - Verify the device connected to Azure AD
 
-    ![Verify the device is connected to Azure AD.](images/settings_connectedtoazuread_3.png)
+    ![Verify the device is connected to Azure AD](images/settings_connectedtoazuread_3.png)
 
 
 #### Step 2: Sign in using Azure AD account
@@ -286,7 +286,7 @@ Once the automatic change to Windows 10 Pro Education is turned off, the change
 
     **Figure 12** - Revert to Windows 10 Pro
 
-    ![Revert to Windows 10 Pro.](images/msfe_manage_reverttowin10pro.png)
+    ![Revert to Windows 10 Pro](images/msfe_manage_reverttowin10pro.png)
 
 4. You will be asked if you're sure that you want to turn off automatic changes to Windows 10 Pro Education. Click **Yes**.
 5. Click **Close** in the **Success** page.
@@ -304,7 +304,7 @@ You need to synchronize these identities so that users will have a *single ident
 
 **Figure 13** - On-premises AD DS integrated with Azure AD
 
-![Illustration of Azure Active Directory Connect.](images/windows-ad-connect.png)
+![Illustration of Azure Active Directory Connect](images/windows-ad-connect.png)
 
 For more information about integrating on-premises AD DS domains with Azure AD, see these resources:
 -   [Integrating your on-premises identities with Azure Active Directory](/azure/active-directory/hybrid/whatis-hybrid-identity)
diff --git a/education/windows/chromebook-migration-guide.md b/education/windows/chromebook-migration-guide.md
index d927aef072..59da859362 100644
--- a/education/windows/chromebook-migration-guide.md
+++ b/education/windows/chromebook-migration-guide.md
@@ -118,7 +118,7 @@ At the end of this section, you should have a list of Chromebook user and device
 
 You use the Google Admin Console (as shown in Figure 1) to manage user and device settings. These settings are applied to all the Chromebook devices in your institution that are enrolled in the Google Admin Console. Review the user and device settings in the Google Admin Console and determine which settings are appropriate for your Windows devices.
 
-![figure 1.](images/chromebook-fig1-googleadmin.png)
+![figure 1](images/chromebook-fig1-googleadmin.png)
 
 Figure 1. Google Admin Console
 
@@ -221,7 +221,7 @@ Table 3. Settings in the Security node in the Google Admin Console
 
 In addition to the settings configured in the Google Admin Console, users may have locally configured their devices based on their own personal preferences (as shown in Figure 2). Table 4 lists the Chromebook user and device settings that you can locally configure. Review the settings and determine which settings you will migrate to Windows. Some of the settings listed in Table 4 can only be seen when you click the **Show advanced settings** link (as shown in Figure 2).
 
-![figure 2.](images/fig2-locallyconfig.png)
+![figure 2](images/fig2-locallyconfig.png)
 
 Figure 2. Locally-configured settings on Chromebook
 
diff --git a/education/windows/configure-windows-for-education.md b/education/windows/configure-windows-for-education.md
index 27b3806af5..f662b8ac78 100644
--- a/education/windows/configure-windows-for-education.md
+++ b/education/windows/configure-windows-for-education.md
@@ -94,19 +94,19 @@ Use one of these methods to set this policy.
     - Data type:  Integer
     - Value:  0
 
-      ![Create an OMA URI for AllowCortana.](images/allowcortana_omauri.png)
+      ![Create an OMA URI for AllowCortana](images/allowcortana_omauri.png)
 
 ### Group Policy
 Set **Computer Configuration > Administrative Templates > Windows Components > Search > AllowCortana** to **Disabled**.
 
-![Set AllowCortana to disabled through Group Policy.](images/allowcortana_gp.png)
+![Set AllowCortana to disabled through Group Policy](images/allowcortana_gp.png)
 
 ### Provisioning tools
 - [Set up School PCs](use-set-up-school-pcs-app.md) always sets this policy in provisioning packages it creates.
 - [Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-create-package) 
     - Under **Runtime settings**, click the **Policies** settings group, set **Experience > Cortana** to **No**.
 
-        ![Set AllowCortana to No in Windows Configuration Designer.](images/allowcortana_wcd.png)
+        ![Set AllowCortana to No in Windows Configuration Designer](images/allowcortana_wcd.png)
 
 ## SetEduPolicies
 **SetEduPolicies** is a policy that applies a set of configuration behaviors to Windows. It is a policy node in the [SharedPC configuration service provider](/windows/client-management/mdm/sharedpc-csp).
@@ -123,7 +123,7 @@ Use one of these methods to set this policy.
     - Data type:  Boolean
     - Value:  true
 
-      ![Create an OMA URI for SetEduPolices.](images/setedupolicies_omauri.png)
+      ![Create an OMA URI for SetEduPolices](images/setedupolicies_omauri.png)
 
 ### Group Policy
 **SetEduPolicies** is not natively supported in Group Policy. Instead, use the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) to set the policy in [MDM SharedPC](/windows/win32/dmwmibridgeprov/mdm-sharedpc). 
@@ -147,7 +147,7 @@ For example:
 - [Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-create-package) 
     - Under **Runtime settings**, click the **SharedPC** settings group, set **PolicyCustomization > SetEduPolicies** to **True**.
 
-        ![Set SetEduPolicies to True in Windows Configuration Designer.](images/setedupolicies_wcd.png)
+        ![Set SetEduPolicies to True in Windows Configuration Designer](images/setedupolicies_wcd.png)
 
 ## Ad-free search with Bing
 Provide an ad-free experience that is a safer, more private search option for K–12 education institutions in the United States. 
diff --git a/education/windows/deploy-windows-10-in-a-school-district.md b/education/windows/deploy-windows-10-in-a-school-district.md
index 9dcdd7ca81..5ca4cb7ea0 100644
--- a/education/windows/deploy-windows-10-in-a-school-district.md
+++ b/education/windows/deploy-windows-10-in-a-school-district.md
@@ -34,21 +34,21 @@ Proper preparation is essential for a successful district deployment. To avoid c
 As part of preparing for your district deployment, you need to plan your district configuration — the focus of this guide. Figure 1 illustrates a typical finished district configuration that you can use as a model (the blueprint in our builder analogy) for the finished state.
 
 > [!div class="mx-imgBorder"]
-> ![Typical district configuration for this guide.](images/edu-districtdeploy-fig1.png "Typical district configuration for this guide")
+> ![Typical district configuration for this guide](images/edu-districtdeploy-fig1.png "Typical district configuration for this guide")
 
 *Figure 1. Typical district configuration for this guide*
 
 A *district* consists of multiple schools, typically at different physical locations. Figure 2 illustrates a typical school configuration within the district that this guide uses.
 
 > [!div class="mx-imgBorder"]
-> ![Typical school configuration for this guide.](images/edu-districtdeploy-fig2.png "Typical school configuration for this guide")
+> ![Typical school configuration for this guide](images/edu-districtdeploy-fig2.png "Typical school configuration for this guide")
 
 *Figure 2. Typical school configuration for this guide*
 
 Finally, each school consists of multiple classrooms. Figure 3 shows the classroom configuration this guide uses.
 
 > [!div class="mx-imgBorder"]
-> ![Typical classroom configuration in a school.](images/edu-districtdeploy-fig3.png "Typical classroom configuration in a school")
+> ![Typical classroom configuration in a school](images/edu-districtdeploy-fig3.png "Typical classroom configuration in a school")
 
 *Figure 3. Typical classroom configuration in a school*
 
@@ -181,7 +181,7 @@ The high-level process for deploying and configuring devices within individual c
 9. On the admin device, manage the Windows 10 devices and apps, the Office 365 subscription, and the AD DS–Azure AD integration.
 
 > [!div class="mx-imgBorder"]
-> ![How district configuration works.](images/edu-districtdeploy-fig4.png "How district configuration works")
+> ![How district configuration works](images/edu-districtdeploy-fig4.png "How district configuration works")
 
 *Figure 4. How district configuration works*
 
@@ -768,7 +768,7 @@ In this method, you have an on-premises AD DS domain. As shown in Figure 5, the
 > Azure AD Connect also supports synchronization from any Lightweight Directory Access Protocol version 3 (LDAPv3)–compliant directory by using the information provided in [Generic LDAP Connector for FIM 2010 R2 Technical Reference](/previous-versions/mim/dn510997(v=ws.10)).
 
 > [!div class="mx-imgBorder"]
-> ![Automatic synchronization between AD DS and Azure AD.](images/edu-districtdeploy-fig5.png "Automatic synchronization between AD DS and Azure AD")
+> ![Automatic synchronization between AD DS and Azure AD](images/edu-districtdeploy-fig5.png "Automatic synchronization between AD DS and Azure AD")
 
 *Figure 5. Automatic synchronization between AD DS and Azure AD*
 
@@ -779,7 +779,7 @@ For more information about how to perform this step, see the [Integrate on-premi
 In this method, you have no on-premises AD DS domain. As shown in Figure 6, you manually prepare a .csv file with the student information from your source, and then manually import the information directly into Azure AD. The .csv file must be in the format that Office 365 specifies.
 
 > [!div class="mx-imgBorder"]
-> ![Bulk import into Azure AD from other sources.](images/edu-districtdeploy-fig6.png "Bulk import into Azure AD from other sources")
+> ![Bulk import into Azure AD from other sources](images/edu-districtdeploy-fig6.png "Bulk import into Azure AD from other sources")
 
 *Figure 6. Bulk import into Azure AD from other sources*
 
@@ -812,14 +812,14 @@ You can deploy the Azure AD Connect tool:
 - **On premises.** As shown in Figure 7, Azure AD Connect runs on premises, which has the advantage of not requiring a VPN connection to Azure. It does, however, require a virtual machine (VM) or physical server.
 
   > [!div class="mx-imgBorder"]
-  > ![Azure AD Connect on premises.](images/edu-districtdeploy-fig7.png "Azure AD Connect on premises")
+  > ![Azure AD Connect on premises](images/edu-districtdeploy-fig7.png "Azure AD Connect on premises")
 
   *Figure 7. Azure AD Connect on premises*
 
 - **In Azure.** As shown in Figure 8, Azure AD Connect runs on a VM in Azure AD, which has the advantages of being faster to provision (than a physical, on-premises server), offers better site availability, and helps reduce the number of on-premises servers. The disadvantage is that you need to deploy a VPN gateway on premises.
 
   > [!div class="mx-imgBorder"]
-  > ![Azure AD Connect in Azure.](images/edu-districtdeploy-fig8.png "Azure AD Connect in Azure")
+  > ![Azure AD Connect in Azure](images/edu-districtdeploy-fig8.png "Azure AD Connect in Azure")
 
   *Figure 8. Azure AD Connect in Azure*
 
diff --git a/education/windows/deploy-windows-10-in-a-school.md b/education/windows/deploy-windows-10-in-a-school.md
index 318b892188..3b464f9fa6 100644
--- a/education/windows/deploy-windows-10-in-a-school.md
+++ b/education/windows/deploy-windows-10-in-a-school.md
@@ -30,13 +30,13 @@ Proper preparation is essential for a successful school deployment. To avoid com
 
 As part of preparing for your school deployment, you need to plan your configuration—the focus of this guide. Figure 1 illustrates a typical finished school configuration that you can use as a model (the blueprint in our builder analogy) for the finished state.
 
-![fig 1.](images/deploy-win-10-school-figure1.png)
+![fig 1](images/deploy-win-10-school-figure1.png)
 
 *Figure 1. Typical school configuration for this guide*
 
 Figure 2 shows the classroom configuration this guide uses.
 
-![fig 2.](images/deploy-win-10-school-figure2.png)
+![fig 2](images/deploy-win-10-school-figure2.png)
 
 *Figure 2. Typical classroom configuration in a school*
 
@@ -112,7 +112,7 @@ The high-level process for deploying and configuring devices within individual c
 6. On the student and faculty devices, deploy Windows 10 to new or existing devices, or upgrade eligible devices to Windows 10.
 7. On the admin device, manage the Windows 10 devices and apps, the Office 365 subscription, and the AD DS and Azure AD integration.
 
-![fig 3.](images/deploy-win-10-school-figure3.png)
+![fig 3](images/deploy-win-10-school-figure3.png)
 
 *Figure 3. How school configuration works*
 
@@ -346,7 +346,7 @@ In this method, you have an on-premises AD DS domain. As shown in Figure 4, the
 
 **Note**&nbsp;&nbsp;Azure AD Connect also supports synchronization from any Lightweight Directory Access Protocol version 3 (LDAPv3)–compliant directory by using the information provided in [Generic LDAP Connector for FIM 2010 R2 Technical Reference](/previous-versions/mim/dn510997(v=ws.10)?f=255&MSPPError=-2147217396).
 
-![fig 4.](images/deploy-win-10-school-figure4.png)
+![fig 4](images/deploy-win-10-school-figure4.png)
 
 *Figure 4. Automatic synchronization between AD DS and Azure AD*
 
@@ -356,7 +356,7 @@ For more information about how to perform this step, see the [Integrate on-premi
 
 In this method, you have no on-premises AD DS domain. As shown in Figure 5, you manually prepare a .csv file with the student information from your source, and then manually import the information directly into Azure AD. The .csv file must be in the format that Office 365 specifies.
 
-![fig 5.](images/deploy-win-10-school-figure5.png)
+![fig 5](images/deploy-win-10-school-figure5.png)
 
 *Figure 5. Bulk import into Azure AD from other sources*
 
@@ -383,13 +383,13 @@ You can deploy the Azure AD Connect tool by using one of the following methods:
 
 - **On premises.** As shown in Figure 6, Azure AD Connect runs on premises, which has the advantage of not requiring a virtual private network (VPN) connection to Azure. It does, however, require a virtual machine (VM) or physical server.
 
-  ![fig 6.](images/deploy-win-10-school-figure6.png)
+  ![fig 6](images/deploy-win-10-school-figure6.png)
 
   *Figure 6. Azure AD Connect on premises*
 
 - **In Azure**. As shown in Figure 7, Azure AD Connect runs on a VM in Azure AD, which has the advantages of being faster to provision (than a physical, on-premises server), offers better site availability, and helps reduce the number of on-premises servers. The disadvantage is that you need to deploy a VPN gateway on premises.
 
-  ![fig 7.](images/deploy-win-10-school-figure7.png)
+  ![fig 7](images/deploy-win-10-school-figure7.png)
 
   *Figure 7. Azure AD Connect in Azure*
 
diff --git a/education/windows/edu-deployment-recommendations.md b/education/windows/edu-deployment-recommendations.md
index 03a761c858..eaa2f7c35b 100644
--- a/education/windows/edu-deployment-recommendations.md
+++ b/education/windows/edu-deployment-recommendations.md
@@ -55,11 +55,11 @@ To turn off access to contacts for all apps on individual Windows devices:
 
 1. On the computer, go to **Settings** and select **Privacy**.
 
-   ![Privacy settings.](images/win10_settings_privacy.png)
+   ![Privacy settings](images/win10_settings_privacy.png)
 
 2. Under the list of **Privacy** areas, select **Contacts**.
 
-   ![Contacts privacy settings.](images/win10_settings_privacy_contacts.png)
+   ![Contacts privacy settings](images/win10_settings_privacy_contacts.png)
 
 3. Turn off **Let apps access my contacts**.
 
@@ -73,7 +73,7 @@ For IT-managed Windows devices, you can use a Group Policy to turn off the setti
 
 If you want to allow only certain apps to have access to contacts, you can use the switch for each app to specify which ones you want on or off.
 
-![Choose apps with access to contacts.](images/win10_settings_privacy_contacts_apps.png)
+![Choose apps with access to contacts](images/win10_settings_privacy_contacts_apps.png)
 
 The list of apps on the Windows-based device may vary from the above example. The list depends on what apps you have installed and which of these apps access contacts.
 
@@ -83,7 +83,7 @@ To allow only certain apps to have access to contacts, you can:
 
 * Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access contacts** and then specify the default for each app by adding the app's Package Family Name under the default behavior you want to enforce.
 
-  ![App privacy Group Policy.](images/gp_letwinappsaccesscontacts.png)
+  ![App privacy Group Policy](images/gp_letwinappsaccesscontacts.png)
 
 
 ## Skype and Xbox settings
@@ -109,7 +109,7 @@ Skype uses the user’s contact details to deliver important information about t
 
 To manage and edit your profile in the Skype UWP app, follow these steps:
 
-1. In the Skype UWP app, select the user profile icon ![Skype profile icon.](images/skype_uwp_userprofile_icon.png)  to go to the user’s profile page.
+1. In the Skype UWP app, select the user profile icon ![Skype profile icon](images/skype_uwp_userprofile_icon.png)  to go to the user’s profile page.
 
 2. In the account page, select **Manage account** for the Skype account that you want to change. This will take you to the online Skype portal.
 
@@ -127,7 +127,7 @@ To manage and edit your profile in the Skype UWP app, follow these steps:
 
 6. To change the profile picture, go to the Skype app and click on the current profile picture or avatar. The **Manage Profile Picture** window pops up.
 
-   ![Skype profile icon.](images/skype_uwp_manageprofilepic.png)
+   ![Skype profile icon](images/skype_uwp_manageprofilepic.png)
 
    * To take a new picture, click the camera icon in the pop up window. To upload a new picture, click the three dots (**...**).
 
diff --git a/education/windows/education-scenarios-store-for-business.md b/education/windows/education-scenarios-store-for-business.md
index f4ea0cf4ef..586d6ea6b8 100644
--- a/education/windows/education-scenarios-store-for-business.md
+++ b/education/windows/education-scenarios-store-for-business.md
@@ -39,7 +39,7 @@ Admins can control whether or not teachers are automatically assigned the **Basi
 2. Click **Manage**, and then click **Settings**. 
 3. On **Shop**, select or clear **Make everyone a Basic Purchaser**.
 
-![manage settings to control Basic Purchaser role assignment.](images/sfe-make-everyone-bp.png)
+![manage settings to control Basic Purchaser role assignment](images/sfe-make-everyone-bp.png)
 
 > [!NOTE]
 > **Make everyone a Basic Purchaser** is on by default. 
@@ -52,7 +52,7 @@ When **Make everyone a Basic Purchaser** is turned off, admins can manually assi
 2. Click **Manage**, and then choose **Permissions**.
 3. On **Roles**, click **Assign roles**, type and select a name, choose the role you want to assign, and then click **Save**.
 
-    ![Permission page for Microsoft Store for Business.](images/sfe-roles.png)
+    ![Permission page for Microsoft Store for Business](images/sfe-roles.png)
 
 **Blocked Basic Purchasers**
 
diff --git a/education/windows/get-minecraft-for-education.md b/education/windows/get-minecraft-for-education.md
index a89e29de02..78f1759c45 100644
--- a/education/windows/get-minecraft-for-education.md
+++ b/education/windows/get-minecraft-for-education.md
@@ -29,7 +29,7 @@ ms.topic: conceptual
 
 Teachers and IT administrators can now get early access to **Minecraft: Education Edition** and add it their Microsoft Store for Business for distribution. 
 
-<!-- ![education.minecraft.net.](images/minecraft.png) -->
+<!-- ![education.minecraft.net](images/minecraft.png) -->
 
 ## Prerequisites
  
@@ -39,11 +39,11 @@ Teachers and IT administrators can now get early access to **Minecraft: Educatio
   - Office 365 Education, which includes online versions of Office apps plus 1 TB online storage. [Sign up your school for Office 365 Education.](https://products.office.com/academic/office-365-education-plan)
   - If your school has an Office 365 Education subscription, it includes a free Azure AD subscription. [Register your free Azure AD subscription.](/windows/client-management/mdm/register-your-free-azure-active-directory-subscription)
 
-<!-- ![teacher.](images/teacher.png) --> 
+<!-- ![teacher](images/teacher.png) --> 
 
 [Learn how teachers can get and distribute **Minecraft: Education Edition**](teacher-get-minecraft.md)
 
   
-<!-- ![IT administrator.](images/school.png) -->
+<!-- ![IT administrator](images/school.png) -->
 
 [Learn how IT administrators can get and distribute **Minecraft: Education Edition**](school-get-minecraft.md), and how to manage permissions for Minecraft.
\ No newline at end of file
diff --git a/education/windows/index.md b/education/windows/index.md
index cf961bfe83..81e3f97634 100644
--- a/education/windows/index.md
+++ b/education/windows/index.md
@@ -14,15 +14,15 @@ ms.date: 10/13/2017
 
 # Windows 10 for Education
 
-![Windows 10 Education and Windows 10 Pro Education.](images/windows-10-for-education-banner.png)
+![Windows 10 Education and Windows 10 Pro Education](images/windows-10-for-education-banner.png)
 
-## ![Learn more about Windows.](images/education.png) Learn
+## ![Learn more about Windows](images/education.png) Learn
 
 <p><b><a href="windows-editions-for-education-customers.md" data-raw-source="[Windows 10 editions for education customers](windows-editions-for-education-customers.md)">Windows 10 editions for education customers</a></b><br />Windows 10, version 1607 introduces two editions designed for the unique needs of K-12 institutions: Windows 10 Pro Education and Windows 10 Education. These editions provide education-specific default settings for the evolving landscape in K-12 education IT environments.</p>
 <p><b><a href="https://www.microsoft.com/WindowsForBusiness/Compare" data-raw-source="[Compare each Windows edition](https://www.microsoft.com/WindowsForBusiness/Compare)">Compare each Windows edition</a></b><br />Find out more about the features and functionality we support in each edition of Windows.</p>
 <p><b><a href="https://www.microsoft.com/education/buy-license/overview-of-how-to-buy/default.aspx?tabshow=schools" data-raw-source="[Get Windows 10 Education or Windows 10 Pro Education](https://www.microsoft.com/education/buy-license/overview-of-how-to-buy/default.aspx?tabshow=schools)">Get Windows 10 Education or Windows 10 Pro Education</a></b><br />When you&#39;ve made your decision, find out how to buy Windows for your school.</p>
 
-## ![Plan for Windows 10 in your school.](images/clipboard.png) Plan
+## ![Plan for Windows 10 in your school](images/clipboard.png) Plan
 
 <p><b><a href="configure-windows-for-education.md" data-raw-source="[Windows 10 configuration recommendations for education customers](configure-windows-for-education.md)">Windows 10 configuration recommendations for education customers</a></b><br />Provides guidance on ways to customize the OS diagnostic data, consumer experiences, Cortana, search, as well as some of the preinstalled apps, so that Windows is ready for your school.</p>
 <p><b><a href="edu-deployment-recommendations.md" data-raw-source="[Deployment recommendations for school IT administrators](edu-deployment-recommendations.md)">Deployment recommendations for school IT administrators</a></b><br />Learn how to customize the OS privacy settings, Skype, and Xbox for Windows-based devices used in schools so that you can choose what information is shared with Microsoft.</p>
@@ -30,14 +30,14 @@ ms.date: 10/13/2017
 <div class="side-by-side-content-right"><p><b><a href="take-tests-in-windows-10.md" data-raw-source="[Take tests in Windows 10](take-tests-in-windows-10.md)">Take tests in Windows 10</a></b><br />Take a Test is a new app that lets you create the right environment for taking tests. Learn how to use and get it set up.</p>
 <p><b><a href="chromebook-migration-guide.md" data-raw-source="[Chromebook migration guide](chromebook-migration-guide.md)">Chromebook migration guide</a></b><br />Find out how you can migrate a Chromebook-based learning environment to a Windows 10-based learning environment.</p>
 
-## ![Deploy Windows 10 for Education.](images/PCicon.png) Deploy
+## ![Deploy Windows 10 for Education](images/PCicon.png) Deploy
 
 <p><b><a href="set-up-windows-10.md" data-raw-source="[Set up Windows devices for education](set-up-windows-10.md)">Set up Windows devices for education</a></b><br />Depending on your school&#39;s device management needs, you can use the Set up School PCs app or the Windows Configuration Designer tool to quickly set up student PCs.</p>
 <p><b><a href="deploy-windows-10-in-a-school.md" data-raw-source="[Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)">Deploy Windows 10 in a school</a></b><br />Get step-by-step guidance to help you deploy Windows 10 in a school environment.</p>
 <p><b><a href="deploy-windows-10-in-a-school-district.md" data-raw-source="[Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)">Deploy Windows 10 in a school district</a></b><br />Get step-by-step guidance on how to deploy Windows 10 to PCs and devices across a school district.</p>
 <p><b><a href="test-windows10s-for-edu.md" data-raw-source="[Test Windows 10 S on existing Windows 10 education devices](test-windows10s-for-edu.md)">Test Windows 10 S on existing Windows 10 education devices</a></b><br />Test Windows 10 S on a variety of Windows 10 devices (except Windows 10 Home) in your school and share your feedback with us.</p>
 
-## ![Switch to Windows 10 for Education.](images/windows.png) Switch
+## ![Switch to Windows 10 for Education](images/windows.png) Switch
 
 <p><b><a href="change-to-pro-education.md" data-raw-source="[Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md)">Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S</a></b><br />If you have an education tenant and use Windows 10 Pro or Windows 10 S in your schools, find out how you can opt-in to a free switch to Windows 10 Pro Education.</p>
 
diff --git a/education/windows/school-get-minecraft.md b/education/windows/school-get-minecraft.md
index a728b75a41..e3900603b6 100644
--- a/education/windows/school-get-minecraft.md
+++ b/education/windows/school-get-minecraft.md
@@ -50,15 +50,15 @@ If you’ve been approved and are part of the Enrollment for Education Solutions
 
 1. Go to [https://education.minecraft.net/](https://education.minecraft.net/) and select **GET STARTED**.
 
-    <!-- ![Click Get the app.](images/it-get-app.png) --> 
+    <!-- ![Click Get the app](images/it-get-app.png) --> 
 
 2. Enter your email address, and select Educator, Administrator, or Student. </br> If your email address isn't associated to an Azure AD or Office 365 Education tenant, you'll be asked to create one.
 
-    <!-- ![Enter school email address.](images/enter-email.png) -->
+    <!-- ![Enter school email address](images/enter-email.png) -->
     
 3. Select **Get the app**. This will take you to the Microsoft Store for Education to download the app. You will also receive an email with instructions and a link to the Store.
 
-    <!-- ![You can get the app now.](images/get-the-app.png) -->
+    <!-- ![You can get the app now](images/get-the-app.png) -->
 
 4. Sign in to Microsoft Store for Education with your email address.
 
@@ -66,7 +66,7 @@ If you’ve been approved and are part of the Enrollment for Education Solutions
 
 6. **Minecraft: Education Edition** opens in the Microsoft Store for Education. Select **Get the app**. This places **Minecraft: Education Edition** in your Store inventory.
 
-    <!-- ![Get Minecraft app in Store.](images/minecraft-get-the-app.png) -->
+    <!-- ![Get Minecraft app in Store](images/minecraft-get-the-app.png) -->
 
 Now that the app is in your Microsoft Store for Education inventory, you can choose how to distribute Minecraft. For more information on distribution options, see [Distribute Minecraft](#distribute-minecraft).
 
@@ -113,11 +113,11 @@ After you've finished the purchase, you can find your invoice by checking **Mine
 2. Click **Minecraft: Education Edition** in the list of apps. 
 3. On **Minecraft: Education Edition**, click **View Bills**.
 
-    ![Minecraft: Education Edition app details page with view bills link highlighted.](images/mcee-view-bills.png) 
+    ![Minecraft: Education Edition app details page with view bills link highlighted](images/mcee-view-bills.png) 
 
 4. On **Invoice Bills**, click the invoice number to view and download your invoice. It downloads as a .pdf.
 
-   ![Minecraft: Education Edition app details page with view bills link highlighted.](images/mcee-invoice-bills.png)
+   ![Minecraft: Education Edition app details page with view bills link highlighted](images/mcee-invoice-bills.png)
 
 The **Payment Instructions** section on the first page of the invoice has information on invoice amount, due date, and how to pay with electronic funds transfer, or with a check. 
 
@@ -133,11 +133,11 @@ Admins can also add Minecraft: Education Edition to the private store. This allo
 <!---
 Here's the page you'll see for Minecraft: Education Edition licenses purchased directly through the Microsoft Store for Business. 
 
-![App distribution options - individual copies.](images/mc-install-for-me-teacher.png)
+![App distribution options - individual copies](images/mc-install-for-me-teacher.png)
 
 Here's the page you'll see for Minecraft: Education Edition licenses purchased through volume licensing.
 
-![App distribution options - individual copies.](images/wsfb-minecraft-vl.png)
+![App distribution options - individual copies](images/wsfb-minecraft-vl.png)
 --->
 
 ### Configure automatic subscription assignment
@@ -168,7 +168,7 @@ You can install the app on your PC. This gives you a chance to test the app and
 1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com). 
 2. Click **Manage**, and then click **Install**.
 
-    <!-- ![Minecraft Education Edition product page.](images/mc-install-for-me-teacher.png) -->
+    <!-- ![Minecraft Education Edition product page](images/mc-install-for-me-teacher.png) -->
 
 3. Click **Install**.  
 
@@ -180,33 +180,33 @@ Enter email addresses for your students, and each student will get an email with
 1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com). 
 2. Click **Manage**.
 
-    ![Minecraft Education Edition product page.](images/mc-install-for-me-teacher.png)
+    ![Minecraft Education Edition product page](images/mc-install-for-me-teacher.png)
 3. Click **Invite people**.
  
 4. Type the name, or email address of the student or group you want to assign the app to, and then click **Assign**. 
 
     You can only assign the app to students with work or school accounts. If you don't find the student, you might need to add a work or school account for the student.    
    
-    ![Assign to people showing student name.](images/minecraft-assign-to-people-name.png)
+    ![Assign to people showing student name](images/minecraft-assign-to-people-name.png)
 
 **To finish Minecraft install (for students)**
 
 1. Students will receive an email with a link that will install the app on their PC.</br>
 
-    ![Email with Get the app link.](images/minecraft-student-install-email.png)
+    ![Email with Get the app link](images/minecraft-student-install-email.png)
 
 2. Click **Get the app** to start the app install in Microsoft Store app. 
 3. In Microsoft Store app, click **Install**. 
 
-    ![Microsoft Store app with Minecraft page.](images/minecraft-in-windows-store-app.png)
+    ![Microsoft Store app with Minecraft page](images/minecraft-in-windows-store-app.png)
 
     After installing the app, students can find Minecraft: Education Edition in Microsoft Store app under **My Library**. Microsoft Store app is preinstalled with Windows 10.
 
-    ![Microsoft Store app showing access to My Library.](images/minecraft-private-store.png) 
+    ![Microsoft Store app showing access to My Library](images/minecraft-private-store.png) 
 
     When students click **My Library** they'll find apps assigned to them.
 
-    ![My Library for example student.](images/minecraft-my-library.png) 
+    ![My Library for example student](images/minecraft-my-library.png) 
 
 ### Download for others
 Download for others allows teachers or IT admins to download an app that they can install on PCs. This will install Minecraft: Education Edition on the PC, and allows anyone with a Windows account to use the app on that PC. This option is best for students, and for shared computers. Choose this option when:
@@ -225,11 +225,11 @@ Minecraft: Education Edition will not install if there are updates pending for o
 1. Start Microsoft Store app on the PC (click **Start**, and type **Store**).
 2. Click the account button, and then click **Downloads and updates**.
 
-      ![Microsoft Store app showing access to My Library.](images/minecraft-private-store.png)
+      ![Microsoft Store app showing access to My Library](images/minecraft-private-store.png)
       
 3. Click **Check for updates**, and install all available updates. 
 
-      ![Microsoft Store app showing access to My Library.](images/mc-check-for-updates.png)
+      ![Microsoft Store app showing access to My Library](images/mc-check-for-updates.png)
       
 4. Restart the computer before installing Minecraft: Education Edition.  
 
@@ -238,7 +238,7 @@ You'll download a .zip file, extract the files, and then use one of the files to
 
 1. **Download Minecraft Education Edition.zip**. From the **Minecraft: Education Edition** page, click **Download for others** tab, and then click **Download**.
 
-    ![Microsoft Store app showing access to My Library.](images/mc-dnld-others-teacher.png)
+    ![Microsoft Store app showing access to My Library](images/mc-dnld-others-teacher.png)
  
 2. **Extract files**. Find the .zip file that you downloaded and extract the files. This is usually your **Downloads** folder, unless you chose to save the .zip file to a different location. Right-click the file and choose **Extract all**.
 3. **Save to USB drive**. After you've extracted the files, save the Minecraft: Education Edition folder to a USB drive, or to a network location that you can access from each PC.  
@@ -257,7 +257,7 @@ However, tenant admins can control whether or not teachers automatically sign up
 To prevent educators from automatically signing up for Microsoft Store for Business
 1.  In Microsoft Store for Business, click **Settings**, and then click **Permissions**. 
 
-    ![Permission page for Microsoft Store for Business.](images/minecraft-admin-permissions.png)
+    ![Permission page for Microsoft Store for Business](images/minecraft-admin-permissions.png)
 
 2. Click **Allow educators in my organization to sign up for the Microsoft Store for Business.**
 
@@ -269,7 +269,7 @@ Minecraft: Education Edition adds a new role for teachers: **Basic Purchaser**.
 - Acquire and manage the app
 - Info on Support page (including links to documentation and access to support through customer service)
 
-    ![assign roles to manage Minecraft permissions.](images/minecraft-perms.png)
+    ![assign roles to manage Minecraft permissions](images/minecraft-perms.png)
 
 **To assign Basic Purchaser role**
 
@@ -280,15 +280,15 @@ Minecraft: Education Edition adds a new role for teachers: **Basic Purchaser**.
 
 2. Click **Settings**, and then choose **Permissions**.
 
-    ![Permission page for Microsoft Store for Business.](images/minecraft-admin-permissions.png)
+    ![Permission page for Microsoft Store for Business](images/minecraft-admin-permissions.png)
 
 3. Click **Add people**, type a name, select the correct person, choose the role you want to assign, and click **Save**.
 
-    ![Permission page for Microsoft Store for Business.](images/minecraft-assign-roles.png)
+    ![Permission page for Microsoft Store for Business](images/minecraft-assign-roles.png)
     
     Microsoft Store for Business updates the list of people and permissions. 
     
-    ![Permission page for Microsoft Store for Business.](images/minecraft-assign-roles-2.png)
+    ![Permission page for Microsoft Store for Business](images/minecraft-assign-roles-2.png)
 
 -->
 
diff --git a/education/windows/set-up-school-pcs-azure-ad-join.md b/education/windows/set-up-school-pcs-azure-ad-join.md
index 02198518ca..6d62b6bb55 100644
--- a/education/windows/set-up-school-pcs-azure-ad-join.md
+++ b/education/windows/set-up-school-pcs-azure-ad-join.md
@@ -48,7 +48,7 @@ Active Directory** \> **Devices** \> **Device settings**.
 for Azure AD by selecting **All** or **Selected**. If you choose the latter
 option, select the teachers and IT staff to allow them to connect to Azure AD.  
 
-![Select the users you want to let join devices to Azure AD.](images/suspc-enable-shared-pc-1807.png)  
+![Select the users you want to let join devices to Azure AD](images/suspc-enable-shared-pc-1807.png)  
 
 You can also create an account that holds the exclusive rights to join devices. When a student PC needs to be set up, provide the account credentials to the appropriate teachers or staff.
 
diff --git a/education/windows/set-up-students-pcs-to-join-domain.md b/education/windows/set-up-students-pcs-to-join-domain.md
index 328b2f80a1..22d45b09fc 100644
--- a/education/windows/set-up-students-pcs-to-join-domain.md
+++ b/education/windows/set-up-students-pcs-to-join-domain.md
@@ -43,7 +43,7 @@ Follow the steps in [Provision PCs with common settings for initial deployment (
 
       **Figure 7** - Add the account to use for test-taking
 
-      ![Add the account to use for test-taking.](images/wcd_settings_assignedaccess.png)
+      ![Add the account to use for test-taking](images/wcd_settings_assignedaccess.png)
 
       The account can be in one of the following formats:
       - username
diff --git a/education/windows/set-up-students-pcs-with-apps.md b/education/windows/set-up-students-pcs-with-apps.md
index f0bb65fa78..7d803777e5 100644
--- a/education/windows/set-up-students-pcs-with-apps.md
+++ b/education/windows/set-up-students-pcs-with-apps.md
@@ -35,7 +35,7 @@ You can apply a provisioning package on a USB drive to off-the-shelf devices dur
 2. 
 2. On the **Finish** page, select **Switch to advanced editor**.
 
-  ![Switch to advanced editor.](images/icd-school-adv-edit.png)
+  ![Switch to advanced editor](images/icd-school-adv-edit.png)
 
 **Next steps**
 - [Add a desktop app to your package](#add-a-desktop-app-to-your-package)
@@ -52,7 +52,7 @@ Use the Windows Imaging and Configuration Designer (ICD) tool included in the Wi
 
 2. Click **Advanced provisioning**.
 
-  ![ICD start options.](images/icdstart-option.png)  
+  ![ICD start options](images/icdstart-option.png)  
   
 3. Name your project and click **Next**.
 
@@ -89,17 +89,17 @@ Universal apps that you can distribute in the provisioning package can be line-o
 
 2. For **DeviceContextApp**, specify the **PackageFamilyName** for the app. In Microsoft Store for Business, the package family name is listed in the **Package details** section of the download page.
 
-    ![details for offline app package.](images/uwp-family.png)
+    ![details for offline app package](images/uwp-family.png)
 
 3. For **ApplicationFile**, click **Browse** to find and select the target app (either an \*.appx or \*.appxbundle).
 
 4. For **DependencyAppxFiles**, click **Browse** to find and add any dependencies for the app. In Microsoft Store for Business, any dependencies for the app are listed in the **Required frameworks** section of the download page. 
 
-    ![required frameworks for offline app package.](images/uwp-dependencies.png)
+    ![required frameworks for offline app package](images/uwp-dependencies.png)
 
 5. For **DeviceContextAppLicense**, enter the **LicenseProductID**. In Microsoft Store for Business, you generate the license for the app on the app's download page.
 
-    ![generate license for offline app.](images/uwp-license.png)
+    ![generate license for offline app](images/uwp-license.png)
 
 [Learn more about distributing offline apps from the Microsoft Store for Business.](/microsoft-store/distribute-offline-apps)
 
@@ -168,7 +168,7 @@ If your build is successful, the name of the provisioning package, output direct
 **During initial setup, from a USB drive**
 1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**.
 
-    ![The first screen to set up a new PC.](images/oobe.jpg)
+    ![The first screen to set up a new PC](images/oobe.jpg)
 
 2. Insert the USB drive. Windows Setup will recognize the drive and ask if you want to set up the device. Select **Set up**.
 
@@ -176,11 +176,11 @@ If your build is successful, the name of the provisioning package, output direct
 
 3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**.
 
-    ![Provision this device.](images/prov.jpg)
+    ![Provision this device](images/prov.jpg)
     
 4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**.
 
-    ![Choose a package.](images/choose-package.png)
+    ![Choose a package](images/choose-package.png)
 
 5. Select **Yes, add it**.
 
@@ -188,11 +188,11 @@ If your build is successful, the name of the provisioning package, output direct
     
 6. Read and accept the Microsoft Software License Terms.  
 
-    ![Sign in.](images/license-terms.png)
+    ![Sign in](images/license-terms.png)
     
 7. Select **Use Express settings**.
 
-    ![Get going fast.](images/express-settings.png)
+    ![Get going fast](images/express-settings.png)
 
 8. If the PC doesn't use a volume license, you'll see the **Who owns this PC?** screen. Select **My work or school owns it** and tap **Next**.
 
@@ -200,18 +200,18 @@ If your build is successful, the name of the provisioning package, output direct
 
 9. On the **Choose how you'll connect** screen, select **Join Azure AD** or **Join a domain** and tap **Next**.
 
-    ![Connect to Azure AD.](images/connect-aad.png)
+    ![Connect to Azure AD](images/connect-aad.png)
 
 10. Sign in with  your domain, Azure AD,  or Office 365 account and password. When you see the progress ring, you can remove the USB drive.
 
-    ![Sign in.](images/sign-in-prov.png)
+    ![Sign in](images/sign-in-prov.png)
 
     
 **After setup, from a USB drive, network folder, or SharePoint site**
 
 On a desktop computer, navigate to **Settings** &gt; **Accounts** &gt; **Work access** &gt; **Add or remove a management package** &gt; **Add a package**, and select the package to install. 
 
-![add a package option.](images/package.png)
+![add a package option](images/package.png)
 
 -->
 
diff --git a/education/windows/set-up-windows-10.md b/education/windows/set-up-windows-10.md
index e1acdf9f1d..b401df97ef 100644
--- a/education/windows/set-up-windows-10.md
+++ b/education/windows/set-up-windows-10.md
@@ -27,7 +27,7 @@ Choose the tool that is appropriate for how your students will sign in (Active D
 
 You can use the following diagram to compare the tools.
 
-![Which tool to use to set up Windows 10.](images/suspc_wcd_featureslist.png)
+![Which tool to use to set up Windows 10](images/suspc_wcd_featureslist.png)
 
 
 ## In this section
diff --git a/education/windows/take-a-test-multiple-pcs.md b/education/windows/take-a-test-multiple-pcs.md
index 10e2d2f7e0..3044c770e5 100644
--- a/education/windows/take-a-test-multiple-pcs.md
+++ b/education/windows/take-a-test-multiple-pcs.md
@@ -39,7 +39,7 @@ If you set up Take a Test, this adds a **Take a Test** button on the student PC'
 
 **Figure 1** - Configure Take a Test in the Set up School PCs app
 
-![Configure Take a Test in the Set up School PCs app.](images/suspc_choosesettings_setuptakeatest.png)
+![Configure Take a Test in the Set up School PCs app](images/suspc_choosesettings_setuptakeatest.png)
 
 ### Set up a test account in Intune for Education
 You can set up a test-taking account in Intune for Education. To do this, follow these steps:
@@ -49,7 +49,7 @@ You can set up a test-taking account in Intune for Education. To do this, follow
 
     **Figure 2** - Add a test profile in Intune for Education
 
-    ![Add a test profile in Intune for Education.](images/i4e_takeatestprofile_addnewprofile.png)
+    ![Add a test profile in Intune for Education](images/i4e_takeatestprofile_addnewprofile.png)
 
 3. In the new profile page:
    1. Enter a name for the profile.
@@ -60,7 +60,7 @@ You can set up a test-taking account in Intune for Education. To do this, follow
 
       **Figure 3** - Add information about the test profile
 
-      ![Add information about the test profile.](images/i4e_takeatestprofile_newtestaccount.png)
+      ![Add information about the test profile](images/i4e_takeatestprofile_newtestaccount.png)
 
       After you save the test profile, you will see a summary of the settings that you configured for Take a Test. Next, you'll need to assign the test profile to a group that will be using the test account.
     
@@ -68,13 +68,13 @@ You can set up a test-taking account in Intune for Education. To do this, follow
 
    **Figure 4** - Assign the test account to a group
 
-   ![Assign the test account to a group.](images/i4e_takeatestprofile_accountsummary.png)
+   ![Assign the test account to a group](images/i4e_takeatestprofile_accountsummary.png)
 
 5. In the **Groups** page, click **Change group assignments**.
 
     **Figure 5** - Change group assignments
 
-    ![Change group assignments.](images/i4e_takeatestprofile_groups_changegroupassignments.png)
+    ![Change group assignments](images/i4e_takeatestprofile_groups_changegroupassignments.png)
 
 6. In the **Change group assignments** page:
    1. Select a group from the right column and click **Add Members** to select the group and assign the test-taking account to that group. You can select more than one group. 
@@ -82,7 +82,7 @@ You can set up a test-taking account in Intune for Education. To do this, follow
 
       **Figure 6** - Select the group(s) that will use the test account
 
-      ![Select the groups that will use the test account.](images/i4e_takeatestprofile_groupassignment_selected.png)
+      ![Select the groups that will use the test account](images/i4e_takeatestprofile_groupassignment_selected.png)
 
 And that's it! When the students from the selected group sign in to the student PCs using the Take a Test user name that you selected, the PC will be locked down and Take a Test will open the assessment URL and students can start taking tests.
 
@@ -136,7 +136,7 @@ To set up a test account through Windows Configuration Designer, follow these st
 
       **Figure 7** - Add the account to use for test-taking
 
-      ![Add the account to use for test-taking.](images/wcd_settings_assignedaccess.png)
+      ![Add the account to use for test-taking](images/wcd_settings_assignedaccess.png)
 
       The account can be in one of the following formats:
       - username
diff --git a/education/windows/take-a-test-single-pc.md b/education/windows/take-a-test-single-pc.md
index 9d26301975..1286a5aec8 100644
--- a/education/windows/take-a-test-single-pc.md
+++ b/education/windows/take-a-test-single-pc.md
@@ -30,13 +30,13 @@ To configure the assessment URL and a dedicated testing account on a single PC,
 
    **Figure 1** - Use the Settings app to set up a test-taking account
 
-   ![Use the Settings app to set up a test-taking account.](images/tat_settingsapp_workorschoolaccess_setuptestaccount.png)
+   ![Use the Settings app to set up a test-taking account](images/tat_settingsapp_workorschoolaccess_setuptestaccount.png)
 
 4. In the **Set up an account for taking tests** window, choose an existing account to use as the dedicated testing account.
 
    **Figure 2** - Choose the test-taking account
 
-   ![Choose the test-taking account.](images/tat_settingsapp_setuptesttakingaccount_1703.png) 
+   ![Choose the test-taking account](images/tat_settingsapp_setuptesttakingaccount_1703.png) 
 
     > [!NOTE]  
     > If you don't have an account on the device, you can create a new account. To do this, go to **Settings > Accounts > Other people > Add someone else to this PC > I don’t have this person’s sign-in information > Add a user without a Microsoft account**.
diff --git a/education/windows/take-tests-in-windows-10.md b/education/windows/take-tests-in-windows-10.md
index f9ba6a9479..7e016c22c0 100644
--- a/education/windows/take-tests-in-windows-10.md
+++ b/education/windows/take-tests-in-windows-10.md
@@ -32,7 +32,7 @@ Many schools use online testing for formative and summative assessments. It's cr
 
 ## How to use Take a Test
 
-![Set up and user flow for the Take a Test app.](images/take_a_test_flow_dark.png)
+![Set up and user flow for the Take a Test app](images/take_a_test_flow_dark.png)
 
 There are several ways to configure devices for assessments, depending on your use case:
 
diff --git a/education/windows/teacher-get-minecraft.md b/education/windows/teacher-get-minecraft.md
index 6f0d1d4341..136499ee4c 100644
--- a/education/windows/teacher-get-minecraft.md
+++ b/education/windows/teacher-get-minecraft.md
@@ -65,7 +65,7 @@ After Minecraft: Education Edition licenses have been purchased, either directly
 - You can assign the app to others.  
 - You can download the app to distribute. 
 
-<!-- ![App distribution options.](images/mc-install-for-me-teacher.png) -->
+<!-- ![App distribution options](images/mc-install-for-me-teacher.png) -->
 
 ### Install for me
 You can install the app on your PC. This gives you a chance to work with the app before using it with your students.   
@@ -73,7 +73,7 @@ You can install the app on your PC. This gives you a chance to work with the app
 1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com). 
 2. Click **Manage**, and then click **Install**.
 
-    <!-- ![Minecraft Education Edition product page.](images/mc-install-for-me-teacher.png) -->
+    <!-- ![Minecraft Education Edition product page](images/mc-install-for-me-teacher.png) -->
 
 3. Click **Install**. 
 
@@ -84,13 +84,13 @@ Enter email addresses for your students, and each student will get an email with
 1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com). 
 2. Click **Manage**.
 
-    <!-- ![Minecraft Education Edition product page.](images/mc-install-for-me-teacher.png) -->
+    <!-- ![Minecraft Education Edition product page](images/mc-install-for-me-teacher.png) -->
 
 3. Click **Invite people**.
     
 4. Type the name, or email address of the student or group you want to assign the app to, and then click **Assign**.
 
-   ![Assign to people showing student name.](images/minecraft-assign-to-people-name.png)
+   ![Assign to people showing student name](images/minecraft-assign-to-people-name.png)
    
    You can assign the app to students with work or school accounts. </br>
    If you don't find the student, you can still assign the app to them if self-service sign up is supported for your domain. Students will receive an email with a link to Microsoft 365 admin center where they can create an account, and then install **Minecraft: Education Edition**. Questions about self-service sign up? Check with your admin. 
@@ -100,20 +100,20 @@ Enter email addresses for your students, and each student will get an email with
 
 Students will receive an email with a link that will install the app on their PC.
 
-![Email with Get the app link.](images/minecraft-student-install-email.png)
+![Email with Get the app link](images/minecraft-student-install-email.png)
 
 1. Click **Get the app** to start the app install in Microsoft Store app. 
 2. In Microsoft Store app, click **Install**. 
 
-     ![Microsoft Store app with Minecraft page.](images/minecraft-in-windows-store-app.png)
+     ![Microsoft Store app with Minecraft page](images/minecraft-in-windows-store-app.png)
 
       After installing the app, students can find Minecraft: Education Edition in Microsoft Store app under **My Library**.
 
-    ![Microsoft Store app showing access to My Library.](images/minecraft-private-store.png) 
+    ![Microsoft Store app showing access to My Library](images/minecraft-private-store.png) 
 
       When students click **My Library** they'll find apps assigned to them.
 
-    ![My Library for example student.](images/minecraft-my-library.png)  
+    ![My Library for example student](images/minecraft-my-library.png)  
 
 ### Download for others
 Download for others allows teachers or IT admins to download a packages that they can install on student PCs. This will install Minecraft: Education Edition on the PC, and allows anyone with a Windows account to use the app on that PC. This option is best for students, and for shared computers. Choose this option when:
@@ -132,11 +132,11 @@ Minecraft: Education Edition will not install if there are updates pending for o
 1. Start Microsoft Store app on the PC (click **Start**, and type **Store**).
 2. Click the account button, and then click **Downloads and updates**.
 
-      ![Microsoft Store app showing access to My Library.](images/minecraft-private-store.png)
+      ![Microsoft Store app showing access to My Library](images/minecraft-private-store.png)
       
 3. Click **Check for updates**, and install all available updates. 
 
-      ![Microsoft Store app showing access to My Library.](images/mc-check-for-updates.png)
+      ![Microsoft Store app showing access to My Library](images/mc-check-for-updates.png)
       
 4. Restart the computer before installing Minecraft: Education Edition. 
    
@@ -145,7 +145,7 @@ You'll download a .zip file, extract the files, and then use one of the files to
 
 1. **Download Minecraft Education Edition.zip**. From the **Minecraft: Education Edition** page, click **Download for others** tab, and then click **Download**.
 
-    ![Microsoft Store app showing access to My Library.](images/mc-dnld-others-teacher.png)
+    ![Microsoft Store app showing access to My Library](images/mc-dnld-others-teacher.png)
  
 2. **Extract files**. Find the .zip file that you downloaded and extract the files. This is usually your **Downloads** folder, unless you chose to save the .zip file to a different location. Right-click the file and choose **Extract all**.
 3. **Save to USB drive**. After you've extracted the files, save the Minecraft: Education Edition folder to a USB drive, or to a network location that you can access from each PC.  
diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md
index ca36e12e5a..3f31119391 100644
--- a/education/windows/use-set-up-school-pcs-app.md
+++ b/education/windows/use-set-up-school-pcs-app.md
@@ -103,7 +103,7 @@ We strongly recommend that you avoid changing preset policies. Changes can slow
 
 The **Set up School PCs** app guides you through the configuration choices for the student PCs.  To begin, open the app on your PC and click **Get started**.   
     
-   ![Launch the Set up School PCs app.](images/suspc_getstarted_050817.png)  
+   ![Launch the Set up School PCs app](images/suspc_getstarted_050817.png)  
 
 ### Package name  
 Type a unique name to help distinguish your school's provisioning packages. The name appears:  
diff --git a/smb/cloud-mode-business-setup.md b/smb/cloud-mode-business-setup.md
index 3b6a109ef3..4294d7199e 100644
--- a/smb/cloud-mode-business-setup.md
+++ b/smb/cloud-mode-business-setup.md
@@ -18,7 +18,7 @@ ms.topic: conceptual
 
 # Get started: Deploy and manage a full cloud IT solution for your business
 
-![Learn how to set up a full cloud infrastructure for your business.](images/business-cloud-mode.png)
+![Learn how to set up a full cloud infrastructure for your business](images/business-cloud-mode.png)
 
 **Applies to:**
 
@@ -61,7 +61,7 @@ If this is the first time you're setting this up, and you'd like to see how it's
 
    **Figure 1** - Try or buy Office 365
 
-   ![Office 365 for business sign up.](images/office365_tryorbuy_now.png)
+   ![Office 365 for business sign up](images/office365_tryorbuy_now.png)
 
 2. Fill out the sign up form and provide information about you and your company.
 3. Create a user ID and password to use to sign into your account.
@@ -76,7 +76,7 @@ If this is the first time you're setting this up, and you'd like to see how it's
 
    **Figure 2** - Microsoft 365 admin center
 
-   ![Microsoft 365 admin center.](images/office365_portal.png)
+   ![Microsoft 365 admin center](images/office365_portal.png)
 
 
 6. Select the **Admin** tile to go to the admin center.
@@ -86,7 +86,7 @@ If this is the first time you're setting this up, and you'd like to see how it's
   
    **Figure 3** - Admin center
 
-   ![Microsoft 365 admin center.](images/office365_admin_portal.png)
+   ![Microsoft 365 admin center](images/office365_admin_portal.png)
 
 
 8. Go back to the <a href="https://portal.office.com/adminportal/home#/homepage" target="_blank">admin center</a> to add or buy a domain.
@@ -94,14 +94,14 @@ If this is the first time you're setting this up, and you'd like to see how it's
 
       **Figure 4** - Option to add or buy a domain
 
-      ![Add or buy a domain in admin center.](images/office365_buy_domain.png)
+      ![Add or buy a domain in admin center](images/office365_buy_domain.png)
     
 
    2. In the **Home > Domains** page, you will see the Microsoft-provided domain, such as *fabrikamdesign.onmicrosoft.com*.
 
       **Figure 5** - Microsoft-provided domain
 
-      ![Microsoft-provided domain.](images/office365_ms_provided_domain.png)
+      ![Microsoft-provided domain](images/office365_ms_provided_domain.png)
 
       - If you already have a domain, select **+ Add domain** to add your existing domain. If you select this option, you'll be required to verify that you own the domain. Follow the steps in the wizard to verify your domain.
       - If you don't already own a domain, select **+ Buy domain**. If you're using a trial plan, you'll be required to upgrade your trial plan in order to buy a domain. Choose the subscription plan to use for your business and provide the details to complete your order.
@@ -110,7 +110,7 @@ If this is the first time you're setting this up, and you'd like to see how it's
 
       **Figure 6** - Domains
 
-      ![Verify your domains in the admin center.](images/office365_additional_domain.png)
+      ![Verify your domains in the admin center](images/office365_additional_domain.png)
 
 ### 1.2 Add users and assign product licenses
 Once you've set up Office and added your domain, it's time to add users so they have access to Office 365. People in your organization need an account before they can sign in and access Office 365. The easiest way to add users is to add them one at a time in the Microsoft 365 admin center.
@@ -123,7 +123,7 @@ When adding users, you can also assign admin privileges to certain users in your
 
    **Figure 7** - Add users
 
-   ![Add Office 365 users.](images/office365_users.png)
+   ![Add Office 365 users](images/office365_users.png)
 
 2. In the **Home > Active users** page, add users individually or in bulk.
    - To add users one at a time, select **+ Add a user**.
@@ -132,7 +132,7 @@ When adding users, you can also assign admin privileges to certain users in your
 
      **Figure 8** - Add an individual user
 
-     ![Add an individual user.](images/office365_add_individual_user.png)
+     ![Add an individual user](images/office365_add_individual_user.png)
 
    - To add multiple users at once, select **More** and then choose **+ Import multiple users**. If you select this option, you'll need to create and upload a CSV file containing the list of users.
 
@@ -140,13 +140,13 @@ When adding users, you can also assign admin privileges to certain users in your
 
      **Figure 9** - Import multiple users
 
-     ![Import multiple users.](images/office365_import_multiple_users.png)
+     ![Import multiple users](images/office365_import_multiple_users.png)
 
 3. Verify that all the users you added appear in the list of **Active users**. The **Status** should indicate the product licenses that were assigned to them.
 
    **Figure 10** - List of active users
 
-   ![Verify users and assigned product licenses.](images/o365_active_users.png)
+   ![Verify users and assigned product licenses](images/o365_active_users.png)
 
 ### 1.3 Add Microsoft Intune
 Microsoft Intune provides mobile device management, app management, and PC management capabilities from the cloud. Using Intune, organizations can provide their employees with access to apps, data, and corporate resources from anywhere on almost any device while helping to keep corporate information secure. To learn more, see <a href="/intune/understand-explore/introduction-to-microsoft-intune" target="_blank">What is Intune?</a>
@@ -160,14 +160,14 @@ Microsoft Intune provides mobile device management, app management, and PC manag
 
    **Figure 11** - Assign Intune licenses
 
-   ![Assign Microsoft Intune licenses to users.](images/o365_assign_intune_license.png)
+   ![Assign Microsoft Intune licenses to users](images/o365_assign_intune_license.png)
 
 5. In the admin center, confirm that **Intune** shows up in the list under **Admin centers**. If it doesn't, sign out and then sign back in and then check again.
 6. Select **Intune**. This will take you to the Intune management portal.
 
    **Figure 12** - Microsoft Intune management portal
 
-   ![Microsoft Intune management portal.](images/intune_portal_home.png)
+   ![Microsoft Intune management portal](images/intune_portal_home.png)
 
 Intune should now be added to your tenant. We'll come back to Intune later when we [Configure Microsoft Store for Business for app distribution](#17-configure-microsoft-store-for-business-for-app-distribution).
 
@@ -185,21 +185,21 @@ Microsoft Azure is an open and flexible cloud platform that enables you to quick
 
    **Figure 13** - Access to Azure AD is not available
 
-   ![Access to Azure AD not available.](images/azure_ad_access_not_available.png)
+   ![Access to Azure AD not available](images/azure_ad_access_not_available.png)
 
 3. From the error message, select the country/region for your business. This should match with the location you specified when you signed up for Office 365.
 4. Click **Azure subscription**. This will take you to a free trial sign up screen.
 
    **Figure 14** - Sign up for Microsoft Azure
 
-   ![Sign up for Microsoft Azure.](images/azure_ad_sign_up_screen.png)
+   ![Sign up for Microsoft Azure](images/azure_ad_sign_up_screen.png)
 
 5. In the **Free trial sign up** screen, fill in the required information and then click **Sign up**.
 6. After you sign up, you should see the message that your subscription is ready. Click **Start managing my service**.
 
    **Figure 15** - Start managing your Azure subscription
 
-   ![Start managing your Azure subscription.](images/azure_ad_successful_signup.png)
+   ![Start managing your Azure subscription](images/azure_ad_successful_signup.png)
 
    This will take you to the <a href="https://portal.azure.com" target="_blank">Microsoft Azure portal</a>.
 
@@ -216,26 +216,26 @@ To add Azure AD group(s), we will use the <a href="https://manage.windowsazure.c
 
    **Figure 16** - Azure first sign-in screen
 
-   ![Select Azure AD.](images/azure_portal_classic_configure_directory.png)
+   ![Select Azure AD](images/azure_portal_classic_configure_directory.png)
 
 2. Select the directory (such as Fabrikam Design) to go to the directory's home page.
 
    **Figure 17** - Directory home page
 
-   ![Directory home page.](images/azure_portal_classic_directory_ready.png)
+   ![Directory home page](images/azure_portal_classic_directory_ready.png)
 
 3. From the menu options on top, select **Groups**.
 
    **Figure 18** - Azure AD groups
 
-   ![Add groups in Azure AD.](images/azure_portal_classic_groups.png)
+   ![Add groups in Azure AD](images/azure_portal_classic_groups.png)
 
 4. Select **Add a group** (from the top) or **Add group** at the bottom.
 5. In the **Add Group** window, add a name, group type, and description for the group and click the checkmark to save your changes. The new group will appear on the groups list.
 
    **Figure 19** - Newly added group in Azure AD
 
-   ![Verify the new group appears on the list.](images/azure_portal_classic_all_users_group.png)
+   ![Verify the new group appears on the list](images/azure_portal_classic_all_users_group.png)
 
 6. In the **Groups** tab, select the arrow next to the group (such as **All users**), add members to the group, and then save your changes.
 
@@ -243,7 +243,7 @@ To add Azure AD group(s), we will use the <a href="https://manage.windowsazure.c
 
    **Figure 20** - Members in the new group
 
-   ![Members added to the new group.](images/azure_portal_classic_members_added.png)
+   ![Members added to the new group](images/azure_portal_classic_members_added.png)
 
 7. Repeat steps 2-6 to add other groups. You can add groups based on their roles in your company, based on the apps that each group can use, and so on.
 
@@ -263,14 +263,14 @@ You can read <a href="https://blogs.technet.microsoft.com/enterprisemobility/201
 
    **Figure 21** - List of applications for your company
 
-   ![List of applications for your company.](images/azure_portal_classic_applications.png)
+   ![List of applications for your company](images/azure_portal_classic_applications.png)
 
 2. Select **Microsoft Intune** to configure the application.
 3. In the Microsoft Intune configuration page, click **Configure** to start automatic MDM enrollment configuration with Intune.
 
    **Figure 22** - Configure Microsoft Intune in Azure
 
-   ![Configure Microsoft Intune in Azure.](images/azure_portal_classic_configure_intune_app.png)
+   ![Configure Microsoft Intune in Azure](images/azure_portal_classic_configure_intune_app.png)
 
 4. In the Microsoft Intune configuration page:
    - In the **Properties** section, you should see a list of URLs for MDM discovery, MDM terms of use, and MDM compliance.
@@ -289,7 +289,7 @@ You can read <a href="https://blogs.technet.microsoft.com/enterprisemobility/201
 
    **Figure 23** - Configure Microsoft Intune
 
-   ![Configure automatic MDM enrollment with Intune.](images/azure_portal_classic_configure_intune_mdm_enrollment.png)
+   ![Configure automatic MDM enrollment with Intune](images/azure_portal_classic_configure_intune_mdm_enrollment.png)
 
 ### 1.7 Configure Microsoft Store for Business for app distribution
 Next, you'll need to configure Microsoft Store for Business to distribute apps with a management tool such as Intune.
@@ -303,7 +303,7 @@ In this part of the walkthrough, we'll be working on the <a href="https://manage
 
    **Figure 24** - Mobile device management
 
-   ![Set up mobile device management in Intune.](images/intune_admin_mdm_configure.png)
+   ![Set up mobile device management in Intune](images/intune_admin_mdm_configure.png)
 
 3. Sign into <a href="https://businessstore.microsoft.com/en-us/Store/Apps" target="_blank">Microsoft Store for Business</a> using the same tenant account that you used to sign into Intune.
 4. Accept the EULA.
@@ -312,20 +312,20 @@ In this part of the walkthrough, we'll be working on the <a href="https://manage
 
    **Figure 25** - Activate Intune as the Store management tool
 
-   ![Activate Intune from the Store portal.](images/wsfb_management_tools_activate.png)
+   ![Activate Intune from the Store portal](images/wsfb_management_tools_activate.png)
 
 7. Go back to the <a href="https://manage.microsoft.com/" target="_blank">Intune management portal</a>, select **Admin > Mobile Device Management**, expand **Windows**, and then choose **Store for Business**.
 8. In the **Microsoft Store for Business** page, select **Configure Sync** to sync your Store for Business volume-purchased apps with Intune.
 
    **Figure 26** - Configure Store for Business sync in Intune
 
-   ![Configure Store for Business sync in Intune.](images/intune_admin_mdm_store_sync.png)
+   ![Configure Store for Business sync in Intune](images/intune_admin_mdm_store_sync.png)
 
 9. In the **Configure Microsoft Store for Business app sync** dialog box, check **Enable Microsoft Store for Business sync**. In the **Language** dropdown list, choose the language in which you want apps from the Store to be displayed in the Intune console and then click **OK**.
 
    **Figure 27** - Enable Microsoft Store for Business sync in Intune
 
-   ![Enable Store for Business sync in Intune.](images/intune_configure_store_app_sync_dialog.png)
+   ![Enable Store for Business sync in Intune](images/intune_configure_store_app_sync_dialog.png)
 
    The **Microsoft Store for Business** page will refresh and it will show the details from the sync.
 
@@ -348,7 +348,7 @@ In the following example, we'll show you how to buy apps through the Microsoft S
 
    **Figure 28** - Shop for Store apps
 
-   ![Shop for Store apps.](images/wsfb_shop_microsoft_apps.png)
+   ![Shop for Store apps](images/wsfb_shop_microsoft_apps.png)
 
 2. Click to select an app, such as **Reader**. This opens the app page.
 3. In the app's Store page, click **Get the app**. You should see a dialog that confirms your order. Click **Close**. This will refresh the app's Store page.
@@ -358,7 +358,7 @@ In the following example, we'll show you how to buy apps through the Microsoft S
 
    **Figure 29** - App inventory shows the purchased apps
 
-   ![Confirm that your inventory shows purchased apps.](images/wsfb_manage_inventory_newapps.png)
+   ![Confirm that your inventory shows purchased apps](images/wsfb_manage_inventory_newapps.png)
 
    > [!NOTE]
    > Sync happens automatically, but it may take up to 24 hours for your organization's private store and 12 hours for Intune to sync all your purchased apps. You can force a sync to make this process happen faster. For more info, see [To sync recently purchased apps](#forceappsync).
@@ -372,7 +372,7 @@ If you need to sync your most recently purchased apps and have it appear in your
 
    **Figure 30** - Force a sync in Intune
 
-   ![Force a sync in Intune.](images/intune_admin_mdm_forcesync.png)
+   ![Force a sync in Intune](images/intune_admin_mdm_forcesync.png)
 
 **To view purchased apps**
 - In the <a href="https://manage.microsoft.com/" target="_blank">Intune management portal</a>, select **Apps > Apps** and then choose **Volume-Purchased Apps** to see the list of available apps. Verify that the apps you purchased were imported correctly.
@@ -393,7 +393,7 @@ To set up new Windows devices, go through the Windows initial device setup or fi
 
    **Figure 31** - First screen in Windows device setup
 
-   ![First screen in Windows device setup.](images/win10_hithere.png)
+   ![First screen in Windows device setup](images/win10_hithere.png)
 
    > [!NOTE]  
    > During setup, if you don't have a Wi-Fi network configured, make sure you connect the device to the Internet through a wired/Ethernet connection.
@@ -403,13 +403,13 @@ To set up new Windows devices, go through the Windows initial device setup or fi
 
    **Figure 32** - Choose how you'll connect your Windows device
 
-   ![Choose how you'll connect the Windows device.](images/win10_choosehowtoconnect.png)
+   ![Choose how you'll connect the Windows device](images/win10_choosehowtoconnect.png)
 
 4. In the **Let's get you signed in** screen, sign in using one of the user accounts you added in section [1.2 Add users and assign product licenses](#12-add-users-and-assign-product-licenses). We suggest signing in as one of the global administrators. Later, sign in on another device using one of the non-admin accounts.
 
    **Figure 33** - Sign in using one of the accounts you added
 
-   ![Sign in using one of the accounts you added.](images/win10_signin_admin_account.png)
+   ![Sign in using one of the accounts you added](images/win10_signin_admin_account.png)
 
 5. If this is the first time you're signing in, you will be asked to update your password. Update the password and continue with sign-in and setup.
 
@@ -430,7 +430,7 @@ In the <a href="https://manage.microsoft.com/" target="_blank">Intune management
 
    **Figure 34** - Check the PC name on your device
 
-   ![Check the PC name on your device.](images/win10_settings_pcname.png)
+   ![Check the PC name on your device](images/win10_settings_pcname.png)
   
 2. Log in to the <a href="https://manage.microsoft.com/" target="_blank">Intune management portal</a>.
 3. Select **Groups** and then go to **Devices**.
@@ -441,7 +441,7 @@ In the <a href="https://manage.microsoft.com/" target="_blank">Intune management
 
    **Figure 35** - Check that the device appears in Intune
 
-   ![Check that the device appears in Intune.](images/intune_groups_devices_list.png)
+   ![Check that the device appears in Intune](images/intune_groups_devices_list.png)
 
 ## 3. Manage device settings and features
 You can use Microsoft Intune admin settings and policies to manage features on your organization's mobile devices and computers. For more info, see [Manage settings and features on your devices with Microsoft Intune policies](/intune/deploy-use/manage-settings-and-features-on-your-devices-with-microsoft-intune-policies).
@@ -460,7 +460,7 @@ In some cases, if an app is missing from the device, you need to reconfigure the
 
    **Figure 36** - Reconfigure an app's deployment setting in Intune
 
-   ![Reconfigure app deployment settings in Intune.](images/intune_apps_deploymentaction.png)
+   ![Reconfigure app deployment settings in Intune](images/intune_apps_deploymentaction.png)
 
 6. Click **Finish**.
 7. Repeat steps 2-6 for other apps that you want to deploy to the device(s) as soon as possible.
@@ -470,7 +470,7 @@ In some cases, if an app is missing from the device, you need to reconfigure the
 
      **Figure 37** - Confirm that additional apps were deployed to the device
 
-     ![Confirm that additional apps were deployed to the device.](images/win10_deploy_apps_immediately.png)
+     ![Confirm that additional apps were deployed to the device](images/win10_deploy_apps_immediately.png)
 
 ### 3.2 Configure other settings in Intune
 
@@ -486,7 +486,7 @@ In some cases, if an app is missing from the device, you need to reconfigure the
 
    **Figure 38** - Add a configuration policy
 
-   ![Add a configuration policy.](images/intune_policy_disablecamera.png)
+   ![Add a configuration policy](images/intune_policy_disablecamera.png)
 
 7. Click **Save Policy**. A confirmation window will pop up.
 8. On the **Deploy Policy** confirmation window, select **Yes** to deploy the policy now.
@@ -495,7 +495,7 @@ In some cases, if an app is missing from the device, you need to reconfigure the
 
     **Figure 39** - The new policy should appear in the **Policies** list.
 
-    ![New policy appears on the list.](images/intune_policies_newpolicy_deployed.png)
+    ![New policy appears on the list](images/intune_policies_newpolicy_deployed.png)
 
 **To turn off Windows Hello and PINs during device setup**
 1. In the <a href="https://manage.microsoft.com/" target="_blank">Intune management portal</a>, select **Admin**.
@@ -504,7 +504,7 @@ In some cases, if an app is missing from the device, you need to reconfigure the
 
    **Figure 40** - Policy to disable Windows Hello for Business
 
-   ![Disable Windows Hello for Business.](images/intune_policy_disable_windowshello.png)
+   ![Disable Windows Hello for Business](images/intune_policy_disable_windowshello.png)
 
 4. Click **Save**.
 
@@ -531,32 +531,32 @@ For other devices, such as those personally-owned by employees who need to conne
 
    **Figure 41** - Add an Azure AD account to the device
 
-   ![Add an Azure AD account to the device.](images/win10_add_new_user_join_aad.png)
+   ![Add an Azure AD account to the device](images/win10_add_new_user_join_aad.png)
 
 4. In the **Let's get you signed in** window, enter the work credentials for the account and then click **Sign in** to authenticate the user.
 
    **Figure 42** - Enter the account details
 
-   ![Enter the account details.](images/win10_add_new_user_account_aadwork.png)
+   ![Enter the account details](images/win10_add_new_user_account_aadwork.png)
 
 5. You will be asked to update the password so enter a new password.
 6. Verify the details to make sure you're connecting to the right organization and then click **Join**.
 
    **Figure 43** - Make sure this is your organization
 
-   ![Make sure this is your organization.](images/win10_confirm_organization_details.png)
+   ![Make sure this is your organization](images/win10_confirm_organization_details.png)
 
 7. You will see a confirmation window that says the device is now connected to your organization. Click **Done**.
 
    **Figure 44** - Confirmation that the device is now connected
 
-   ![Confirmation that the device is now connected.](images/win10_confirm_device_connected_to_org.png)
+   ![Confirmation that the device is now connected](images/win10_confirm_device_connected_to_org.png)
 
 8. The **Connect to work or school** window will refresh and will now include an entry that shows you're connected to your organization's Azure AD. This means the device is now registered in Azure AD and enrolled in MDM and the account should have access to the organization's resources.
 
    **Figure 45** - Device is now enrolled in Azure AD
 
-   ![Device is enrolled in Azure AD.](images/win10_device_enrolled_in_aad.png)
+   ![Device is enrolled in Azure AD](images/win10_device_enrolled_in_aad.png)
 
 9. You can confirm that the new device and user are showing up as Intune-managed by going to the <a href="https://manage.microsoft.com/" target="_blank">Intune management portal</a> and following the steps in [2.3 Verify the device is Azure AD joined](#23-verify-the-device-is-azure-ad-joined). It may take several minutes before the new device shows up so check again later.
 
diff --git a/smb/index.md b/smb/index.md
index a6ae7f1200..cc4c596a1c 100644
--- a/smb/index.md
+++ b/smb/index.md
@@ -17,16 +17,16 @@ audience: itpro
 
 # Windows 10 for SMB
 
-![Windows 10 for SMB.](images/smb_portal_banner.png)
+![Windows 10 for SMB](images/smb_portal_banner.png)
 
-## ![Learn more about Windows and other resources for SMBs.](images/learn.png) Learn
+## ![Learn more about Windows and other resources for SMBs](images/learn.png) Learn
 
 <p><b><a href="https://business.microsoft.com/en-us/products/windows" target="_blank">Windows 10 for business</a></b><br />Learn how Windows 10 and Windows devices can help your business.</p>
 <p><b><a href="https://blogs.business.microsoft.com/" target="_blank">SMB blog</a></b><br />Read about the latest stories, technology insights, and business strategies for SMBs.</p>
 <p><b><a href="https://business.microsoft.com/en-us/products" target="_blank">How to buy</a></b><br />Go here when you&#39;re ready to buy or want to learn more about Microsoft products you can use to help transform your business.</p>
 
 
-## ![Deploy a Microsoft solution for your business.](images/deploy.png) Deploy
+## ![Deploy a Microsoft solution for your business](images/deploy.png) Deploy
 
 <p><b><a href="cloud-mode-business-setup.md" data-raw-source="[Get started: Deploy and manage a full cloud IT solution for your business](cloud-mode-business-setup.md)">Get started: Deploy and manage a full cloud IT solution for your business</a></b><br />Find out how easy it is to deploy and manage a full cloud IT solution for your small to midsize business using Microsoft cloud services and tools.</p>
 
diff --git a/store-for-business/acquire-apps-microsoft-store-for-business.md b/store-for-business/acquire-apps-microsoft-store-for-business.md
index 882b7e57ba..73c2ce1f3d 100644
--- a/store-for-business/acquire-apps-microsoft-store-for-business.md
+++ b/store-for-business/acquire-apps-microsoft-store-for-business.md
@@ -55,7 +55,7 @@ There are a couple of things we need to know when you pay for apps. You can add
 2. Select **Manage**, and then select **Settings**. 
 3. On **Shop**, , under **Shopping behavior**, turn on or turn off **Allow users to shop**.
 
-![manage settings to control Basic Purchaser role assignment.](images/sfb-allow-shop-setting.png)
+![manage settings to control Basic Purchaser role assignment](images/sfb-allow-shop-setting.png)
 
 ## Allow app requests
 
diff --git a/store-for-business/billing-understand-your-invoice-msfb.md b/store-for-business/billing-understand-your-invoice-msfb.md
index bee1e82435..26bb2598f8 100644
--- a/store-for-business/billing-understand-your-invoice-msfb.md
+++ b/store-for-business/billing-understand-your-invoice-msfb.md
@@ -51,7 +51,7 @@ invoice and descriptions for each term.
 
 The **Invoice Summary** is on the top of the first page and shows information about your billing profile and how you pay.
 
-![Invoice summary section.](images/invoicesummary.png)
+![Invoice summary section](images/invoicesummary.png)
 
 
 | Term | Description |
@@ -68,7 +68,7 @@ The **Invoice Summary** is on the top of the first page and shows information ab
 The **Billing Summary**  shows the charges against the billing profile since the previous billing period, any credits that were applied, tax, and the total amount due.
 
 
-![Billing summary section.](images/billingsummary.png)
+![Billing summary section](images/billingsummary.png)
 
 | Term | Description |
 | --- | --- |
@@ -91,7 +91,7 @@ The total amount due for each service family is calculated by subtracting Azure
 
 `Total = Charges/Credits - Azure Credit + Tax`
 
-![Details by invoice section.](images/invoicesectiondetails.png)
+![Details by invoice section](images/invoicesectiondetails.png)
 
 | Term |Description |
 | --- | --- |
diff --git a/store-for-business/microsoft-store-for-business-education-powershell-module.md b/store-for-business/microsoft-store-for-business-education-powershell-module.md
index 3bdd7d61bc..bb29be21a9 100644
--- a/store-for-business/microsoft-store-for-business-education-powershell-module.md
+++ b/store-for-business/microsoft-store-for-business-education-powershell-module.md
@@ -91,7 +91,7 @@ Get-MSStoreInventory
 >1. Sign in to [Microsoft Store for Business](https://go.microsoft.com/fwlink/p/?LinkId=691845) or [Microsoft Store for Education](https://businessstore.microsoft.com/).
 >2. Click **Manage** and then choose **Apps & software**.
 >3. Click the line-of-business app. The URL of the page will contain the product ID and SKU as part of the URL. For example:
->![Url after apps/ is product id and next is SKU.](images/lob-sku.png)
+>![Url after apps/ is product id and next is SKU](images/lob-sku.png)
 
 ## View people assigned to a product
 Most items in **Products and Services** in **Microsoft Store for Business and Education** need to be assigned to people in your org. You can view the people in your org assigned to a specific product by using these commands:
diff --git a/store-for-business/troubleshoot-microsoft-store-for-business.md b/store-for-business/troubleshoot-microsoft-store-for-business.md
index 0a66d2a739..784e422a8a 100644
--- a/store-for-business/troubleshoot-microsoft-store-for-business.md
+++ b/store-for-business/troubleshoot-microsoft-store-for-business.md
@@ -36,23 +36,23 @@ The private store for your organization is a page in Microsoft Store app that co
 
 1.  Click the people icon in Microsoft Store app, and click **Sign in**.
 
-    ![Sign in to Store app with a different account.](images/wsfb-wsappsignin.png)
+    ![Sign in to Store app with a different account](images/wsfb-wsappsignin.png)
 
 2.  Click **Add account**, and then click **Work or school account**.
 
-    ![Choose an account to use.](images/wsfb-wsappaddacct.png)
+    ![Choose an account to use](images/wsfb-wsappaddacct.png)
 
 3.  Type the email account and password, and click **Sign in**.
 
-    ![Sign in for work or school account.](images/wsfb-wsappworkacct.png)
+    ![Sign in for work or school account](images/wsfb-wsappworkacct.png)
 
 4.  You should see the private store for your organization. In our example, the page is named **Contoso publishing**.
 
-    ![Private store with name highlighted.](images/wsfb-wsappprivatestore.png)
+    ![Private store with name highlighted](images/wsfb-wsappprivatestore.png)
 
     Click the private store to see apps in your private store.
 
-    ![Private store for Contoso publishing.](images/wsfb-privatestoreapps.png)
+    ![Private store for Contoso publishing](images/wsfb-privatestoreapps.png)
 
 ## Troubleshooting Microsoft Store for Business integration with Microsoft Endpoint Configuration Manager
 
diff --git a/store-for-business/whats-new-microsoft-store-business-education.md b/store-for-business/whats-new-microsoft-store-business-education.md
index 4b0cd1e47d..66f34fdabe 100644
--- a/store-for-business/whats-new-microsoft-store-business-education.md
+++ b/store-for-business/whats-new-microsoft-store-business-education.md
@@ -26,7 +26,7 @@ Microsoft Store for Business and Education regularly releases new and improved f
 
 :::row:::
    :::column span="1":::
-   ![Security groups.](images/security-groups-icon.png)
+   ![Security groups](images/security-groups-icon.png)
    :::column-end:::
    :::column span="1":::
    **Use security groups with Private store apps**<br /><br /> On the details page for apps in your private store, you can set **Private store availability**. This allows you to choose which security groups can see an app in the private store. <br /><br />[Get more info](./app-inventory-management-microsoft-store-for-business.md#private-store-availability)<br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education
@@ -38,7 +38,7 @@ Microsoft Store for Business and Education regularly releases new and improved f
 We’ve been working on bug fixes and performance improvements to provide you a better experience. Stay tuned for new features!
 |  |  |
 |-----------------------|---------------------------------|
-| ![Private store performance icon.](images/perf-improvement-icon.png) |**Performance improvements in private store**<br /><br /> We've made it significantly faster for you to update the private store. Many changes to the private store are available immediately after you make them. <br /><br />[Get more info](./manage-private-store-settings.md#private-store-performance)<br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
+| ![Private store performance icon](images/perf-improvement-icon.png) |**Performance improvements in private store**<br /><br /> We've made it significantly faster for you to update the private store. Many changes to the private store are available immediately after you make them. <br /><br />[Get more info](./manage-private-store-settings.md#private-store-performance)<br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
 | <iframe width="288" height="232" src="https://www.youtube-nocookie.com/embed/IpLIZU_j7Z0" frameborder="0" allowfullscreen></iframe>| **Manage Windows device deployment with Windows Autopilot Deployment** <br /><br /> In Microsoft Store for Business, you can manage devices for your organization and apply an Autopilot deployment profile to your devices. When people in your organization run the out-of-box experience on the device, the profile configures Windows, based on the Autopilot deployment profile you applied to the device.<br /><br />[Get more info](add-profile-to-devices.md)<br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education  |
 | ![Microsoft Store for Business Settings page, Distribute tab showing app requests setting.](images/msfb-wn-1709-app-request.png) |**Request an app**<br /><br />People in your organization can request additional licenses for apps in your private store, and then Admins or Purchasers can make the purchases. <br /><br />[Get more info](./acquire-apps-microsoft-store-for-business.md#request-apps)<br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
 ||  ![Image showing Add a Collection.](images/msfb-add-collection.png) |**Private store collections**<br /><br> You can groups of apps in your private store with **Collections**. This can help you organize apps and help people find apps for their job or classroom. <br /><br />[Get more info](https://review.docs.microsoft.com/microsoft-store/manage-private-store-settings?branch=msfb-14856406#add-a-collection)<br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
diff --git a/store-for-business/working-with-line-of-business-apps.md b/store-for-business/working-with-line-of-business-apps.md
index 8efc8effad..2150c9e7c3 100644
--- a/store-for-business/working-with-line-of-business-apps.md
+++ b/store-for-business/working-with-line-of-business-apps.md
@@ -46,7 +46,7 @@ You'll need to set up:
 -   LOB publishers need to have an app in Microsoft Store, or have an app ready to submit to the Store.
 
 The process and timing look like this:
-![Process showing LOB workflow in Microsoft Store for Business. Includes workflow for MSFB admin, LOB publisher, and Developer.](images/lob-workflow.png)
+![Process showing LOB workflow in Microsoft Store for Business. Includes workflow for MSFB admin, LOB publisher, and Developer](images/lob-workflow.png)
 
 ## <a href="" id="add-lob-publisher"></a>Add an LOB publisher (Admin)
 Admins need to invite developer or ISVs to become an LOB publisher.
diff --git a/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md b/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md
index 130ad633ee..b0bdee5283 100644
--- a/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md
+++ b/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md
@@ -423,7 +423,7 @@ The process then configures the client for package or connection group additions
 
 This completes an App-V package add for the publishing refresh process. The next step is publishing the package to a specific target (machine or user).
 
-![Package add file and registry data.](images/packageaddfileandregistrydata.png)
+![Package add file and registry data](images/packageaddfileandregistrydata.png)
 
 **Package add file and registry data**
 
@@ -454,7 +454,7 @@ During the Publishing Refresh operation, the specific publishing operation, **Pu
 
 Publishing an App-V Package that is part of a Connection Group is very similar to the above process. For connection groups, the path that stores the specific catalog information includes PackageGroups as a child of the Catalog Directory. Review the Machine and User Catalog information in the preceding sections for details.
 
-![package add file and registry data - global.](images/packageaddfileandregistrydata-global.png)
+![package add file and registry data - global](images/packageaddfileandregistrydata-global.png)
 
 **Package add file and registry data—global**
 
@@ -481,7 +481,7 @@ After the Publishing Refresh process, the user launches and then relaunches an A
 
 7. The Application launches. For any missing files in the package store (sparse files), App-V will stream fault the files on an as-needed basis.
 
-    ![package add file and registry data - stream.](images/packageaddfileandregistrydata-stream.png)
+    ![package add file and registry data - stream](images/packageaddfileandregistrydata-stream.png)
 
     **Package add file and registry data—stream**
 
diff --git a/windows/application-management/app-v/appv-deployment-checklist.md b/windows/application-management/app-v/appv-deployment-checklist.md
index 4183212c31..501a6eae9f 100644
--- a/windows/application-management/app-v/appv-deployment-checklist.md
+++ b/windows/application-management/app-v/appv-deployment-checklist.md
@@ -20,9 +20,9 @@ This checklist outlines the recommended steps and items to consider when deployi
 
 |Status|Task|References|Notes|
 |---|---|---|---|
-|![Checklist box.](../app-v/images/checklistbox.gif)|Prepare the computing environment for App-V deployment during your planning phase.|[App-V planning checklist](appv-planning-checklist.md)||
-|![Checklist box.](../app-v/images/checklistbox.gif)|Review App-V's supported configurations.|[App-V supported configurations](appv-supported-configurations.md)||
-|![Checklist box.](../app-v/images/checklistbox.gif)|Run App-V Setup to deploy the required App-V features for your environment.|[How to install the sequencer](appv-install-the-sequencer.md)<br>[Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md)<br>[How to deploy the App-V server](appv-deploy-the-appv-server.md)||
+|![Checklist box](../app-v/images/checklistbox.gif)|Prepare the computing environment for App-V deployment during your planning phase.|[App-V planning checklist](appv-planning-checklist.md)||
+|![Checklist box](../app-v/images/checklistbox.gif)|Review App-V's supported configurations.|[App-V supported configurations](appv-supported-configurations.md)||
+|![Checklist box](../app-v/images/checklistbox.gif)|Run App-V Setup to deploy the required App-V features for your environment.|[How to install the sequencer](appv-install-the-sequencer.md)<br>[Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md)<br>[How to deploy the App-V server](appv-deploy-the-appv-server.md)||
 
 >[!NOTE]
 >Keep track of server names and associated URLs you create during installation. You'll need this information throughout the installation process.
diff --git a/windows/application-management/app-v/appv-install-the-sequencer.md b/windows/application-management/app-v/appv-install-the-sequencer.md
index 9bde5d0531..e8785b3d7f 100644
--- a/windows/application-management/app-v/appv-install-the-sequencer.md
+++ b/windows/application-management/app-v/appv-install-the-sequencer.md
@@ -28,7 +28,7 @@ The App-V Sequencer is included in the Windows 10 Assessment and Deployment Kit
 1. Go to [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit).
 2. Select the **Get Windows ADK for Windows 10** button on the page to start the ADK installer. Make sure that **Microsoft Application Virtualization (App-V) Sequencer** is selected during the installation.
 
-    ![Selecting APP-V features in ADK.](images/app-v-in-adk.png)
+    ![Selecting APP-V features in ADK](images/app-v-in-adk.png)
 3. To open the Sequencer, go to the **Start** menu and select **Microsoft Application Virtualization (App-V) Sequencer**.
 
 See [Creating and managing virtual applications](appv-creating-and-managing-virtualized-applications.md) and the [Application Virtualization Sequencing Guide](https://download.microsoft.com/download/F/7/8/F784A197-73BE-48FF-83DA-4102C05A6D44/App-V%205.0%20Sequencing%20Guide.docx) for information about creating virtual applications with the Sequencer.
diff --git a/windows/application-management/app-v/appv-planning-checklist.md b/windows/application-management/app-v/appv-planning-checklist.md
index 50887ca724..e838f04c45 100644
--- a/windows/application-management/app-v/appv-planning-checklist.md
+++ b/windows/application-management/app-v/appv-planning-checklist.md
@@ -23,12 +23,12 @@ This checklist can be used to help you plan for preparing your organization for
 
 |Status|Task|References|Notes|
 |---|---|---|---|
-|![Checklist box.](../app-v/images/checklistbox.gif)|Review the getting started information about App-V to gain a basic understanding of the product before beginning deployment planning.|[Getting started with App-V](appv-getting-started.md)||
-|![Checklist box.](../app-v/images/checklistbox.gif)|Plan for App-V deployment prerequisites and prepare your computing environment.|[App-V prerequisites](appv-prerequisites.md)||
-|![Checklist box.](../app-v/images/checklistbox.gif)|If you plan to use the App-V management server, plan for the required roles.|[Planning for the App-V server deployment](appv-planning-for-appv-server-deployment.md)||
-|![Checklist box.](../app-v/images/checklistbox.gif)|Plan for the App-V sequencer and client to create and run virtualized applications.|[Planning for the App-V Sequencer and client deployment](appv-planning-for-sequencer-and-client-deployment.md)||
-|![Checklist box.](../app-v/images/checklistbox.gif)|If applicable, review the options and steps for migrating from a previous version of App-V.|[Migrating to App-V from a previous version](appv-migrating-to-appv-from-a-previous-version.md)||
-|![Checklist box.](../app-v/images/checklistbox.gif)|Decide whether to configure App-V clients in Shared Content Store mode.|[Deploying the App-V Sequencer and configuring the client](appv-deploying-the-appv-sequencer-and-client.md)||
+|![Checklist box](../app-v/images/checklistbox.gif)|Review the getting started information about App-V to gain a basic understanding of the product before beginning deployment planning.|[Getting started with App-V](appv-getting-started.md)||
+|![Checklist box](../app-v/images/checklistbox.gif)|Plan for App-V deployment prerequisites and prepare your computing environment.|[App-V prerequisites](appv-prerequisites.md)||
+|![Checklist box](../app-v/images/checklistbox.gif)|If you plan to use the App-V management server, plan for the required roles.|[Planning for the App-V server deployment](appv-planning-for-appv-server-deployment.md)||
+|![Checklist box](../app-v/images/checklistbox.gif)|Plan for the App-V sequencer and client to create and run virtualized applications.|[Planning for the App-V Sequencer and client deployment](appv-planning-for-sequencer-and-client-deployment.md)||
+|![Checklist box](../app-v/images/checklistbox.gif)|If applicable, review the options and steps for migrating from a previous version of App-V.|[Migrating to App-V from a previous version](appv-migrating-to-appv-from-a-previous-version.md)||
+|![Checklist box](../app-v/images/checklistbox.gif)|Decide whether to configure App-V clients in Shared Content Store mode.|[Deploying the App-V Sequencer and configuring the client](appv-deploying-the-appv-sequencer-and-client.md)||
 
 
 
diff --git a/windows/application-management/enterprise-background-activity-controls.md b/windows/application-management/enterprise-background-activity-controls.md
index 0a72c19e87..d123957cd1 100644
--- a/windows/application-management/enterprise-background-activity-controls.md
+++ b/windows/application-management/enterprise-background-activity-controls.md
@@ -23,15 +23,15 @@ Enterprise users want the same ability to enable or limit background activity. I
 
 Users have the ability to control background activity for their device through two interfaces in the **Settings** app: the **Background apps** page and the **Battery usage by app** page. The **Background apps** page has a master switch to turn background activity on or off for all apps, and provides individual switches to control each app's ability to run in the background. 
 
-![Background apps settings page.](images/backgroundapps-setting.png)
+![Background apps settings page](images/backgroundapps-setting.png)
 
 The **Battery usage by app** page allows fine-grained tuning of background activity. Users have the ability to set background activity to by **Managed By Windows**, as well as turning it on or off for each app. Only devices with a battery have this page available in the **Settings** app. Here is the set of available controls on desktop: 
 
-![Battery usage by app on desktop.](images/battery-usage-by-app-desktop.png)
+![Battery usage by app on desktop](images/battery-usage-by-app-desktop.png)
 
 Here is the set of available controls for mobile devices: 
 
-![Battery usage by app on mobile.](images/battery-usage-by-app-mobile.png)
+![Battery usage by app on mobile](images/battery-usage-by-app-mobile.png)
 
 Although the user interface differs across editions of the operating system, the policy and developer interface is consistent across Windows 10. For more information about these controls, see [Optimize background activity](/windows/uwp/debug-test-perf/optimize-background-activity).
 
diff --git a/windows/application-management/per-user-services-in-windows.md b/windows/application-management/per-user-services-in-windows.md
index 4483687ba8..0cda2dc8c9 100644
--- a/windows/application-management/per-user-services-in-windows.md
+++ b/windows/application-management/per-user-services-in-windows.md
@@ -102,19 +102,19 @@ If a per-user service can't be disabled using a the security template, you can d
 
 5. Right-click **Registry** > **New** > **Registry Item**.
 
-   ![Group Policy preferences disabling per-user services.](media/gpp-per-user-services.png) 
+   ![Group Policy preferences disabling per-user services](media/gpp-per-user-services.png) 
    
 6. Make sure that  HKEY_Local_Machine is selected for Hive and then click ... (the ellipses) next to Key Path.
 
-   ![Choose HKLM.](media/gpp-hklm.png)  
+   ![Choose HKLM](media/gpp-hklm.png)  
     
 7. Browse to **System\CurrentControlSet\Services\PimIndexMaintenanceSvc**. In the list of values, highlight **Start** and click **Select**.
 
-   ![Select Start.](media/gpp-svc-start.png)   
+   ![Select Start](media/gpp-svc-start.png)   
    
 8. Change **Value data** from **00000003** to **00000004** and click **OK**. Note setting the Value data to **4** = **Disabled**. 
 
-   ![Startup Type is Disabled.](media/gpp-svc-disabled.png)   
+   ![Startup Type is Disabled](media/gpp-svc-disabled.png)   
    
 9. To add the other services that cannot be managed with a Group Policy templates, edit the policy and repeat steps 5-8.  
 
@@ -140,14 +140,14 @@ REG.EXE ADD HKLM\System\CurrentControlSet\Services\WpnUserService /v Start /t RE
 
 If you cannot use Group Policy preferences to manage the per-user services, you can edit the registry with regedit.exe. To disable the template services, change the Startup Type for each service to 4 (disabled):
 
-![Using Regedit to change servive Starup Type.](media/regedit-change-service-startup-type.png) 
+![Using Regedit to change servive Starup Type](media/regedit-change-service-startup-type.png) 
 
 > [!CAUTION]
 > We recommend that you do not directly edit the registry unless there is no other alternative. Modifications to the registry are not validated by the Registry Editor or by the Windows operating system before they are applied. As a result, incorrect values can be stored, and this can result in unrecoverable errors in the system. When possible, instead of editing the registry directly, use Group Policy or other Windows tools such as the Microsoft Management Console (MMC) to accomplish tasks. If you must edit the registry, use extreme caution. 
 
 Beginning with Windows 10, version 1709 and Windows Server, version 1709, you can prevent the per-user service from being created by setting **UserServiceFlags** to 0 under the same service configuration in the registry:
 
-![Create per-user services in disabled state.](media/user-service-flag.png)
+![Create per-user services in disabled state](media/user-service-flag.png)
 
 ### Manage template services by modifying the Windows image
 
@@ -186,4 +186,4 @@ For example, you might see the following per-user services listed in the Service
 
 You can query the service configuration from the command line. The **Type** value indicates whether the service is a user-service template or user-service instance.
 
-![Use sc.exe to view service type.](media/cmd-type.png)
\ No newline at end of file
+![Use sc.exe to view service type](media/cmd-type.png)
\ No newline at end of file
diff --git a/windows/application-management/svchost-service-refactoring.md b/windows/application-management/svchost-service-refactoring.md
index 8482a3497c..4130fde7e5 100644
--- a/windows/application-management/svchost-service-refactoring.md
+++ b/windows/application-management/svchost-service-refactoring.md
@@ -48,11 +48,11 @@ Refactoring also makes it easier to view running processes in Task Manager. You
 
 For example, here are the running processes displayed in Task Manager in Windows 10 version 1607:
 
-![Running processes in Task Manager, version 1607.](media/svchost-grouped-processes.png) 
+![Running processes in Task Manager, version 1607](media/svchost-grouped-processes.png) 
   
 Compare that to the same view of running processes in Windows 10 version 1703:
 
-![Running processes in Task Manager, version 1703.](media/svchost-separated-processes.png)
+![Running processes in Task Manager, version 1703](media/svchost-separated-processes.png)
   
  
 
@@ -66,7 +66,7 @@ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services.
 The default value of **1** prevents the service from being split.
 
 For example, this is the registry key configuration for BFE:
-![Example of a service that cannot be separated.](media/svchost-separation-disabled.png)
+![Example of a service that cannot be separated](media/svchost-separation-disabled.png)
 
 ## Memory footprint
 
@@ -77,7 +77,7 @@ Consider the following:
 
 |Grouped Services (< 3.5GB) | Split Services (3.5GB+)
 |--------------------------------------- | ------------------------------------------ | 
-|![Memory utilization for grouped services.](media/svchost-grouped-utilization.png)   |![Memory utilization for separated services](media/svchost-separated-utilization.png)       |
+|![Memory utilization for grouped services](media/svchost-grouped-utilization.png)   |![Memory utilization for separated services](media/svchost-separated-utilization.png)       |
 
 > [!NOTE]
 > The above represents the peak observed values.
diff --git a/windows/client-management/administrative-tools-in-windows-10.md b/windows/client-management/administrative-tools-in-windows-10.md
index 6da0fdfdb9..260944a53c 100644
--- a/windows/client-management/administrative-tools-in-windows-10.md
+++ b/windows/client-management/administrative-tools-in-windows-10.md
@@ -23,11 +23,11 @@ ms.topic: article
 
 Administrative Tools is a folder in Control Panel that contains tools for system administrators and advanced users. 
 
-![Screenshot of Control Panel.](images/admin-tools.png)
+![Screenshot of Control Panel](images/admin-tools.png)
 
 The tools in the folder might vary depending on which edition of Windows you are using. 
 
-![Screenshot of folder of admin tools.](images/admin-tools-folder.png)
+![Screenshot of folder of admin tools](images/admin-tools-folder.png)
 
 These tools were included in previous versions of Windows. The associated documentation for each tool should help you use these tools in Windows 10. The following list provides links to documentation for each tool. The tools are located within the folder C:\Windows\System32\ or its subfolders.
 
diff --git a/windows/client-management/advanced-troubleshooting-802-authentication.md b/windows/client-management/advanced-troubleshooting-802-authentication.md
index c2a8ea0c57..ac96c101cf 100644
--- a/windows/client-management/advanced-troubleshooting-802-authentication.md
+++ b/windows/client-management/advanced-troubleshooting-802-authentication.md
@@ -41,53 +41,53 @@ Check Windows Security Event log on the NPS Server for NPS events that correspon
  
 In the event message, scroll to the very bottom, and then check the [Reason Code](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd197570(v%3dws.10)) field and the text that's associated with it.
  
-   ![example of an audit failure.](images/auditfailure.png)
+   ![example of an audit failure](images/auditfailure.png)
    *Example: event ID 6273 (Audit Failure)*<br><br>
 ‎
-   ![example of an audit success.](images/auditsuccess.png)
+   ![example of an audit success](images/auditsuccess.png)
    *Example: event ID 6272 (Audit Success)*<br>
 
 ‎The WLAN AutoConfig operational log lists information and error events based on conditions detected by or reported to the WLAN AutoConfig service. The operational log contains information about the wireless network adapter, the properties of the wireless connection profile, the specified network authentication, and, in the event of connectivity problems, the reason for the failure. For wired network access, the Wired AutoConfig operational log is an equivalent one.
 
 On the client side, go to **Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\WLAN-AutoConfig/Operational** for wireless issues. For wired network access issues, go to  **..\Wired-AutoConfig/Operational**. See the following example:
 
-![event viewer screenshot showing wired-autoconfig and WLAN autoconfig.](images/eventviewer.png)
+![event viewer screenshot showing wired-autoconfig and WLAN autoconfig](images/eventviewer.png)
  
 Most 802.1X authentication issues are because of problems with the certificate that's used for client or server authentication. Examples include invalid certificate, expiration, chain verification failure, and revocation check failure. 
 
 First, validate the type of EAP method that's used:
  
-![eap authentication type comparison.](images/comparisontable.png)
+![eap authentication type comparison](images/comparisontable.png)
 
 If a certificate is used for its authentication method, check whether the certificate is valid. For the server (NPS) side, you can confirm what certificate is being used from the EAP property menu. In **NPS snap-in**, go to **Policies** > **Network Policies**. Select and hold (or right-click) the policy, and then select **Properties**. In the pop-up window, go to the **Constraints** tab, and then select the **Authentication Methods** section.
 
-![Constraints tab of the secure wireless connections properties.](images/eappropertymenu.png)
+![Constraints tab of the secure wireless connections properties](images/eappropertymenu.png)
  
 The CAPI2 event log is useful for troubleshooting certificate-related issues.
 By default, this log isn't enabled. To enable this log, expand **Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\CAPI2**, select and hold (or right-click) **Operational**, and then select **Enable Log**.
 
-![screenshot of event viewer.](images/capi.png)
+![screenshot of event viewer](images/capi.png)
  
 For information about how to analyze CAPI2 event logs, see
 [Troubleshooting PKI Problems on Windows Vista](/previous-versions/windows/it-pro/windows-vista/cc749296%28v=ws.10%29).
 
 When troubleshooting complex 802.1X authentication issues, it's important to understand the 802.1X authentication process. Here's an example of wireless connection process with 802.1X authentication:
 
-![authenticator flow chart.](images/authenticator_flow_chart.png)
+![authenticator flow chart](images/authenticator_flow_chart.png)
  
 If you [collect a network packet capture](troubleshoot-tcpip-netmon.md) on both the client and the server (NPS) side, you can see a flow like the one below. Type **EAPOL** in the Display Filter for a client-side capture, and **EAP** for an NPS-side capture. See the following examples:
 
-![client-side packet capture data.](images/clientsidepacket_cap_data.png)
+![client-side packet capture data](images/clientsidepacket_cap_data.png)
 *Client-side packet capture data*<br><br>
 
-![NPS-side packet capture data.](images/NPS_sidepacket_capture_data.png) 
+![NPS-side packet capture data](images/NPS_sidepacket_capture_data.png) 
 *NPS-side packet capture data*<br>
 ‎
 
 > [!NOTE]
 > If you have a wireless trace, you can also [view ETL files with network monitor](/windows/desktop/ndf/using-network-monitor-to-view-etl-files) and apply the **ONEX_MicrosoftWindowsOneX** and **WLAN_MicrosoftWindowsWLANAutoConfig** Network Monitor filters. If you need to load the required [parser](/archive/blogs/netmon/parser-profiles-in-network-monitor-3-4), see the instructions under the **Help** menu in Network Monitor. Here's an example:
 
-![ETL parse.](images/etl.png) 
+![ETL parse](images/etl.png) 
 
 ## Audit policy
 
diff --git a/windows/client-management/advanced-troubleshooting-boot-problems.md b/windows/client-management/advanced-troubleshooting-boot-problems.md
index d039c10c17..646585085e 100644
--- a/windows/client-management/advanced-troubleshooting-boot-problems.md
+++ b/windows/client-management/advanced-troubleshooting-boot-problems.md
@@ -50,7 +50,7 @@ The kernel passes control to the session manager process (Smss.exe) which initia
 
 Here is a summary of the boot sequence, what will be seen on the display, and typical boot problems at that point in the sequence. Before starting troubleshooting, you have to understand the outline of the boot process and display status to ensure that the issue is properly identified at the beginning of the engagement.
 
-![thumbnail of boot sequence flowchart.](images/boot-sequence-thumb.png)<br>
+![thumbnail of boot sequence flowchart](images/boot-sequence-thumb.png)<br>
 [Click to enlarge](img-boot-sequence.md)<br>
 
 
diff --git a/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md b/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md
index 57d2cc10a8..ce4154396e 100644
--- a/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md
+++ b/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md
@@ -152,7 +152,7 @@ The important components of the MSM include:
 - Security Manager (SecMgr) - handles all pre and post-connection security operations.
 - Authentication Engine (AuthMgr) – Manages 802.1x auth requests
 
-    ![MSM details.](images/msmdetails.png)
+    ![MSM details](images/msmdetails.png)
 
 Each of these components has their own individual state machines which follow specific transitions.
 Enable the **FSM transition, SecMgr Transition,** and **AuthMgr Transition** filters in TextAnalysisTool for more detail.
@@ -327,4 +327,4 @@ Copy and paste all the lines below and save them into a text file named "wifi.ta
 
 In the following example, the **View** settings are configured to **Show Only Filtered Lines**.
 
-![TAT filter example.](images/tat.png)
\ No newline at end of file
+![TAT filter example](images/tat.png)
\ No newline at end of file
diff --git a/windows/client-management/change-default-removal-policy-external-storage-media.md b/windows/client-management/change-default-removal-policy-external-storage-media.md
index d59710d70b..69fa51d4e4 100644
--- a/windows/client-management/change-default-removal-policy-external-storage-media.md
+++ b/windows/client-management/change-default-removal-policy-external-storage-media.md
@@ -54,4 +54,4 @@ To change the policy for an external storage device:
   
 7. Select the policy that you want to use.
   
-   ![Policy options for disk management.](./images/change-def-rem-policy-2.png)
+   ![Policy options for disk management](./images/change-def-rem-policy-2.png)
diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md
index 4d8f35673e..275869bf99 100644
--- a/windows/client-management/connect-to-remote-aadj-pc.md
+++ b/windows/client-management/connect-to-remote-aadj-pc.md
@@ -24,7 +24,7 @@ ms.topic: article
 
 From its release, Windows 10 has supported remote connections to PCs joined to Active Directory. Starting in Windows 10, version 1607, you can also connect to a remote PC that is [joined to Azure Active Directory (Azure AD)](/azure/active-directory/devices/concept-azure-ad-join). Starting in Windows 10, version 1809, you can [use biometrics to authenticate to a remote desktop session](/windows/whats-new/whats-new-windows-10-version-1809#remote-desktop-with-biometrics).
 
-![Remote Desktop Connection client.](images/rdp.png)
+![Remote Desktop Connection client](images/rdp.png)
 
 ## Set up
 
@@ -40,7 +40,7 @@ Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-gu
   
   2. Enable **Allow remote connections to this computer** and select **Allow connections only from computers running Remote Desktop with Network Level Authentication**.
 
-     ![Allow remote connections to this computer.](images/allow-rdp.png)
+     ![Allow remote connections to this computer](images/allow-rdp.png)
 
   3. If the user who joined the PC to Azure AD is the only one who is going to connect remotely, no additional configuration is needed. To allow additional users or groups to connect to the PC, you must allow remote connections for the specified users or groups. Users can be added either manually or through MDM policies:
      
diff --git a/windows/client-management/img-boot-sequence.md b/windows/client-management/img-boot-sequence.md
index 6ce343dade..b1077e5be6 100644
--- a/windows/client-management/img-boot-sequence.md
+++ b/windows/client-management/img-boot-sequence.md
@@ -14,4 +14,4 @@ ms.prod: w10
 
 Return to: [Advanced troubleshooting for Windows boot problems](advanced-troubleshooting-boot-problems.md)<br>
 
-![Full-sized boot sequence flowchart.](images/boot-sequence.png)
+![Full-sized boot sequence flowchart](images/boot-sequence.png)
diff --git a/windows/client-management/introduction-page-file.md b/windows/client-management/introduction-page-file.md
index 9354d9c8c9..376916c1d3 100644
--- a/windows/client-management/introduction-page-file.md
+++ b/windows/client-management/introduction-page-file.md
@@ -56,13 +56,13 @@ Page files extend how much "committed memory" (also known as "virtual memory") i
 
 The system commit memory limit is the sum of physical memory and all page files combined. It represents the maximum system-committed memory (also known as the "system commit charge") that the system can support.
 
-![Task manager.](images/task-manager.png)
+![Task manager](images/task-manager.png)
  
 The system commit charge is the total committed or "promised" memory of all committed virtual memory in the system. If the system commit charge reaches the system commit limit, the system and processes might not get committed memory. This condition can cause freezing, crashing, and other malfunctions. Therefore, make sure that you set the system commit limit high enough to support the system commit charge during peak usage.
 
-![Out of memory.](images/out-of-memory.png)
+![Out of memory](images/out-of-memory.png)
 
-![Task Manager.](images/task-manager-commit.png)
+![Task Manager](images/task-manager-commit.png)
 
 The system committed charge and system committed limit can be measured on the **Performance** tab in Task Manager or by using the "\Memory\Committed Bytes" and "\Memory\Commit Limit" performance counters. The \Memory\% Committed Bytes In Use counter is a ratio of \Memory\Committed Bytes to \Memory\Commit Limit values.
 
diff --git a/windows/client-management/manage-device-installation-with-group-policy.md b/windows/client-management/manage-device-installation-with-group-policy.md
index db00986ab0..263dd24430 100644
--- a/windows/client-management/manage-device-installation-with-group-policy.md
+++ b/windows/client-management/manage-device-installation-with-group-policy.md
@@ -212,7 +212,7 @@ This policy setting will change the evaluation order in which Allow and Prevent
 
 Some of these policies take precedence over other policies. The flowchart shown below illustrates how Windows processes them to determine whether a user can install a device or not, as shown in Figure below.
  			
-![Device Installation policies flow chart.](images/device-installation-flowchart.png)<br/>_Device Installation policies flow chart_
+![Device Installation policies flow chart](images/device-installation-flowchart.png)<br/>_Device Installation policies flow chart_
 
 
 
@@ -261,17 +261,17 @@ To find device identification strings using Device Manager
 
 4. Find the “Printers” section and find the target printer
  
-    ![Selecting the printer in Device Manager.](images/device-installation-dm-printer-by-device.png)<br/>_Selecting the printer in Device Manager_
+    ![Selecting the printer in Device Manager](images/device-installation-dm-printer-by-device.png)<br/>_Selecting the printer in Device Manager_
 
 5. Double-click the printer and move to the ‘Details’ tab.
 
-    ![‘Details’ tab.](images/device-installation-dm-printer-details-screen.png)<br/>_Open the ‘Details’ tab to look for the device identifiers_
+    ![‘Details’ tab](images/device-installation-dm-printer-details-screen.png)<br/>_Open the ‘Details’ tab to look for the device identifiers_
 
 6. From the ‘Value’ window, copy the most detailed Hardware ID – we will use this in the policies.
 
-    ![HWID.](images/device-installation-dm-printer-hardware-ids.png)
+    ![HWID](images/device-installation-dm-printer-hardware-ids.png)
 
-    ![Compatible ID.](images/device-installation-dm-printer-compatible-ids.png)<br/>_HWID and Compatible ID_
+    ![Compatible ID](images/device-installation-dm-printer-compatible-ids.png)<br/>_HWID and Compatible ID_
 
     > [!TIP]
     > You can also determine your device identification strings by using the PnPUtil command-line utility. For more information, see [PnPUtil - Windows drivers](/windows-hardware/drivers/devtest/pnputil) in Microsoft Docs.
@@ -360,7 +360,7 @@ Creating the policy to prevent all printers from being installed:
 
 6. Enter the printer class GUID you found above with the curly braces (this is important! Otherwise, it won’t work): {4d36e979-e325-11ce-bfc1-08002be10318}
 
-    ![List of prevent Class GUIDs.](images/device-installation-gpo-prevent-class-list.png)<br/>_List of prevent Class GUIDs_
+    ![List of prevent Class GUIDs](images/device-installation-gpo-prevent-class-list.png)<br/>_List of prevent Class GUIDs_
 
 7. Click ‘OK’.
 
@@ -399,7 +399,7 @@ Getting the right device identifier to prevent it from being installed:
 
 1. Get your printer’s Hardware ID – in this example we will use the identifier we found previously
 
-    ![Printer Hardware ID identifier.](images/device-installation-dm-printer-hardware-ids.png)<br/>_Printer Hardware ID_
+    ![Printer Hardware ID identifier](images/device-installation-dm-printer-hardware-ids.png)<br/>_Printer Hardware ID_
 
 2. Write down the device ID (in this case Hardware ID) – WSDPRINT\CanonMX920_seriesC1A0; Take the more specific identifier to make sure you block a specific printer and not a family of printers
 
@@ -417,7 +417,7 @@ Creating the policy to prevent a single printer from being installed:
 
 5. Enter the printer device ID you found above – WSDPRINT\CanonMX920_seriesC1A0
 
-    ![Prevent Device ID list.](images/device-installation-gpo-prevent-device-id-list-printer.png)<br/>_Prevent Device ID list_
+    ![Prevent Device ID list](images/device-installation-gpo-prevent-device-id-list-printer.png)<br/>_Prevent Device ID list_
 
 6. Click ‘OK’.
 
@@ -477,7 +477,7 @@ First create a ‘Prevent Class’ policy and then create ‘Allow Device’ one
 
 6. Enter the printer class GUID you found above with the curly braces (this is important! Otherwise, it won’t work): {4d36e979-e325-11ce-bfc1-08002be10318}
 
-    ![List of prevent Class GUIDs.](images/device-installation-gpo-prevent-class-list.png)<br/>_List of prevent Class GUIDs_
+    ![List of prevent Class GUIDs](images/device-installation-gpo-prevent-class-list.png)<br/>_List of prevent Class GUIDs_
 
 7. Click ‘OK’.
 
@@ -489,7 +489,7 @@ First create a ‘Prevent Class’ policy and then create ‘Allow Device’ one
 
     ![Image of Local Group Policy Editor that shows the policies under "Device Installation Restrictions" and the policy named in this step.](images/device-installation-apply-layered_policy-1.png)
 
-    ![Image that shows the current settings of the policy named in this step, "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria.".](images/device-installation-apply-layered-policy-2.png)<br/>_Apply layered order of evaluation policy_
+    ![Image that shows the current settings of the policy named in this step, "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria."](images/device-installation-apply-layered-policy-2.png)<br/>_Apply layered order of evaluation policy_
 
 9. Now Open **Allow installation of devices that match any of these device IDs** policy and select the ‘Enable’ radio button.
 
@@ -497,7 +497,7 @@ First create a ‘Prevent Class’ policy and then create ‘Allow Device’ one
 
 11. Enter the printer device ID you found above: WSDPRINT\CanonMX920_seriesC1A0.
 
-    ![Allow Printer Hardware ID.](images/device-installation-gpo-allow-device-id-list-printer.png)<br/>_Allow Printer Hardware ID_
+    ![Allow Printer Hardware ID](images/device-installation-gpo-allow-device-id-list-printer.png)<br/>_Allow Printer Hardware ID_
 
 12. Click ‘OK’.
 
@@ -532,22 +532,22 @@ Getting the right device identifier to prevent it from being installed and its l
 
 3. Find the USB thumb-drive and select it.
  
-    ![Selecting the usb thumb-drive in Device Manager.](images/device-installation-dm-usb-by-device.png)<br/>_Selecting the usb thumb-drive in Device Manager_
+    ![Selecting the usb thumb-drive in Device Manager](images/device-installation-dm-usb-by-device.png)<br/>_Selecting the usb thumb-drive in Device Manager_
 
 4. Change View (in the top menu) to ‘Devices by connections’. This view represents the way devices are installed in the PnP tree.
 
-    ![Changing view in Device Manager to see the PnP connection tree.](images/device-installation-dm-usb-by-connection.png)<br/>_Changing view in Device Manager to see the PnP connection tree_
+    ![Changing view in Device Manager to see the PnP connection tree](images/device-installation-dm-usb-by-connection.png)<br/>_Changing view in Device Manager to see the PnP connection tree_
 
     > [!NOTE]
     > When blocking\Preventing a device that sits higher in the PnP tree, all the devices that sit under it will be blocked. For example: Preventing a “Generic USB Hub” from being installed, all the devices that lay below a “Generic USB Hub” will be blocked.
  
-    ![Blocking nested devices from the root.](images/device-installation-dm-usb-by-connection-blocked.png)<br/>_When blocking one device, all the devices that are nested below it will be blocked as well_
+    ![Blocking nested devices from the root](images/device-installation-dm-usb-by-connection-blocked.png)<br/>_When blocking one device, all the devices that are nested below it will be blocked as well_
 
 5. Double-click the USB thumb-drive and move to the ‘Details’ tab.
 
 6. From the ‘Value’ window, copy the most detailed Hardware ID—we will use this in the policies. In this case Device ID = USBSTOR\DiskGeneric_Flash_Disk______8.07
  
-    ![USB device hardware IDs.](images/device-installation-dm-usb-hwid.png)<br/>_USB device hardware IDs_
+    ![USB device hardware IDs](images/device-installation-dm-usb-hwid.png)<br/>_USB device hardware IDs_
 
 Creating the policy to prevent a single USB thumb-drive from being installed:
 
@@ -563,7 +563,7 @@ Creating the policy to prevent a single USB thumb-drive from being installed:
 
 5. Enter the USB thumb-drive device ID you found above – USBSTOR\DiskGeneric_Flash_Disk______8.07
  
-    ![Prevent Device IDs list.](images/device-installation-gpo-prevent-device-id-list-usb.png)<br/>_Prevent Device IDs list_
+    ![Prevent Device IDs list](images/device-installation-gpo-prevent-device-id-list-usb.png)<br/>_Prevent Device IDs list_
 
 6. Click ‘OK’.
 
@@ -620,7 +620,7 @@ As mentioned in scenario #4, it is not enough to enable only a single hardware I
 - “USB Root Hub (USB 3.0)” -> USB\ROOT_HUB30
 - “Generic USB Hub” -> USB\USB20_HUB
  
-![USB devices nested in the PnP tree.](images/device-installation-dm-usb-by-connection-layering.png)<br/>_USB devices nested under each other in the PnP tree_
+![USB devices nested in the PnP tree](images/device-installation-dm-usb-by-connection-layering.png)<br/>_USB devices nested under each other in the PnP tree_
 
 These devices are internal devices on the machine that define the USB port connection to the outside world. Enabling them should not enable any external/peripheral device from being installed on the machine.
 
@@ -663,7 +663,7 @@ First create a ‘Prevent Class’ policy and then create ‘Allow Device’ one
 
 9. Open the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and enable it – this policy will enable you to override the wide coverage of the ‘Prevent’ policy with a specific device.
 
-    ![Apply layered order of evaluation policy.](images/device-installation-apply-layered_policy-1.png)<br/>_Apply layered order of evaluation policy_
+    ![Apply layered order of evaluation policy](images/device-installation-apply-layered_policy-1.png)<br/>_Apply layered order of evaluation policy_
 
 10. Now Open **Allow installation of devices that match any of these device IDs** policy and select the ‘Enable’ radio button.
 
@@ -671,7 +671,7 @@ First create a ‘Prevent Class’ policy and then create ‘Allow Device’ one
 
 12. Enter the full list of USB device IDs you found above including the specific USB Thumb-drive you would like to authorize for installation – USBSTOR\DiskGeneric_Flash_Disk______8.07
 
-    ![Image of an example list of devices that have been configured for the policy "Allow installation of devices that match any of these Device IDs.".](images/device-installation-gpo-allow-device-id-list-usb.png)<br/>_Allowed USB Device IDs list_
+    ![Image of an example list of devices that have been configured for the policy "Allow installation of devices that match any of these Device IDs."](images/device-installation-gpo-allow-device-id-list-usb.png)<br/>_Allowed USB Device IDs list_
 
 13. Click ‘OK’.
 
diff --git a/windows/client-management/manage-settings-app-with-group-policy.md b/windows/client-management/manage-settings-app-with-group-policy.md
index f64ee0de0c..a177277d07 100644
--- a/windows/client-management/manage-settings-app-with-group-policy.md
+++ b/windows/client-management/manage-settings-app-with-group-policy.md
@@ -35,7 +35,7 @@ Policy paths:
 
 **User Configuration** > **Administrative Templates** > **Control Panel** > **Settings Page Visibility**.
 
-![Settings page visibility policy.](images/settings-page-visibility-gp.png)
+![Settings page visibility policy](images/settings-page-visibility-gp.png)
 
 ## Configuring the Group Policy
 
diff --git a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
index 0e9dd8a789..22ba2d74a8 100644
--- a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
+++ b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
@@ -92,7 +92,7 @@ For more information about how Windows 10 and Azure AD optimize access to work r
 
 As you review the roles in your organization, you can use the following generalized decision tree to begin to identify users or devices that require domain join. Consider switching the remaining users to Azure AD.
 
-![Decision tree for device authentication options.](images/windows-10-management-cyod-byod-flow.png)
+![Decision tree for device authentication options](images/windows-10-management-cyod-byod-flow.png)
 
 ## Settings and Configuration
 
diff --git a/windows/client-management/mandatory-user-profile.md b/windows/client-management/mandatory-user-profile.md
index 7b77f47742..b5b30659d6 100644
--- a/windows/client-management/mandatory-user-profile.md
+++ b/windows/client-management/mandatory-user-profile.md
@@ -75,7 +75,7 @@ First, you create a default user profile with the customizations that you want,
    > [!TIP]
    > If you receive an error message that says "Sysprep was not able to validate your Windows installation", open %WINDIR%\\System32\\Sysprep\\Panther\\setupact.log and look for an entry like the following:
    >
-   > ![Microsoft Bing Translator package error.](images/sysprep-error.png)
+   > ![Microsoft Bing Translator package error](images/sysprep-error.png)
    >
    > Use the [Remove-AppxProvisionedPackage](/powershell/module/dism/remove-appxprovisionedpackage?view=win10-ps&preserve-view=true) and [Remove-AppxPackage -AllUsers](/powershell/module/appx/remove-appxpackage?view=win10-ps&preserve-view=true) cmdlet in Windows PowerShell to uninstall the app that is listed in the log.
 
@@ -86,11 +86,11 @@ First, you create a default user profile with the customizations that you want,
 1. In **User Profiles**, click **Default Profile**, and then click **Copy To**.
 
 
-   ![Example of User Profiles UI.](images/copy-to.png)
+   ![Example of User Profiles UI](images/copy-to.png)
 
 1. In **Copy To**, under **Permitted to use**, click **Change**.
 
-   ![Example of Copy To UI.](images/copy-to-change.png)
+   ![Example of Copy To UI](images/copy-to-change.png)
 
 1. In **Select User or Group**, in the **Enter the object name to select** field, type `everyone`, click **Check Names**, and then click **OK**.
 
@@ -98,11 +98,11 @@ First, you create a default user profile with the customizations that you want,
 
    - If the device is joined to the domain and you are signed in with an account that has permissions to write to a shared folder on the network, you can enter the shared folder path.
 
-   ![Example of Copy profile to.](images/copy-to-path.png)
+   ![Example of Copy profile to](images/copy-to-path.png)
 
    - If the device is not joined to the domain, you can save the profile locally and then copy it to the shared folder location.
 
-   ![Example of Copy To UI with UNC path.](images/copy-to-path.png)
+   ![Example of Copy To UI with UNC path](images/copy-to-path.png)
 
 1. Click **OK** to copy the default user profile.
 
@@ -139,9 +139,9 @@ When a user is configured with a mandatory profile, Windows 10 starts as though
 
 | Group Policy setting | Windows 10 | Windows Server 2016 | Windows 8.1 | Windows Server 2012 |
 | --- | --- | --- | --- | --- |
-| Computer Configuration > Administrative Templates > System > Logon > **Show first sign-in animation** = Disabled | ![supported.](images/checkmark.png) | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) |
-| Computer Configuration > Administrative Templates > Windows Components > Search > **Allow Cortana** = Disabled | ![supported.](images/checkmark.png) | ![supported](images/checkmark.png) | ![not supported](images/crossmark.png)  | ![not supported](images/crossmark.png)  |
-| Computer Configuration > Administrative Templates > Windows Components > Cloud Content > **Turn off Microsoft consumer experience** = Enabled | ![supported.](images/checkmark.png) | ![not supported](images/crossmark.png) | ![not supported](images/crossmark.png) | ![not supported](images/crossmark.png) |
+| Computer Configuration > Administrative Templates > System > Logon > **Show first sign-in animation** = Disabled | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) |
+| Computer Configuration > Administrative Templates > Windows Components > Search > **Allow Cortana** = Disabled | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) | ![not supported](images/crossmark.png)  | ![not supported](images/crossmark.png)  |
+| Computer Configuration > Administrative Templates > Windows Components > Cloud Content > **Turn off Microsoft consumer experience** = Enabled | ![supported](images/checkmark.png) | ![not supported](images/crossmark.png) | ![not supported](images/crossmark.png) | ![not supported](images/crossmark.png) |
 
 > [!NOTE]
 > The Group Policy settings above can be applied in Windows 10 Professional edition.
diff --git a/windows/client-management/mdm/accountmanagement-csp.md b/windows/client-management/mdm/accountmanagement-csp.md
index 42722f7bd7..930343209f 100644
--- a/windows/client-management/mdm/accountmanagement-csp.md
+++ b/windows/client-management/mdm/accountmanagement-csp.md
@@ -22,7 +22,7 @@ AccountManagement CSP is used to configure setting in the Account Manager servic
 
 The following diagram shows the AccountManagement configuration service provider in tree format.
 
-![accountmanagement csp.](images/provisioning-csp-accountmanagement.png)
+![accountmanagement csp](images/provisioning-csp-accountmanagement.png)
 
 <a href="" id="accountmanagement"></a>**./Vendor/MSFT/AccountManagement**  
 Root node for the AccountManagement configuration service provider.
diff --git a/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md b/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md
index 64394a6989..34f60116f4 100644
--- a/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md
+++ b/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md
@@ -21,45 +21,45 @@ Here's a step-by-step guide to adding an Azure Active Directory tenant, adding a
 
 1. Sign up for Azure AD tenant from [this website](https://account.windowsazure.com/organization) by creating an administrator account for your organization.
 
-   ![sign up for azure ad tenant.](images/azure-ad-add-tenant1.png)
+   ![sign up for azure ad tenant](images/azure-ad-add-tenant1.png)
 
 2. Enter the information for your organization. Select **check availability** to verify that domain name that you selected is available.
 
-   ![sign up for azure ad.](images/azure-ad-add-tenant2.png)
+   ![sign up for azure ad](images/azure-ad-add-tenant2.png)
 
 3. Complete the login and country information. Enter a valid phone number, then select **Send text message** or **Call me**.
 
-   ![create azure account.](images/azure-ad-add-tenant3.png)
+   ![create azure account](images/azure-ad-add-tenant3.png)
 
 4. Enter the code that you receive and then select **Verify code**. After the code is verified and the continue button turns green, select **continue**.
 
-   ![add aad tenant.](images/azure-ad-add-tenant3-b.png)
+   ![add aad tenant](images/azure-ad-add-tenant3-b.png)
 
 5. After you finish creating your Azure account, you can add an Azure AD subscription.
 
    If you don't have a paid subscription to any Microsoft service, you can purchase an Azure AD premium subscription. Go to the Office 356 portal at https://portal.office.com/, and then sign in using the admin account that you created in Step 4 (for example, user1@contosoltd.onmicrosoftcom).
 
-   ![login to office 365.](images/azure-ad-add-tenant4.png)
+   ![login to office 365](images/azure-ad-add-tenant4.png)
 
 6. Select **Install software**.
 
-   ![login to office 365.](images/azure-ad-add-tenant5.png)
+   ![login to office 365](images/azure-ad-add-tenant5.png)
 
 7. In the Microsoft 365 admin center, select **Purchase Services** from the left navigation.
 
-   ![purchase service option in admin center menu.](images/azure-ad-add-tenant6.png)
+   ![purchase service option in admin center menu](images/azure-ad-add-tenant6.png)
 
 8. On the **Purchase services** page, scroll down until you see **Azure Active Directory Premium**, then select to purchase.
 
-   ![azure active directory option in purchase services page.](images/azure-ad-add-tenant7.png)
+   ![azure active directory option in purchase services page](images/azure-ad-add-tenant7.png)
 
 9. Continue with your purchase.
 
-   ![azure active directory premium payment page.](images/azure-ad-add-tenant8.png)
+   ![azure active directory premium payment page](images/azure-ad-add-tenant8.png)
 
 10. After the purchase is completed, you can log in to your Office 365 Admin Portal and you will see the **Azure AD** option from the Admin drop-down menu along with other services (SharePoint, Exchange, etc....).
 
-    ![admin center left navigation menu.](images/azure-ad-add-tenant9.png)
+    ![admin center left navigation menu](images/azure-ad-add-tenant9.png)
 
     When you choose Azure AD, it will take you to the Azure AD portal where you can manage your Azure AD applications.
 
@@ -69,27 +69,27 @@ If you have paid subscriptions to Office 365, Microsoft Dynamics CRM Online, Ent
 
 1.  Sign in to the Microsoft 365 admin center at <https://portal.office.com> using your organization's account.
 
-    ![register azuread.](images/azure-ad-add-tenant10.png)
+    ![register azuread](images/azure-ad-add-tenant10.png)
 
 2.  On the **Home** page, select on the Admin tools icon.
 
-    ![register azuread.](images/azure-ad-add-tenant11.png)
+    ![register azuread](images/azure-ad-add-tenant11.png)
 
 3.  On the **Admin center** page, hover your mouse over the Admin tools icon on the left and then click **Azure AD**. This will take you to the Azure Active Directory sign-up page and brings up your existing Office 365 organization account information.
 
-    ![register azuread.](images/azure-ad-add-tenant12.png)
+    ![register azuread](images/azure-ad-add-tenant12.png)
 
 4.  On the **Sign up** page, make sure to enter a valid phone number and then click **Sign up**.
 
-    ![register azuread.](images/azure-ad-add-tenant13.png)
+    ![register azuread](images/azure-ad-add-tenant13.png)
 
 5.  It may take a few minutes to process the request.
 
-    ![register azuread.](images/azure-ad-add-tenant14.png)
+    ![register azuread](images/azure-ad-add-tenant14.png)
 
 6.  You will see a welcome page when the process completes.
 
-    ![register azuread.](images/azure-ad-add-tenant15.png)
+    ![register azuread](images/azure-ad-add-tenant15.png)
 
  
 
diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md
index 5669fcf0f8..3df830bda7 100644
--- a/windows/client-management/mdm/applocker-csp.md
+++ b/windows/client-management/mdm/applocker-csp.md
@@ -263,16 +263,16 @@ Supported operations are Get, Add, Delete, and Replace.
 
     The **Device Portal** page opens on your browser.
 
-    ![device portal screenshot.](images/applocker-screenshot1.png)
+    ![device portal screenshot](images/applocker-screenshot1.png)
 
 8.  On the desktop **Device Portal** page, click **Apps** to open the **App Manager**.
 9.  On the **App Manager** page under **Running apps**, you will see the **Publisher** and **PackageFullName** of apps.
 
-    ![device portal app manager.](images/applocker-screenshot3.png)
+    ![device portal app manager](images/applocker-screenshot3.png)
 
 10. If you do not see the app that you want, look under **Installed apps**. Using the drop- down menu, click on the application and you get the Version, Publisher, and PackageFullName displayed.
 
-    ![app manager.](images/applocker-screenshot2.png)
+    ![app manager](images/applocker-screenshot2.png)
 
 The following table shows the mapping of information to the AppLocker publisher rule field.
 
diff --git a/windows/client-management/mdm/appv-deploy-and-config.md b/windows/client-management/mdm/appv-deploy-and-config.md
index 4c8f6eaecd..157bf6f4d0 100644
--- a/windows/client-management/mdm/appv-deploy-and-config.md
+++ b/windows/client-management/mdm/appv-deploy-and-config.md
@@ -23,7 +23,7 @@ manager: dansimp
 
 [EnterpriseAppVManagement CSP reference](./enterpriseappvmanagement-csp.md)
 
-![enterpriseappvmanagement csp.](images/provisioning-csp-enterpriseappvmanagement.png)
+![enterpriseappvmanagement csp](images/provisioning-csp-enterpriseappvmanagement.png)
 
 <p>(./User/Vendor/MSFT/EnterpriseAppVManagement) contains the following sub-nodes.</p>
 
diff --git a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md
index 97f22aae88..82a11f3eb6 100644
--- a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md
+++ b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md
@@ -90,7 +90,7 @@ After the users accepts the Terms of Use, the device is registered in Azure AD a
 
 The following diagram illustrates the high-level flow involved in the actual enrollment process. The device is first registered with Azure AD. This process assigns a unique device identifier to the device and presents the device with the ability to authenticate itself with Azure AD (device authentication). Subsequently, the device is enrolled for management with the MDM. This is done by calling the enrollment endpoint and requesting enrollment for the user and device. At this point, the user has been authenticated and device has been registered and authenticated with Azure AD. This information is made available to the MDM in the form of claims within an access token presented at the enrollment endpoint.
 
-![azure ad enrollment flow.](images/azure-ad-enrollment-flow.png)
+![azure ad enrollment flow](images/azure-ad-enrollment-flow.png)
 
 The MDM is expected to use this information about the device (Device ID) when reporting device compliance back to Azure AD using the [Azure AD Graph API](/azure/active-directory/develop/active-directory-graph-api). A sample for reporting device compliance is provided later in this topic.
 
@@ -173,7 +173,7 @@ IT administrators use the Azure AD app gallery to add an MDM for their organizat
 
 The following image illustrates how MDM applications will show up in the Azure app gallery in a category dedicated to MDM software.
 
-![azure ad add an app for mdm.](images/azure-ad-app-gallery.png)
+![azure ad add an app for mdm](images/azure-ad-app-gallery.png)
 
 ### Add cloud-based MDM to the app gallery
 
@@ -732,7 +732,7 @@ Response:
 
 When a user is enrolled into MDM through Azure Active Directory Join and then disconnects the enrollment, there is no warning that the user will lose Windows Information Protection (WIP) data. The disconnection message does not indicate the loss of WIP data.
 
-![aadj unenrollment.](images/azure-ad-unenrollment.png)
+![aadj unenrollment](images/azure-ad-unenrollment.png)
 
 ## Error codes
 
diff --git a/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md b/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
index ce25592491..21499425a9 100644
--- a/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
+++ b/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
@@ -20,10 +20,10 @@ manager: dansimp
 2. Select **Mobility (MDM and MAM)**, and find the Microsoft Intune app.
 3. Select **Microsoft Intune** and configure the blade. 
 
-![How to get to the Blade.](images/azure-mdm-intune.png) 
+![How to get to the Blade](images/azure-mdm-intune.png) 
 
 Configure the blade                                                                      
 
-![Configure the Blade.](images/azure-intune-configure-scope.png) 
+![Configure the Blade](images/azure-intune-configure-scope.png) 
 
 You can specify settings to allow all users to enroll a device and make it Intune ready, or choose to allow some users (and then add a group of users). 
diff --git a/windows/client-management/mdm/bootstrap-csp.md b/windows/client-management/mdm/bootstrap-csp.md
index e07354fa81..0bb9326924 100644
--- a/windows/client-management/mdm/bootstrap-csp.md
+++ b/windows/client-management/mdm/bootstrap-csp.md
@@ -27,7 +27,7 @@ The BOOTSTRAP configuration service provider sets the Trusted Provisioning Serve
 
 The following image shows the BOOTSTRAP configuration service provider in tree format as used by Open Mobile Alliance (OMA) Client Provisioning. The OMA Device Management protocol is not supported with this configuration service provider.
 
-![bootstrap csp (cp).](images/provisioning-csp-bootstrap-cp.png)
+![bootstrap csp (cp)](images/provisioning-csp-bootstrap-cp.png)
 
 <a href="" id="context-allow"></a>**CONTEXT-ALLOW**  
 Optional. Specifies a context for the TPS. Only one context is supported, so this parameter is ignored and "0" is assumed for its value.
diff --git a/windows/client-management/mdm/browserfavorite-csp.md b/windows/client-management/mdm/browserfavorite-csp.md
index 15a939f7eb..46ee3a5e98 100644
--- a/windows/client-management/mdm/browserfavorite-csp.md
+++ b/windows/client-management/mdm/browserfavorite-csp.md
@@ -30,7 +30,7 @@ This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID
 
 The following diagram shows the BrowserFavorite configuration service provider in tree format as used by Open Mobile Alliance Device (OMA) Client Provisioning. The OMA Device Management protocol is not supported with this configuration service provider.
 
-![browserfavorite csp (cp).](images/provisioning-csp-browserfavorite-cp.png)
+![browserfavorite csp (cp)](images/provisioning-csp-browserfavorite-cp.png)
 
 <a href="" id="favorite-name-------------"></a>***favorite name***   
 Required. Specifies the user-friendly name of the favorite URL that is displayed in the Favorites list of Internet Explorer.
diff --git a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md
index d1db6d514e..4fabdbc971 100644
--- a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md
+++ b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md
@@ -57,7 +57,7 @@ Using the WCD, create a provisioning package using the enrollment information re
 1. Open the WCD tool.
 2. Click **Advanced Provisioning**.
 
-   ![icd start page.](images/bulk-enrollment7.png)
+   ![icd start page](images/bulk-enrollment7.png)
 3. Enter a project name and click **Next**.
 4. Select **All Windows editions**, since Provisioning CSP is common to all Windows editions, then click **Next**.
 5. Skip **Import a provisioning package (optional)** and click **Finish**.
@@ -74,20 +74,20 @@ Using the WCD, create a provisioning package using the enrollment information re
    For detailed descriptions of these settings, see [Provisioning CSP](provisioning-csp.md).
    Here is the screenshot of the WCD at this point.
    
-    ![bulk enrollment screenshot.](images/bulk-enrollment.png)
+    ![bulk enrollment screenshot](images/bulk-enrollment.png)
 9. Configure the other settings, such as the Wi-Fi connections so that the device can join a network before joining MDM (e.g., **Runtime settings** &gt; **ConnectivityProfiles** &gt; **WLANSetting**).
 10. When you are done adding all the settings, on the **File** menu, click **Save**.
 11. On the main menu click **Export** &gt; **Provisioning package**.
 
-    ![icd menu for export.](images/bulk-enrollment2.png)
+    ![icd menu for export](images/bulk-enrollment2.png)
 12. Enter the values for your package and specify the package output location.
 
-    ![enter package information.](images/bulk-enrollment3.png)
-    ![enter additional information for package information.](images/bulk-enrollment4.png)
-    ![specify file location.](images/bulk-enrollment6.png)
+    ![enter package information](images/bulk-enrollment3.png)
+    ![enter additional information for package information](images/bulk-enrollment4.png)
+    ![specify file location](images/bulk-enrollment6.png)
 13. Click **Build**.
 
-    ![icb build window.](images/bulk-enrollment5.png)
+    ![icb build window](images/bulk-enrollment5.png)
 14. Apply the package to some test devices and verify that they work. For more information, see [Apply a provisioning package](#apply-a-provisioning-package).
 15. Apply the package to your devices.
 
@@ -108,7 +108,7 @@ Using the WCD, create a provisioning package using the enrollment information re
    5.  Set **ExportCertificate** to False.
    6.  For **KeyLocation**, select **Software only**.
 
-   ![icd certificates section.](images/bulk-enrollment8.png)
+   ![icd certificates section](images/bulk-enrollment8.png)
 7. Specify the workplace settings.
    1. Got to **Workplace** &gt; **Enrollments**.
    2. Enter the **UPN** for the enrollment and then click **Add**.
diff --git a/windows/client-management/mdm/cellularsettings-csp.md b/windows/client-management/mdm/cellularsettings-csp.md
index ab4cb97c8f..64372f26a8 100644
--- a/windows/client-management/mdm/cellularsettings-csp.md
+++ b/windows/client-management/mdm/cellularsettings-csp.md
@@ -21,7 +21,7 @@ The CellularSettings configuration service provider is used to configure cellula
 
 The following image shows the CellularSettings CSP in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP). The OMA DM protocol is not supported with this configuration service provider.
 
-![provisioning for cellular settings.](images/provisioning-csp-cellularsettings.png)
+![provisioning for cellular settings](images/provisioning-csp-cellularsettings.png)
 
 <a href="" id="dataroam"></a>**DataRoam**  
 <p style="margin-left: 20px"> Optional. Integer. Specifies the default roaming value. Valid values are:</p>
diff --git a/windows/client-management/mdm/cm-cellularentries-csp.md b/windows/client-management/mdm/cm-cellularentries-csp.md
index 1d42413872..5063181c3f 100644
--- a/windows/client-management/mdm/cm-cellularentries-csp.md
+++ b/windows/client-management/mdm/cm-cellularentries-csp.md
@@ -20,7 +20,7 @@ This configuration service provider requires the ID\_CAP\_NETWORKING\_ADMIN capa
 
 The following diagram shows the CM\_CellularEntries configuration service provider management object in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP). The OMA DM protocol is not supported with this configuration service provider.
 
-![cm\-cellularentries csp.](images/provisioning-csp-cm-cellularentries.png)
+![cm\-cellularentries csp](images/provisioning-csp-cm-cellularentries.png)
 
 <a href="" id="entryname"></a>***entryname***  
 <p style="margin-left: 20px">Defines the name of the connection.</p>
diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md
index d4793c91e6..cce8060fe3 100644
--- a/windows/client-management/mdm/configuration-service-provider-reference.md
+++ b/windows/client-management/mdm/configuration-service-provider-reference.md
@@ -2555,36 +2555,36 @@ The following list shows the CSPs supported in HoloLens devices:
 
 | Configuration service provider        | HoloLens (1st gen) Development Edition      | HoloLens (1st gen) Commercial Suite | HoloLens 2 |
 |------|--------|--------|--------|
-| [AccountManagement CSP](accountmanagement-csp.md)   | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) <sup>4</sup>       | ![check mark](images/checkmark.png)
-| [Accounts CSP](accounts-csp.md)    | ![check mark.](images/checkmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) |
-| [ApplicationControl CSP](applicationcontrol-csp.md) | ![cross mark.](images/crossmark.png) | ![cross mark](images/crossmark.png) |  ![check mark](images/checkmark.png) |
-| [AppLocker CSP](applocker-csp.md)      | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png)       | ![cross mark](images/crossmark.png) |
-| [AssignedAccess CSP](assignedaccess-csp.md)      | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) <sup>4</sup>       | ![check mark](images/checkmark.png) |
-| [CertificateStore CSP](certificatestore-csp.md)    | ![check mark.](images/checkmark.png) | ![check mark](images/checkmark.png)| ![check mark](images/checkmark.png) |
-| [ClientCertificateInstall CSP](clientcertificateinstall-csp.md)  | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png)       | ![check mark](images/checkmark.png) |
-| [DevDetail CSP](devdetail-csp.md)   | ![check mark.](images/checkmark.png) | ![check mark](images/checkmark.png)       | ![check mark](images/checkmark.png) |
-| [DeveloperSetup CSP](developersetup-csp.md)   | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) <sup>2</sup>   (runtime provisioning via provisioning packages only; no MDM support)| ![check mark](images/checkmark.png) |
-| [DeviceManageability CSP](devicemanageability-csp.md) | ![cross mark.](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) |
-| [DeviceStatus CSP](devicestatus-csp.md)  | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png)  | ![check mark](images/checkmark.png) |
-| [DevInfo CSP](devinfo-csp.md)  | ![check mark.](images/checkmark.png) | ![check mark](images/checkmark.png)       | ![check mark](images/checkmark.png) |
-| [DiagnosticLog CSP](diagnosticlog-csp.md)  | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png)       | ![check mark](images/checkmark.png) |
-| [DMAcc CSP](dmacc-csp.md)      | ![check mark.](images/checkmark.png) | ![check mark](images/checkmark.png)       | ![check mark](images/checkmark.png) |
-| [DMClient CSP](dmclient-csp.md)    | ![check mark.](images/checkmark.png) | ![check mark](images/checkmark.png)       | ![check mark](images/checkmark.png) |
-| [EnrollmentStatusTracking CSP](enrollmentstatustracking-csp.md) | ![cross mark.](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) <sup>10</sup>  |
-| [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png)       | ![check mark](images/checkmark.png) |
-| [NetworkProxy CSP](networkproxy-csp.md) | ![cross mark.](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) |
-| [NetworkQoSPolicy CSP](networkqospolicy-csp.md)  | ![cross mark.](images/crossmark.png) | ![cross mark](images/crossmark.png)       | ![check mark](images/checkmark.png) <sup>8</sup>|
-| [NodeCache CSP](nodecache-csp.md)  | ![check mark.](images/checkmark.png) | ![check mark](images/checkmark.png)       | ![check mark](images/checkmark.png) |
-[PassportForWork CSP](passportforwork-csp.md) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) |
-| [Policy CSP](policy-configuration-service-provider.md)    | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png)       | ![check mark](images/checkmark.png) |
-| [RemoteFind CSP](remotefind-csp.md)    | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) <sup>4</sup>       | ![check mark](images/checkmark.png) |
-| [RemoteWipe CSP](remotewipe-csp.md) (**doWipe** and **doWipePersistProvisionedData** nodes only)  | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) <sup>4</sup>       | ![check mark](images/checkmark.png) |
-| [RootCATrustedCertificates CSP](rootcacertificates-csp.md)   | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png)       | ![check mark](images/checkmark.png) |
-| [TenantLockdown CSP](tenantlockdown-csp.md) | ![cross mark.](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) <sup>10</sup>  |
-| [Update CSP](update-csp.md)     | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png)       | ![check mark](images/checkmark.png) |
-| [VPNv2 CSP](vpnv2-csp.md)    | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png)       | ![check mark](images/checkmark.png) |
-| [WiFi CSP](wifi-csp.md)     | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png)       | ![check mark](images/checkmark.png) |
-| [WindowsLicensing CSP](windowslicensing-csp.md)   | ![check mark.](images/checkmark.png) | ![check mark](images/checkmark.png)       | ![cross mark](images/crossmark.png) |
+| [AccountManagement CSP](accountmanagement-csp.md)   | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) <sup>4</sup>       | ![check mark](images/checkmark.png)
+| [Accounts CSP](accounts-csp.md)    | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) |
+| [ApplicationControl CSP](applicationcontrol-csp.md) | ![cross mark](images/crossmark.png) | ![cross mark](images/crossmark.png) |  ![check mark](images/checkmark.png) |
+| [AppLocker CSP](applocker-csp.md)      | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png)       | ![cross mark](images/crossmark.png) |
+| [AssignedAccess CSP](assignedaccess-csp.md)      | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) <sup>4</sup>       | ![check mark](images/checkmark.png) |
+| [CertificateStore CSP](certificatestore-csp.md)    | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png)| ![check mark](images/checkmark.png) |
+| [ClientCertificateInstall CSP](clientcertificateinstall-csp.md)  | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png)       | ![check mark](images/checkmark.png) |
+| [DevDetail CSP](devdetail-csp.md)   | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png)       | ![check mark](images/checkmark.png) |
+| [DeveloperSetup CSP](developersetup-csp.md)   | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) <sup>2</sup>   (runtime provisioning via provisioning packages only; no MDM support)| ![check mark](images/checkmark.png) |
+| [DeviceManageability CSP](devicemanageability-csp.md) | ![cross mark](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) |
+| [DeviceStatus CSP](devicestatus-csp.md)  | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png)  | ![check mark](images/checkmark.png) |
+| [DevInfo CSP](devinfo-csp.md)  | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png)       | ![check mark](images/checkmark.png) |
+| [DiagnosticLog CSP](diagnosticlog-csp.md)  | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png)       | ![check mark](images/checkmark.png) |
+| [DMAcc CSP](dmacc-csp.md)      | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png)       | ![check mark](images/checkmark.png) |
+| [DMClient CSP](dmclient-csp.md)    | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png)       | ![check mark](images/checkmark.png) |
+| [EnrollmentStatusTracking CSP](enrollmentstatustracking-csp.md) | ![cross mark](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) <sup>10</sup>  |
+| [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png)       | ![check mark](images/checkmark.png) |
+| [NetworkProxy CSP](networkproxy-csp.md) | ![cross mark](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) |
+| [NetworkQoSPolicy CSP](networkqospolicy-csp.md)  | ![cross mark](images/crossmark.png) | ![cross mark](images/crossmark.png)       | ![check mark](images/checkmark.png) <sup>8</sup>|
+| [NodeCache CSP](nodecache-csp.md)  | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png)       | ![check mark](images/checkmark.png) |
+[PassportForWork CSP](passportforwork-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) |
+| [Policy CSP](policy-configuration-service-provider.md)    | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png)       | ![check mark](images/checkmark.png) |
+| [RemoteFind CSP](remotefind-csp.md)    | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) <sup>4</sup>       | ![check mark](images/checkmark.png) |
+| [RemoteWipe CSP](remotewipe-csp.md) (**doWipe** and **doWipePersistProvisionedData** nodes only)  | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) <sup>4</sup>       | ![check mark](images/checkmark.png) |
+| [RootCATrustedCertificates CSP](rootcacertificates-csp.md)   | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png)       | ![check mark](images/checkmark.png) |
+| [TenantLockdown CSP](tenantlockdown-csp.md) | ![cross mark](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) <sup>10</sup>  |
+| [Update CSP](update-csp.md)     | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png)       | ![check mark](images/checkmark.png) |
+| [VPNv2 CSP](vpnv2-csp.md)    | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png)       | ![check mark](images/checkmark.png) |
+| [WiFi CSP](wifi-csp.md)     | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png)       | ![check mark](images/checkmark.png) |
+| [WindowsLicensing CSP](windowslicensing-csp.md)   | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png)       | ![cross mark](images/crossmark.png) |
 
  
 ## <a href="" id="surfacehubcspsupport"></a>CSPs supported in Microsoft Surface Hub
diff --git a/windows/client-management/mdm/device-update-management.md b/windows/client-management/mdm/device-update-management.md
index cc589f1f13..8e886f3661 100644
--- a/windows/client-management/mdm/device-update-management.md
+++ b/windows/client-management/mdm/device-update-management.md
@@ -42,7 +42,7 @@ For more information about the CSPs, see [Update CSP](update-csp.md) and the upd
 
 The following diagram provides a conceptual overview of how this works:
 
-![mobile device update management.](images/mdm-update-sync.png)
+![mobile device update management](images/mdm-update-sync.png)
 
 The diagram can be roughly divided into three areas:
 
@@ -56,7 +56,7 @@ The Microsoft Update Catalog is huge and contains many updates that are not need
 
 This section describes how this is done. The following diagram shows the server-server sync protocol process.
 
-![mdm server-server sync.](images/deviceupdateprocess2.png)
+![mdm server-server sync](images/deviceupdateprocess2.png)
 
 MSDN provides much information about the Server-Server sync protocol. In particular:
 
@@ -140,7 +140,7 @@ The enterprise IT can configure auto-update polices via OMA DM using the [Policy
 
 The following diagram shows the Update policies in a tree format.
 
-![update policies.](images/update-policies.png)
+![update policies](images/update-policies.png)
 
 <a href="" id="update-activehoursend"></a>**Update/ActiveHoursEnd**
 > [!NOTE]
@@ -676,7 +676,7 @@ Example
 
 The enterprise IT can configure the set of approved updates and get compliance status via OMA DM using the [Update CSP](update-csp.md). The following diagram shows the Update CSP in tree format..
 
-![provisioning csp update.](images/provisioning-csp-update.png)
+![provisioning csp update](images/provisioning-csp-update.png)
 
 <a href="" id="update"></a>**Update**
 The root node.
@@ -889,9 +889,9 @@ Here is the list of older policies that are still supported for backward compati
 
 The following screenshots of the administrator console show the list of update titles, approval status, and additional metadata fields.
 
-![mdm update management screenshot.](images/deviceupdatescreenshot1.png)
+![mdm update management screenshot](images/deviceupdatescreenshot1.png)
 
-![mdm update management metadata screenshot.](images/deviceupdatescreenshot2.png)
+![mdm update management metadata screenshot](images/deviceupdatescreenshot2.png)
 
 
 ## <a href="" id="syncmlexample"></a>SyncML example
@@ -945,5 +945,5 @@ Set auto update to notify and defer.
 
 The following diagram and screenshots show the process flow of the device update process using Windows Server Update Services and Microsoft Update Catalog.
 
-![mdm device update management screenshot3.](images/deviceupdatescreenshot3.png)![mdm device update management screenshot4](images/deviceupdatescreenshot4.png)![mdm device update management screenshot5](images/deviceupdatescreenshot5.png)![mdm device update management screenshot6](images/deviceupdatescreenshot6.png)![mdm device update management screenshot7](images/deviceupdatescreenshot7.png)![mdm device update management screenshot8](images/deviceupdatescreenshot8.png)![mdm device update management screenshot9](images/deviceupdatescreenshot9.png)
+![mdm device update management screenshot3](images/deviceupdatescreenshot3.png)![mdm device update management screenshot4](images/deviceupdatescreenshot4.png)![mdm device update management screenshot5](images/deviceupdatescreenshot5.png)![mdm device update management screenshot6](images/deviceupdatescreenshot6.png)![mdm device update management screenshot7](images/deviceupdatescreenshot7.png)![mdm device update management screenshot8](images/deviceupdatescreenshot8.png)![mdm device update management screenshot9](images/deviceupdatescreenshot9.png)
 
diff --git a/windows/client-management/mdm/deviceinstanceservice-csp.md b/windows/client-management/mdm/deviceinstanceservice-csp.md
index 0db22bf159..f24564545c 100644
--- a/windows/client-management/mdm/deviceinstanceservice-csp.md
+++ b/windows/client-management/mdm/deviceinstanceservice-csp.md
@@ -26,7 +26,7 @@ The DeviceInstance CSP is only supported in Windows 10 Mobile.
 
 The following diagram shows the DeviceInstanceService configuration service provider in tree format.
 
-![provisioning\-csp\-deviceinstanceservice.](images/provisioning-csp-deviceinstanceservice.png)
+![provisioning\-csp\-deviceinstanceservice](images/provisioning-csp-deviceinstanceservice.png)
 
 <a href="" id="roaming"></a>**Roaming**  
 A boolean value that specifies the roaming status of the device. In dual SIM mode when the device supports two different phone numbers, querying SIM 1 explicitly with ./Vendor/MSFT/DeviceInstanceService/Identify1/Roaming is functionally equivalent to using ./Vendor/MSFT/DeviceInstanceService/Roaming.
diff --git a/windows/client-management/mdm/devicelock-csp.md b/windows/client-management/mdm/devicelock-csp.md
index 9933e58a23..cef65071ec 100644
--- a/windows/client-management/mdm/devicelock-csp.md
+++ b/windows/client-management/mdm/devicelock-csp.md
@@ -32,7 +32,7 @@ The DevicePasswordEnabled setting must be set to 0 (device password is enabled)
 
 The following image shows the DeviceLock configuration service provider in tree format.
 
-![devicelock csp.](images/provisioning-csp-devicelock.png)
+![devicelock csp](images/provisioning-csp-devicelock.png)
 
 <a href="" id="provider"></a>**Provider**  
 Required. An interior node to group all policy providers. Scope is permanent. Supported operation is Get.
diff --git a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md
index 92ed52968c..6043b61d8c 100644
--- a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md
+++ b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md
@@ -20,13 +20,13 @@ To help diagnose enrollment or device management issues in Windows 10 devices m
 
 1. On your managed device go to **Settings** > **Accounts** > **Access work or school**.
 1. Click your work or school account, then click **Info.**  
-   ![Access work or school page in Settings.](images/diagnose-mdm-failures15.png)
+   ![Access work or school page in Settings](images/diagnose-mdm-failures15.png)
 
 1. At the bottom of the **Settings** page, click **Create report**.  
-   ![Access work or school page and then Create report.](images/diagnose-mdm-failures16.png)
+   ![Access work or school page and then Create report](images/diagnose-mdm-failures16.png)
 1. A window opens that shows the path to the log files. Click **Export**.
 
-   ![Access work or school log files.](images/diagnose-mdm-failures17.png)
+   ![Access work or school log files](images/diagnose-mdm-failures17.png)
 
 1. In File Explorer, navigate to c:\Users\Public\Documents\MDMDiagnostics to see the report.
 
@@ -59,7 +59,7 @@ Starting with the Windows 10, version 1511, MDM logs are captured in the Event
 
 Here's a screenshot:
 
-![mdm event viewer.](images/diagnose-mdm-failures1.png)
+![mdm event viewer](images/diagnose-mdm-failures1.png)
 
 In this location, the **Admin** channel logs events by default. However, if you need more details logs you can enable **Debug** logs by choosing **Show Analytic and Debug** logs option in **View** menu in Event Viewer.
 
@@ -238,26 +238,26 @@ For best results, ensure that the PC or VM on which you are viewing logs matches
 1.  Open eventvwr.msc.
 2.  Right-click on **Event Viewer(Local)** and select **Open Saved Log**.
 
-    ![event viewer screenshot.](images/diagnose-mdm-failures9.png)
+    ![event viewer screenshot](images/diagnose-mdm-failures9.png)
 
 3.  Navigate to the etl file that you got from the device and then open the file.
 4.  Click **Yes** when prompted to save it to the new log format.
 
-    ![event viewer prompt.](images/diagnose-mdm-failures10.png)
+    ![event viewer prompt](images/diagnose-mdm-failures10.png)
 
-    ![diagnose mdm failures.](images/diagnose-mdm-failures11.png)
+    ![diagnose mdm failures](images/diagnose-mdm-failures11.png)
 
 5.  The new view contains traces from the channel. Click on **Filter Current Log** from the **Actions** menu.
 
-    ![event viewer actions.](images/diagnose-mdm-failures12.png)
+    ![event viewer actions](images/diagnose-mdm-failures12.png)
 
 6.  Add a filter to Event sources by selecting **DeviceManagement-EnterpriseDiagnostics-Provider** and click **OK**.
 
-    ![event filter for Device Management.](images/diagnose-mdm-failures13.png)
+    ![event filter for Device Management](images/diagnose-mdm-failures13.png)
 
 7.  Now you are ready to start reviewing the logs.
 
-    ![event viewer review logs.](images/diagnose-mdm-failures14.png)
+    ![event viewer review logs](images/diagnose-mdm-failures14.png)
 
 ## Collect device state data
 
diff --git a/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md b/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md
index 5f48d033a0..35fe6568b0 100644
--- a/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md
+++ b/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md
@@ -137,7 +137,7 @@ You can only use the Work Access page to unenroll under the following conditions
 
 When a user is enrolled into MDM through Azure Active Directory Join and then disconnects the enrollment, there is no warning that the user will lose Windows Information Protection (WIP) data. The disconnection message does not indicate the loss of WIP data.
 
-![aadj unenerollment.](images/azure-ad-unenrollment.png)
+![aadj unenerollment](images/azure-ad-unenrollment.png)
 
 When a device is enrolled into MDM through Azure Active Directory Join and then remotely unenrolled, the device may get into a state where it must be re-imaged. When devices are remotely unenrolled from MDM, the AAD association is also removed. This safeguard is in place to avoid leaving the corporated devices in unmanaged state.
 
diff --git a/windows/client-management/mdm/eap-configuration.md b/windows/client-management/mdm/eap-configuration.md
index 2ef69ad6c3..43882781ec 100644
--- a/windows/client-management/mdm/eap-configuration.md
+++ b/windows/client-management/mdm/eap-configuration.md
@@ -24,35 +24,35 @@ To get the EAP configuration from your desktop using the rasphone tool that is s
 
 1.  Run rasphone.exe.
 
-    ![vpnv2 rasphone.](images/vpnv2-csp-rasphone.png)
+    ![vpnv2 rasphone](images/vpnv2-csp-rasphone.png)
 
 1.  If you don't currently have a VPN connection and you see the following message, select **OK**.
 
-    ![vpnv2 csp network connections.](images/vpnv2-csp-networkconnections.png)
+    ![vpnv2 csp network connections](images/vpnv2-csp-networkconnections.png)
 
 1.  In the wizard, select **Workplace network**.
 
-    ![vpnv2 csp set up connection.](images/vpnv2-csp-setupnewconnection.png)
+    ![vpnv2 csp set up connection](images/vpnv2-csp-setupnewconnection.png)
 
 1.  Enter an Internet address and connection name. These can be fake since it does not impact the authentication parameters.
 
-    ![vpnv2 csp set up connection 2.](images/vpnv2-csp-setupnewconnection2.png)
+    ![vpnv2 csp set up connection 2](images/vpnv2-csp-setupnewconnection2.png)
 
 1.  Create a fake VPN connection. In the UI shown here, select **Properties**.
 
-    ![vpnv2 csp choose nw connection.](images/vpnv2-csp-choosenetworkconnection.png)
+    ![vpnv2 csp choose nw connection](images/vpnv2-csp-choosenetworkconnection.png)
 
 1.  In the **Test Properties** dialog, select the **Security** tab.
 
-    ![vpnv2 csp test props.](images/vpnv2-csp-testproperties.png)
+    ![vpnv2 csp test props](images/vpnv2-csp-testproperties.png)
 
 1.  On the **Security** tab, select **Use Extensible Authentication Protocol (EAP)**.
 
-    ![vpnv2 csp test props2.](images/vpnv2-csp-testproperties2.png)
+    ![vpnv2 csp test props2](images/vpnv2-csp-testproperties2.png)
 
 1.  From the drop-down menu, select the EAP method that you want to configure, and then select **Properties** to configure as needed.
 
-    ![vpnv2 csp test props3.](images/vpnv2-csp-testproperties3.png)![vpnv2 csp test props4](images/vpnv2-csp-testproperties4.png)
+    ![vpnv2 csp test props3](images/vpnv2-csp-testproperties3.png)![vpnv2 csp test props4](images/vpnv2-csp-testproperties4.png)
 
 1.  Switch over to PowerShell and use the following cmdlets to retrieve the EAP configuration XML.
 
@@ -267,7 +267,7 @@ Alternatively, you can use the following procedure to create an EAP configuratio
 1.  Follow steps 1 through 7 in the EAP configuration article.
 1.  In the **Microsoft VPN SelfHost Properties** dialog box, select **Microsoft: Smart Card or other Certificate** from the drop-down menu (this selects EAP TLS).
 
-    ![vpn self host properties window.](images/certfiltering1.png)
+    ![vpn self host properties window](images/certfiltering1.png)
 
     > [!NOTE]
     > For PEAP or TTLS, select the appropriate method and continue following this procedure.
@@ -277,11 +277,11 @@ Alternatively, you can use the following procedure to create an EAP configuratio
 1.  Select the **Properties** button underneath the drop-down menu.
 1.  On the **Smart Card or other Certificate Properties** menu, select the **Advanced** button.
 
-    ![smart card or other certificate properties window.](images/certfiltering2.png)
+    ![smart card or other certificate properties window](images/certfiltering2.png)
 
 1.  On the **Configure Certificate Selection** menu, adjust the filters as needed.
 
-    ![configure certificate window.](images/certfiltering3.png)
+    ![configure certificate window](images/certfiltering3.png)
 
 1.  Select **OK** to close the windows and get back to the main rasphone.exe dialog box.
 1.  Close the rasphone dialog box.
diff --git a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md
index cfc9928a0b..d6a0127bab 100644
--- a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md
+++ b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md
@@ -47,19 +47,19 @@ See [Support Tip: Ingesting Office ADMX-backed policies using Microsoft Intune](
 
     2. Under **Best match**, click **Edit group policy** to launch it.  
        
-       ![GPEdit search.](images/admx-gpedit-search.png)
+       ![GPEdit search](images/admx-gpedit-search.png)
 
     3. In **Local Computer Policy** navigate to the policy you want to configure.  
     
        In this example, navigate to **Administrative Templates >  System > App-V**.
 
-       ![App-V policies.](images/admx-appv.png)
+       ![App-V policies](images/admx-appv.png)
 
     4. Double-click **Enable App-V Client**.  
 
        The **Options** section is empty, which means there are no parameters necessary to enable the policy. If the **Options** section is not empty, follow the procedure in [Enable a policy that requires parameters](#enable-a-policy-that-requires-parameters)
 
-       ![Enable App-V client.](images/admx-appv-enableapp-vclient.png)
+       ![Enable App-V client](images/admx-appv-enableapp-vclient.png)
 
 3.  Create the SyncML to enable the policy that does not require any parameter.  
 
@@ -99,15 +99,15 @@ See [Support Tip: Ingesting Office ADMX-backed policies using Microsoft Intune](
 
    1. Double-click **Publishing Server 2 Settings** to see the parameters you need to configure when you enable this policy.
 
-      ![Enable publishing server 2 policy.](images/admx-appv-publishingserver2.png)
+      ![Enable publishing server 2 policy](images/admx-appv-publishingserver2.png)
 
-      ![Enable publishing server 2 settings.](images/admx-app-v-enablepublishingserver2settings.png)
+      ![Enable publishing server 2 settings](images/admx-app-v-enablepublishingserver2settings.png)
 
    2. Find the variable names of the parameters in the ADMX file.
 
       You can find the ADMX file name in the policy description in Policy CSP. In this example, the filename appv.admx is listed in [AppVirtualization/PublishingAllowServer2](policy-configuration-service-provider.md#appvirtualization-publishingallowserver2).
 
-      ![Publishing server 2 policy description.](images/admx-appv-policy-description.png)
+      ![Publishing server 2 policy description](images/admx-appv-policy-description.png)
 
    3. Navigate to **C:\Windows\PolicyDefinitions** (default location of the admx files) and open appv.admx.
 
diff --git a/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md b/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md
index bab52cb7fd..f4c951af17 100644
--- a/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md
+++ b/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md
@@ -84,7 +84,7 @@ After the upgrade to Windows 10 is complete, if you decide to push down a new we
 
 The following diagram shows a high-level overview of the process.
 
-![update process for windows embedded 8.1 devices.](images/windowsembedded-update.png)
+![update process for windows embedded 8.1 devices](images/windowsembedded-update.png)
 
 ## Step 1: Prepare a test device to download updates from Microsoft Update
 
@@ -107,15 +107,15 @@ Trigger the device to check for updates either manually or using Microsoft Endpo
 
 1.  Remotely trigger a scan of the test device by deploying a Trigger Scan configuration baseline.
 
-    ![device scan using Configuration Manager.](images/windowsembedded-update2.png)
+    ![device scan using Configuration Manager](images/windowsembedded-update2.png)
 
 2.  Set the value of this OMA-URI by going to **Configuration Item**, and then selecting the newly created Trigger Scan settings from the previous step.
 
-    ![device scan using Configuration Manager.](images/windowsembedded-update3.png)
+    ![device scan using Configuration Manager](images/windowsembedded-update3.png)
 
 3.  Ensure that the value that is specified for this URI is greater than the value on the device(s), and that the **Remediate noncompliant rules when supported** option is selected. For the first time, any value that is greater than 0 will work, but for subsequent configurations, ensure that you specify an incremented value.
 
-    ![device scan using Configuration Manager.](images/windowsembedded-update4.png)
+    ![device scan using Configuration Manager](images/windowsembedded-update4.png)
 
 4.  Create a configuration baseline for Trigger Scan and Deploy. We recommend that this configuration baseline be deployed after the Controlled Updates baseline has been applied to the device. (The corresponding files are deployed on the device through a device sync session.)
 5.  Follow the prompts for downloading the updates, but do not install the updates on the device.
@@ -216,11 +216,11 @@ The deployment process has three parts:
 
 1.  Create a configuration item. In the **Browse Settings** window, select **Device File** as a filter, and then select **Select**.
 
-    ![embedded device update.](images/windowsembedded-update18.png)
+    ![embedded device update](images/windowsembedded-update18.png)
 
 2.  Browse to the DUControlledUpdates.xml that was created from the test device, and then specify the file path and name on the device as `NonPersistent\DUControlledUpdates.xml`.
 
-    ![embedded device update.](images/windowsembedded-update19.png)
+    ![embedded device update](images/windowsembedded-update19.png)
 
 3.  Select **Remediate noncompliant settings**, and then select **OK**.
 
@@ -231,7 +231,7 @@ The deployment process has three parts:
 1.  Create a configuration item and specify the file path and name on the device as `NonPersistent\DUCustomContentURIs.xml`
 2.  Select **Remediate noncompliant settings**.
 
-    ![embedded device update.](images/windowsembedded-update21.png)
+    ![embedded device update](images/windowsembedded-update21.png)
 
 3.  Select **OK**.
 
@@ -242,11 +242,11 @@ The deployment process has three parts:
 1.  Create a configuration baseline item and give it a name (such as ControlledUpdates).
 2.  Add the DUControlledUpdates and DUCustomContentURIs configuration items, and then select **OK**.
 
-    ![embedded device update.](images/windowsembedded-update22.png)
+    ![embedded device update](images/windowsembedded-update22.png)
 
 3.  Deploy the configuration baseline to the appropriate device or device collection.
 
-    ![embedded device update.](images/windowsembedded-update23.png)
+    ![embedded device update](images/windowsembedded-update23.png)
 
 4.  Select **OK**.
 
@@ -472,57 +472,57 @@ Use this procedure for pre-GDR1 devices:
 2.  In Microsoft Endpoint Configuration Manager, under **Assets and Compliance** > **Compliance Settings**, right-click **Configuration Items**.
 3.  Select **Create Configuration Item**.
 
-    ![device update using Configuration Manager.](images/windowsembedded-update5.png)
+    ![device update using Configuration Manager](images/windowsembedded-update5.png)
 4.  Enter a filename (such as GetDUReport), and then select **Mobile Device**.
 5.  On the **Mobile Device Settings** page, select **Configure Additional Settings that are not in the default settings group**, and then select **Next**.
 
-    ![device update using Configuration Manager.](images/windowsembedded-update6.png)
+    ![device update using Configuration Manager](images/windowsembedded-update6.png)
 6.  On the **Additional Settings** page, select **Add**.
 
-    ![device update using Configuration Manager.](images/windowsembedded-update7.png)
+    ![device update using Configuration Manager](images/windowsembedded-update7.png)
 7.  On the **Browse Settings** page, select **Create Setting**.
 
-    ![device update.](images/windowsembedded-update8.png)
+    ![device update](images/windowsembedded-update8.png)
 8.  Enter a unique **Name**. For **Setting type**, select **OMA-URI**, and for **Data type**, select **String**.
 9.  In the **OMA-URI** text box, enter `./Vendor/MSFT/EnterpriseExt/DeviceUpdate/UpdatesResultXml`, and then select **OK**.
 
-    ![handheld device update.](images/windowsembedded-update9.png)
+    ![handheld device update](images/windowsembedded-update9.png)
 10. On the **Browse Settings** page, select **Close**.
 11. On the **Create Configuration Item Wizard** page, select **All Windows Embedded 8.1 Handheld** as the supported platform, and then select **Next**.
 
-    ![embedded device update.](images/windowsembedded-update10.png)
+    ![embedded device update](images/windowsembedded-update10.png)
 12. Close the **Create Configuration Item Wizard** page.
 13. Right-click on the newly create configuration item, and then select the **Compliance Rules** tab.
 14. Select the new created mobile device setting (such as DUReport), and then select **Select**.
 15. Enter a dummy value (such as zzz) that is different from the one on the device.
 
-    ![embedded device update.](images/windowsembedded-update11.png)
+    ![embedded device update](images/windowsembedded-update11.png)
 16. Disable remediation by deselecting the **Remediate noncompliant rules when supported** option.
 17. Select **OK** to close the **Edit Rule** page.
 18. Create a new configuration baseline. Under **Assets and Compliance** > **Compliance Settings**, right-click **Configuration Baselines**.
 19. Select **Create Configuration Item**.
 
-    ![embedded device update.](images/windowsembedded-update12.png)
+    ![embedded device update](images/windowsembedded-update12.png)
 20. Enter a baseline name (such as RetrieveDUReport).
 21. Add the configuration item that you just created. Select **Add**, and then select the configuration item that you just created (such as DUReport).
 
-    ![embedded device update.](images/windowsembedded-update13.png)
+    ![embedded device update](images/windowsembedded-update13.png)
 22. Select **OK**, and then select **OK** again to complete the configuration baseline.
 23. Deploy the newly created configuration baseline to the appropriate device collection. Right-click on the configuration baseline that you created, and then select **Deploy**.
 
-    ![embedded device update.](images/windowsembedded-update14.png)
+    ![embedded device update](images/windowsembedded-update14.png)
 24. Select **Remediate noncompliant rules when supported**.
 25. Select the appropriate device collection and define the schedule.
 
-    ![device update.](images/windowsembedded-update15.png)
+    ![device update](images/windowsembedded-update15.png)
 26. To view the DUReport content, select the appropriate deployment for the configuration baseline that you created. Right-click on the deployment, and then select **View Status**.
 27. Select **Run Summarization**, and then select **Refresh**. The test device(s) should be listed on the **Non-Compliant** tab.
 28. Under **Asset Details**, right-click on the test device, and then select **Mode Details**.
 
-    ![device update.](images/windowsembedded-update16.png)
+    ![device update](images/windowsembedded-update16.png)
 29. On the **Non-compliant** tab, you can see the DUReport, but you cannot retrieve the content from here.
 
-    ![device update.](images/windowsembedded-update17.png)
+    ![device update](images/windowsembedded-update17.png)
 30. To retrieve the DUReport, open C:\\Program Files\\SMS\_CCM\\SMS\_DM.log.
 31. In the log file, search from the bottom for "./Vendor/MSFT/EnterpriseExt/DeviceUpdate/UpdatesResultXml" RuleExression="Equals zzz," where zzz is the dummy value. Just above this, copy the information for UpdateData and use this information to create the DUControlledUpdates.xml.
 
diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
index c9f13235e0..322e4dbc40 100644
--- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
+++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
@@ -46,11 +46,11 @@ To ensure that the auto-enrollment feature is working as expected, you must veri
 The following steps demonstrate required settings using the Intune service:
 1. Verify that the user who is going to enroll the device has a valid Intune license.
 
-    ![Intune license verification.](images/auto-enrollment-intune-license-verification.png)
+    ![Intune license verification](images/auto-enrollment-intune-license-verification.png)
 
 2. Verify that auto-enrollment is activated for those users who are going to enroll the devices into Intune. For additional details, see [Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal](./azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md).
 
-    ![Auto-enrollment activation verification.](images/auto-enrollment-activation-verification.png)
+    ![Auto-enrollment activation verification](images/auto-enrollment-activation-verification.png)
 
     > [!IMPORTANT]
     > For BYOD devices, the MAM user scope takes precedence if both MAM user scope and MDM user scope (automatic MDM enrollment) are enabled for all users (or the same groups of users). The device will use Windows Information Protection (WIP) Policies (if you configured them) rather than being MDM enrolled.
@@ -62,23 +62,23 @@ The following steps demonstrate required settings using the Intune service:
 
     You can confirm that the device is properly hybrid-joined if both **AzureAdJoined** and **DomainJoined** are set to **YES**.
 
-    ![Auto-enrollment device status result.](images/auto-enrollment-device-status-result.png)
+    ![Auto-enrollment device status result](images/auto-enrollment-device-status-result.png)
 
     Additionally, verify that the SSO State section displays **AzureAdPrt** as **YES**.
 
-    ![Auto-enrollment Azure AD prt verification.](images/auto-enrollment-azureadprt-verification.png)
+    ![Auto-enrollment Azure AD prt verification](images/auto-enrollment-azureadprt-verification.png)
 
     This information can also be found on the Azure AD device list.
 
-    ![Azure AD device list.](images/azure-ad-device-list.png)
+    ![Azure AD device list](images/azure-ad-device-list.png)
 
 5. Verify that the MDM discovery URL during auto-enrollment is https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
 
-    ![MDM discovery URL.](images/auto-enrollment-mdm-discovery-url.png)
+    ![MDM discovery URL](images/auto-enrollment-mdm-discovery-url.png)
 
 6. Some tenants might have both **Microsoft Intune** and **Microsoft Intune Enrollment** under **Mobility**. Make sure that your auto-enrollment settings are configured under **Microsoft Intune** instead of **Microsoft Intune Enrollment**.
 
-    ![Mobility setting MDM intune.](images/auto-enrollment-microsoft-intune-setting.png)
+    ![Mobility setting MDM intune](images/auto-enrollment-microsoft-intune-setting.png)
 
 7. Verify that the *Enable Automatic MDM enrollment using default Azure AD credentials* group policy (**Local Group Policy Editor > Computer Configuration > Policies > Administrative Templates > Windows Components > MDM**) is properly deployed to all devices which should be enrolled into Intune.
 You may contact your domain administrators to verify if the group policy has been deployed successfully.
@@ -87,7 +87,7 @@ You may contact your domain administrators to verify if the group policy has bee
 
 9. Verify that Microsoft Intune should allow enrollment of Windows devices.
 
-    ![Enrollment of Windows devices.](images/auto-enrollment-enrollment-of-windows-devices.png)
+    ![Enrollment of Windows devices](images/auto-enrollment-enrollment-of-windows-devices.png)
 
 ## Configure the auto-enrollment Group Policy for a single PC
 
@@ -102,18 +102,18 @@ Requirements:
 
     Click Start, then in the text box type gpedit.
 
-    ![GPEdit desktop app search result.](images/autoenrollment-gpedit.png)
+    ![GPEdit desktop app search result](images/autoenrollment-gpedit.png)
 
 2. Under **Best match**, click **Edit group policy** to launch it.
 
 3. In **Local Computer Policy**, click **Administrative Templates** > **Windows Components** > **MDM**.
 
     > [!div class="mx-imgBorder"]
-    > ![MDM policies.](images/autoenrollment-mdm-policies.png)
+    > ![MDM policies](images/autoenrollment-mdm-policies.png)
 
 4. Double-click **Enable automatic MDM enrollment using default Azure AD credentials** (previously called **Auto MDM Enrollment with AAD Token** in Windows 10, version 1709). For ADMX files in Windows 10, version 1903 and later, select **User Credential** as the Selected Credential Type to use.
 
-   ![MDM autoenrollment policy.](images/autoenrollment-policy.png)
+   ![MDM autoenrollment policy](images/autoenrollment-policy.png)
 
 5. Click **Enable**, and select **User Credential** from the dropdown **Select Credential Type to Use**, then click **OK**.
 
@@ -129,7 +129,7 @@ Requirements:
 
     If two-factor authentication is required, you will be prompted to complete the process. Here is an example screenshot.
 
-    ![Two-factor authentication notification.](images/autoenrollment-2-factor-auth.png)
+    ![Two-factor authentication notification](images/autoenrollment-2-factor-auth.png)
 
     > [!Tip]
     > You can avoid this behavior by using Conditional Access Policies in Azure AD.
@@ -139,7 +139,7 @@ Requirements:
 
 7. Click **Info** to see the MDM enrollment information.
 
-    ![Work School Settings.](images/autoenrollment-settings-work-school.png)
+    ![Work School Settings](images/autoenrollment-settings-work-school.png)
 
     If you do not see the **Info** button or the enrollment information, it is possible that the enrollment failed. Check the status in [Task Scheduler app](#task-scheduler-app).
 
@@ -148,13 +148,13 @@ Requirements:
 
 1. Click **Start**, then in the text box type **task scheduler**.
 
-   ![Task Scheduler search result.](images/autoenrollment-task-schedulerapp.png)
+   ![Task Scheduler search result](images/autoenrollment-task-schedulerapp.png)
 
 2. Under **Best match**, click **Task Scheduler** to launch it.
 
 3. In **Task Scheduler Library**, open **Microsoft > Windows** , then click **EnterpriseMgmt**.
 
-    ![Auto-enrollment scheduled task.](images/autoenrollment-scheduled-task.png)
+    ![Auto-enrollment scheduled task](images/autoenrollment-scheduled-task.png)
 
     To see the result of the task, move the scroll bar to the right to see the **Last Run Result**. Note that **0x80180026** is a failure message (MENROLL\_E_DEVICE\_MANAGEMENT_BLOCKED). You can see the logs in the **History** tab.
 
@@ -239,13 +239,13 @@ To collect Event Viewer logs:
 
 3. Search for event ID 75, which represents a successful auto-enrollment. Here is an example screenshot that shows the auto-enrollment completed successfully:
 
-    ![Event ID 75.](images/auto-enrollment-troubleshooting-event-id-75.png)
+    ![Event ID 75](images/auto-enrollment-troubleshooting-event-id-75.png)
 
     If you cannot find event ID 75 in the logs, it indicates that the auto-enrollment failed. This can happen because of the following reasons:
 
     - The enrollment failed with error. In this case, search for event ID 76, which represents failed auto-enrollment. Here is an example screenshot that shows that the auto-enrollment failed:
 
-      ![Event ID 76.](images/auto-enrollment-troubleshooting-event-id-76.png)
+      ![Event ID 76](images/auto-enrollment-troubleshooting-event-id-76.png)
 
       To troubleshoot, check the error code that appears in the event. See [Troubleshooting Windows device enrollment problems in Microsoft Intune](https://support.microsoft.com/en-ph/help/4469913/troubleshooting-windows-device-enrollment-problems-in-microsoft-intune) for more information.
 
@@ -253,7 +253,7 @@ To collect Event Viewer logs:
 
       The auto-enrollment process is triggered by a task (**Microsoft > Windows > EnterpriseMgmt**) within the task-scheduler. This task appears if the *Enable automatic MDM enrollment using default Azure AD credentials* group policy (**Computer Configuration > Policies > Administrative Templates > Windows Components > MDM**) is successfully deployed to the target machine as shown in the following screenshot:
 
-      ![Task scheduler.](images/auto-enrollment-task-scheduler.png)
+      ![Task scheduler](images/auto-enrollment-task-scheduler.png)
 
     > [!Note]
     > This task isn't visible to standard users - run Scheduled Tasks with administrative credentials to find the task.
@@ -262,24 +262,24 @@ To collect Event Viewer logs:
     **Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational**.
     Look for an entry where the task scheduler created by enrollment client for automatically enrolling in MDM from AAD is triggered by event ID 107.
 
-    ![Event ID 107.](images/auto-enrollment-event-id-107.png)
+    ![Event ID 107](images/auto-enrollment-event-id-107.png)
 
     When the task is completed, a new event ID 102 is logged.
 
-    ![Event ID 102.](images/auto-enrollment-event-id-102.png)
+    ![Event ID 102](images/auto-enrollment-event-id-102.png)
 
     Note that the task scheduler log displays event ID 102 (task completed) regardless of the auto-enrollment success or failure. This means that the task scheduler log is only useful to confirm if the auto-enrollment task is triggered or not. It does not indicate the success or failure of auto-enrollment.
 
     If you cannot see from the log that task Schedule created by enrollment client for automatically enrolling in MDM from AAD is initiated, there is possibly issue with the group policy. Immediately run the command `gpupdate /force` in command prompt to get the GPO applied. If this still does not help, further troubleshooting on the Active Directory is required.
     One frequently seen error is related to some outdated enrollment entries in the registry on the target client device (**HKLM > Software > Microsoft > Enrollments**). If a device has been enrolled (can be any MDM solution and not only Intune), some enrollment information added into the registry is seen:
 
-    ![Outdated enrollment entries.](images/auto-enrollment-outdated-enrollment-entries.png)
+    ![Outdated enrollment entries](images/auto-enrollment-outdated-enrollment-entries.png)
 
     By default, these entries are removed when the device is un-enrolled, but occasionally the registry key remains even after un-enrollment. In this case, `gpupdate /force` fails to initiate the auto-enrollment task and error code 2149056522 is displayed in the **Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational** event log file under event ID 7016.
 
     A resolution to this issue is to remove the registry key manually. If you do not know which registry key to remove, go for the key which displays most entries as the screenshot above. All other keys will display fewer entries as shown in the following screenshot:
 
-    ![Manually deleted entries.](images/auto-enrollment-activation-verification-less-entries.png)
+    ![Manually deleted entries](images/auto-enrollment-activation-verification-less-entries.png)
 
 ### Related topics
 
diff --git a/windows/client-management/mdm/enterprise-app-management.md b/windows/client-management/mdm/enterprise-app-management.md
index c29e2047ad..b809041a65 100644
--- a/windows/client-management/mdm/enterprise-app-management.md
+++ b/windows/client-management/mdm/enterprise-app-management.md
@@ -41,7 +41,7 @@ These classifications are represented as nodes in the EnterpriseModernAppManagem
 
 The following diagram shows the EnterpriseModernAppManagement CSP in a tree format.
 
-![enterprisemodernappmanagement csp diagram.](images/provisioning-csp-enterprisemodernappmanagement.png)
+![enterprisemodernappmanagement csp diagram](images/provisioning-csp-enterprisemodernappmanagement.png)
 
 Each app displays one package family name and 1-n package full names for installed apps. The apps are categorized based on their origin (Store, nonStore, System).
 
diff --git a/windows/client-management/mdm/enterpriseappmanagement-csp.md b/windows/client-management/mdm/enterpriseappmanagement-csp.md
index 98249aad50..51c1a6581f 100644
--- a/windows/client-management/mdm/enterpriseappmanagement-csp.md
+++ b/windows/client-management/mdm/enterpriseappmanagement-csp.md
@@ -23,7 +23,7 @@ The EnterpriseAppManagement enterprise configuration service provider is used to
 
 The following diagram shows the EnterpriseAppManagement configuration service provider in tree format.
 
-![enterpriseappmanagement csp.](images/provisioning-csp-enterpriseappmanagement.png)
+![enterpriseappmanagement csp](images/provisioning-csp-enterpriseappmanagement.png)
 
 <a href="" id="enterpriseid"></a>***EnterpriseID***
 Optional. A dynamic node that represents the EnterpriseID as a GUID. It is used to enroll or unenroll enterprise applications.
diff --git a/windows/client-management/mdm/filesystem-csp.md b/windows/client-management/mdm/filesystem-csp.md
index 3df7b51be2..12547591ba 100644
--- a/windows/client-management/mdm/filesystem-csp.md
+++ b/windows/client-management/mdm/filesystem-csp.md
@@ -24,7 +24,7 @@ The FileSystem configuration service provider is used to query, add, modify, and
 
 The following diagram shows the FileSystem configuration service provider management object in tree format as used by OMA DM. The OMA Client Provisioning protocol is not supported by this configuration service provider.
 
-![filesystem csp (dm).](images/provisioning-csp-filesystem-dm.png)
+![filesystem csp (dm)](images/provisioning-csp-filesystem-dm.png)
 
 <a href="" id="filesystem"></a>**FileSystem**
 Required. Defines the root of the file system management object. It functions as the root directory for file system queries.
diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md
index 03fb5b432d..9f691cab8c 100644
--- a/windows/client-management/mdm/healthattestation-csp.md
+++ b/windows/client-management/mdm/healthattestation-csp.md
@@ -104,7 +104,7 @@ The following is a list of functions performed by the Device HealthAttestation C
 - Receives an encrypted blob (DHA-EncBlob) from DHA-Service, and stores it in a local cache on the device</li>
 - Receives attestation requests (DHA-Requests) from a DHA-Enabled-MDM, and replies with a device health report (DHA-Report)</li>
 
-![healthattestation service diagram.](images/healthattestation_2.png)
+![healthattestation service diagram](images/healthattestation_2.png)
 
 <table> 
 <col width="20%" />
diff --git a/windows/client-management/mdm/hotspot-csp.md b/windows/client-management/mdm/hotspot-csp.md
index af7934b674..36a979715e 100644
--- a/windows/client-management/mdm/hotspot-csp.md
+++ b/windows/client-management/mdm/hotspot-csp.md
@@ -27,7 +27,7 @@ The HotSpot configuration service provider is used to configure and enable Inter
 
 The following diagram shows the HotSpot configuration service provider management object in tree format as used by OMA Client Provisioning. The OMA DM protocol is not supported by this configuration service provider.
 
-![hotspot csp (cp).](images/provisioning-csp-hotspot-cp.png)
+![hotspot csp (cp)](images/provisioning-csp-hotspot-cp.png)
 
 <a href="" id="enabled"></a>**Enabled**
 Required. Specifies whether to enable Internet sharing on the device. The default is false.
diff --git a/windows/client-management/mdm/implement-server-side-mobile-application-management.md b/windows/client-management/mdm/implement-server-side-mobile-application-management.md
index 68633b48af..08a455f462 100644
--- a/windows/client-management/mdm/implement-server-side-mobile-application-management.md
+++ b/windows/client-management/mdm/implement-server-side-mobile-application-management.md
@@ -44,7 +44,7 @@ To make applications WIP-aware, app developers need to include the following dat
 
 MAM enrollment requires integration with Azure AD. The MAM service provider needs to publish the Management MDM app to the Azure AD app gallery. Starting with Azure AD in Windows 10, version 1703, the same cloud-based Management MDM app will support both MDM and MAM enrollments. If you have already published your MDM app, it needs to be updated to include MAM Enrollment and Terms of use URLs. The screenshot below illustrates the management app for an IT admin configuration.  
 
-![Mobile application management app.](images/implement-server-side-mobile-application-management.png)
+![Mobile application management app](images/implement-server-side-mobile-application-management.png)
 
 MAM and MDM services in an organization could be provided by different vendors. Depending on the company configuration, IT admin typically needs to add one or two Azure AD Management apps to configure MAM and MDM policies. For example, if both MAM and MDM are provided by the same vendor, then an IT Admin needs to add one Management app from this vendor that will contain both MAM and MDM policies for the organization. Alternatively, if the MAM and MDM services in an organization are provided by two different vendors, then two Management apps from the two vendors need to be configured for the company in Azure AD: one for MAM and one for MDM. Please note: if the MDM service in an organization is not integrated with Azure AD and uses auto-discovery, only one Management app for MAM needs to be configured.  
 
diff --git a/windows/client-management/mdm/management-tool-for-windows-store-for-business.md b/windows/client-management/mdm/management-tool-for-windows-store-for-business.md
index 875c7d0ded..12e50c7af7 100644
--- a/windows/client-management/mdm/management-tool-for-windows-store-for-business.md
+++ b/windows/client-management/mdm/management-tool-for-windows-store-for-business.md
@@ -59,13 +59,13 @@ The Store for Business provides services that enable a management tool to synchr
 
 The following diagram provides an overview of app distribution from acquisition of an offline-licensed application to distribution to a client. Once synchronized from the Store for Business, the management tool can use the Windows management framework to distribute applications to devices.
 
-![business store offline app distribution.](images/businessstoreportalservices2.png)
+![business store offline app distribution](images/businessstoreportalservices2.png)
 
 ### Online-licensed application distribution
 
 The following diagram provides an overview of app distribution from acquisition of an online-licensed application to distribution to a client. Once synchronized from the Store for Business, the management tool can use the Windows management framework to distribute applications to devices. For online-licensed applications, the management tool calls back into the Store for Business management services to assign an application prior to issuing the policy to install the application.
 
-![business store online app distribution.](images/businessstoreportalservices3.png)
+![business store online app distribution](images/businessstoreportalservices3.png)
 
 ## Integrate with Azure Active Directory
 
@@ -105,7 +105,7 @@ After registering your management tool with Azure AD, the management tool can ca
 
 The diagram below shows the call patterns for acquiring a new or updated application.
 
-![business store portal service flow diagram.](images/businessstoreportalservicesflow.png)
+![business store portal service flow diagram](images/businessstoreportalservicesflow.png)
 
 **Here is the list of available operations**:
 
diff --git a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md
index 6dbe747d92..d1e7b033f2 100644
--- a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md
+++ b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md
@@ -25,7 +25,7 @@ In today’s cloud-first world, enterprise IT departments increasingly want to l
 
 You can connect corporate-owned devices to work by either joining the device to an Active Directory domain, or to an Azure Active Directory (Azure AD) domain. Windows 10 does not require a personal Microsoft account on devices joined to Azure AD or an on-premises Active Directory domain.
 
-![active directory azure ad signin.](images/unifiedenrollment-rs1-1.png)
+![active directory azure ad signin](images/unifiedenrollment-rs1-1.png)
 
 ### Connect your device to an Active Directory domain (join a domain)
 
@@ -40,15 +40,15 @@ Joining your device to an Active Directory domain during the out-of-box-experien
 
 1.  On the **Who Owns this PC?** page, select **My work or school owns it**.
 
-    ![oobe local account creation.](images/unifiedenrollment-rs1-2.png)
+    ![oobe local account creation](images/unifiedenrollment-rs1-2.png)
 
 2.  Next, select **Join a domain**.
 
-    ![select domain or azure ad.](images/unifiedenrollment-rs1-3.png)
+    ![select domain or azure ad](images/unifiedenrollment-rs1-3.png)
 
 3.  You'll see a prompt to set up a local account on the device. Enter your local account details, and then select **Next** to continue.
 
-    ![create pc account.](images/unifiedenrollment-rs1-4.png)
+    ![create pc account](images/unifiedenrollment-rs1-4.png)
 
 ### Use the Settings app
 
@@ -56,27 +56,27 @@ To create a local account and connect the device:
 
 1.  Launch the Settings app.
 
-    ![windows settings page.](images/unifiedenrollment-rs1-5.png)
+    ![windows settings page](images/unifiedenrollment-rs1-5.png)
 
 2.  Next, select **Accounts**.
 
-    ![windows settings accounts select.](images/unifiedenrollment-rs1-6.png)
+    ![windows settings accounts select](images/unifiedenrollment-rs1-6.png)
 
 3.  Navigate to **Access work or school**.
 
-    ![select access work or school.](images/unifiedenrollment-rs1-7.png)
+    ![select access work or school](images/unifiedenrollment-rs1-7.png)
 
 4.  Select **Connect**.
 
-    ![connect to work or school.](images/unifiedenrollment-rs1-8.png)
+    ![connect to work or school](images/unifiedenrollment-rs1-8.png)
 
 5.  Under **Alternate actions**, select **Join this device to a local Active Directory domain**.
 
-    ![join account to active directory domain.](images/unifiedenrollment-rs1-9.png)
+    ![join account to active directory domain](images/unifiedenrollment-rs1-9.png)
 
 6.  Type in your domain name, follow the instructions, and then select **Next** to continue. After you complete the flow and restart your device, it should be connected to your Active Directory domain. You can now sign in to the device using your domain credentials.
 
-    ![type in domain name.](images/unifiedenrollment-rs1-10.png)
+    ![type in domain name](images/unifiedenrollment-rs1-10.png)
 
 ### Help with connecting to an Active Directory domain
 
@@ -101,11 +101,11 @@ To join a domain:
 
 1.  Select **My work or school owns it**, then select **Next.**
 
-    ![oobe local account creation.](images/unifiedenrollment-rs1-11.png)
+    ![oobe local account creation](images/unifiedenrollment-rs1-11.png)
 
 2.  Select **Join Azure AD**, and then select **Next.**
 
-    ![select domain or azure ad.](images/unifiedenrollment-rs1-12.png)
+    ![select domain or azure ad](images/unifiedenrollment-rs1-12.png)
 
 3.  Type in your Azure AD username. This is the email address you use to log into Microsoft Office 365 and similar services.
 
@@ -113,7 +113,7 @@ To join a domain:
 
     Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. If your Azure AD tenant has auto-enrollment configured, your device will also be enrolled into MDM during this flow. For more information, see [these steps](azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md). If your tenant is not configured for auto-enrollment, you will have to go through the enrollment flow a second time to connect your device to MDM. After you complete the flow, your device will be connected to your organization’s Azure AD domain.
 
-    ![azure ad signin.](images/unifiedenrollment-rs1-13.png)
+    ![azure ad signin](images/unifiedenrollment-rs1-13.png)
 
 ### Use the Settings app
 
@@ -121,27 +121,27 @@ To create a local account and connect the device:
 
 1.  Launch the Settings app.
 
-    ![windows settings page.](images/unifiedenrollment-rs1-14.png)
+    ![windows settings page](images/unifiedenrollment-rs1-14.png)
 
 2.  Next, navigate to **Accounts**.
 
-    ![windows settings accounts select.](images/unifiedenrollment-rs1-15.png)
+    ![windows settings accounts select](images/unifiedenrollment-rs1-15.png)
 
 3.  Navigate to **Access work or school**.
 
-    ![select access work or school.](images/unifiedenrollment-rs1-16.png)
+    ![select access work or school](images/unifiedenrollment-rs1-16.png)
 
 4.  Select **Connect**.
 
-    ![connect to work or school.](images/unifiedenrollment-rs1-17.png)
+    ![connect to work or school](images/unifiedenrollment-rs1-17.png)
 
 5.  Under **Alternate Actions**, selct **Join this device to Azure Active Directory**.
 
-    ![join work or school account to azure ad.](images/unifiedenrollment-rs1-18.png)
+    ![join work or school account to azure ad](images/unifiedenrollment-rs1-18.png)
 
 6.  Type in your Azure AD username. This is the email address you use to log into Office 365 and similar services.
 
-    ![azure ad sign in.](images/unifiedenrollment-rs1-19.png)
+    ![azure ad sign in](images/unifiedenrollment-rs1-19.png)
 
 7.  If the tenant is a cloud-only, password hash sync, or pass-through authentication tenant, this page changes to show the organization's custom branding, and you can enter your password directly on this page. If the tenant is part of a federated domain, you are redirected to the organization's on-premises federation server, such as AD FS, for authentication.
 
@@ -151,7 +151,7 @@ To create a local account and connect the device:
 
     After you reach the end of the flow, your device should be connected to your organization’s Azure AD domain. You may now log out of your current account and sign in using your Azure AD username.
 
-    ![corporate sign in.](images/unifiedenrollment-rs1-20.png)
+    ![corporate sign in](images/unifiedenrollment-rs1-20.png)
 
 ### Help with connecting to an Azure AD domain
 
@@ -183,19 +183,19 @@ To create a local account and connect the device:
 
 1.  Launch the Settings app, and then select **Accounts** >**Start** > **Settings** > **Accounts**.
 
-    ![windows settings page.](images/unifiedenrollment-rs1-21-b.png)
+    ![windows settings page](images/unifiedenrollment-rs1-21-b.png)
 
 2.  Navigate to **Access work or school**.
 
-    ![select access work or school.](images/unifiedenrollment-rs1-23-b.png)
+    ![select access work or school](images/unifiedenrollment-rs1-23-b.png)
 
 3.  Select **Connect**.
 
-    ![connect to work or school.](images/unifiedenrollment-rs1-24-b.png)
+    ![connect to work or school](images/unifiedenrollment-rs1-24-b.png)
 
 4.  Type in your Azure AD username. This is the email address you use to log into Office 365 and similar services.
 
-    ![join work or school account to azure ad.](images/unifiedenrollment-rs1-25-b.png)
+    ![join work or school account to azure ad](images/unifiedenrollment-rs1-25-b.png)
 
 5.  If the tenant is a cloud-only, password hash sync, or pass-through authentication tenant, this page changes to show the organization's custom branding, and can enter your password directly into the page. If the tenant is part of a federated domain, you are redirected to the organization's on-premises federation server, such as AD FS, for authentication.
 
@@ -205,11 +205,11 @@ To create a local account and connect the device:
 
     Starting in Windows 10, version 1709, you will see the status page that shows the progress of your device being set up.
 
-    ![corporate sign in.](images/unifiedenrollment-rs1-26.png)
+    ![corporate sign in](images/unifiedenrollment-rs1-26.png)
 
 6.  After you complete the flow, your Microsoft account will be connected to your work or school account.
 
-    ![account successfully added.](images/unifiedenrollment-rs1-27.png)
+    ![account successfully added](images/unifiedenrollment-rs1-27.png)
 
 ### Connect to MDM on a desktop (enrolling in device management)
 
@@ -221,29 +221,29 @@ To create a local account and connect the device:
 
 1. Launch the Settings app.
 
-   ![windows settings page.](images/unifiedenrollment-rs1-28.png)
+   ![windows settings page](images/unifiedenrollment-rs1-28.png)
 
 2. Next, navigate to **Accounts**.
 
-   ![windows settings accounts page.](images/unifiedenrollment-rs1-29.png)
+   ![windows settings accounts page](images/unifiedenrollment-rs1-29.png)
 
 3. Navigate to **Access work or school**.
 
-   ![access work or school.](images/unifiedenrollment-rs1-30.png)
+   ![access work or school](images/unifiedenrollment-rs1-30.png)
 
 4. Select the **Enroll only in device management** link (available in servicing build 14393.82, KB3176934). For older builds, see [Connect your Windows 10-based device to work using a deep link](mdm-enrollment-of-windows-devices.md#connect-your-windows-10-based-device-to-work-using-a-deep-link).
 
-   ![connect to work or school.](images/unifiedenrollment-rs1-31.png)
+   ![connect to work or school](images/unifiedenrollment-rs1-31.png)
 
 5. Type in your work email address.
 
-   ![set up work or school account.](images/unifiedenrollment-rs1-32.png)
+   ![set up work or school account](images/unifiedenrollment-rs1-32.png)
 
 6. If the device finds an endpoint that only supports on-premises authentication, this page will change and ask you for your password. If the device finds an MDM endpoint that supports federated authentication, you’ll be presented with a new window that will ask you for additional authentication information.
 
    Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. Starting in Windows 10, version 1709, you will see the enrollment progress on screen.
 
-   ![corporate sign in.](images/unifiedenrollment-rs1-33-b.png)
+   ![corporate sign in](images/unifiedenrollment-rs1-33-b.png)
 
    After you complete the flow, your device will be connected to your organization’s MDM.
    
@@ -300,7 +300,7 @@ To connect your devices to MDM using deep links:
 
     - IT admins can add this link to a welcome email that users can select to enroll into MDM.
 
-      ![using enrollment deeplink in email.](images/deeplinkenrollment1.png)
+      ![using enrollment deeplink in email](images/deeplinkenrollment1.png)
 
     - IT admins can also add this link to an internal web page that users refer to enrollment instructions.
 
@@ -308,20 +308,20 @@ To connect your devices to MDM using deep links:
 
     Type in your work email address.
 
-    ![set up work or school account.](images/deeplinkenrollment3.png)
+    ![set up work or school account](images/deeplinkenrollment3.png)
 
 3.  If the device finds an endpoint that only supports on-premises authentication, this page will change and ask you for your password. If the device finds an MDM endpoint that supports federated authentication, you’ll be presented with a new window that will ask you for additional authentication information. Based on IT policy, you may also be prompted to provide a second factor of authentication at this point.
 
     After you complete the flow, your device will be connected to your organization's MDM.
 
-    ![corporate sign in.](images/deeplinkenrollment4.png)
+    ![corporate sign in](images/deeplinkenrollment4.png)
 
 ## Manage connections
 
 
 To manage your work or school connections, select **Settings** > **Accounts** > **Access work or school**. Your connections will show on this page and selecting one will expand options for that connection.
 
-![managing work or school account.](images/unifiedenrollment-rs1-34-b.png)
+![managing work or school account](images/unifiedenrollment-rs1-34-b.png)
 
 ### Info
 
@@ -335,7 +335,7 @@ Selecting the **Info** button will open a new page in the Settings app that prov
 
 Starting in Windows 10, version 1709, selecting the **Info** button will show a list of policies and line-of-business apps installed by your organization. Here is an example screenshot.
 
-![work or school info.](images/unifiedenrollment-rs1-35-b.png)
+![work or school info](images/unifiedenrollment-rs1-35-b.png)
 
 > [!NOTE]
 > Starting in Windows 10, version 1709, the **Manage** button is no longer available. 
@@ -357,7 +357,7 @@ You can collect diagnostic logs around your work connections by going to **Setti
 
 Starting in Windows 10, version 1709, you can get the advanced diagnostic report by going to **Settings** > **Accounts** > **Access work or school**, and selecting the **Info** button. At the bottom of the Settings page, you will see the button to create a report, as shown here.
 
-![collecting enrollment management log files.](images/unifiedenrollment-rs1-37-c.png)
+![collecting enrollment management log files](images/unifiedenrollment-rs1-37-c.png)
 
  
 
diff --git a/windows/client-management/mdm/messaging-csp.md b/windows/client-management/mdm/messaging-csp.md
index ad2d4edddc..e9383e871f 100644
--- a/windows/client-management/mdm/messaging-csp.md
+++ b/windows/client-management/mdm/messaging-csp.md
@@ -17,7 +17,7 @@ The Messaging configuration service provider is used to configure the ability to
 
 The following diagram shows the Messaging configuration service provider in tree format.
 
-![messaging csp.](images/provisioning-csp-messaging.png)
+![messaging csp](images/provisioning-csp-messaging.png)
 
 <a href="" id="--user-msft-applocker"></a>**./User/Vendor/MSFT/Messaging**  
 
diff --git a/windows/client-management/mdm/mobile-device-enrollment.md b/windows/client-management/mdm/mobile-device-enrollment.md
index 6c898afe02..32f9b5ee66 100644
--- a/windows/client-management/mdm/mobile-device-enrollment.md
+++ b/windows/client-management/mdm/mobile-device-enrollment.md
@@ -68,7 +68,7 @@ Devices that are joined to an on-premises Active Directory can enroll into MDM v
 
 Starting in Windows 10, version 1607, IT admin can disable MDM enrollments for domain-joined PCs using Group Policy. Using the GP editor, the path is **Computer configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **MDM** &gt; **Disable MDM Enrollment**.
 
-![Disable MDM enrollment policy in GP Editor.](images/mdm-enrollment-disable-policy.png)
+![Disable MDM enrollment policy in GP Editor](images/mdm-enrollment-disable-policy.png)
 
 Here is the corresponding registry key:
 
diff --git a/windows/client-management/mdm/napdef-csp.md b/windows/client-management/mdm/napdef-csp.md
index 0b715c1a53..1b5f5ecdd4 100644
--- a/windows/client-management/mdm/napdef-csp.md
+++ b/windows/client-management/mdm/napdef-csp.md
@@ -27,11 +27,11 @@ The NAPDEF configuration service provider is used to add, modify, or delete WAP
 
 The following diagram shows the NAPDEF configuration service provider management object in tree format as used by OMA Client Provisioning for **initial bootstrapping of the phone**. The OMA DM protocol is not supported by this configuration service provider.
 
-![napdef csp (cp) (initial bootstrapping).](images/provisioning-csp-napdef-cp.png)
+![napdef csp (cp) (initial bootstrapping)](images/provisioning-csp-napdef-cp.png)
 
 The following diagram shows the NAPDEF configuration service provider management object in tree format as used by OMA Client Provisioning for **updating the bootstrapping of the phone**. The OMA DM protocol is not supported by this configuration service provider.
 
-![napdef csp (cp) (update bootstrapping).](images/provisioning-csp-napdef-cp-2.png)
+![napdef csp (cp) (update bootstrapping)](images/provisioning-csp-napdef-cp-2.png)
 
 <a href="" id="napauthinfo"></a>**NAPAUTHINFO**  
 Defines a group of authentication settings.
diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
index 272489e4a8..ce79fdb702 100644
--- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
+++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
@@ -240,7 +240,7 @@ Passing CDATA in data in SyncML to ConfigManager and CSPs does not work in Windo
 
 The certificate setting under "SSL Settings" in the IIS server for SCEP must be set to "Ignore" in Windows 10. In Windows Phone 8.1, when you set the client certificate to "Accept," it works fine.
 
-![ssl settings.](images/ssl-settings.png)
+![ssl settings](images/ssl-settings.png)
 
 ### MDM enrollment fails on the mobile device when traffic is going through proxy
 
@@ -439,7 +439,7 @@ Alternatively you can use the following procedure to create an EAP Configuration
 1.  Follow steps 1 through 7 in the [EAP configuration](eap-configuration.md) article.
 2.  In the Microsoft VPN SelfHost Properties dialog box, select **Microsoft : Smart Card or other Certificate** from the drop down (this selects EAP TLS.)
 
-    ![vpn selfhost properties window.](images/certfiltering1.png)
+    ![vpn selfhost properties window](images/certfiltering1.png)
 
     > [!NOTE]
     > For PEAP or TTLS, select the appropriate method and continue following this procedure.
@@ -447,10 +447,10 @@ Alternatively you can use the following procedure to create an EAP Configuration
 3.  Click the **Properties** button underneath the drop down menu.
 4.  In the **Smart Card or other Certificate Properties** menu, select the **Advanced** button.
 
-    ![smart card or other certificate properties window.](images/certfiltering2.png)
+    ![smart card or other certificate properties window](images/certfiltering2.png)
 5.  In the **Configure Certificate Selection** menu, adjust the filters as needed.
 
-    ![configure certificate selection window.](images/certfiltering3.png)
+    ![configure certificate selection window](images/certfiltering3.png)
 6.  Click **OK** to close the windows to get back to the main rasphone.exe dialog box.
 7.  Close the rasphone dialog box.
 8.  Continue following the procedure in the [EAP configuration](eap-configuration.md) article from Step 9 to get an EAP TLS profile with appropriate filtering.
@@ -492,7 +492,7 @@ No. Only one MDM is allowed.
 4.  Click **Configure**.
 5.  Set quota to unlimited.
 
-    ![aad maximum joined devices.](images/faq-max-devices.png)
+    ![aad maximum joined devices](images/faq-max-devices.png)
  
 
 ### **What is dmwappushsvc?**
diff --git a/windows/client-management/mdm/passportforwork-csp.md b/windows/client-management/mdm/passportforwork-csp.md
index 84ff8f5e34..c73d5fdc8d 100644
--- a/windows/client-management/mdm/passportforwork-csp.md
+++ b/windows/client-management/mdm/passportforwork-csp.md
@@ -23,13 +23,13 @@ The PassportForWork configuration service provider is used to provision Windows
 
 The following diagram shows the PassportForWork configuration service provider in tree format.
 
-![passportforwork csp.](images/provisioning-csp-passportforwork.png)
+![passportforwork csp](images/provisioning-csp-passportforwork.png)
 
 ### Device configuration diagram
 
 The following diagram shows the PassportForWork configuration service provider in tree format.
 
-![passportforwork diagram.](images/provisioning-csp-passportforwork2.png)
+![passportforwork diagram](images/provisioning-csp-passportforwork2.png)
 
 <a href="" id="passportforwork"></a>**PassportForWork**  
 Root node for PassportForWork configuration service provider.
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index da0f0543dc..ddeb61f84a 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -44,7 +44,7 @@ The Policy configuration service provider has the following sub-categories:
 
 The following diagram shows the Policy configuration service provider in tree format as used by both Open Mobile Alliance Device Management (OMA DM) and OMA Client Provisioning.
 
-![policy csp diagram.](images/provisioning-csp-policy.png)
+![policy csp diagram](images/provisioning-csp-policy.png)
 
 
 <a href="" id="--vendor-msft-policy"></a>**./Vendor/MSFT/Policy**  
diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md
index 013edacaec..9d7aa06011 100644
--- a/windows/client-management/mdm/policy-csp-deviceinstallation.md
+++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md
@@ -549,7 +549,7 @@ To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and
 ```
 You can also change the evaluation order of device installation policy settings by using a custom profile in Intune.
 
-:::image type="content" source="images/edit-row.png" alt-text="This is a edit row image.":::
+:::image type="content" source="images/edit-row.png" alt-text="This is a edit row image":::
 
 <!--/Example-->
 <!--Validation-->
@@ -743,7 +743,7 @@ To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see i
 
 You can also block installation by using a custom profile in Intune. 
 
-![Custom profile prevent devices.](images/custom-profile-prevent-other-devices.png)
+![Custom profile prevent devices](images/custom-profile-prevent-other-devices.png)
 <!--/Example-->
 <!--Validation-->
 
@@ -863,7 +863,7 @@ You can also block installation and usage of prohibited peripherals by using a c
 
 For example, this custom profile blocks installation and usage of USB devices with hardware IDs "USB\Composite" and "USB\Class_FF", and applies to USB devices with matching hardware IDs that are already installed.
 
-![Custom profile prevent device ids.](images/custom-profile-prevent-device-ids.png)
+![Custom profile prevent device ids](images/custom-profile-prevent-device-ids.png)
 <!--/Example-->
 <!--Validation-->
 
@@ -977,7 +977,7 @@ You can also block installation and usage of prohibited peripherals by using a c
 
 For example, this custom profile prevents installation of devices with matching device instance IDs.
 
-![Custom profile.](images/custom-profile-prevent-device-instance-ids.png)
+![Custom profile](images/custom-profile-prevent-device-instance-ids.png)
 
 To prevent installation of devices with matching device instance IDs by using custom profile in Intune:
 1. Locate the device instance ID.
diff --git a/windows/client-management/mdm/policy-csp-mixedreality.md b/windows/client-management/mdm/policy-csp-mixedreality.md
index 7f7e8ae961..cdf909411f 100644
--- a/windows/client-management/mdm/policy-csp-mixedreality.md
+++ b/windows/client-management/mdm/policy-csp-mixedreality.md
@@ -40,6 +40,20 @@ manager: dansimp
   </dd>
 </dl>
 
+Steps to use this policy correctly:
+
+1. Create a device configuration profile for kiosk targeting Azure AD groups and assign it to HoloLens device(s).
+1. Create a custom OMA URI based device configuration that sets this policy value to desired number of days (> 0) and assign it to HoloLens device(s).
+    1. The URI value should be entered in OMA-URI text box as ./Vendor/MSFT/Policy/Config/MixedReality/AADGroupMembershipCacheValidityInDays
+    1. The value can be between min / max allowed.
+1. Enroll HoloLens devices and verify both configurations get applied to the device.
+1. Let Azure AD user 1 sign-in when internet is available. Once the user signs-in and Azure AD group membership is confirmed successfully, cache will be created.
+1. Now Azure AD user 1 can take HoloLens offline and use it for kiosk mode as long as policy value allows for X number of days.
+1. Steps 4 and 5 can be repeated for any other Azure AD user N. The key point here is that any Azure AD user must sign-in to device using Internet at least once. Then we can determine that they are member of Azure AD group to which Kiosk configuration is targeted.
+
+> [!NOTE]
+> Until step 4 is performed for a Azure AD user will experience failure behavior mentioned similar to “disconnected” environments.
+
 <hr/>
 
 <!--Policy-->
@@ -65,20 +79,6 @@ manager: dansimp
 </tr>
 </table>
 
-Steps to use this policy correctly:
-
-1. Create a device configuration profile for kiosk targeting Azure AD groups and assign it to HoloLens device(s).
-1. Create a custom OMA URI based device configuration that sets this policy value to desired number of days (> 0) and assign it to HoloLens device(s).
-    1. The URI value should be entered in OMA-URI text box as ./Vendor/MSFT/Policy/Config/MixedReality/AADGroupMembershipCacheValidityInDays
-    1. The value can be between min / max allowed.
-1. Enroll HoloLens devices and verify both configurations get applied to the device.
-1. Let Azure AD user 1 sign-in when internet is available. Once the user signs-in and Azure AD group membership is confirmed successfully, cache will be created.
-1. Now Azure AD user 1 can take HoloLens offline and use it for kiosk mode as long as policy value allows for X number of days.
-1. Steps 4 and 5 can be repeated for any other Azure AD user N. The key point here is that any Azure AD user must sign-in to device using Internet at least once. Then we can determine that they are member of Azure AD group to which Kiosk configuration is targeted.
-
-> [!NOTE]
-> Until step 4 is performed for a Azure AD user will experience failure behavior mentioned similar to “disconnected” environments.
-
 <!--/SupportedSKUs-->
 <hr/>
 
diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md
index d627137d97..b02ba826b4 100644
--- a/windows/client-management/mdm/policy-csp-system.md
+++ b/windows/client-management/mdm/policy-csp-system.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.technology: windows
 author: manikadhiman
 ms.localizationpriority: medium
-ms.date: 08/26/2021
+ms.date: 10/14/2020
 ms.reviewer: 
 manager: dansimp
 ---
@@ -62,7 +62,7 @@ manager: dansimp
     <a href="#system-allowusertoresetphone">System/AllowUserToResetPhone</a>
   </dd>
  <dd>
-    <a href="#system-allowwufbcloudprocessing">System/AllowWUfBCloudProcessing</a>
+    <a href="#system-allowwufbcloudprocessing">System/AllowWuFBCloudProcessing</a>
   </dd>
   <dd>
     <a href="#system-bootstartdriverinitialization">System/BootStartDriverInitialization</a>
@@ -964,7 +964,7 @@ The following list shows the supported values:
 <hr/>
 
 <!--Policy-->
-<a href="" id="system-allowwufbcloudprocessing"></a>**System/AllowWUfBCloudProcessing**
+<a href="" id="system-allowwufbcloudprocessing"></a>**System/AllowWuFBCloudProcessing**
 
 <hr/>
 
@@ -985,15 +985,6 @@ If you disable or do not configure this policy setting, devices enrolled to the
 
 <hr/>
 
-<!--/Description-->
-<!--SupportedValues-->
-The following list shows the supported values:
-
--   0 - Disabled.
--   8 - Enabled.
-<!--/SupportedValues-->
-
-
 <!--Policy-->
 <a href="" id="system-bootstartdriverinitialization"></a>**System/BootStartDriverInitialization**  
 
diff --git a/windows/client-management/mdm/push-notification-windows-mdm.md b/windows/client-management/mdm/push-notification-windows-mdm.md
index 92df20eba2..a0a34ee244 100644
--- a/windows/client-management/mdm/push-notification-windows-mdm.md
+++ b/windows/client-management/mdm/push-notification-windows-mdm.md
@@ -52,34 +52,34 @@ To get a PFN and WNS credentials, you must create an Microsoft Store app.
 
 1.  Go to the Windows [Dashboard](https://dev.windows.com/en-US/dashboard) and sign in with your developer account.
 
-    ![mdm push notification1.](images/push-notification1.png)
+    ![mdm push notification1](images/push-notification1.png)
 2.  Create a new app.
 
-    ![mdm push notification2.](images/push-notification2.png)
+    ![mdm push notification2](images/push-notification2.png)
 3.  Reserve an app name.
 
-    ![mdm push notification3.](images/push-notification3.png)
+    ![mdm push notification3](images/push-notification3.png)
 4.  Click **Services**.
 
-    ![mdm push notification4.](images/push-notification4.png)
+    ![mdm push notification4](images/push-notification4.png)
 5.  Click **Push notifications**.
 
-    ![mdm push notification5.](images/push-notification5.png)
+    ![mdm push notification5](images/push-notification5.png)
 6.  Click **Live Services site**. A new window opens for the **Application Registration Portal** page.
 
-    ![mdm push notification6.](images/push-notification6.png)
+    ![mdm push notification6](images/push-notification6.png)
 7.  In the **Application Registration Portal** page, you will see the properties for the app that you created, such as:
     -   Application Id
     -   Application Secrets
     -   Microsoft Store Package SID, Application Identity, and Publisher.
 
-    ![mdm push notification7.](images/push-notification7.png)
+    ![mdm push notification7](images/push-notification7.png)
 8.  Click **Save**.
 9.  Close the **Application Registration Portal** window and go back to the Windows Dev Center Dashboard.
 10. Select your app from the list on the left.
 11. From the left nav, expand **App management** and then click **App identity**.
 
-    ![mdm push notification10.](images/push-notification10.png)
+    ![mdm push notification10](images/push-notification10.png)
 12. In the **App identity** page, you will see the **Package Family Name (PFN)** of your app.
 
  
diff --git a/windows/client-management/mdm/pxlogical-csp.md b/windows/client-management/mdm/pxlogical-csp.md
index e2d40a822a..48baff3fe8 100644
--- a/windows/client-management/mdm/pxlogical-csp.md
+++ b/windows/client-management/mdm/pxlogical-csp.md
@@ -23,11 +23,11 @@ The PXLOGICAL configuration service provider is used to add, remove, or modify W
 
 The following diagram shows the PXLOGICAL configuration service provider management object in tree format as used by OMA Client Provisioning for initial bootstrapping of the device. The OMA DM protocol is not supported by this configuration service provider.
 
-![pxlogical csp (cp) (initial bootstrapping).](images/provisioning-csp-pxlogical-cp.png)
+![pxlogical csp (cp) (initial bootstrapping)](images/provisioning-csp-pxlogical-cp.png)
 
 The following diagram shows the PXLOGICAL configuration service provider management object in tree format as used by OMA Client Provisioning for updating the bootstrapping of the device. The OMA DM protocol is not supported by this configuration service provider.
 
-![pxlogical csp (cp) (update bootstrapping).](images/provisioning-csp-pxlogical-cp-2.png)
+![pxlogical csp (cp) (update bootstrapping)](images/provisioning-csp-pxlogical-cp-2.png)
 
 <a href="" id="pxphysical"></a>**PXPHYSICAL**  
 Defines a group of logical proxy settings.
diff --git a/windows/client-management/mdm/register-your-free-azure-active-directory-subscription.md b/windows/client-management/mdm/register-your-free-azure-active-directory-subscription.md
index 28e198aa1f..be9c8a5339 100644
--- a/windows/client-management/mdm/register-your-free-azure-active-directory-subscription.md
+++ b/windows/client-management/mdm/register-your-free-azure-active-directory-subscription.md
@@ -23,15 +23,15 @@ If you have paid subscriptions to Office 365, Microsoft Dynamics CRM Online, Ent
 
 1.  Sign in to the Microsoft 365 admin center at <https://portal.office.com> using your organization's account.
 
-    ![register azuread.](images/azure-ad-add-tenant10.png)
+    ![register azuread](images/azure-ad-add-tenant10.png)
 
 2.  On the **Home** page, click on the Admin tools icon.
 
-    ![register azuread.](images/azure-ad-add-tenant11.png)
+    ![register azuread](images/azure-ad-add-tenant11.png)
 
 3.  On the **Admin center** page, under Admin Centers on the left, click **Azure Active Directory**. This will take you to the Azure Active Directory portal.
 
-    ![Azure-AD-updated.](https://user-images.githubusercontent.com/41186174/71594506-e4845300-2b40-11ea-9a08-c21c824e12a4.png)
+    ![Azure-AD-updated](https://user-images.githubusercontent.com/41186174/71594506-e4845300-2b40-11ea-9a08-c21c824e12a4.png)
 
 
 
diff --git a/windows/client-management/mdm/securitypolicy-csp.md b/windows/client-management/mdm/securitypolicy-csp.md
index 4ffdbad557..9e203d4d39 100644
--- a/windows/client-management/mdm/securitypolicy-csp.md
+++ b/windows/client-management/mdm/securitypolicy-csp.md
@@ -25,7 +25,7 @@ For the SecurityPolicy CSP, you cannot use the Replace command unless the node a
 
 The following diagram shows the SecurityPolicy configuration service provider management object in tree format as used by both OMA DM and OMA Client Provisioning.
 
-![securitypolicy csp (dm,cp).](images/provisioning-csp-securitypolicy-dmandcp.png)
+![securitypolicy csp (dm,cp)](images/provisioning-csp-securitypolicy-dmandcp.png)
 
 <a href="" id="policyid"></a>***PolicyID***  
 Defines the security policy identifier as a decimal value.
diff --git a/windows/client-management/mdm/understanding-admx-backed-policies.md b/windows/client-management/mdm/understanding-admx-backed-policies.md
index 21f39c4389..5b211a0f55 100644
--- a/windows/client-management/mdm/understanding-admx-backed-policies.md
+++ b/windows/client-management/mdm/understanding-admx-backed-policies.md
@@ -56,11 +56,11 @@ Group Policy option button setting:
 
 The following diagram shows the main display for the Group Policy Editor.
 
-![Group Policy editor.](images/group-policy-editor.png)
+![Group Policy editor](images/group-policy-editor.png)
 
 The following diagram shows the settings for the "Publishing Server 2 Settings" Group Policy in the Group Policy Editor.
 
-![Group Policy publisher server 2 settings.](images/group-policy-publisher-server-2-settings.png)
+![Group Policy publisher server 2 settings](images/group-policy-publisher-server-2-settings.png)
 
 Note that most Group Policies are a simple Boolean type. For a Boolean Group Policy, if you select **Enabled**, the options panel contains no data input fields and the payload of the SyncML is simply `<enabled/>`. However, if there are data input fields in the options panel, the MDM server must supply this data. The following *Enabling a Group Policy* example illustrates this complexity. In this example, 10 name-value pairs are described by `<data />` tags in the payload, which correspond to the 10 data input fields in the Group Policy Editor options panel for the "Publishing Server 2 Settings" Group Policy. The ADMX file, which defines the Group Policies, is consumed by the MDM server, similarly to how the Group Policy Editor consumes it. The Group Policy Editor displays a UI to receive the complete Group Policy instance data, which the MDM server's IT administrator console must also do. For every `<text>` element and id attribute in the ADMX policy definition, there must be a corresponding `<data />` element and id attribute in the payload. The ADMX file drives the policy definition and is required by the MDM server via the SyncML protocol.
 
diff --git a/windows/client-management/mdm/unifiedwritefilter-csp.md b/windows/client-management/mdm/unifiedwritefilter-csp.md
index 00d2b86cd5..7916778bec 100644
--- a/windows/client-management/mdm/unifiedwritefilter-csp.md
+++ b/windows/client-management/mdm/unifiedwritefilter-csp.md
@@ -119,7 +119,7 @@ Currently SwapfileSize should not be relied for determining or controlling the o
 <a href="" id="currentsession-maximumoverlaysize"></a>**CurrentSession/MaximumOverlaySize** or <a href="" id="nextsession-maximumoverlaysize"></a>**NextSession/MaximumOverlaySize**
 should be used for that purpose.
 
-:::image type="content" source="images/overlaysetting.png" alt-text="This is the overlay setting.":::
+:::image type="content" source="images/overlaysetting.png" alt-text="This is the overlay setting":::
 
 > [!NOTE]
 > Only single swapfile is supported in current implementation and creating swapfile on specific volume will disable any other swapfile created on other volumes.
diff --git a/windows/client-management/mdm/vpn-csp.md b/windows/client-management/mdm/vpn-csp.md
index 42a6882673..3f6badf192 100644
--- a/windows/client-management/mdm/vpn-csp.md
+++ b/windows/client-management/mdm/vpn-csp.md
@@ -33,7 +33,7 @@ Important considerations:
 
 The following diagram shows the VPN configuration service provider in tree format.
 
-![provisioning\-csp\-vpnimg.](images/provisioning-csp-vpn.png)
+![provisioning\-csp\-vpnimg](images/provisioning-csp-vpn.png)
 
 <a href="" id="profilename"></a>***ProfileName***
 Unique alpha numeric Identifier for the profile. The profile name must not include a forward slash (/).
diff --git a/windows/client-management/mdm/w4-application-csp.md b/windows/client-management/mdm/w4-application-csp.md
index e7321b1888..d6b9110b32 100644
--- a/windows/client-management/mdm/w4-application-csp.md
+++ b/windows/client-management/mdm/w4-application-csp.md
@@ -25,7 +25,7 @@ The default security roles are defined in the root characteristic, and map to ea
 
 The following diagram shows the configuration service provider in tree format as used by OMA Client Provisioning.
 
-![w4 application csp (cp).](images/provisioning-csp-w4-application-cp.png)
+![w4 application csp (cp)](images/provisioning-csp-w4-application-cp.png)
 
 <a href="" id="appid"></a>**APPID**
 Required. This parameter takes a string value. The only supported value for configuring MMS is "w4".
diff --git a/windows/client-management/mdm/w7-application-csp.md b/windows/client-management/mdm/w7-application-csp.md
index 7aaa801796..20f21f79bc 100644
--- a/windows/client-management/mdm/w7-application-csp.md
+++ b/windows/client-management/mdm/w7-application-csp.md
@@ -23,7 +23,7 @@ The APPLICATION configuration service provider that has an APPID of w7 is used f
 
 The following image shows the configuration service provider in tree format as used by OMA Client Provisioning.
 
-![w7 application csp (dm).](images/provisioning-csp-w7-application-dm.png)
+![w7 application csp (dm)](images/provisioning-csp-w7-application-dm.png)
 
 > **Note**   All parm names and characteristic types are case sensitive and must use all uppercase.
 Both APPSRV and CLIENT credentials must be provided in provisioning XML.
diff --git a/windows/client-management/mdm/wifi-csp.md b/windows/client-management/mdm/wifi-csp.md
index e867ae66ef..125bbfb687 100644
--- a/windows/client-management/mdm/wifi-csp.md
+++ b/windows/client-management/mdm/wifi-csp.md
@@ -31,7 +31,7 @@ Programming considerations:
 
 The following image shows the WiFi configuration service provider in tree format.
 
-![wi-fi csp diagram.](images/provisioning-csp-wifi.png)
+![wi-fi csp diagram](images/provisioning-csp-wifi.png)
 
 The following list shows the characteristics and parameters.
 
diff --git a/windows/client-management/mdm/windows-mdm-enterprise-settings.md b/windows/client-management/mdm/windows-mdm-enterprise-settings.md
index e5e7511669..a8be6bba9c 100644
--- a/windows/client-management/mdm/windows-mdm-enterprise-settings.md
+++ b/windows/client-management/mdm/windows-mdm-enterprise-settings.md
@@ -25,7 +25,7 @@ The DM client is configured during the enrollment process to be invoked by the t
 
 The following diagram shows the work flow between server and client.
 
-![windows client and server mdm diagram.](images/enterprise-workflow.png)
+![windows client and server mdm diagram](images/enterprise-workflow.png)
 
 
 ## Management workflow
diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md
index fc13fd3034..c68424cd04 100644
--- a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md
+++ b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md
@@ -19,7 +19,7 @@ The Windows Defender Advanced Threat Protection (WDATP) configuration service pr
 
 The following diagram shows the WDATP configuration service provider in tree format as used by the Open Mobile Alliance (OMA) Device Management (DM).
 
-![windowsadvancedthreatprotection csp diagram.](images/provisioning-csp-watp.png)
+![windowsadvancedthreatprotection csp diagram](images/provisioning-csp-watp.png)
 
 The following list describes the characteristics and parameters.
 
diff --git a/windows/client-management/mdm/wmi-providers-supported-in-windows.md b/windows/client-management/mdm/wmi-providers-supported-in-windows.md
index 2fe71b5e76..2f3cdf7fc7 100644
--- a/windows/client-management/mdm/wmi-providers-supported-in-windows.md
+++ b/windows/client-management/mdm/wmi-providers-supported-in-windows.md
@@ -213,16 +213,16 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw
 
 | Class                                                                    | Test completed in Windows 10 for desktop |
 |--------------------------------------------------------------------------|------------------------------------------|
-| [**wpcappoverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema)       | ![cross mark.](images/checkmark.png)      |
-| [**wpcgameoverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema)      | ![cross mark.](images/checkmark.png)      |
-| [**wpcgamessettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema)     | ![cross mark.](images/checkmark.png)      |
-| [**wpcrating**](/windows/win32/parcon/parental-controls-wmi-provider-schema)            | ![cross mark.](images/checkmark.png)      |
+| [**wpcappoverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema)       | ![cross mark](images/checkmark.png)      |
+| [**wpcgameoverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema)      | ![cross mark](images/checkmark.png)      |
+| [**wpcgamessettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema)     | ![cross mark](images/checkmark.png)      |
+| [**wpcrating**](/windows/win32/parcon/parental-controls-wmi-provider-schema)            | ![cross mark](images/checkmark.png)      |
 | [**wpcRatingsDescriptor**](/windows/win32/parcon/parental-controls-wmi-provider-schema) |                                          |
-| [**wpcratingssystem**](/windows/win32/parcon/parental-controls-wmi-provider-schema)     | ![cross mark.](images/checkmark.png)      |
-| [**wpcsystemsettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema)    | ![cross mark.](images/checkmark.png)      |
-| [**wpcurloverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema)       | ![cross mark.](images/checkmark.png)      |
-| [**wpcusersettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema)      | ![cross mark.](images/checkmark.png)      |
-| [**wpcwebsettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema)       | ![cross mark.](images/checkmark.png)      |
+| [**wpcratingssystem**](/windows/win32/parcon/parental-controls-wmi-provider-schema)     | ![cross mark](images/checkmark.png)      |
+| [**wpcsystemsettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema)    | ![cross mark](images/checkmark.png)      |
+| [**wpcurloverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema)       | ![cross mark](images/checkmark.png)      |
+| [**wpcusersettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema)      | ![cross mark](images/checkmark.png)      |
+| [**wpcwebsettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema)       | ![cross mark](images/checkmark.png)      |
 
  
 
@@ -232,17 +232,17 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw
 |--------------------------------------------------------------------------|------------------------------------------|
 [**Win32\_1394Controller**](/windows/win32/cimwin32prov/win32-1394controller) |
 [**Win32\_BaseBoard**](/windows/win32/cimwin32prov/win32-baseboard)      |
-[**Win32\_Battery**](/windows/win32/cimwin32prov/win32-battery)        | ![cross mark.](images/checkmark.png)
-[**Win32\_BIOS**](/windows/win32/cimwin32prov/win32-bios)           | ![cross mark.](images/checkmark.png)
+[**Win32\_Battery**](/windows/win32/cimwin32prov/win32-battery)        | ![cross mark](images/checkmark.png)
+[**Win32\_BIOS**](/windows/win32/cimwin32prov/win32-bios)           | ![cross mark](images/checkmark.png)
 [**Win32\_CDROMDrive**](/windows/win32/cimwin32prov/win32-cdromdrive)     |
-[**Win32\_ComputerSystem**](/windows/win32/cimwin32prov/win32-computersystem) | ![cross mark.](images/checkmark.png)
-[**Win32\_ComputerSystemProduct**](/windows/win32/cimwin32prov/win32-computersystemproduct) | ![cross mark.](images/checkmark.png)
-[**Win32\_CurrentTime**](/previous-versions/windows/desktop/wmitimepprov/win32-currenttime)    | ![cross mark.](images/checkmark.png)
+[**Win32\_ComputerSystem**](/windows/win32/cimwin32prov/win32-computersystem) | ![cross mark](images/checkmark.png)
+[**Win32\_ComputerSystemProduct**](/windows/win32/cimwin32prov/win32-computersystemproduct) | ![cross mark](images/checkmark.png)
+[**Win32\_CurrentTime**](/previous-versions/windows/desktop/wmitimepprov/win32-currenttime)    | ![cross mark](images/checkmark.png)
 [**Win32\_Desktop**](/windows/win32/cimwin32prov/win32-desktop)        |
-[**Win32\_DesktopMonitor**](/windows/win32/cimwin32prov/win32-desktopmonitor) |![cross mark.](images/checkmark.png)
-[**Win32\_DiskDrive**](/windows/win32/cimwin32prov/win32-diskdrive)      | ![cross mark.](images/checkmark.png)
+[**Win32\_DesktopMonitor**](/windows/win32/cimwin32prov/win32-desktopmonitor) |![cross mark](images/checkmark.png)
+[**Win32\_DiskDrive**](/windows/win32/cimwin32prov/win32-diskdrive)      | ![cross mark](images/checkmark.png)
 [**Win32\_DiskPartition**](/windows/win32/cimwin32prov/win32-diskpartition)  |
-[**Win32\_DisplayConfiguration**](/previous-versions//aa394137(v=vs.85)) | ![cross mark.](images/checkmark.png)
+[**Win32\_DisplayConfiguration**](/previous-versions//aa394137(v=vs.85)) | ![cross mark](images/checkmark.png)
 [**Win32\_DMAChannel**](/windows/win32/cimwin32prov/win32-dmachannel)     | 
 [**Win32\_DriverVXD**](/previous-versions//aa394141(v=vs.85))      |
 [**Win32\_EncryptableVolume**](/windows/win32/secprov/win32-encryptablevolume) |
@@ -252,23 +252,23 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw
 [**Win32\_IRQResource**](/windows/win32/cimwin32prov/win32-irqresource)    |
 [**Win32\_Keyboard**](/windows/win32/cimwin32prov/win32-keyboard)       |
 [**Win32\_LoadOrderGroup**](/windows/win32/cimwin32prov/win32-loadordergroup) |
-[**Win32\_LocalTime**](/previous-versions/windows/desktop/wmitimepprov/win32-localtime)      | ![cross mark.](images/checkmark.png)
+[**Win32\_LocalTime**](/previous-versions/windows/desktop/wmitimepprov/win32-localtime)      | ![cross mark](images/checkmark.png)
 [**Win32\_LoggedOnUser**](/windows/win32/cimwin32prov/win32-loggedonuser)   |
-[**Win32\_LogicalDisk**](/windows/win32/cimwin32prov/win32-logicaldisk)    | ![cross mark.](images/checkmark.png)
+[**Win32\_LogicalDisk**](/windows/win32/cimwin32prov/win32-logicaldisk)    | ![cross mark](images/checkmark.png)
 [**Win32\_MotherboardDevice**](/windows/win32/cimwin32prov/win32-motherboarddevice) |
-[**Win32\_NetworkAdapter**](/windows/win32/cimwin32prov/win32-networkadapter) | ![cross mark.](images/checkmark.png)
+[**Win32\_NetworkAdapter**](/windows/win32/cimwin32prov/win32-networkadapter) | ![cross mark](images/checkmark.png)
 [**Win32\_NetworkAdapterConfiguration**](/windows/win32/cimwin32prov/win32-networkadapterconfiguration) |
 [**Win32\_NetworkClient**](/windows/win32/cimwin32prov/win32-networkclient)  |
 [**Win32\_NetworkLoginProfile**](/windows/win32/cimwin32prov/win32-networkloginprofile) |
 [**Win32\_NetworkProtocol**](/windows/win32/cimwin32prov/win32-networkprotocol) |
 [**Win32\_NTEventlogFile**](/previous-versions/windows/desktop/legacy/aa394225(v=vs.85))  |
-[**Win32\_OperatingSystem**](/windows/win32/cimwin32prov/win32-operatingsystem) | ![cross mark.](images/checkmark.png)
+[**Win32\_OperatingSystem**](/windows/win32/cimwin32prov/win32-operatingsystem) | ![cross mark](images/checkmark.png)
 [**Win32\_OSRecoveryConfiguration**](/windows/win32/cimwin32prov/win32-osrecoveryconfiguration) |
 [**Win32\_PageFileSetting**](/windows/win32/cimwin32prov/win32-pagefilesetting) |
 [**Win32\_ParallelPort**](/windows/win32/cimwin32prov/win32-parallelport) |
 [**Win32\_PCMCIAController**](/windows/win32/cimwin32prov/win32-pcmciacontroller) |
 [**Win32\_PhysicalMedia**](/previous-versions/windows/desktop/cimwin32a/win32-physicalmedia)                                   |  
-[**Win32\_PhysicalMemory**](/windows/win32/cimwin32prov/win32-physicalmemory)   | ![cross mark.](images/checkmark.png)
+[**Win32\_PhysicalMemory**](/windows/win32/cimwin32prov/win32-physicalmemory)   | ![cross mark](images/checkmark.png)
 [**Win32\_PnPDevice**](/windows/win32/cimwin32prov/win32-pnpdevice)        |  
 [**Win32\_PnPEntity**](/windows/win32/cimwin32prov/win32-pnpentity)        |  
 [**Win32\_PointingDevice**](/windows/win32/cimwin32prov/win32-pointingdevice)   |
@@ -277,25 +277,25 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw
 [**Win32\_POTSModem**](/windows/win32/cimwin32prov/win32-potsmodem)        |
 [**Win32\_Printer**](/windows/win32/cimwin32prov/win32-printer)          |
 [**Win32\_PrinterConfiguration**](/windows/win32/cimwin32prov/win32-printerconfiguration) |
-[**Win32\_Processor**](/windows/win32/cimwin32prov/win32-processor)        | ![cross mark.](images/checkmark.png)
-[**Win32\_QuickFixEngineering**](/windows/win32/cimwin32prov/win32-quickfixengineering) | ![cross mark.](images/checkmark.png)
+[**Win32\_Processor**](/windows/win32/cimwin32prov/win32-processor)        | ![cross mark](images/checkmark.png)
+[**Win32\_QuickFixEngineering**](/windows/win32/cimwin32prov/win32-quickfixengineering) | ![cross mark](images/checkmark.png)
 [**Win32\_Registry**](/windows/win32/cimwin32prov/win32-registry)         |
 [**Win32\_SCSIController**](/windows/win32/cimwin32prov/win32-scsicontroller)   |
 [**Win32\_SerialPort**](/windows/win32/cimwin32prov/win32-serialport)       |
 [**Win32\_SerialPortConfiguration**](/windows/win32/cimwin32prov/win32-serialportconfiguration) |
 [**Win32\_ServerFeature**](/windows/win32/wmisdk/win32-serverfeature)    |
-[**Win32\_Service**](/windows/win32/cimwin32prov/win32-service)          | ![cross mark.](images/checkmark.png)
-[**Win32\_Share**](/windows/win32/cimwin32prov/win32-share)            | ![cross mark.](images/checkmark.png)
+[**Win32\_Service**](/windows/win32/cimwin32prov/win32-service)          | ![cross mark](images/checkmark.png)
+[**Win32\_Share**](/windows/win32/cimwin32prov/win32-share)            | ![cross mark](images/checkmark.png)
 [**Win32\_SoundDevice**](/windows/win32/cimwin32prov/win32-sounddevice)      |
 [**Win32\_SystemAccount**](/windows/win32/cimwin32prov/win32-systemaccount)    |
-[**Win32\_SystemBIOS**](/windows/win32/cimwin32prov/win32-systembios)       | ![cross mark.](images/checkmark.png)
+[**Win32\_SystemBIOS**](/windows/win32/cimwin32prov/win32-systembios)       | ![cross mark](images/checkmark.png)
 [**Win32\_SystemDriver**](/windows/win32/cimwin32prov/win32-systemdriver)     |
-[**Win32\_SystemEnclosure**](/windows/win32/cimwin32prov/win32-systemenclosure)  | ![cross mark.](images/checkmark.png)
+[**Win32\_SystemEnclosure**](/windows/win32/cimwin32prov/win32-systemenclosure)  | ![cross mark](images/checkmark.png)
 [**Win32\_TapeDrive**](/windows/win32/cimwin32prov/win32-tapedrive)        |
-[**Win32\_TimeZone**](/windows/win32/cimwin32prov/win32-timezone)         | ![cross mark.](images/checkmark.png)
+[**Win32\_TimeZone**](/windows/win32/cimwin32prov/win32-timezone)         | ![cross mark](images/checkmark.png)
 [**Win32\_UninterruptiblePowerSupply**](/previous-versions//aa394503(v=vs.85)) |
 [**Win32\_USBController**](/windows/win32/cimwin32prov/win32-usbcontroller)    |
-[**Win32\_UTCTime**](/previous-versions/windows/desktop/wmitimepprov/win32-utctime)          | ![cross mark.](images/checkmark.png)
+[**Win32\_UTCTime**](/previous-versions/windows/desktop/wmitimepprov/win32-utctime)          | ![cross mark](images/checkmark.png)
 [**Win32\_VideoController**](/windows/win32/cimwin32prov/win32-videocontroller) |
 **Win32\_WindowsUpdateAgentVersion**                                                        |
  
diff --git a/windows/client-management/quick-assist.md b/windows/client-management/quick-assist.md
index acdcd2d268..6a50151342 100644
--- a/windows/client-management/quick-assist.md
+++ b/windows/client-management/quick-assist.md
@@ -57,7 +57,7 @@ Both the helper and sharer must be able to reach these endpoints over port 443:
 
 7. RDP shares the video to the helper over https (port 443) through the RDP relay service to the helper's RDP control. Input is shared from the helper to the sharer through the RDP relay service.
 
-:::image type="content" source="images/quick-assist-flow.png" lightbox="images/quick-assist-flow.png" alt-text="Schematic flow of connections when a Quick Assist session is established.":::
+:::image type="content" source="images/quick-assist-flow.png" lightbox="images/quick-assist-flow.png" alt-text="Schematic flow of connections when a Quick Assist session is established":::
 
 ### Data and privacy
 
diff --git a/windows/client-management/troubleshoot-inaccessible-boot-device.md b/windows/client-management/troubleshoot-inaccessible-boot-device.md
index 490b24075a..e0afd3d480 100644
--- a/windows/client-management/troubleshoot-inaccessible-boot-device.md
+++ b/windows/client-management/troubleshoot-inaccessible-boot-device.md
@@ -119,7 +119,7 @@ To verify the BCD entries:
    > [!NOTE]
    > If the computer is UEFI-based, the file path value that's specified in the **path** parameter of **{bootmgr}** and **{default}** contains an **.efi** extension.
 
-   ![bcdedit.](images/screenshot1.png)
+   ![bcdedit](images/screenshot1.png)
 
 If any of the information is wrong or missing, we recommend that you create a backup of the BCD store. To do this, run `bcdedit /export C:\temp\bcdbackup`. This command creates a backup in **C:\\temp\\** that's named **bcdbackup**. To restore the backup, run `bcdedit /import C:\temp\bcdbackup`. This command overwrites all BCD settings by using the settings in **bcdbackup**.
 
@@ -179,11 +179,11 @@ Dism /Image:<Specify the OS drive>: /Get-packages
 
 After you run this command, you'll see the **Install pending** and **Uninstall Pending** packages:
 
-![Dism output pending update.](images/pendingupdate.png)
+![Dism output pending update](images/pendingupdate.png)
 
 1. Run the `dism /Image:C:\ /Cleanup-Image /RevertPendingActions` command. Replace **C:** with the system partition for your computer.
 
-    ![Dism output revert pending.](images/revertpending.png)
+    ![Dism output revert pending](images/revertpending.png)
 
 2. Navigate to ***OSdriveLetter*:\Windows\WinSxS**, and then check whether the **pending.xml** file exists. If it does, rename it to **pending.xml.old**.
 
@@ -193,14 +193,14 @@ After you run this command, you'll see the **Install pending** and **Uninstall P
 
 5. Navigate to ***OSdriveLetter*:\Windows\System32\config**, select the file that's named **COMPONENT** (with no extension), and then select **Open**. When you're prompted, enter the name **OfflineComponentHive** for the new hive.
     
-    ![Load Hive.](images/loadhive.png)
+    ![Load Hive](images/loadhive.png)
 
 6. Expand **HKEY_LOCAL_MACHINE\OfflineComponentHive**, and check whether the **PendingXmlIdentifier** key exists. Create a backup of the **OfflineComponentHive** key, and then delete the **PendingXmlIdentifier** key.
 
 7. Unload the hive. To do this, highlight **OfflineComponentHive**, and then select **File** > **Unload hive**.
 
    > [!div class="mx-imgBorder"]
-   > ![Unload Hive.](images/unloadhive.png)![Unload Hive](images/unloadhive1.png)
+   > ![Unload Hive](images/unloadhive.png)![Unload Hive](images/unloadhive1.png)
 
 8. Select **HKEY_LOCAL_MACHINE**, go to **File** > **Load Hive**, navigate to ***OSdriveLetter*:\Windows\System32\config**, select the file that's named **SYSTEM** (with no extension), and then select **Open**. When you're prompted, enter the name **OfflineSystemHive** for the new hive.
 
@@ -256,7 +256,7 @@ Check whether there are any non-Microsoft upper and lower filter drivers on the
    \Control\Class\\{71A27CDD-812A-11D0-BEC7-08002BE2092F}
 
    > [!div class="mx-imgBorder"]
-   > ![Registry.](images/controlset.png) 
+   > ![Registry](images/controlset.png) 
 
    If an **UpperFilters**  or **LowerFilters**  entry is non-standard (for example, it's not a Windows default filter driver, such as PartMgr), remove the entry. To remove it, double-click it in the right pane, and then delete only that value.
 
@@ -274,8 +274,8 @@ Check whether there are any non-Microsoft upper and lower filter drivers on the
 
 *	`chkdsk /f /r OsDrive:`
 
-    ![Check disk.](images/check-disk.png)
+    ![Check disk](images/check-disk.png)
 
 *	`sfc /scannow /offbootdir=OsDrive:\ /offwindir=OsDrive:\Windows`
 
-    ![SFC scannow.](images/sfc-scannow.png)
+    ![SFC scannow](images/sfc-scannow.png)
diff --git a/windows/client-management/troubleshoot-stop-errors.md b/windows/client-management/troubleshoot-stop-errors.md
index 390add3169..454101462a 100644
--- a/windows/client-management/troubleshoot-stop-errors.md
+++ b/windows/client-management/troubleshoot-stop-errors.md
@@ -165,13 +165,13 @@ You can use the tools such as Windows Software Development KIT (SDK) and Symbols
 
 6. Click on **Open Crash Dump**, and then open the memory.dmp file that you copied. See the example below.
 
-    ![WinDbg img.](images/windbg.png)
+    ![WinDbg img](images/windbg.png)
 
 7. There should be a link that says **!analyze -v** under **Bugcheck Analysis**. Click that link. This will enter the command !analyze -v in the prompt at the bottom of the page.
 
 8. A detailed bugcheck analysis will appear. See the example below.
 
-    ![Bugcheck analysis.](images/bugcheck-analysis.png)
+    ![Bugcheck analysis](images/bugcheck-analysis.png)
 
 9. Scroll down to the section where it says **STACK_TEXT**. There will be rows of numbers with each row followed by a colon and some text. That text should tell you what DLL is causing the crash and if applicable what service is crashing the DLL.
 
diff --git a/windows/client-management/troubleshoot-tcpip-connectivity.md b/windows/client-management/troubleshoot-tcpip-connectivity.md
index 10ae554304..77e524634d 100644
--- a/windows/client-management/troubleshoot-tcpip-connectivity.md
+++ b/windows/client-management/troubleshoot-tcpip-connectivity.md
@@ -44,17 +44,17 @@ If the initial TCP handshake is failing because of packet drops, then you would
     
 Source side connecting on port 445:
 
-![Screenshot of frame summary in Network Monitor.](images/tcp-ts-6.png)
+![Screenshot of frame summary in Network Monitor](images/tcp-ts-6.png)
 
 Destination side: applying the same filter, you do not see any packets.
 
-![Screenshot of frame summary with filter in Network Monitor.](images/tcp-ts-7.png)
+![Screenshot of frame summary with filter in Network Monitor](images/tcp-ts-7.png)
 
 For the rest of the data, TCP will retransmit the packets five times.
 
 **Source 192.168.1.62 side trace:**
 
-![Screenshot showing packet side trace.](images/tcp-ts-8.png)
+![Screenshot showing packet side trace](images/tcp-ts-8.png)
 
 **Destination 192.168.1.2 side trace:**
      
@@ -79,15 +79,15 @@ In the below screenshots, you see that the packets seen on the source and the de
     
 **Source Side**
 
-![Screenshot of packets on source side in Network Monitor.](images/tcp-ts-9.png)
+![Screenshot of packets on source side in Network Monitor](images/tcp-ts-9.png)
 
 **On the destination-side trace** 
 
-![Screenshot of packets on destination side in Network Monitor.](images/tcp-ts-10.png)
+![Screenshot of packets on destination side in Network Monitor](images/tcp-ts-10.png)
 
 You also see an ACK+RST flag packet in a case when the TCP establishment packet SYN is sent out. The TCP SYN packet is sent when the client wants to connect on a particular port, but if the destination/server for some reason does not want to accept the packet, it would send an ACK+RST packet.  
 
-![Screenshot of packet flag.](images/tcp-ts-11.png)
+![Screenshot of packet flag](images/tcp-ts-11.png)
 
 The application that's causing the reset (identified by port numbers) should be investigated to understand what is causing it to reset the connection. 
  
@@ -110,8 +110,8 @@ auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:enable /fai
  
 You can then review the Security event logs to see for a packet drop on a particular port-IP and a filter ID associated with it.
 
-![Screenshot of Event Properties.](images/tcp-ts-12.png)
+![Screenshot of Event Properties](images/tcp-ts-12.png)
 
 Now, run the command `netsh wfp show state`, this will generate a wfpstate.xml file. After you open this file and filter for the ID that you find in the above event (2944008), you'll be able to see a firewall rule name that's associated with this ID that's blocking the connection.
 
-![Screenshot of wfpstate.xml file.](images/tcp-ts-13.png)
+![Screenshot of wfpstate.xml file](images/tcp-ts-13.png)
diff --git a/windows/client-management/troubleshoot-tcpip-netmon.md b/windows/client-management/troubleshoot-tcpip-netmon.md
index daa23de8b1..b432191920 100644
--- a/windows/client-management/troubleshoot-tcpip-netmon.md
+++ b/windows/client-management/troubleshoot-tcpip-netmon.md
@@ -21,7 +21,7 @@ In this topic, you will learn how to use Microsoft Network Monitor 3.4, which is
 
 To get started, [download Network Monitor tool](https://www.microsoft.com/download/details.aspx?id=4865). When you install Network Monitor, it installs its driver and hooks it to all the network adapters installed on the device. You can see the same on the adapter properties, as shown in the following image:
 
-![Adapters.](images/nm-adapters.png)
+![Adapters](images/nm-adapters.png)
 
 When the driver gets hooked to the network interface card (NIC) during installation, the NIC is reinitialized, which might cause a brief network glitch.
 
@@ -29,15 +29,15 @@ When the driver gets hooked to the network interface card (NIC) during installat
 
 1. Run netmon in an elevated status by choosing Run as Administrator.
 
-    ![Image of Start search results for Netmon.](images/nm-start.png)
+    ![Image of Start search results for Netmon](images/nm-start.png)
 
 2. Network Monitor opens with all network adapters displayed. Select the network adapters where you want to capture traffic, click **New Capture**, and then click **Start**.
 
-    ![Image of the New Capture option on menu.](images/tcp-ts-4.png)
+    ![Image of the New Capture option on menu](images/tcp-ts-4.png)
 
 3. Reproduce the issue, and you will see that Network Monitor grabs the packets on the wire.
 
-    ![Frame summary of network packets.](images/tcp-ts-5.png)
+    ![Frame summary of network packets](images/tcp-ts-5.png)
 
 4. Select **Stop**, and go to **File > Save as** to save the results. By default, the file will be saved as a ".cap" file.
 
diff --git a/windows/client-management/troubleshoot-tcpip-port-exhaust.md b/windows/client-management/troubleshoot-tcpip-port-exhaust.md
index 4c1e8b1b7f..ca8551b1dd 100644
--- a/windows/client-management/troubleshoot-tcpip-port-exhaust.md
+++ b/windows/client-management/troubleshoot-tcpip-port-exhaust.md
@@ -58,19 +58,19 @@ Since outbound connections start to fail, you will see a lot of the below behavi
  
 - Unable to sign in to the machine with domain credentials, however sign-in with local account works. Domain sign-in will require you to contact the DC for authentication which is again an outbound connection. If you have cache credentials set, then domain sign-in might still work.
 
-    ![Screenshot of error for NETLOGON in Event Viewer.](images/tcp-ts-14.png)
+    ![Screenshot of error for NETLOGON in Event Viewer](images/tcp-ts-14.png)
 
 - Group Policy update failures:
 
-    ![Screenshot of event properties for Group Policy failure.](images/tcp-ts-15.png)
+    ![Screenshot of event properties for Group Policy failure](images/tcp-ts-15.png)
 
 - File shares are inaccessible:
 
-    ![Screenshot of error message "Windows cannot access."](images/tcp-ts-16.png)
+    ![Screenshot of error message "Windows cannot access"](images/tcp-ts-16.png)
 
 - RDP from the affected server fails:
 
-    ![Screenshot of error when Remote Desktop is unable to connect.](images/tcp-ts-17.png)
+    ![Screenshot of error when Remote Desktop is unable to connect](images/tcp-ts-17.png)
 
 - Any other application running on the machine will start to give out errors
 
@@ -84,15 +84,15 @@ If you suspect that the machine is in a state of port exhaustion:
 
     a.	**Event ID 4227**
 
-    ![Screenshot of event id 4227 in Event Viewer.](images/tcp-ts-18.png)
+    ![Screenshot of event id 4227 in Event Viewer](images/tcp-ts-18.png)
 
     b.	**Event ID 4231**
 
-    ![Screenshot of event id 4231 in Event Viewer.](images/tcp-ts-19.png)
+    ![Screenshot of event id 4231 in Event Viewer](images/tcp-ts-19.png)
 
 3. Collect a `netstat -anob` output from the server. The netstat output will show you a huge number of entries for TIME_WAIT state for a single PID.
 
-    ![Screenshot of netstate command output.](images/tcp-ts-20.png)
+    ![Screenshot of netstate command output](images/tcp-ts-20.png)
 
 After a graceful closure or an abrupt closure of a session, after a period of 4 minutes (default), the port used the process or application would be released back to the available pool. During this 4 minutes, the TCP connection state will be TIME_WAIT state. In a situation where you suspect port exhaustion, an application or process will not be able to release all the ports that it has consumed and will remain in the TIME_WAIT state.
  
@@ -136,7 +136,7 @@ If method 1 does not help you identify the process (prior to Windows 10 and Wind
 1. Add a column called “handles” under details/processes.
 2. Sort the column handles to identify the process with the highest number of handles. Usually the process with handles greater than 3000 could be the culprit except for processes like System, lsass.exe, store.exe, sqlsvr.exe.
 
-    ![Screenshot of handles column in Windows Task Maner.](images/tcp-ts-21.png)
+    ![Screenshot of handles column in Windows Task Maner](images/tcp-ts-21.png)
 
 3. If any other process than these has a higher number, stop that process and then try to login using domain credentials and see if it succeeds.
  
@@ -157,7 +157,7 @@ Steps to use Process explorer:
     
     File   \Device\AFD
 
-    ![Screenshot of Process Explorer.](images/tcp-ts-22.png)
+    ![Screenshot of Process Explorer](images/tcp-ts-22.png)
 
 10. Some are normal, but large numbers of them are not (hundreds to thousands). Close the process in question. If that restores outbound connectivity, then you have further proven that the app is the cause. Contact the vendor of that app.
  
diff --git a/windows/client-management/troubleshoot-tcpip-rpc-errors.md b/windows/client-management/troubleshoot-tcpip-rpc-errors.md
index ba02501c81..37b4dfa002 100644
--- a/windows/client-management/troubleshoot-tcpip-rpc-errors.md
+++ b/windows/client-management/troubleshoot-tcpip-rpc-errors.md
@@ -16,7 +16,7 @@ manager: dansimp
 
 You might encounter an **RPC server unavailable** error when connecting to Windows Management Instrumentation (WMI), SQL Server, during a remote connection, or for some Microsoft Management Console (MMC) snap-ins. The following image is an example of an RPC error.
 
-![The following error has occurred: the RPC server is unavailable.](images/rpc-error.png)
+![The following error has occurred: the RPC server is unavailable](images/rpc-error.png)
 
 This is a commonly encountered error message in the networking world and one can lose hope very fast without trying to understand much, as to what is happening ‘under the hood’. 
 
@@ -37,7 +37,7 @@ Before getting in to troubleshooting the <em>*RPC server unavailable</em>- error
 
 Client A wants to execute some functions or wants to make use of a service running on the remote server, will first establish the connection with the Remote Server by doing a three-way handshake.  
 
-![Diagram illustrating connection to remote server.](images/rpc-flow.png)
+![Diagram illustrating connection to remote server](images/rpc-flow.png)
 
 RPC ports can be given from a specific range as well.
 ### Configure RPC dynamic port allocation
@@ -162,13 +162,13 @@ Open the traces in [Microsoft Network Monitor 3.4](troubleshoot-tcpip-netmon.md)
 
 - Now check if you are getting a response from the server. If you get a response, note the dynamic port number that you have been allocated to use.
 
-    ![Screenshot of Network Monitor with dynamic port highlighted.](images/tcp-ts-23.png)
+    ![Screenshot of Network Monitor with dynamic port highlighted](images/tcp-ts-23.png)
 
 - Check if we are connecting successfully to this Dynamic port successfully.
 
 - The filter should be something like this: `tcp.port==<dynamic-port-allocated>` and `ipv4.address==<server-ip>` 
 
-    ![Screenshot of Network Monitor with filter applied.](images/tcp-ts-24.png)
+    ![Screenshot of Network Monitor with filter applied](images/tcp-ts-24.png)
 
 This should help you verify the connectivity and isolate if any network issues are seen.
 
@@ -177,7 +177,7 @@ This should help you verify the connectivity and isolate if any network issues a
 
 The most common reason why we would see the RPC server unavailable is when the dynamic port that the client tries to connect is not reachable. The client side trace would then show TCP SYN retransmits for the dynamic port.
  
-![Screenshot of Network Monitor with TCP SYN retransmits.](images/tcp-ts-25.png)
+![Screenshot of Network Monitor with TCP SYN retransmits](images/tcp-ts-25.png)
  
 The port cannot be reachable due to one of the following reasons:
 
diff --git a/windows/client-management/windows-version-search.md b/windows/client-management/windows-version-search.md
index 16c416a9cd..29a781be98 100644
--- a/windows/client-management/windows-version-search.md
+++ b/windows/client-management/windows-version-search.md
@@ -22,27 +22,27 @@ Click **Start** > **Settings** > **System** > click **About** from the bottom of
 
 You'll now see **Edition**, **Version**, and **OS Build** information. Something like this:
 
-![screenshot of the system properties window for a device running Windows 10.](images/systemcollage.png)
+![screenshot of the system properties window for a device running Windows 10](images/systemcollage.png)
 
 ## Using Keyword Search
 You can simply type the following in the search bar and press **ENTER** to see version details for your device. 
 
 **“winver”**
 
-![screenshot of the About Windows display text.](images/winver.png)
+![screenshot of the About Windows display text](images/winver.png)
 
 **“msinfo”** or **"msinfo32"** to open **System Information**:
 
-![screenshot of the System Information display text.](images/msinfo32.png)
+![screenshot of the System Information display text](images/msinfo32.png)
 
 ## Using Command Prompt or PowerShell
 At the Command Prompt or PowerShell interface, type **"systeminfo | findstr /B /C:"OS Name" /B /C:"OS Version"** and then press **ENTER**
 
-![screenshot of system information display text.](images/refcmd.png)
+![screenshot of system information display text](images/refcmd.png)
 
 At the Command Prompt or PowerShell, type **"slmgr /dlv"**, and then press ENTER. The /dlv command displays the detailed licensing information. Notice the output displays "EnterpriseS" as seen in the image below:
 
-![screenshot of software licensing manager.](images/slmgr_dlv.png)
+![screenshot of software licensing manager](images/slmgr_dlv.png)
 
 ## What does it all mean?
 
diff --git a/windows/configuration/configure-windows-10-taskbar.md b/windows/configuration/configure-windows-10-taskbar.md
index 5f433844ac..15407ebc50 100644
--- a/windows/configuration/configure-windows-10-taskbar.md
+++ b/windows/configuration/configure-windows-10-taskbar.md
@@ -31,7 +31,7 @@ The order of apps in the XML file dictates the order of pinned apps on the taskb
 
 The following example shows how apps will be pinned: Windows default apps to the left (blue circle), apps pinned by the user in the center (orange triangle), and apps that you pin using the XML file to the right (green square).
 
-![Windows left, user center, enterprise to the right.](images/taskbar-generic.png)
+![Windows left, user center, enterprise to the right](images/taskbar-generic.png)
 
 
 ## Configure taskbar (general)
@@ -142,11 +142,11 @@ The `<CustomTaskbarLayoutCollection>` section will append listed apps to the tas
 ```
 **Before:**
 
-![default apps pinned to taskbar.](images/taskbar-default.png)
+![default apps pinned to taskbar](images/taskbar-default.png)
 
 **After:**
 
- ![additional apps pinned to taskbar.](images/taskbar-default-plus.png)
+ ![additional apps pinned to taskbar](images/taskbar-default-plus.png)
 
 ## Remove default apps and add your own
 
@@ -175,11 +175,11 @@ If you only want to remove some of the default pinned apps, you would use this m
 ```
 **Before:**
 
-![Taskbar with default apps.](images/taskbar-default.png)
+![Taskbar with default apps](images/taskbar-default.png)
 
 **After:**
 
-![Taskbar with default apps removed.](images/taskbar-default-removed.png)
+![Taskbar with default apps removed](images/taskbar-default-removed.png)
 
 ## Remove default apps
 
@@ -250,15 +250,15 @@ The following example shows you how to configure taskbars by country or region.
 
 When the preceding example XML file is applied, the resulting taskbar for computers in the US or UK:
 
-![taskbar for US and UK locale.](images/taskbar-region-usuk.png)
+![taskbar for US and UK locale](images/taskbar-region-usuk.png)
 
 The resulting taskbar for computers in Germany or France:
 
-![taskbar for DE and FR locale.](images/taskbar-region-defr.png)
+![taskbar for DE and FR locale](images/taskbar-region-defr.png)
 
 The resulting taskbar for computers in any other country region:
 
-![taskbar for all other regions.](images/taskbar-region-other.png)
+![taskbar for all other regions](images/taskbar-region-other.png)
 
 
 > [!NOTE]
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-crm.md b/windows/configuration/cortana-at-work/cortana-at-work-crm.md
index 1190119050..e8a0cdee55 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-crm.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-crm.md
@@ -19,7 +19,7 @@ Cortana integration is a Preview feature that's available for your test or dev e
 >[!NOTE]
 >For more info about Dynamics CRM integration, how to turn on Cortana, and how to provide feedback, see [Preview feature: Set up Cortana integration](https://go.microsoft.com/fwlink/p/?LinkId=746819).
 
-![Cortana at work, showing the sales data pulled from Dynamics CRM.](../images/cortana-crm-screen.png)
+![Cortana at work, showing the sales data pulled from Dynamics CRM](../images/cortana-crm-screen.png)
 
 ## Turn on Cortana with Dynamics CRM in your organization
 You must be a CRM administrator to turn on and use Preview features. For more info about what Preview features are and how to use them, see [What are Preview features and how do I enable them](https://go.microsoft.com/fwlink/p/?LinkId=746817)?
@@ -43,7 +43,7 @@ You must tell your employees to turn on Cortana, before they’ll be able to use
 
 2. Click on **Connected Services**, click **Dynamics CRM**, and then click **Connect**.
 
-    ![Cotana at work, showing how to turn on the connected services for Dynamics CRM.](../images/cortana-connect-crm.png)
+    ![Cotana at work, showing how to turn on the connected services for Dynamics CRM](../images/cortana-connect-crm.png)
 
     The employee can also disconnect by clicking **Disconnect** from the **Dynamics CRM** screen.
 
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md b/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md
index 481cb27659..65919eb8e8 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md
@@ -48,35 +48,35 @@ Before you can start this testing scenario, you must first set up your test envi
 
 2. Expand the left rail by clicking the **Show the navigation pane** icon.
 
-    ![Cortana at work, showing the navigation expand icon in Power BI.](../images/cortana-powerbi-expand-nav.png)
+    ![Cortana at work, showing the navigation expand icon in Power BI](../images/cortana-powerbi-expand-nav.png)
 
 3. Click **Get Data** from the left-hand navigation in Power BI.
 
-    ![Cortana at work, showing the Get Data link.](../images/cortana-powerbi-getdata.png)
+    ![Cortana at work, showing the Get Data link](../images/cortana-powerbi-getdata.png)
 
 4. Click **Samples** from the **Content Pack Library** area of the **Get Data** screen.
 
-    ![Cortana at work, showing the Samples link.](../images/cortana-powerbi-getdata-samples.png)
+    ![Cortana at work, showing the Samples link](../images/cortana-powerbi-getdata-samples.png)
 
 5. Click **Retail Analysis Sample**, and then click **Connect**.
 
-    ![Cortana at work, showing the Samples link.](../images/cortana-powerbi-retail-analysis-sample.png)
+    ![Cortana at work, showing the Samples link](../images/cortana-powerbi-retail-analysis-sample.png)
  
     The sample data is imported and you’re returned to the **Power BI** screen.
 
 6. Click **Dashboards** from the left pane of the **Power BI** screen, and then click **Retail Analysis Sample**.
 
-    ![Cortana at work, showing a dashboard view of the sample data.](../images/cortana-powerbi-retail-analysis-dashboard.png)    
+    ![Cortana at work, showing a dashboard view of the sample data](../images/cortana-powerbi-retail-analysis-dashboard.png)    
  
 7. In the upper right-hand menu, click the **Settings** icon, and then click **Settings**.
 
-    ![Cortana at work, showing where to find the Settings option.](../images/cortana-powerbi-settings.png) 
+    ![Cortana at work, showing where to find the Settings option](../images/cortana-powerbi-settings.png) 
 
 8. Click the **Datasets** tab, and then pick the **Retail Analysis Sample** dataset from the list.
 
 9. Click **Q&A and Cortana**, check the **Allow Cortana to access this dataset** box, and then click **Apply**.
 
-    ![Cortana at work, showing where to find the dataset options.](../images/cortana-powerbi-retail-analysis-dataset.png)
+    ![Cortana at work, showing where to find the dataset options](../images/cortana-powerbi-retail-analysis-dataset.png)
 
     >[!NOTE]
     >It can take up to 30 minutes for a new dataset to appear for Power BI and Cortana. Logging in and out of Windows 10, or otherwise restarting Cortana, causes the new content to appear immediately.<p>If you enable a dataset for Cortana, and that dataset is part of a content pack you own, you’ll need to re-publish for your colleagues to also use it with Cortana.
@@ -92,7 +92,7 @@ After you’ve finished creating your Answer Page, you can continue to the inclu
 **To create a custom sales data Answer Page for Cortana**
 1. In Power BI, click **My Workspace**, click **Create**, and then click **Report**.
 
-    ![Cortana at work, showing where to create the new report.](../images/cortana-powerbi-create-report.png)
+    ![Cortana at work, showing where to create the new report](../images/cortana-powerbi-create-report.png)
  
 2. In the **Create Report** screen, click the **Retail Analysis Sample**, and then click **Create**.
 
@@ -100,11 +100,11 @@ After you’ve finished creating your Answer Page, you can continue to the inclu
 
 3. In the **Visualizations** pane, click the paint roller icon, expand **Page Size**, and then pick **Cortana** from the **Type** drop-down list.
 
-    ![Cortana at work, showing the Visualizations options.](../images/cortana-powerbi-pagesize.png)
+    ![Cortana at work, showing the Visualizations options](../images/cortana-powerbi-pagesize.png)
 
 4. In the **Fields** pane, click to expand **Sales**, expand **This year sales**, and then add both **Value** and **Goal**.
 
-    ![Cortana at work, showing the Field options.](../images/cortana-powerbi-field-selection.png)
+    ![Cortana at work, showing the Field options](../images/cortana-powerbi-field-selection.png)
  
     The automatically generated graph is added to your blank report. You have the option to change colors, add borders, add additional visualizations, and modify this page so that it answers the question about sales data as precisely, and in as custom a way, as you want. You just need to make sure that it all stays within the page borders.
 
@@ -112,7 +112,7 @@ After you’ve finished creating your Answer Page, you can continue to the inclu
 
     The alternate names help Cortana to know what questions to look for and when to show this report. To also improve your results, you should avoid using the names of your report columns.
 
-    ![Cortana at work, showing the page info for your specific report.](../images/cortana-powerbi-report-qna.png)
+    ![Cortana at work, showing the page info for your specific report](../images/cortana-powerbi-report-qna.png)
     
 6. Click **File**, click **Save as**, and save the report as _Sales data 2016_. 
 
@@ -128,13 +128,13 @@ Now that you’ve set up your device, you can use Cortana to show your info from
 
     Cortana shows you the available results.
 
-    ![Cortana at work, showing the best matches based on the Power BI data.](../images/cortana-powerbi-search.png)
+    ![Cortana at work, showing the best matches based on the Power BI data](../images/cortana-powerbi-search.png)
  	 
 3. In the **Power BI** area, click **This year in sales – in Retail Analysis Sample**.
 
  	Cortana returns your custom report.
 
-    ![Cortana at work, showing your custom report from Power BI.](../images/cortana-powerbi-myreport.png)
+    ![Cortana at work, showing your custom report from Power BI](../images/cortana-powerbi-myreport.png)
  	 
 >[!NOTE]
 >For more info about how to connect your own data, build your own custom Power BI cards and Answer Pages for Cortana, and how to share the cards with everyone in your organization, see [Use Power BI to create a custom Answer Page for Cortana](https://powerbi.microsoft.com/documentation/powerbi-service-cortana-desktop-entity-cards/).
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md
index c701623a88..478aeb7938 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md
@@ -49,7 +49,7 @@ While these aren't line-of-business apps, we've worked to make sure to implement
 
 2. Click on **Connected Services**, click **Uber**, and then click **Connect**.
 
-    ![Cortana at work, showing where to connect the Uber service to Cortana.](../images/cortana-connect-uber.png)
+    ![Cortana at work, showing where to connect the Uber service to Cortana](../images/cortana-connect-uber.png)
 
 **To use the voice-enabled commands with Cortana**
 1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone** icon (to the right of the **Search** box).
diff --git a/windows/configuration/customize-and-export-start-layout.md b/windows/configuration/customize-and-export-start-layout.md
index f50e213ce8..601ad70810 100644
--- a/windows/configuration/customize-and-export-start-layout.md
+++ b/windows/configuration/customize-and-export-start-layout.md
@@ -161,7 +161,7 @@ When you have the Start layout that you want your users to see, use the [Export-
 
 A partial Start layout enables you to add one or more customized tile groups to users' Start screens or menus, while still allowing users to make changes to other parts of the Start layout. All groups that you add are *locked*, meaning users cannot change the contents of those tile groups, however users can change the location of those groups. Locked groups are identified with an icon, as shown in the following image.
 
-![locked tile group.](images/start-pinned-app.png)
+![locked tile group](images/start-pinned-app.png)
 
 When a partial Start layout is applied for the first time, the new groups are added to the users' existing Start layouts. If an app tile is in both an existing group and in a new locked group, the duplicate app tile is removed from the existing (unlocked) group.
 
diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md
index 7b7dcaed64..12f62c8444 100644
--- a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md
+++ b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md
@@ -92,13 +92,13 @@ This procedure adds the customized Start and taskbar layout to the user configur
 
 2. Go to **User Configuration** or **Computer Configuration** &gt; **Administrative Templates** &gt;**Start Menu and Taskbar**.
 
-   ![start screen layout policy settings.](images/starttemplate.jpg)
+   ![start screen layout policy settings](images/starttemplate.jpg)
 
 3. Right-click **Start Layout** in the right pane, and click **Edit**.
 
    This opens the **Start Layout** policy settings.
 
-   ![policy settings for start screen layout.](images/startlayoutpolicy.jpg)
+   ![policy settings for start screen layout](images/startlayoutpolicy.jpg)
 
 4. Enter the following settings, and then click **OK**:
 
diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md b/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md
index 42b70e6248..ea856b24cd 100644
--- a/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md
+++ b/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md
@@ -87,7 +87,7 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L
 
 7. Open the customizations.xml file in a text editor. The **&lt;Customizations&gt;** section will look like this:
 
-    ![Customizations file with the placeholder text to replace highlighted.](images/customization-start.png)
+    ![Customizations file with the placeholder text to replace highlighted](images/customization-start.png)
 
 7. Replace **layout.xml** with the text from the layout.xml file, [with markup characters replaced with escape characters](#escape).
 
diff --git a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md
index f5540c6ddd..aa195fb89f 100644
--- a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md
+++ b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md
@@ -50,7 +50,7 @@ To get the names and AUMIDs for all apps installed for the current user, perform
 
 3. In the **Choose Details** window, select **AppUserModelId**, and then select **OK**. (You might need to change the **View** setting from **Tiles** to **Details**.)
 
-![Image of the Choose Details options.](images/aumid-file-explorer.png)
+![Image of the Choose Details options](images/aumid-file-explorer.png)
 
 ## To find the AUMID of an installed app for the current user by using the registry
 
diff --git a/windows/configuration/kiosk-methods.md b/windows/configuration/kiosk-methods.md
index 9efa2b652d..bd502511d7 100644
--- a/windows/configuration/kiosk-methods.md
+++ b/windows/configuration/kiosk-methods.md
@@ -24,13 +24,13 @@ Some desktop devices in an enterprise serve a special purpose, such as a PC in t
   
     A single-app kiosk is ideal for public use. Using [Shell Launcher](kiosk-shelllauncher.md), you can configure a kiosk device that runs a Windows desktop application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on. This type of single-app kiosk does not run above the lockscreen. 
 
-    ![Illustration of a full-screen kiosk experience.](images/kiosk-fullscreen.png)
+    ![Illustration of a full-screen kiosk experience](images/kiosk-fullscreen.png)
 
 - **A multi-app kiosk**, which runs one or more apps from the desktop. People using the kiosk see a customized Start that shows only the tiles for the apps that are allowed. With this approach, you can configure a locked-down experience for different account types. 
 
     A multi-app kiosk is appropriate for devices that are shared by multiple people. When you configure a multi-app kiosk, [specific policies are enforced](kiosk-policies.md) that will affect **all** non-administrator users on the device. 
 
-    ![Illustration of a kiosk Start screen.](images/kiosk-desktop.png)
+    ![Illustration of a kiosk Start screen](images/kiosk-desktop.png)
 
 Kiosk configurations are based on **Assigned Access**, a feature in Windows 10 that allows an administrator to manage the user's experience by limiting the application entry points exposed to the user. 
 
@@ -38,25 +38,25 @@ There are several kiosk configuration methods that you can choose from, dependin
 
 - **Which type of app will your kiosk run?**
 
-    ![icon that represents apps.](images/office-logo.png) 
+    ![icon that represents apps](images/office-logo.png) 
 
     Your kiosk can run a Universal Windows Platform (UWP) app or a Windows desktop application. For [digital signage](setup-digital-signage.md), simply select a digital sign player as your kiosk app. [Check out the guidelines for kiosk apps.](guidelines-for-assigned-access-app.md)
 
 - **Which type of kiosk do you need?**
 
-    ![icon that represents a kiosk.](images/kiosk.png)
+    ![icon that represents a kiosk](images/kiosk.png)
 
     If you want your kiosk to run a single app for anyone to see or use, consider a single-app kiosk that runs either a [Universal Windows Platform (UWP) app](#uwp) or a [Windows desktop application](#classic). For a kiosk that people can sign in to with their accounts or that runs more than one app, choose [a multi-app kiosk](#desktop).
 
 - **Which edition of Windows 10 will the kiosk run?**
 
-    ![icon that represents Windows.](images/windows.png)
+    ![icon that represents Windows](images/windows.png)
 
     All of the configuration methods work for Windows 10 Enterprise and Education; some of the methods work for Windows 10 Pro. Kiosk mode is not available on Windows 10 Home.
 
 - **Which type of user account will be the kiosk account?**
 
-    ![icon that represents a user account.](images/user.png)
+    ![icon that represents a user account](images/user.png)
 
     The kiosk account can be a local standard user account, a local administrator account, a domain account, or an Azure Active Directory (Azure AD) account, depending on the method that you use to configure the kiosk. If you want people to sign in and authenticate on the device, you should use a multi-app kiosk configuration. The single-app kiosk configuration doesn't require people to sign in to the device, although they can sign in to the kiosk app if you select an app that has a sign-in method.
 
diff --git a/windows/configuration/kiosk-prepare.md b/windows/configuration/kiosk-prepare.md
index ba1aaa2b58..154b35c3d0 100644
--- a/windows/configuration/kiosk-prepare.md
+++ b/windows/configuration/kiosk-prepare.md
@@ -54,7 +54,7 @@ Disable removable media. |     Go to **Group Policy Editor** &gt; **Computer Con
 
 Logs can help you [troubleshoot issues](./kiosk-troubleshoot.md) kiosk issues. Logs about configuration and runtime issues can be obtained by enabling the **Applications and Services Logs\Microsoft\Windows\AssignedAccess\Operational** channel, which is disabled by default.
 
-![Event Viewer, right-click Operational, select enable log.](images/enable-assigned-access-log.png)
+![Event Viewer, right-click Operational, select enable log](images/enable-assigned-access-log.png)
 
 ## Automatic logon
 
@@ -257,7 +257,7 @@ A single-app kiosk configuration runs an app above the lock screen. It doesn't w
 
 When you connect to a VM configured as a single-app kiosk, you need a *basic* session rather than an enhanced session. In the following image, notice that **Enhanced session** is not selected in the **View** menu; that means it's a basic session.
 
-![VM windows, View menu, Extended session is not selected.](images/vm-kiosk.png)
+![VM windows, View menu, Extended session is not selected](images/vm-kiosk.png)
 
 To connect to a VM in a basic session, do not select **Connect** in the connection dialog, as shown in the following image, but instead, select the **X** button in the upper-right corner to cancel the dialog. 
 
diff --git a/windows/configuration/kiosk-shelllauncher.md b/windows/configuration/kiosk-shelllauncher.md
index 73e724bd75..f510b637bd 100644
--- a/windows/configuration/kiosk-shelllauncher.md
+++ b/windows/configuration/kiosk-shelllauncher.md
@@ -137,7 +137,7 @@ The OMA-URI path is `./Device/Vendor/MSFT/AssignedAccess/ShellLauncher`.
 
 For the value, you can select data type `String` and paste the desired configuration file content into the value box. If you wish to upload the xml instead of pasting the content, choose data type `String (XML file)`. 
 
-![Screenshot of custom OMA-URI settings.](images/slv2-oma-uri.png)
+![Screenshot of custom OMA-URI settings](images/slv2-oma-uri.png)
 
 After you configure the profile containing the custom Shell Launcher setting, select **All Devices** or selected groups of devices to apply the profile to. Don't assign the profile to users or user groups.
 
diff --git a/windows/configuration/kiosk-single-app.md b/windows/configuration/kiosk-single-app.md
index eac49be093..8baee6a466 100644
--- a/windows/configuration/kiosk-single-app.md
+++ b/windows/configuration/kiosk-single-app.md
@@ -24,7 +24,7 @@ ms.topic: article
 
 A single-app kiosk uses the Assigned Access feature to run a single app above the lockscreen. When the kiosk account signs in, the app is launched automatically. The person using the kiosk cannot do anything on the device outside of the kiosk app.
 
-![Illustration of a single-app kiosk experience.](images/kiosk-fullscreen-sm.png)
+![Illustration of a single-app kiosk experience](images/kiosk-fullscreen-sm.png)
 
 >[!IMPORTANT]
 >[User account control (UAC)](/windows/security/identity-protection/user-account-control/user-account-control-overview) must be turned on to enable kiosk mode.
@@ -66,7 +66,7 @@ When your kiosk is a local device that is not managed by Active Directory or Azu
 
 - If you do not want the kiosk account signed in automatically when the device restarts, you must change the default setting before you configure the device as a kiosk. Sign in with the account that you will assign as the kiosk account, go to **Settings** > **Accounts** > **Sign-in options**, and toggle the **Use my sign-in info to automatically finish setting up my device after an update or restart** setting to **Off**. After you change the setting, you can apply the kiosk configuration to the device.
 
-![Screenshot of automatic sign-in setting.](images/auto-signin.png)
+![Screenshot of automatic sign-in setting](images/auto-signin.png)
 
 ### Instructions for Windows 10, version 1809
 
@@ -98,7 +98,7 @@ To remove assigned access, select the account tile on the **Set up a kiosk** pag
 
 When you set up a kiosk (also known as *assigned access*) in **Settings** for Windows 10, version 1803 and earlier, you must select an existing local standard user account. [Learn how to create a local standard user account.](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10)
 
-![The Set up assigned access page in Settings.](images/kiosk-settings.png)
+![The Set up assigned access page in Settings](images/kiosk-settings.png)
 
 **To set up assigned access in PC settings**
 
@@ -131,7 +131,7 @@ To remove assigned access, choose **Turn off assigned access and sign out of the
 >
 >Account type: Local standard user
 
-![PowerShell windows displaying Set-AssignedAccess cmdlet.](images/set-assignedaccess.png)
+![PowerShell windows displaying Set-AssignedAccess cmdlet](images/set-assignedaccess.png)
 
 You can use any of the following PowerShell cmdlets to set up assigned access on multiple devices. 
 
@@ -191,7 +191,7 @@ Clear-AssignedAccess
 >
 >Account type: Local standard user, Active Directory 
 
-![Kiosk wizard option in Windows Configuration Designer.](images/kiosk-wizard.png)
+![Kiosk wizard option in Windows Configuration Designer](images/kiosk-wizard.png)
 
 
 >[!IMPORTANT]
diff --git a/windows/configuration/kiosk-troubleshoot.md b/windows/configuration/kiosk-troubleshoot.md
index e34bee8204..75781737fb 100644
--- a/windows/configuration/kiosk-troubleshoot.md
+++ b/windows/configuration/kiosk-troubleshoot.md
@@ -53,7 +53,7 @@ For example:
 3. Verify that the configuration XML file is authored and formatted correctly. Correct any configuration errors, then create and apply a new provisioning package. Sign out and sign in again to check the new configuration.
 4. Additional logs about configuration and runtime issues can be obtained by enabling the **Applications and Services Logs\Microsoft\Windows\AssignedAccess\Operational** channel, which is disabled by default.
 
-![Event Viewer, right-click Operational, select enable log.](images/enable-assigned-access-log.png)
+![Event Viewer, right-click Operational, select enable log](images/enable-assigned-access-log.png)
 
 
 ### Automatic logon issues 
diff --git a/windows/configuration/lock-down-windows-10-applocker.md b/windows/configuration/lock-down-windows-10-applocker.md
index 5c2cfa795b..c2221b549a 100644
--- a/windows/configuration/lock-down-windows-10-applocker.md
+++ b/windows/configuration/lock-down-windows-10-applocker.md
@@ -34,7 +34,7 @@ AppLocker rules are organized into collections based on file format. If no AppLo
 
 This topic describes how to lock down apps on a local device. You can also use AppLocker to set rules for applications in a domain by using Group Policy.
 
-![install create lockdown customize.](images/lockdownapps.png)
+![install create lockdown customize](images/lockdownapps.png)
 
 ## Install apps
 
@@ -50,13 +50,13 @@ After you install the desired apps, set up AppLocker rules to only allow specifi
 
 2.  Go to **Security Settings** &gt; **Application Control Policies** &gt; **AppLocker**, and select **Configure rule enforcement**.
 
-    ![configure rule enforcement.](images/apprule.png)
+    ![configure rule enforcement](images/apprule.png)
 
 3.  Check **Configured** under **Executable rules**, and then click **OK**.
 
 4.  Right-click **Executable Rules** and then click **Automatically generate rules**.
 
-    ![automatically generate rules.](images/genrule.png)
+    ![automatically generate rules](images/genrule.png)
 
 5.  Select the folder that contains the apps that you want to permit, or select C:\\ to analyze all apps.
 
@@ -68,7 +68,7 @@ After you install the desired apps, set up AppLocker rules to only allow specifi
 
 9.  Read the message and click **Yes**.
 
-    ![default rules warning.](images/appwarning.png)
+    ![default rules warning](images/appwarning.png)
 
 10. (optional) If you want a rule to apply to a specific set of users, right-click on the rule and select **Properties**. Then use the dialog to choose a different user or group of users.
 
diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md
index 2bbcd7f1a3..702221c085 100644
--- a/windows/configuration/lock-down-windows-10-to-specific-apps.md
+++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md
@@ -81,7 +81,7 @@ Let's start by looking at the basic structure of the XML file.
 
 - A profile has no effect if it’s not associated to a config section.
 
-    ![profile = app and config = account.](images/profile-config.png)
+    ![profile = app and config = account](images/profile-config.png)
 
 You can start your file by pasting the following XML (or any other examples in this topic) into a XML editor, and saving the file as *filename*.xml. Each section of this XML is explained in this topic. You can see a full sample version in the [Assigned access XML reference.](kiosk-xml.md)
 
@@ -271,7 +271,7 @@ This example pins Groove Music, Movies & TV, Photos, Weather, Calculator, Paint,
 >[!NOTE]
 >If an app is not installed for the user but is included in the Start layout XML, the app will not be shown on the Start screen.
 
-![What the Start screen looks like when the XML sample is applied.](images/sample-start.png)
+![What the Start screen looks like when the XML sample is applied](images/sample-start.png)
 
 ##### Taskbar
 
@@ -494,7 +494,7 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L
 
 7. In the center pane, click **Browse** to locate and select the assigned access configuration XML file that you created.
 
-   ![Screenshot of the MultiAppAssignedAccessSettings field in Windows Configuration Designer.](images/multiappassignedaccesssettings.png)
+   ![Screenshot of the MultiAppAssignedAccessSettings field in Windows Configuration Designer](images/multiappassignedaccesssettings.png)
 
 8. (**Optional**: If you want to apply the provisioning package after device initial setup and there is an admin user already available on the kiosk device, skip this step.) Create an admin user account in **Runtime settings** &gt; **Accounts** &gt; **Users**. Provide a **UserName** and **Password**, and select **UserGroup** as **Administrators**. With this account, you can view the provisioning status and logs if needed.
 
@@ -544,7 +544,7 @@ Provisioning packages can be applied to a device during the first-run experience
 
 1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**.
 
-    ![The first screen to set up a new PC.](images/oobe.jpg)
+    ![The first screen to set up a new PC](images/oobe.jpg)
 
 2. Insert the USB drive. Windows Setup will recognize the drive and ask if you want to set up the device. Select **Set up**.
 
@@ -552,11 +552,11 @@ Provisioning packages can be applied to a device during the first-run experience
 
 3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**.
 
-    ![Provision this device.](images/prov.jpg)
+    ![Provision this device](images/prov.jpg)
 
 4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**.
 
-    ![Choose a package.](images/choose-package.png)
+    ![Choose a package](images/choose-package.png)
 
 5. Select **Yes, add it**.
 
@@ -570,7 +570,7 @@ Provisioning packages can be applied to a device during the first-run experience
 >[!NOTE]
 >if your provisioning package doesn’t include the assigned access user account creation, make sure the account you specified in the multi-app configuration XML exists on the device.
 
-![add a package option.](images/package.png)
+![add a package option](images/package.png)
 
 <span id="alternate-methods" />
 ### Use MDM to deploy the multi-app configuration
diff --git a/windows/configuration/manage-wifi-sense-in-enterprise.md b/windows/configuration/manage-wifi-sense-in-enterprise.md
index 6dc4c73ddb..d577b69cff 100644
--- a/windows/configuration/manage-wifi-sense-in-enterprise.md
+++ b/windows/configuration/manage-wifi-sense-in-enterprise.md
@@ -46,7 +46,7 @@ You can manage your Wi-Fi Sense settings by using Group Policy and your Group Po
 
 1.  Open your Group Policy editor and go to the `Computer Configuration\Administrative Templates\Network\WLAN Service\WLAN Settings\Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services` setting.
 
-    ![Group Policy Editor, showing the Wi-Fi Sense setting.](images/wifisense-grouppolicy.png)
+    ![Group Policy Editor, showing the Wi-Fi Sense setting](images/wifisense-grouppolicy.png)
 
 2.  Turn Wi-Fi Sense on (enabled) or off (disabled), based on your company's environment.
 
@@ -60,7 +60,7 @@ You can manage your Wi-Fi Sense settings by using registry keys and the Registry
 2. Create and set a new **DWORD (32-bit) Value** named, **AutoConnectAllowedOEM**, with a **Value data** of **0 (zero)**.
    <p>Setting this value to <strong>0</strong> turns off Wi-Fi Sense and all Wi-Fi sense features. When turned off, the Wi-Fi Sense settings still appear on the <strong>Wi-Fi Settings</strong> screen, but can&#39;t be controlled by the employee and all of the Wi-Fi Sense features are turned off. For more info, see <a href="/troubleshoot/windows-client/networking/configure-wifi-sense-and-paid-wifi-service" data-raw-source="[How to configure Wi-Fi Sense on Windows 10 in an enterprise](/troubleshoot/windows-client/networking/configure-wifi-sense-and-paid-wifi-service)">How to configure Wi-Fi Sense on Windows 10 in an enterprise</a>.
 
-   ![Registry Editor, showing the creation of a new DWORD value.](images/wifisense-registry.png)
+   ![Registry Editor, showing the creation of a new DWORD value](images/wifisense-registry.png)
 
 ### Using the Windows Provisioning settings
 You can manage your Wi-Fi Sense settings by changing the Windows provisioning setting, **WiFISenseAllowed**.
@@ -81,7 +81,7 @@ If your company still uses Unattend, you can manage your Wi-Fi Sense settings by
 ### How employees can change their own Wi-Fi Sense settings
 If you don’t turn off the ability for your employees to use Wi-Fi Sense, they can turn it on locally by selecting **Settings &gt; Network & Internet &gt; Wi-Fi &gt; Manage Wi-Fi settings**, and then turning on **Connect to suggested open hotspots**.
 
-![Wi-Fi Sense options shown to employees if it's not turned off.](images/wifisense-settingscreens.png)
+![Wi-Fi Sense options shown to employees if it's not turned off](images/wifisense-settingscreens.png)
 
 **Important**<br>The service that was used to share networks with Facebook friends, Outlook.com contacts, or Skype contacts is no longer available. This means:
 
diff --git a/windows/configuration/mobile-devices/lockdown-xml.md b/windows/configuration/mobile-devices/lockdown-xml.md
index 87f2b7b7cf..ecf485cb1d 100644
--- a/windows/configuration/mobile-devices/lockdown-xml.md
+++ b/windows/configuration/mobile-devices/lockdown-xml.md
@@ -62,7 +62,7 @@ The settings for the Default role and other roles must be listed in your XML fil
 
 ## Action Center
 
-![XML for Action Center.](../images/ActionCenterXML.jpg)
+![XML for Action Center](../images/ActionCenterXML.jpg)
 
 The Action Center setting controls whether the user can open the Action Center on the device. When the Action Center is disabled, notifications on the lockscreen and toasts are also disabled. You can use optional attributes with the Action Center element to change that behavior for either notifications, toasts, or both.
 
@@ -92,7 +92,7 @@ The following example is a complete lockdown XML file that disables Action Cente
 
 ## Apps
 
-![XML for Apps.](../images/AppsXML.png)
+![XML for Apps](../images/AppsXML.png)
 
 The Apps setting serves as an allow list and specifies the applications that will be available in the All apps list. Apps that are not included in this setting are hidden from the user and blocked from running. 
 
@@ -110,7 +110,7 @@ The following example makes Outlook Calendar available on the device.
 
 When you list an app, you can also set the app to be pinned to the Start screen by specifying the tile size and location. Tip: draw a grid and mark your app tiles on it to make sure you get the result you want. The width (X axis) in the following example is the limit for Windows 10 Mobile, but the length (Y axis) is unlimited. The number of columns available to you depends on the value for [StartScreenSize](#start-screen-size).
 
-![Grid to lay out tiles for Start.](../images/StartGrid.jpg)
+![Grid to lay out tiles for Start](../images/StartGrid.jpg)
 
 Tile sizes are:
 * Small: 1x1
@@ -152,7 +152,7 @@ In the following example, Outlook Calendar and Outlook Mail are pinned to the St
 
 That layout would appear on a device like this:
 
-![Example of the layout on a Start screen.](../images/StartGridPinnedApps.jpg)
+![Example of the layout on a Start screen](../images/StartGridPinnedApps.jpg)
 
 You can create and pin folders to Start by using the Apps setting. Each folder requires a **folderId**, which must be a consecutive positive integer starting with `1`. You can also specify a **folderName** (optional) which will be displayed on Start.
 
@@ -203,7 +203,7 @@ When an app is contained in a folder, its **PinToStart** configuration (tile siz
 
 ## Buttons
 
-![XML for buttons.](../images/ButtonsXML.jpg)
+![XML for buttons](../images/ButtonsXML.jpg)
 
 In the Buttons setting, you use ButtonLockdownList to disable hardware buttons and ButtonRemapList to change button events to open an app that you specify. 
 
@@ -213,11 +213,11 @@ When a user taps a button that is in the lockdown list, nothing will happen. The
 
 Button | Press | PressAndHold | All
 ---|:---:|:---:|:--:|-
-Start | ![no.](../images/crossmark.png) | ![yes](../images/checkmark.png) | ![no](../images/crossmark.png)
-Back | ![yes.](../images/checkmark.png) | ![yes](../images/checkmark.png) | ![yes](../images/checkmark.png) 
-Search | ![yes.](../images/checkmark.png) | ![yes](../images/checkmark.png) | ![yes](../images/checkmark.png)
-Camera | ![yes.](../images/checkmark.png) | ![yes](../images/checkmark.png) | ![yes](../images/checkmark.png)
-Custom 1, 2, and 3 | ![yes.](../images/checkmark.png) | ![yes](../images/checkmark.png) | ![yes](../images/checkmark.png)
+Start | ![no](../images/crossmark.png) | ![yes](../images/checkmark.png) | ![no](../images/crossmark.png)
+Back | ![yes](../images/checkmark.png) | ![yes](../images/checkmark.png) | ![yes](../images/checkmark.png) 
+Search | ![yes](../images/checkmark.png) | ![yes](../images/checkmark.png) | ![yes](../images/checkmark.png)
+Camera | ![yes](../images/checkmark.png) | ![yes](../images/checkmark.png) | ![yes](../images/checkmark.png)
+Custom 1, 2, and 3 | ![yes](../images/checkmark.png) | ![yes](../images/checkmark.png) | ![yes](../images/checkmark.png)
 
 > [!NOTE]
 >  Custom buttons are hardware buttons that can be added to devices by OEMs.
@@ -270,7 +270,7 @@ In the following example, when a user presses the Search button, the phone diale
 
 ## CSPRunner
 
-![XML for CSP Runner.](../images/CSPRunnerXML.jpg)
+![XML for CSP Runner](../images/CSPRunnerXML.jpg)
 
 You can use CSPRunner to include settings that are not defined in AssignedAccessXML. For example, you can include settings from other sections of EnterpriseAssignedAccess CSP, such as lockscreen, theme, and time zone. You can also include settings from other CSPs, such as [Wi-Fi CSP](/windows/client-management/mdm/wifi-csp) or [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider).
 
@@ -317,7 +317,7 @@ SyncML entry | Description
 
 ## Menu items
 
-![XML for menu items.](../images/MenuItemsXML.png)
+![XML for menu items](../images/MenuItemsXML.png)
 
 Use DisableMenuItems to prevent use of the context menu, which is displayed when a user presses and holds an application in the All Apps list. You can include this entry in the default profile and in any additional user role profiles that you create.
 
@@ -329,7 +329,7 @@ Use DisableMenuItems to prevent use of the context menu, which is displayed when
 
 ## Settings
 
-![XML for settings.](../images/SettingsXML.png)
+![XML for settings](../images/SettingsXML.png)
 
 The **Settings** section contains an `allow` list of pages in the Settings app and quick actions. The following example allows all settings.
 
@@ -363,7 +363,7 @@ For a list of the settings and quick actions that you can allow or block, see [S
 
  ## Tiles
 
- ![XML for tiles.](../images/TilesXML.png)
+ ![XML for tiles](../images/TilesXML.png)
 
  By default, under Assigned Access, tile manipulation is turned off (blocked) and only available if enabled in the user’s profile. If tile manipulation is enabled in the user’s profile, they can pin/unpin, move, and resize tiles based on their preferences. When multiple people use one device and you want to enable tile manipulation for multiple users, you must enable it for each user in their user profile. 
 
@@ -446,7 +446,7 @@ Use the Windows ICD tool included in the Windows Assessment and Deployment Kit (
 
 3.  In the center pane, click **Browse** to locate and select the lockdown XML file that you created.
 
-    ![browse button.](../images/icdbrowse.png)
+    ![browse button](../images/icdbrowse.png)
 
 4.  On the **File** menu, select **Save.**
 
diff --git a/windows/configuration/mobile-devices/mobile-lockdown-designer.md b/windows/configuration/mobile-devices/mobile-lockdown-designer.md
index a7d82f6088..68774e0da5 100644
--- a/windows/configuration/mobile-devices/mobile-lockdown-designer.md
+++ b/windows/configuration/mobile-devices/mobile-lockdown-designer.md
@@ -16,7 +16,7 @@ manager: dansimp
 
 # Use the Lockdown Designer app to create a Lockdown XML file
 
-![Lockdown Designer in the Store.](../images/ldstore.png)
+![Lockdown Designer in the Store](../images/ldstore.png)
 
 Windows 10 Mobile allows enterprises to lock down a device, define multiple user roles, and configure custom layouts on a device. For example, the enterprise can lock down a device so that only applications and settings in an allow list are available. This is accomplished using Lockdown XML, an XML file that contains settings for Windows 10 Mobile. 
 
@@ -55,7 +55,7 @@ Perform these steps on the device running Windows 10 Mobile that you will use to
 >[!IMPORTANT]
 >Check **Settings > Personalization > Start > Show more tiles** on the test mobile device. If **Show more tiles** is **On**, you must select **Large** on the [**Start screen** page](#start) in Lockdown Designer. If you want to apply a **Small** layout, set **Show more tiles** on the test mobile device to **Off**.
 >
->![turn off show more tiles for small start screen size.](../images/show-more-tiles.png) 
+>![turn off show more tiles for small start screen size](../images/show-more-tiles.png) 
 
 ## Prepare the PC
 
@@ -89,7 +89,7 @@ If you want to connect the PC and the test mobile device using a USB cable, perf
 
 3. Click **Pair**. 
 
-    ![Pair.](../images/ld-pair.png)
+    ![Pair](../images/ld-pair.png)
 
     **Connect to remote device** appears. 
 
@@ -99,7 +99,7 @@ If you want to connect the PC and the test mobile device using a USB cable, perf
 
 6. Next, click **Sync** to pull information from the device in to Lockdown Designer.
 
-    ![Sync.](../images/ld-sync.png)
+    ![Sync](../images/ld-sync.png)
 
 7. Click the **Save** icon and enter a name for your project. 
 
@@ -113,7 +113,7 @@ If you want to connect the PC and the test mobile device using a USB cable, perf
 
 3. On the **Project setting** > **General settings** page, click **Pair**. 
 
-    ![Pair.](../images/ld-pair.png)
+    ![Pair](../images/ld-pair.png)
 
     **Connect to remote device** appears. 
 
@@ -123,7 +123,7 @@ If you want to connect the PC and the test mobile device using a USB cable, perf
 
 6. Next, click **Sync** to pull information from the device in to Lockdown Designer.
 
-    ![Sync.](../images/ld-sync.png)
+    ![Sync](../images/ld-sync.png)
 
 7. Click the **Save** icon and enter a name for your project. 
 
@@ -134,13 +134,13 @@ The apps and settings available in the pages of Lockdown Designer should now be
 
 | Page | Description |
 | --- | --- |
-| ![Applications.](../images/ld-apps.png) | Each app from the test mobile device is listed. Select the apps that you want visible to users.</br></br>You can select an app to run automatically when a user signs in to the device. The **Select Auto-Run** menu is populated by the apps that you select to allow on the device. |
-| ![CSP Runner.](../images/ld-csp.png) | CSPRunner enables you to include settings and policies that are not defined in other sections of the app. To make use of CSPRunner, you must create the SyncML block that contains the settings, and then import the SyncML in Lockdown Designer. [Learn how to use CSPRunner and author SyncML.](lockdown-xml.md#csprunner)  |
-| ![Settings.](../images/ld-settings.png)  |  On this page, you select the settings that you want visible to users. See the [ms settings: URI scheme reference](/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference) to see which Settings page maps to a URI.  |
-| ![Quick actions.](../images/ld-quick.png)  |  On this page, you select the settings that you want visible to users. |
-| ![Buttons.](../images/ld-buttons.png)  |  Each hardware button on a mobile device has different actions that can be disabled. In addition, the behavior for **Search** button can be changed to open an app other than **Search**.</br></br>Some devices may have additional hardware buttons provided by the OEM. These are listed as Custom1, Custom2, and Custom3. If your device has custom hardware buttons, contact your equipment provider to identify how their custom buttons are defined. |
-| ![Other settings.](../images/ld-other.png)  | This page contains several settings that you can configure:</br></br>- The context menu is displayed when a user presses and holds an application in the All Apps list. You can enable or disable the context menu.</br></br>- Tile manipulation allows users to pin, unpin, move, and resize tiles on the Start screen. You can enable or disable tile manipulation.</br></br>- The Action Center setting controls whether the user can open the Action Center on the device. When the Action Center is disabled, notifications on the lockscreen and toasts are also disabled. You can use optional attributes with the Action Center element to change that behavior for either notifications, toasts, or both.  |
-| <span id="start" />![Start screen.](../images/ld-start.png)  | On this page, you can start a remote simulation session with the test mobile device. Click **Start remote simulation**. You will see a **Start screen remote simulation in progress** message on the PC. (If the **Start remote simulation** button is not active, [pair the mobile device with the PC again](#pair).)</br></br>On the test mobile device, tiles for the apps that you allowed on the **Applications** page are displayed on the screen. You can move, resize, or unpin these tiles to achieve the desired layout.</br></br>When you are done changing the layout on the test mobile device, click **Accept** on the PC. |
+| ![Applications](../images/ld-apps.png) | Each app from the test mobile device is listed. Select the apps that you want visible to users.</br></br>You can select an app to run automatically when a user signs in to the device. The **Select Auto-Run** menu is populated by the apps that you select to allow on the device. |
+| ![CSP Runner](../images/ld-csp.png) | CSPRunner enables you to include settings and policies that are not defined in other sections of the app. To make use of CSPRunner, you must create the SyncML block that contains the settings, and then import the SyncML in Lockdown Designer. [Learn how to use CSPRunner and author SyncML.](lockdown-xml.md#csprunner)  |
+| ![Settings](../images/ld-settings.png)  |  On this page, you select the settings that you want visible to users. See the [ms settings: URI scheme reference](/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference) to see which Settings page maps to a URI.  |
+| ![Quick actions](../images/ld-quick.png)  |  On this page, you select the settings that you want visible to users. |
+| ![Buttons](../images/ld-buttons.png)  |  Each hardware button on a mobile device has different actions that can be disabled. In addition, the behavior for **Search** button can be changed to open an app other than **Search**.</br></br>Some devices may have additional hardware buttons provided by the OEM. These are listed as Custom1, Custom2, and Custom3. If your device has custom hardware buttons, contact your equipment provider to identify how their custom buttons are defined. |
+| ![Other settings](../images/ld-other.png)  | This page contains several settings that you can configure:</br></br>- The context menu is displayed when a user presses and holds an application in the All Apps list. You can enable or disable the context menu.</br></br>- Tile manipulation allows users to pin, unpin, move, and resize tiles on the Start screen. You can enable or disable tile manipulation.</br></br>- The Action Center setting controls whether the user can open the Action Center on the device. When the Action Center is disabled, notifications on the lockscreen and toasts are also disabled. You can use optional attributes with the Action Center element to change that behavior for either notifications, toasts, or both.  |
+| <span id="start" />![Start screen](../images/ld-start.png)  | On this page, you can start a remote simulation session with the test mobile device. Click **Start remote simulation**. You will see a **Start screen remote simulation in progress** message on the PC. (If the **Start remote simulation** button is not active, [pair the mobile device with the PC again](#pair).)</br></br>On the test mobile device, tiles for the apps that you allowed on the **Applications** page are displayed on the screen. You can move, resize, or unpin these tiles to achieve the desired layout.</br></br>When you are done changing the layout on the test mobile device, click **Accept** on the PC. |
 
 
 ## Validate and export
@@ -169,4 +169,4 @@ You can create additional roles for the device and have unique configurations fo
 
 4. Configure the settings for the role as above, but make sure on each page that you select the correct role.
 
-    ![Current role selection box.](../images/ld-role.png)
\ No newline at end of file
+    ![Current role selection box](../images/ld-role.png)
\ No newline at end of file
diff --git a/windows/configuration/mobile-devices/provisioning-configure-mobile.md b/windows/configuration/mobile-devices/provisioning-configure-mobile.md
index ebd4218503..1d321fd9cb 100644
--- a/windows/configuration/mobile-devices/provisioning-configure-mobile.md
+++ b/windows/configuration/mobile-devices/provisioning-configure-mobile.md
@@ -66,13 +66,13 @@ You can apply a provisioning package to a device running Windows 10 Mobile by us
 1. Insert an SD card containing the provisioning package into the device.
 2. Navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install. 
 
-    ![add a package option.](../images/packages-mobile.png)
+    ![add a package option](../images/packages-mobile.png)
 
 3. Click **Add**.
 
 4. On the device, the **Is this package from a source you trust?** message will appear. Tap **Yes, add it**.
 
-    ![Is this package from a source you trust.](../images/package-trust.png)
+    ![Is this package from a source you trust](../images/package-trust.png)
     
 ### Copying the provisioning package to the device
 
@@ -82,7 +82,7 @@ You can apply a provisioning package to a device running Windows 10 Mobile by us
 
 3. On the device, the **Is this package from a source you trust?** message will appear. Tap **Yes, add it**.
 
-    ![Is this package from a source you trust.](../images/package-trust.png)
+    ![Is this package from a source you trust](../images/package-trust.png)
 
 
 ## Related topics
diff --git a/windows/configuration/mobile-devices/provisioning-nfc.md b/windows/configuration/mobile-devices/provisioning-nfc.md
index 42ff3ff229..571a1488af 100644
--- a/windows/configuration/mobile-devices/provisioning-nfc.md
+++ b/windows/configuration/mobile-devices/provisioning-nfc.md
@@ -31,7 +31,7 @@ All Windows 10 Mobile Enterprise and Windows 10 Mobile images have the NFC provi
 
 On all Windows devices, device provisioning during OOBE can be triggered by 5 fast taps on the Windows hardware key, which shows the **Provision this device** screen. In the **Provision this device** screen, select **NFC** for NFC-based provisioning. 
 
-![Example of Provision this device screen.](../images/nfc.png)
+![Example of Provision this device screen](../images/nfc.png)
 
 If there is an error during NFC provisioning, the device will show a message if any of the following errors occur:
 
diff --git a/windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md b/windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md
index a265a544e3..711f3cfc4e 100644
--- a/windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md
+++ b/windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md
@@ -168,28 +168,28 @@ Apps Corner lets you set up a custom Start screen on your Windows 10 Mobile or
 
 **To set up Apps Corner**
 
-1.  On Start ![start.](../images/starticon.png), swipe over to the App list, then tap **Settings** ![settings](../images/settingsicon.png) &gt; **Accounts** &gt; **Apps Corner**.
+1.  On Start ![start](../images/starticon.png), swipe over to the App list, then tap **Settings** ![settings](../images/settingsicon.png) &gt; **Accounts** &gt; **Apps Corner**.
 
-2.  Tap **Apps**, tap to select the app that you want people to use in the kiosk mode, and then tap done ![done icon.](images/doneicon.png).
+2.  Tap **Apps**, tap to select the app that you want people to use in the kiosk mode, and then tap done ![done icon](images/doneicon.png).
 
-3.  If your phone doesn't already have a lock screen password, you can set one now to ensure that people can't get to your Start screen from Apps Corner. Tap **Protect my phone with a password**, click **Add**, type a PIN in the **New PIN** box, type it again in the **Confirm PIN** box, and then tap **OK**. Press **Back** ![back.](../images/backicon.png) to the Apps Corner settings.
+3.  If your phone doesn't already have a lock screen password, you can set one now to ensure that people can't get to your Start screen from Apps Corner. Tap **Protect my phone with a password**, click **Add**, type a PIN in the **New PIN** box, type it again in the **Confirm PIN** box, and then tap **OK**. Press **Back** ![back](../images/backicon.png) to the Apps Corner settings.
 
 4.  Turn **Action center** on or off, depending on whether you want people to be able to use these features when using the device in kiosk mode.
 
 5.  Tap **advanced**, and then turn features on or off, depending on whether you want people to be able to use them.
 
-6.  Press **Back** ![back.](../images/backicon.png) when you're done.
+6.  Press **Back** ![back](../images/backicon.png) when you're done.
 
 **To use Apps Corner**
 
-1.  On Start ![start.](../images/starticon.png), swipe over to the App list, then tap **Settings** ![settings](../images/settingsicon.png) &gt; **Accounts** &gt; **Apps Corner** &gt; launch ![launch](../images/launchicon.png).
+1.  On Start ![start](../images/starticon.png), swipe over to the App list, then tap **Settings** ![settings](../images/settingsicon.png) &gt; **Accounts** &gt; **Apps Corner** &gt; launch ![launch](../images/launchicon.png).
 
     >[!TIP]
     >Want to get to Apps Corner with one tap? In **Settings**, tap **Apps Corner** &gt; **pin** to pin the Apps Corner tile to your Start screen.
   
 2.  Give the device to someone else, so they can use the device and only the one app you chose.
 
-3.  When they're done and you get the device back, press and hold Power ![power.](../images/powericon.png), and then swipe right to exit Apps Corner.
+3.  When they're done and you get the device back, press and hold Power ![power](../images/powericon.png), and then swipe right to exit Apps Corner.
 
 ## Related topics
 
diff --git a/windows/configuration/mobile-devices/start-layout-xml-mobile.md b/windows/configuration/mobile-devices/start-layout-xml-mobile.md
index 858de39174..41fc17fe04 100644
--- a/windows/configuration/mobile-devices/start-layout-xml-mobile.md
+++ b/windows/configuration/mobile-devices/start-layout-xml-mobile.md
@@ -36,7 +36,7 @@ On Windows 10 Mobile, the customized Start works by:
 
 The following diagrams show the default Windows 10, version 1607 Start layouts for single SIM and dual SIM devices with Cortana support, and single SIM and dual SIM devices with no Cortana support. 
 
-![Start layout for Windows 10 Mobile.](../images/mobile-start-layout.png)
+![Start layout for Windows 10 Mobile](../images/mobile-start-layout.png)
 
 The diagrams show:
 
diff --git a/windows/configuration/provisioning-apn.md b/windows/configuration/provisioning-apn.md
index a8d47b38e2..326ea5b8b8 100644
--- a/windows/configuration/provisioning-apn.md
+++ b/windows/configuration/provisioning-apn.md
@@ -53,11 +53,11 @@ For users who work in different locations, you can configure one APN to connect
 
 5. Enter a name for the connection, and then click **Add**.
 
-    ![Example of APN connection name.](images/apn-add.png)
+    ![Example of APN connection name](images/apn-add.png)
     
 6. The connection appears in the **Available customizations** pane. Select it to view the settings that you can configure for the connection.
 
-    ![settings for new connection.](images/apn-add-details.png)
+    ![settings for new connection](images/apn-add-details.png)
     
 7. The following table describes the settings available for the connection.
 
diff --git a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md
index 38d6791423..67c28a8b90 100644
--- a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md
+++ b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md
@@ -38,7 +38,7 @@ Each CSP provides access to specific settings. For example, the [Wi-Fi CSP](/win
 
 CSPs are behind many of the management tasks and policies for Windows 10, both in Microsoft Intune and in non-Microsoft MDM service providers. For example, in Intune, the policy to allow search suggestions in the Microsoft Edge address bar uses **Browser/AllowSearchSuggestionsinAddressBar** in the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider).
 
-![how intune maps to csp.](../images/policytocsp.png)
+![how intune maps to csp](../images/policytocsp.png)
 
 CSPs receive configuration policies in the XML-based Synchronization Markup Language (SyncML) format, pushed from an MDM-compliant management server, such as Microsoft Intune. Traditional enterprise management systems, such as Microsoft Endpoint Configuration Manager, can also target CSPs, by using a client-side Windows Management Instrumentation (WMI)-to-CSP Bridge.
 
@@ -66,7 +66,7 @@ You can use Windows Configuration Designer to create [provisioning packages](./p
 
 Many settings in Windows Configuration Designer will display documentation for that setting in the center pane, and will include a reference to the CSP if the setting uses one, as shown in the following image.
 
-![how help content appears in icd.](../images/cspinicd.png)
+![how help content appears in icd](../images/cspinicd.png)
 
 [Provisioning packages in Windows 10](provisioning-packages.md) explains how to use the Windows Configuration Designer tool to create a runtime provisioning package.
 
@@ -86,7 +86,7 @@ All CSPs in Windows 10 are documented in the [Configuration service provider ref
 
 The [main CSP topic](/windows/client-management/mdm/configuration-service-provider-reference) tells you which CSPs are supported on each edition of Windows 10, and links to the documentation for each individual CSP.
 
-![csp per windows edition.](../images/csptable.png)
+![csp per windows edition](../images/csptable.png)
 
 The documentation for each CSP follows the same structure. After an introduction that explains the purpose of the CSP, a diagram shows the parts of the CSP in tree format.
 
@@ -94,7 +94,7 @@ The full path to a specific configuration setting is represented by its Open Mob
 
 The following example shows the diagram for the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp). The diagram maps to the XML for that CSP. Notice the different shapes in the diagram: rounded elements are nodes, and rectangular elements are settings or policies for which a value must be supplied.
 
-![assigned access csp tree.](../images/provisioning-csp-assignedaccess.png)
+![assigned access csp tree](../images/provisioning-csp-assignedaccess.png)
 
 The element in the tree diagram after the root node tells you the name of the CSP. Knowing this structure, you would recognize in XML the parts of the URI path for that CSP and, if you saw it in XML, you would know which CSP reference to look up. For example, in the following OMS-URI path for the kiosk mode app settings, you can see that it uses the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp).
 
@@ -104,7 +104,7 @@ The element in the tree diagram after the root node tells you the name of the CS
 
 When an element in the diagram uses _italic_ font, it indicates a placeholder for specific information, such as the tenant ID in the following example.
 
-![placeholder in csp tree.](../images/csp-placeholder.png)
+![placeholder in csp tree](../images/csp-placeholder.png)
 
 After the diagram, the documentation describes each element. For each policy or setting, the valid values are listed.
 
diff --git a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md
index 818a935488..38b7e01c09 100644
--- a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md
+++ b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md
@@ -58,7 +58,7 @@ Provisioning packages can include management instructions and policies, installa
 > [!TIP]
 > Use the desktop wizard to create a package with the common settings, then switch to the advanced editor to add other settings, apps, policies, etc.
 >
->![open advanced editor.](../images/icd-simple-edit.png)
+>![open advanced editor](../images/icd-simple-edit.png)
 
 ## Create the provisioning package
 
@@ -68,11 +68,11 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L
 
 2. Click **Provision desktop devices**.
 
-   ![ICD start options.](../images/icd-create-options-1703.png)   
+   ![ICD start options](../images/icd-create-options-1703.png)   
 
 3. Name your project and click **Finish**. The pages for desktop provisioning will walk you through the following steps.
 
-   ![ICD desktop provisioning.](../images/icd-desktop-1703.png)
+   ![ICD desktop provisioning](../images/icd-desktop-1703.png)
   
 > [!IMPORTANT]
 > When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md
index 68cfcc37af..a71916bfab 100644
--- a/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md
+++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md
@@ -46,7 +46,7 @@ Use the Windows Imaging and Configuration Designer (ICD) tool included in the Wi
 
 2. Click **Advanced provisioning**.
 
-   ![ICD start options.](../images/icdstart-option.png)  
+   ![ICD start options](../images/icdstart-option.png)  
   
 3. Name your project and click **Next**.
 
@@ -73,19 +73,19 @@ Universal apps that you can distribute in the provisioning package can be line-o
 
 2. For **DeviceContextApp**, specify the **PackageFamilyName** for the app. In Microsoft Store for Business, the package family name is listed in the **Package details** section of the download page.
 
-    ![details for offline app package.](../images/uwp-family.png)
+    ![details for offline app package](../images/uwp-family.png)
 
 3. For **ApplicationFile**, click **Browse** to find and select the target app (either an \*.appx or \*.appxbundle).
 
 4. For **DependencyAppxFiles**, click **Browse** to find and add any dependencies for the app. In Microsoft Store for Business, any dependencies for the app are listed in the **Required frameworks** section of the download page. 
 
-    ![required frameworks for offline app package.](../images/uwp-dependencies.png)
+    ![required frameworks for offline app package](../images/uwp-dependencies.png)
 
 5. For **DeviceContextAppLicense**, enter the **LicenseProductID**. 
 
     - In Microsoft Store for Business, generate the unencoded license for the app on the app's download page, and change the extension of the license file from **.xml** to **.ms-windows-store-license**.
 
-        ![generate license for offline app.](../images/uwp-license.png)
+        ![generate license for offline app](../images/uwp-license.png)
         
     - Open the license file and search for **LicenseID=** to get the GUID, enter the GUID in the **LicenseProductID** field and click **Add**.
     
diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md
index f6f7f9876b..cca8b46be8 100644
--- a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md
+++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md
@@ -74,11 +74,11 @@ When you add an app in a Windows Configuration Designer wizard, the appropriate
 
 2. Enter a name for the first app, and then click **Add**.
 
-    ![enter name for first app.](../images/wcd-app-name.png)
+    ![enter name for first app](../images/wcd-app-name.png)
 
 3. Configure the settings for the appropriate installer type.
 
-    ![enter settings for first app.](../images/wcd-app-commands.png)
+    ![enter settings for first app](../images/wcd-app-commands.png)
 
 ## Add a universal app to your package
 
@@ -88,19 +88,19 @@ Universal apps that you can distribute in the provisioning package can be line-o
 
 2. For **DeviceContextApp**, specify the **PackageFamilyName** for the app. In Microsoft Store for Business, the package family name is listed in the **Package details** section of the download page.
 
-    ![details for offline app package.](../images/uwp-family.png)
+    ![details for offline app package](../images/uwp-family.png)
 
 3. For **ApplicationFile**, click **Browse** to find and select the target app (either an \*.appx or \*.appxbundle).
 
 4. For **DependencyAppxFiles**, click **Browse** to find and add any dependencies for the app. In Microsoft Store for Business, any dependencies for the app are listed in the **Required frameworks** section of the download page. 
 
-    ![required frameworks for offline app package.](../images/uwp-dependencies.png)
+    ![required frameworks for offline app package](../images/uwp-dependencies.png)
 
 5. For **DeviceContextAppLicense**, enter the **LicenseProductID**. 
 
     - In Microsoft Store for Business, generate the unencoded license for the app on the app's download page. 
 
-        ![generate license for offline app.](../images/uwp-license.png)
+        ![generate license for offline app](../images/uwp-license.png)
         
     - Open the license file and search for **LicenseID=** to get the GUID, enter the GUID in the **LicenseProductID** field and click **Add**.
     
diff --git a/windows/configuration/provisioning-packages/provisioning-apply-package.md b/windows/configuration/provisioning-packages/provisioning-apply-package.md
index 4a9381ab1c..4a1bb159ac 100644
--- a/windows/configuration/provisioning-packages/provisioning-apply-package.md
+++ b/windows/configuration/provisioning-packages/provisioning-apply-package.md
@@ -35,7 +35,7 @@ Provisioning packages can be applied to a device during the first-run experience
 
 1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**.
 
-    ![The first screen to set up a new PC.](../images/oobe.jpg)
+    ![The first screen to set up a new PC](../images/oobe.jpg)
 
 2. Insert the USB drive. Windows Setup will recognize the drive and ask if you want to set up the device. Select **Set up**.
 
@@ -43,11 +43,11 @@ Provisioning packages can be applied to a device during the first-run experience
 
 3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**.
 
-    ![Provision this device.](../images/prov.jpg)
+    ![Provision this device](../images/prov.jpg)
     
 4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**.
 
-    ![Choose a package.](../images/choose-package.png)
+    ![Choose a package](../images/choose-package.png)
 
 5. Select **Yes, add it**.
 
@@ -59,7 +59,7 @@ Provisioning packages can be applied to a device during the first-run experience
 
 Insert the USB drive to a desktop computer, navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install. For a provisioning package stored on a network folder or on a SharePoint site, navigate to the provisioning package and double-click it to begin installation.
 
-![add a package option.](../images/package.png)
+![add a package option](../images/package.png)
     
 ## Mobile editions
 
@@ -68,13 +68,13 @@ Insert the USB drive to a desktop computer, navigate to **Settings** > **Account
 1. Insert an SD card containing the provisioning package into the device.
 2. Navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install. 
 
-    ![add a package option.](../images/packages-mobile.png)
+    ![add a package option](../images/packages-mobile.png)
 
 3. Click **Add**.
 
 4. On the device, the **Is this package from a source you trust?** message will appear. Tap **Yes, add it**.
 
-    ![Is this package from a source you trust.](../images/package-trust.png)
+    ![Is this package from a source you trust](../images/package-trust.png)
     
 ### Copying the provisioning package to the device
 
@@ -84,7 +84,7 @@ Insert the USB drive to a desktop computer, navigate to **Settings** > **Account
 
 3. On the device, the **Is this package from a source you trust?** message will appear. Tap **Yes, add it**.
 
-    ![Is this package from a source you trust.](../images/package-trust.png)
+    ![Is this package from a source you trust](../images/package-trust.png)
 
 
 
diff --git a/windows/configuration/provisioning-packages/provisioning-create-package.md b/windows/configuration/provisioning-packages/provisioning-create-package.md
index 0aa10c16b5..b67e28b34d 100644
--- a/windows/configuration/provisioning-packages/provisioning-create-package.md
+++ b/windows/configuration/provisioning-packages/provisioning-create-package.md
@@ -39,7 +39,7 @@ You can use Windows Configuration Designer to create a provisioning package (.pp
 
 2. Select your desired option on the **Start** page, which offers multiple options for creating a provisioning package, as shown in the following image:
 
-    ![Configuration Designer wizards.](../images/icd-create-options-1703.png)
+    ![Configuration Designer wizards](../images/icd-create-options-1703.png)
 
     - The following wizard options provide a simple interface for configuring common settings for desktop, mobile, and kiosk devices: 
 
@@ -56,7 +56,7 @@ You can use Windows Configuration Designer to create a provisioning package (.pp
         >[!TIP]
         > You can start a project in the simple wizard editor and then switch the project to the advanced editor.
         >
-        > ![Switch to advanced editor.](../images/icd-switch.png)
+        > ![Switch to advanced editor](../images/icd-switch.png)
 
 3. Enter a name for your project, and then select **Next**.
 
@@ -87,7 +87,7 @@ You can use Windows Configuration Designer to create a provisioning package (.pp
 
 For an advanced provisioning project, Windows Configuration Designer opens the **Available customizations** pane. The example in the following image is based on **All Windows desktop editions** settings.
 
-![What the ICD interface looks like.](../images/icd-runtime.png)
+![What the ICD interface looks like](../images/icd-runtime.png)
 
 The settings in Windows Configuration Designer are based on Windows 10 configuration service providers (CSPs). To learn more about CSPs, see [Introduction to configuration service providers (CSPs) for IT pros](./how-it-pros-can-use-configuration-service-providers.md).
 
@@ -103,14 +103,14 @@ The process for configuring settings is similar for all settings. The following
 
 For details on each specific setting, see [Windows Provisioning settings reference](../wcd/wcd.md). The reference topic for a setting is also displayed in Windows Configuration Designer when you select the setting, as shown in the following image.
 
-![Windows Configuration Designer opens the reference topic when you select a setting.](../images/icd-setting-help.png) 
+![Windows Configuration Designer opens the reference topic when you select a setting](../images/icd-setting-help.png) 
 
 
  ## Build package
 
 1. After you're done configuring your customizations, select **Export**, and then select **Provisioning Package**.
 
-    ![Export on top bar.](../images/icd-export-menu.png)
+    ![Export on top bar](../images/icd-export-menu.png)
 
 2. In the **Describe the provisioning package** window, enter the following information, and then select **Next**:
     - **Name** - This field is pre-populated with the project name. You can change this value by entering a different name in the **Name** field.
diff --git a/windows/configuration/provisioning-packages/provisioning-install-icd.md b/windows/configuration/provisioning-packages/provisioning-install-icd.md
index 1a467d4e6d..8a7b9c464d 100644
--- a/windows/configuration/provisioning-packages/provisioning-install-icd.md
+++ b/windows/configuration/provisioning-packages/provisioning-install-icd.md
@@ -66,7 +66,7 @@ On devices running Windows 10, you can install [the Windows Configuration Design
 
 6. On the **Select the features you want to install** page, clear all selections except **Configuration Designer**, and then click **Install**.
 
-    ![Only Configuration Designer selected for installation.](../images/icd-install.png)
+    ![Only Configuration Designer selected for installation](../images/icd-install.png)
 
 ## Current Windows Configuration Designer limitations
 
diff --git a/windows/configuration/provisioning-packages/provisioning-multivariant.md b/windows/configuration/provisioning-packages/provisioning-multivariant.md
index 6e54b39009..e5d60aba7f 100644
--- a/windows/configuration/provisioning-packages/provisioning-multivariant.md
+++ b/windows/configuration/provisioning-packages/provisioning-multivariant.md
@@ -35,7 +35,7 @@ In the XML file, you provide an **Id**, or friendly name, for each **Target**. E
 
 A **Target** can have more than one **TargetState**, and a **TargetState** can have more than one **Condition**. 
 
-![Target with multiple target states and conditions.](../images/multi-target.png)
+![Target with multiple target states and conditions](../images/multi-target.png)
 
 The following table describes the logic for the target definition.
 
diff --git a/windows/configuration/provisioning-packages/provisioning-packages.md b/windows/configuration/provisioning-packages/provisioning-packages.md
index a3b4e25f84..2313b0e929 100644
--- a/windows/configuration/provisioning-packages/provisioning-packages.md
+++ b/windows/configuration/provisioning-packages/provisioning-packages.md
@@ -124,7 +124,7 @@ For details about the settings you can customize in provisioning packages, see [
 
 Windows ICD for Windows 10, version 1607, simplified common provisioning scenarios. 
 
-![Configuration Designer options.](../images/icd.png)
+![Configuration Designer options](../images/icd.png)
 
 Windows ICD in Windows 10, version 1607, supported the following scenarios for IT administrators:
 
diff --git a/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md b/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md
index 6e01640c44..a616731808 100644
--- a/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md
+++ b/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md
@@ -189,13 +189,13 @@ cmd /c InstallMyApp.bat
 
 In Windows Configuration Designer, this looks like:
 
-![Command line in Selected customizations.](../images/icd-script1.png)
+![Command line in Selected customizations](../images/icd-script1.png)
 
 You also need to add the relevant assets for that command line including the orchestrator script and any other assets it references such as installers or .cab files.
 
 In Windows Configuration Designer, that is done by adding files under the `ProvisioningCommands/DeviceContext/CommandFiles` setting.
 
-![Command files in Selected customizations.](../images/icd-script2.png)
+![Command files in Selected customizations](../images/icd-script2.png)
 
 When you are done, [build the package](provisioning-create-package.md#build-package). 
  
diff --git a/windows/configuration/set-up-shared-or-guest-pc.md b/windows/configuration/set-up-shared-or-guest-pc.md
index ed5c4ee3a3..e4327a7b35 100644
--- a/windows/configuration/set-up-shared-or-guest-pc.md
+++ b/windows/configuration/set-up-shared-or-guest-pc.md
@@ -108,13 +108,13 @@ You can configure Windows to be in shared PC mode in a couple different ways:
   8. On the **Configuration settings** page, set the ‘Shared PC Mode’ value to **Enabled**.
 
      > [!div class="mx-imgBorder"]
-     > ![Shared PC mode in the Configuration settings page.](images/shared_pc_3.png) 
+     > ![Shared PC mode in the Configuration settings page](images/shared_pc_3.png) 
 
   11. From this point on, you can configure any additional settings you’d like to be part of this policy, and then follow the rest of the set-up flow to its completion by selecting **Create** after **Step 6**.
 
 - A provisioning package created with the Windows Configuration Designer: You can apply a provisioning package when you initially set up the PC (also known as the out-of-box-experience or OOBE), or you can apply the provisioning package to a Windows 10 PC that is already in use. The provisioning package is created in Windows Configuration Designer. Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](/windows/client-management/mdm/sharedpc-csp), exposed in Windows Configuration Designer as **SharedPC**.
 
-     ![Shared PC settings in ICD.](images/icd-adv-shared-pc.png)
+     ![Shared PC settings in ICD](images/icd-adv-shared-pc.png)
 
 - WMI bridge: Environments that use Group Policy can use the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) to configure the [MDM_SharedPC class](/windows/win32/dmwmibridgeprov/mdm-sharedpc). For all device settings, the WMI Bridge client must be executed under local system user; for more information, see [Using PowerShell scripting with the WMI Bridge Provider](/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider). For example, open PowerShell as an administrator and enter the following:
     
@@ -189,7 +189,7 @@ You can apply the provisioning package to a PC during initial setup or to a PC t
 
 1. Start with a PC on the setup screen. 
 
-    ![The first screen to set up a new PC.](images/oobe.jpg)
+    ![The first screen to set up a new PC](images/oobe.jpg)
 
 2. Insert the USB drive. If nothing happens when you insert the USB drive, press the Windows key five times.
 
@@ -206,7 +206,7 @@ You can apply the provisioning package to a PC during initial setup or to a PC t
 
 On a desktop computer, navigate to **Settings** &gt; **Accounts** &gt; **Work access** &gt; **Add or remove a management package** &gt; **Add a package**, and selects the package to install. 
 
-![add a package option.](images/package.png)
+![add a package option](images/package.png)
 
 > [!NOTE]
 > If you apply the setup file to a computer that has already been set up, existing accounts and data might be lost.
diff --git a/windows/configuration/start-layout-troubleshoot.md b/windows/configuration/start-layout-troubleshoot.md
index 5a39031455..24dbcd1b32 100644
--- a/windows/configuration/start-layout-troubleshoot.md
+++ b/windows/configuration/start-layout-troubleshoot.md
@@ -42,7 +42,7 @@ When troubleshooting basic Start issues (and for the most part, all other Window
   - `get-AppXPackage -Name Microsoft.Windows.ShellExperienceHost`
   - `get-AppXPackage -Name Microsoft.Windows.Cortana`
 
-    ![Example of output from cmdlets.](images/start-ts-1.png)
+    ![Example of output from cmdlets](images/start-ts-1.png)
 
     Failure messages will appear if they aren't installed
 
@@ -188,7 +188,7 @@ Events for both PDC and Background Tasks Infrastructure Service will be recorded
 
 ### Symptom: Application tiles like Alarm, Calculator, and Edge are missing from Start menu and the Settings app fails to open on Windows 10, version 1709 when a local user profile is deleted
 
-![Screenshots that show download icons on app tiles and missing app tiles.](images/start-ts-2.png)
+![Screenshots that show download icons on app tiles and missing app tiles](images/start-ts-2.png)
 
 **Cause**: This issue is known. The first-time sign-in experience is not detected and does not trigger the install of some apps.
 
@@ -236,11 +236,11 @@ Specifically, behaviors include
 - If a new roaming user is created, the first sign-in appears normal, but on subsequent sign-ins, tiles are missing.
 
 
-![Example of a working layout.](images/start-ts-3.png)
+![Example of a working layout](images/start-ts-3.png)
 
 *Working layout on first sign-in of a new roaming user profile*
 
-![Example of a failing layout.](images/start-ts-4.png)
+![Example of a failing layout](images/start-ts-4.png)
 
 *Failing layout on subsequent sign-ins*
 
@@ -256,15 +256,15 @@ Specifically, behaviors include
 
 Before the upgrade:
  
-  ![Example of Start screen with customizations applied.](images/start-ts-5.jpg)
+  ![Example of Start screen with customizations applied](images/start-ts-5.jpg)
 
 After the upgrade the user pinned tiles are missing:
 
-  ![Example of Start screen with previously pinned tiles missing.](images/start-ts-6.png)
+  ![Example of Start screen with previously pinned tiles missing](images/start-ts-6.png)
  
 Additionally, users may see blank tiles if sign-in was attempted without network connectivity.
 
-  ![Example of blank tiles.](images/start-ts-7.png)
+  ![Example of blank tiles](images/start-ts-7.png)
  
 
 **Resolution**: This issue was fixed in the [October 2017 update](https://support.microsoft.com/en-us/help/4041676).
diff --git a/windows/configuration/start-secondary-tiles.md b/windows/configuration/start-secondary-tiles.md
index 351f09ce8e..d988f11531 100644
--- a/windows/configuration/start-secondary-tiles.md
+++ b/windows/configuration/start-secondary-tiles.md
@@ -31,15 +31,15 @@ In a Start layout for Windows 10, version 1703, you can include secondary tiles
 
 Suppose that the [Start layout that you export](customize-and-export-start-layout.md) had two secondary tiles, such as in the following image:
 
-![tile for MSN and for a SharePoint site.](images/edge-with-logo.png)
+![tile for MSN and for a SharePoint site](images/edge-with-logo.png)
 
 In prior versions of Windows 10, when you applied the Start layout to a device, the tiles would display as shown in the following image:
 
-![tile for MSN and for a SharePoint site with no logos.](images/edge-without-logo.png)
+![tile for MSN and for a SharePoint site with no logos](images/edge-without-logo.png)
 
 In Windows 10, version 1703, by using the PowerShell cmdlet `export-StartLayoutEdgeAssets` and the policy setting `ImportEdgeAssets`, the tiles will now display the same as they did on the device from which you exported the Start layout.
 
-![tile for MSN and for a SharePoint site.](images/edge-with-logo.png)
+![tile for MSN and for a SharePoint site](images/edge-with-logo.png)
 
 **Example of secondary tiles in XML generated by Export-StartLayout**
 
@@ -156,7 +156,7 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L
 
 12. Open the customizations.xml file in a text editor. The **&lt;Customizations&gt;** section will look like this:
 
-     ![Customizations file with the placeholder text to replace highlighted.](images/customization-start-edge.png)
+     ![Customizations file with the placeholder text to replace highlighted](images/customization-start-edge.png)
 
 13. Replace **layout.xml** with the text from the layout.xml file, [with markup characters replaced with escape characters](#escape).
 
diff --git a/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md b/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md
index 75fcbcdad0..83744db2ca 100644
--- a/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md
+++ b/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md
@@ -121,7 +121,7 @@ UE-V for Windows 10, version 1607 includes a new template generator. If you are
 <img src="media/image1.png" width="537" height="394" />
 -->
 
-![Selecting UE-V features in ADK.](images/uev-adk-select-uev-feature.png)
+![Selecting UE-V features in ADK](images/uev-adk-select-uev-feature.png)
 
 3. To open the generator, select **Microsoft Application Virtualization Generator** from the **Start** menu. 
 
diff --git a/windows/configuration/ue-v/uev-for-windows.md b/windows/configuration/ue-v/uev-for-windows.md
index 0d091fe1bb..bb6d70d870 100644
--- a/windows/configuration/ue-v/uev-for-windows.md
+++ b/windows/configuration/ue-v/uev-for-windows.md
@@ -41,7 +41,7 @@ The diagram below illustrates how UE-V components work together to synchronize u
 <img src="images/uev-archdiagram.png" alt="UE-V architecture, with server share, desktop, and UE-V service" width="625" height="351" />
 
 <!--  SIMPLER METHOD FOR CODING IMAGE
-![UE-V architecture, with server share, desktop, and UE-V service.](images/uev-archdiagram.png)
+![UE-V architecture, with server share, desktop, and UE-V service](images/uev-archdiagram.png)
 -->
 
 | **Component**            | **Function**     |
@@ -65,7 +65,7 @@ Use these UE-V components to create and manage custom templates for your third-p
 <img src="media/image2.gif" width="595" height="330" />
 -->
 
-![UE-V template generator process.](images/uev-generator-process.png)
+![UE-V template generator process](images/uev-generator-process.png)
 
 ## Settings synchronized by default
 
diff --git a/windows/configuration/ue-v/uev-prepare-for-deployment.md b/windows/configuration/ue-v/uev-prepare-for-deployment.md
index 08853f5b22..bfc7cfa6f3 100644
--- a/windows/configuration/ue-v/uev-prepare-for-deployment.md
+++ b/windows/configuration/ue-v/uev-prepare-for-deployment.md
@@ -44,7 +44,7 @@ If you want to use UE-V to synchronize user-defined settings for custom applicat
 
 The workflow diagram below illustrates a typical UE-V deployment and the decisions you need to be prepared to make.
 
-![UE-V deployment preparation.](images/uev-deployment-preparation.png)
+![UE-V deployment preparation](images/uev-deployment-preparation.png)
 
 <!-- PRESERVING ^ORIGINAL IMAGE CODING JUST IN CASE
 <img src="media/image1.png" width="446" height="362" />
@@ -171,13 +171,13 @@ If you’ve decided that you need to synchronize settings for custom application
 
 | &nbsp;   | **Description**  |
 |-------|--------------------------|
-| ![Checklist box.](images/uev-checklist-box.gif) | Does this application contain settings that the user can customize? |
-| ![Checklist box.](images/uev-checklist-box.gif) | Is it important for the user that these settings are synchronized? |
-| ![Checklist box.](images/uev-checklist-box.gif) | Are these user settings already managed by an application management or settings policy solution? UE-V applies application settings at application startup and Windows settings at logon, unlock, or remote connect events. If you use UE-V with other settings sharing solutions, users might experience inconsistency across synchronized settings. |
-| ![Checklist box.](images/uev-checklist-box.gif) | Are the application settings specific to the computer? Application preferences and customizations that are associated with hardware or specific computer configurations do not consistently synchronize across sessions and can cause a poor application experience. |
-| ![Checklist box.](images/uev-checklist-box.gif) | Does the application store settings in the Program Files directory or in the file directory that is located in the **Users**\\ \[User name\] \\**AppData**\\**LocalLow** directory? Application data that is stored in either of these locations usually should not synchronize with the user, because this data is specific to the computer or because the data is too large to synchronize. |
-| ![Checklist box.](images/uev-checklist-box.gif) | Does the application store any settings in a file that contains other application data that should not synchronize? UE-V synchronizes files as a single unit. If settings are stored in files that include application data other than settings, then synchronizing this additional data can cause a poor application experience.|
-| ![Checklist box.](images/uev-checklist-box.gif) | How large are the files that contain the settings? The performance of the settings synchronization can be affected by large files. Including large files can affect the performance of settings synchronization. |
+| ![Checklist box](images/uev-checklist-box.gif) | Does this application contain settings that the user can customize? |
+| ![Checklist box](images/uev-checklist-box.gif) | Is it important for the user that these settings are synchronized? |
+| ![Checklist box](images/uev-checklist-box.gif) | Are these user settings already managed by an application management or settings policy solution? UE-V applies application settings at application startup and Windows settings at logon, unlock, or remote connect events. If you use UE-V with other settings sharing solutions, users might experience inconsistency across synchronized settings. |
+| ![Checklist box](images/uev-checklist-box.gif) | Are the application settings specific to the computer? Application preferences and customizations that are associated with hardware or specific computer configurations do not consistently synchronize across sessions and can cause a poor application experience. |
+| ![Checklist box](images/uev-checklist-box.gif) | Does the application store settings in the Program Files directory or in the file directory that is located in the **Users**\\ \[User name\] \\**AppData**\\**LocalLow** directory? Application data that is stored in either of these locations usually should not synchronize with the user, because this data is specific to the computer or because the data is too large to synchronize. |
+| ![Checklist box](images/uev-checklist-box.gif) | Does the application store any settings in a file that contains other application data that should not synchronize? UE-V synchronizes files as a single unit. If settings are stored in files that include application data other than settings, then synchronizing this additional data can cause a poor application experience.|
+| ![Checklist box](images/uev-checklist-box.gif) | How large are the files that contain the settings? The performance of the settings synchronization can be affected by large files. Including large files can affect the performance of settings synchronization. |
 
 ## Other considerations when preparing a UE-V deployment
 
diff --git a/windows/configuration/ue-v/uev-upgrade-uev-from-previous-releases.md b/windows/configuration/ue-v/uev-upgrade-uev-from-previous-releases.md
index c291585ed5..44febde285 100644
--- a/windows/configuration/ue-v/uev-upgrade-uev-from-previous-releases.md
+++ b/windows/configuration/ue-v/uev-upgrade-uev-from-previous-releases.md
@@ -101,7 +101,7 @@ The UE-V template generator is included in the Windows Assessment and Deployment
 
 2. Select the **Get Windows ADK for Windows 10** button on this page to start the ADK installer. On the screen pictured below, select **Microsoft User Experience Virtualization (UE-V) Template Generator** and then select **Install**.
 
-    ![Selecting UE-V features in ADK.](images/uev-adk-select-uev-feature.png)
+    ![Selecting UE-V features in ADK](images/uev-adk-select-uev-feature.png)
  
 3. To open the generator, open the **Start** menu and navigate to **Windows Kits** > **Microsoft User Experience Virtualization (UE-V) Template Generator**. 
 
diff --git a/windows/configuration/wcd/wcd-admxingestion.md b/windows/configuration/wcd/wcd-admxingestion.md
index 9a474ff6c8..2a64e58ca8 100644
--- a/windows/configuration/wcd/wcd-admxingestion.md
+++ b/windows/configuration/wcd/wcd-admxingestion.md
@@ -87,11 +87,11 @@ $path="file path"
 
 The following images show snippets of the ADMX file for Office 16 that are used in the examples in the procedures above. The first image highlights the category names.
 
-![Snippet of ADMX shows category names highlighted.](../images/admx-category.png)
+![Snippet of ADMX shows category names highlighted](../images/admx-category.png)
 
 The next image highlights the specific policy.
 
-![Snipped of ADMX shows policy setting highlighted.](../images/admx-policy.png)
+![Snipped of ADMX shows policy setting highlighted](../images/admx-policy.png)
 
 
 ## Related topics
diff --git a/windows/configuration/windows-10-start-layout-options-and-policies.md b/windows/configuration/windows-10-start-layout-options-and-policies.md
index b426a02ca2..e0816bbb6f 100644
--- a/windows/configuration/windows-10-start-layout-options-and-policies.md
+++ b/windows/configuration/windows-10-start-layout-options-and-policies.md
@@ -71,7 +71,7 @@ For more information, see [Use MDM to customize Windows 10 Start and taskbar](cu
 
 ## Start menu policy settings
 
-![start layout sections.](images/startannotated.png)
+![start layout sections](images/startannotated.png)
 
 The following list includes the different Start options, and any policy or local settings. The settings in the list can also be used in a provisioning package. If you use a provisioning package, see the [Windows Configuration Designer reference](./wcd/wcd-policies.md#start).
 
@@ -180,7 +180,7 @@ The following example shows how apps are pinned. In OS configured to use a right
 - Apps pinned by the user in the center (orange triangle)
 - Apps that you pin using XML to the right (green square)
 
-![Windows left, user center, enterprise to the right.](images/taskbar-generic.png)
+![Windows left, user center, enterprise to the right](images/taskbar-generic.png)
 
 If you apply the taskbar configuration to a clean install or an update, users can still:
 
diff --git a/windows/configuration/windows-spotlight.md b/windows/configuration/windows-spotlight.md
index 08afef11a3..1b43de2520 100644
--- a/windows/configuration/windows-spotlight.md
+++ b/windows/configuration/windows-spotlight.md
@@ -40,20 +40,20 @@ For managed devices running Windows 10 Enterprise and Windows 10 Education, en
 
     The Windows Spotlight displays a new image on the lock screen each day. The initial background image is included during installation. Additional images are downloaded on ongoing basis.
 
-    ![lock screen image.](images/lockscreen.png)
+    ![lock screen image](images/lockscreen.png)
 
 -   **Feature suggestions, fun facts, tips**
 
     The lock screen background will occasionally make recommendations on how to enhance your productivity and enjoyment of Microsoft products including suggesting other relevant Microsoft products and services.
     
-    ![fun facts.](images/funfacts.png)
+    ![fun facts](images/funfacts.png)
 
 ## How do you turn off Windows Spotlight locally?
 
 
 To turn off Windows Spotlight locally, go to **Settings** &gt; **Personalization** &gt; **Lock screen** &gt; **Background** &gt; **Windows spotlight** &gt; select a different lock screen background
 
-![personalization background.](images/spotlight.png)
+![personalization background](images/spotlight.png)
 
 ## How do you disable Windows Spotlight for managed devices?
 
@@ -81,7 +81,7 @@ Windows Spotlight is enabled by default. Windows 10 provides Group Policy and mo
  >If you want to use a custom lock screen image that contains text, see [Resolution for custom lock screen image](#resolution-for-custom-lock-screen-image).
 
 
-![lockscreen policy details.](images/lockscreenpolicy.png)
+![lockscreen policy details](images/lockscreenpolicy.png)
 
 Pay attention to the checkbox in **Options**. In addition to providing the path to the lock screen image, administrators can choose to allow or **Turn off fun facts, tips, tricks, and more on lock screen**. If the checkbox is not selected, users will see the lock screen image that is defined in the policy setting, and will also see occasional messages.
 
diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml
index 967f57f92e..d61509c788 100644
--- a/windows/deployment/TOC.yml
+++ b/windows/deployment/TOC.yml
@@ -271,8 +271,6 @@
           href: update/how-windows-update-works.md
         - name: Windows 10 upgrade paths
           href: upgrade/windows-10-upgrade-paths.md
-        - name: Windows 10 edition upgrade
-          href: upgrade/windows-10-edition-upgrades.md
         - name: Deploy Windows 10 with Microsoft 365
           href: deploy-m365.md
         - name: Understand the Unified Update Platform
diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md
index 1101efd400..612b3619c6 100644
--- a/windows/deployment/deploy-enterprise-licenses.md
+++ b/windows/deployment/deploy-enterprise-licenses.md
@@ -82,7 +82,7 @@ You might ask why you need to synchronize these identities. The answer is so tha
 
 **Figure 1** illustrates the integration between the on-premises AD DS domain with Azure AD. [Microsoft Azure Active Directory Connect](https://www.microsoft.com/download/details.aspx?id=47594) (Azure AD Connect) is responsible for synchronization of identities between the on-premises AD DS domain and Azure AD. Azure AD Connect is a service that you can install on-premises or in a virtual machine in Azure.
 
-![Illustration of Azure Active Directory Connect.](images/enterprise-e3-ad-connect.png)
+![Illustration of Azure Active Directory Connect](images/enterprise-e3-ad-connect.png)
 
 **Figure 1. On-premises AD DS integrated with Azure AD**
 
@@ -103,7 +103,7 @@ Devices must be running Windows 10 Pro, version 1703, and be Azure Active Direct
 Upon acquisition of Windows 10 subscription has been completed (Windows 10 Business, E3 or E5), customers will receive an email that will provide guidance on how to use Windows as an online service:
 
 > [!div class="mx-imgBorder"]
-> ![profile.](images/al01.png)
+> ![profile](images/al01.png)
 
 The following methods are available to assign licenses:
 
@@ -111,7 +111,7 @@ The following methods are available to assign licenses:
 
 2. You can sign in to portal.office.com and manually assign licenses:
 
-    ![portal.](images/al02.png)
+    ![portal](images/al02.png)
 
 3. You can assign licenses by uploading a spreadsheet.
 
diff --git a/windows/deployment/deploy-m365.md b/windows/deployment/deploy-m365.md
index 9758211e0a..25b5de33e1 100644
--- a/windows/deployment/deploy-m365.md
+++ b/windows/deployment/deploy-m365.md
@@ -62,14 +62,14 @@ Examples of these two deployment advisors are shown below.
 - [Windows Analytics deployment advisor example](#windows-analytics-deployment-advisor-example)
 
 ## Microsoft 365 deployment advisor example
-![Microsoft 365 deployment advisor.](images/m365da.png)
+![Microsoft 365 deployment advisor](images/m365da.png)
 
 ## Windows Analytics deployment advisor example
 
 
 ## M365 Enterprise poster
 
-[![M365 Enterprise poster.](images/m365e.png)](https://aka.ms/m365eposter)
+[![M365 Enterprise poster](images/m365e.png)](https://aka.ms/m365eposter)
 
 ## Related Topics
 
diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md
index b092bc6e3c..084c1d13cc 100644
--- a/windows/deployment/deploy-whats-new.md
+++ b/windows/deployment/deploy-whats-new.md
@@ -102,7 +102,7 @@ The following Delivery Optimization policies are removed in the Windows 10, vers
 
 Microsoft previously announced that we are [extending support](https://www.microsoft.com/microsoft-365/blog/2018/09/06/helping-customers-shift-to-a-modern-desktop) for Windows 10 Enterprise and Windows 10 Education editions to 30 months from the version release date. This includes all past versions and future versions that are targeted for release in September (versions ending in 09, ex: 1809). Future releases that are targeted for release in March (versions ending in 03, ex: 1903) will continue to be supported for 18 months from their release date. All releases of Windows 10 Home, Windows 10 Pro, and Microsoft 365 Apps for enterprise will continue to be supported for 18 months (there is no change for these editions).  These support policies are summarized in the table below.
 
-![Support lifecycle.](images/support-cycle.png)
+![Support lifecycle](images/support-cycle.png)
 
 ## Windows 10 Enterprise upgrade
 
diff --git a/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md
index 399232f5fe..d5890631a6 100644
--- a/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md
@@ -42,7 +42,7 @@ An existing Configuration Manager infrastructure that is integrated with MDT is
 1.  Using File Explorer, in the **D:\\Sources\\OSD\\OS** folder, create a subfolder named **Windows 10 Enterprise x64 RTM**.
 2.  Copy the REFW10-X64-001.wim file to the **D:\\Sources\\OSD\\OS\\Windows 10 Enterprise x64 RTM** folder.
 
-    ![figure 17.](../images/ref-image.png)
+    ![figure 17](../images/ref-image.png)
 
     The Windows 10 image being copied to the Sources folder structure.
 
@@ -53,7 +53,7 @@ An existing Configuration Manager infrastructure that is integrated with MDT is
 7.  In the Distribute Content Wizard, add the CM01 distribution point, click **Next** and click **Close**.
 8.  View the content status for the Windows 10 Enterprise x64 RTM package. Do not continue until the distribution is completed (it might take a few minutes). You also can review the D:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file and look for the **STATMSG: ID=2301** line.
 
-    ![figure 18.](../images/fig18-distwindows.png)
+    ![figure 18](../images/fig18-distwindows.png)
 
     The distributed Windows 10 Enterprise x64 RTM package.
 
diff --git a/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md
index 0da40d6702..3c4382a940 100644
--- a/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md
@@ -38,7 +38,7 @@ This section will show you how to import some network and storage drivers for Wi
 
 This section assumes you have downloaded some drivers to the **D:\\Sources\\OSD\\DriverSources\\WinPE x64** folder on CM01.
 
-![Drivers.](../images/cm01-drivers.png)
+![Drivers](../images/cm01-drivers.png)
 
 Driver folder structure on CM01
 
@@ -52,10 +52,10 @@ On **CM01**:
 6. In the popup window that appears, click **Yes** to automatically update the distribution point.
 7. Click **Next**, wait for the image to be updated, and then click **Close**.
 
-  ![Add drivers to Windows PE step 1.](../images/fig21-add-drivers1.png)<br>
-  ![Add drivers to Windows PE step 2.](../images/fig21-add-drivers2.png)<br>
-  ![Add drivers to Windows PE step 3.](../images/fig21-add-drivers3.png)<br>
-  ![Add drivers to Windows PE step 4.](../images/fig21-add-drivers4.png)
+  ![Add drivers to Windows PE step 1](../images/fig21-add-drivers1.png)<br>
+  ![Add drivers to Windows PE step 2](../images/fig21-add-drivers2.png)<br>
+  ![Add drivers to Windows PE step 3](../images/fig21-add-drivers3.png)<br>
+  ![Add drivers to Windows PE step 4](../images/fig21-add-drivers4.png)
 
   Add drivers to Windows PE
 
@@ -65,7 +65,7 @@ This section illustrates how to add drivers for Windows 10 using the HP EliteBoo
 
 For the purposes of this section, we assume that you have downloaded the Windows 10 drivers for the HP EliteBook 8560w model and copied them to the **D:\Sources$\OSD\DriverSources\Windows 10 x64\Hewlett-Packard\HP EliteBook 8560w** folder on CM01.
 
-![Drivers in Windows.](../images/cm01-drivers-windows.png)
+![Drivers in Windows](../images/cm01-drivers-windows.png)
 
 Driver folder structure on CM01
 
@@ -75,7 +75,7 @@ On **CM01**:
 2. In the Import New Driver Wizard, on the **Specify a location to import driver** page, select the **Import all drivers in the following network path (UNC)** option, browse to the **\\\\CM01\\Sources$\\OSD\\DriverSources\\Windows 10 x64\\Hewlett-Packard\\HP EliteBook 8560w** folder and click **Next**. Wait a minute for driver information to be validated.
 3. On the **Specify the details for the imported driver** page, click **Categories**, create a category named **Windows 10 x64 - HP EliteBook 8560w**, click **OK**, and then click **Next**.
 
-    ![Create driver categories.](../images/fig22-createcategories.png "Create driver categories")
+    ![Create driver categories](../images/fig22-createcategories.png "Create driver categories")
 
     Create driver categories
 
@@ -93,7 +93,7 @@ On **CM01**:
     >[!NOTE]
     >If you want to monitor the driver import process more closely, you can open the SMSProv.log file during driver import.
   
-    ![Drivers imported and a new driver package created.](../images/cm01-drivers-packages.png "Drivers imported and a new driver package created")
+    ![Drivers imported and a new driver package created](../images/cm01-drivers-packages.png "Drivers imported and a new driver package created")
   
     Drivers imported and a new driver package created
 
diff --git a/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
index eb6a7f33e2..1943afe9b2 100644
--- a/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
@@ -61,7 +61,7 @@ On **CM01**:
 4.  On the **Options** page, select the **x64** platform, and click **Next**.
 5.  On the **Components** page, in addition to the default selected **Microsoft Data Access Components (MDAC/ADO)** support, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** check box and click **Next**.
 
-    ![Add the DaRT component to the Configuration Manager boot image.](../images/mdt-06-fig16.png "Add the DaRT component to the Configuration Manager boot image")
+    ![Add the DaRT component to the Configuration Manager boot image](../images/mdt-06-fig16.png "Add the DaRT component to the Configuration Manager boot image")
 
     Add the DaRT component to the Configuration Manager boot image.
 
@@ -72,8 +72,8 @@ On **CM01**:
 8.  In the Distribute Content Wizard, add the CM01 distribution point, and complete the wizard.
 9.  Using Configuration Manager Trace, review the D:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file. Do not continue until you can see that the boot image is distributed. Look for the line that reads **STATMSG: ID=2301**. You also can monitor Content Status in the Configuration Manager Console at **\Monitoring\Overview\Distribution Status\Content Status\Zero Touch WinPE x64**. See the following examples:
 
-    ![Content status for the Zero Touch WinPE x64 boot image step 1.](../images/fig16-contentstatus1.png)<br>
-    ![Content status for the Zero Touch WinPE x64 boot image step 2.](../images/fig16-contentstatus2.png)
+    ![Content status for the Zero Touch WinPE x64 boot image step 1](../images/fig16-contentstatus1.png)<br>
+    ![Content status for the Zero Touch WinPE x64 boot image step 2](../images/fig16-contentstatus2.png)
 
     Content status for the Zero Touch WinPE x64 boot image
 
@@ -82,8 +82,8 @@ On **CM01**:
 12. Using Configuration Manager Trace, review the D:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file and look for this text: **Expanding PS100009 to D:\\RemoteInstall\\SMSImages**.
 13. Review the **D:\\RemoteInstall\\SMSImages** folder. You should see three folders containing boot images. Two are from the default boot images, and the third folder (PS100009) is from your new boot image with DaRT. See the examples below:
 
-    ![PS100009 step 1.](../images/ps100009-1.png)<br>
-    ![PS100009 step 2.](../images/ps100009-2.png)
+    ![PS100009 step 1](../images/ps100009-1.png)<br>
+    ![PS100009 step 2](../images/ps100009-2.png)
 
 >Note: Depending on your infrastructure and the number of packages and boot images present, the Image ID might be a different number than PS100009.
 
diff --git a/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md b/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md
index 8bba45f997..7f539c965d 100644
--- a/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md
+++ b/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md
@@ -87,14 +87,14 @@ On **CM01**:
     >[!NOTE]
     >You also can add a Query WMI condition with the following query: SELECT \* FROM Win32\_ComputerSystem WHERE Model LIKE '%HP EliteBook 8560w%'
     
-    ![Driver package options.](../images/fig27-driverpackage.png "Driver package options")
+    ![Driver package options](../images/fig27-driverpackage.png "Driver package options")
     
     The driver package options
 
 7.  In the **State Restore / Install Applications** group, select the **Install Application** action.
 8.  Select the **Install the following applications** radio button, and add the OSD / Adobe Reader DC - OSD Install application to the list.
 
-    ![Add an application to the task sequence.](../images/fig28-addapp.png "Add an application to the task sequence")
+    ![Add an application to the task sequence](../images/fig28-addapp.png "Add an application to the task sequence")
 
     Add an application to the Configuration Manager task sequence
 
diff --git a/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md
index 1fadc2be61..90f2ec38e6 100644
--- a/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md
@@ -54,7 +54,7 @@ On **CM01**:
     * Type: Windows Installer (\*.msi file)
     * Location: \\\\CM01\\Sources$\\Software\\Adobe\\AcroRead.msi
 
-    ![The Create Application Wizard.](../images/mdt-06-fig20.png "The Create Application Wizard")
+    ![The Create Application Wizard](../images/mdt-06-fig20.png "The Create Application Wizard")
 
     The Create Application Wizard
 
@@ -65,7 +65,7 @@ On **CM01**:
   >[!NOTE]
   >Because it is not possible to reference an application deployment type in the task sequence, you should have a single deployment type for applications deployed by the task sequence. If you are deploying applications via both the task sequence and normal application deployment, and you have multiple deployment types, you should have two applications of the same software. In this section, you add the "OSD Install" suffix to applications that are deployed via the task sequence. If using packages, you can still reference both package and program in the task sequence.
   
-  ![Add the OSD Install suffix to the application name.](../images/mdt-06-fig21.png "Add the OSD Install suffix to the application name")
+  ![Add the OSD Install suffix to the application name](../images/mdt-06-fig21.png "Add the OSD Install suffix to the application name")
   
   Add the "OSD Install" suffix to the application name
 
diff --git a/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md b/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md
index ff7ad50540..a36d3b0ba3 100644
--- a/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md
@@ -65,7 +65,7 @@ All server and client computers referenced in this guide are on the same subnet.
     >[!NOTE]
     >You also can use the built-in reports to get information about ongoing deployments. For example, a task sequence report gives you a quick overview of the task sequence progress.
 
-    ![MDT monitoring.](../images/pc0001-monitor.png)
+    ![MDT monitoring](../images/pc0001-monitor.png)
 
     Monitoring the deployment with MDT.
 
@@ -73,20 +73,20 @@ All server and client computers referenced in this guide are on the same subnet.
 
 Examples are provided below of various stages of deployment:
 
-![pc0001a.](../images/pc0001a.png)<br>
-![pc0001b.](../images/pc0001b.png)<br>
-![pc0001c.](../images/pc0001c.png)<br>
-![pc0001d.](../images/pc0001d.png)<br>
-![pc0001e.](../images/pc0001e.png)<br>
-![pc0001f.](../images/pc0001f.png)<br>
-![pc0001g.](../images/pc0001g.png)<br>
-![pc0001h.](../images/pc0001h.png)<br>
-![pc0001i.](../images/pc0001i.png)<br>
-![pc0001j.](../images/pc0001j.png)<br>
-![pc0001k.](../images/pc0001k.png)<br>
-![pc0001l.](../images/pc0001l.png)<br>
-![pc0001m.](../images/pc0001m.png)<br>
-![pc0001n.](../images/pc0001n.png)
+![pc0001a](../images/pc0001a.png)<br>
+![pc0001b](../images/pc0001b.png)<br>
+![pc0001c](../images/pc0001c.png)<br>
+![pc0001d](../images/pc0001d.png)<br>
+![pc0001e](../images/pc0001e.png)<br>
+![pc0001f](../images/pc0001f.png)<br>
+![pc0001g](../images/pc0001g.png)<br>
+![pc0001h](../images/pc0001h.png)<br>
+![pc0001i](../images/pc0001i.png)<br>
+![pc0001j](../images/pc0001j.png)<br>
+![pc0001k](../images/pc0001k.png)<br>
+![pc0001l](../images/pc0001l.png)<br>
+![pc0001m](../images/pc0001m.png)<br>
+![pc0001n](../images/pc0001n.png)
 
 Next, see [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md).
 
diff --git a/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
index 7304a6b9c2..2534b0e7da 100644
--- a/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
@@ -44,7 +44,7 @@ On **CM01**:
 
 2.  Right-click the **MDT Production** deployment share, and click **Properties**. On the **Monitoring** tab, select the **Enable monitoring for this deployment share** check box, and click **OK**.
 
-    ![Enable MDT monitoring for Configuration Manager.](../images/mdt-06-fig31.png)
+    ![Enable MDT monitoring for Configuration Manager](../images/mdt-06-fig31.png)
 
     Enable MDT monitoring for Configuration Manager
 
@@ -80,7 +80,7 @@ On **CM01**:
    ApplyGPOPack=NO
    ```
 
-   ![Settings package during deployment.](../images/fig30-settingspack.png)
+   ![Settings package during deployment](../images/fig30-settingspack.png)
 
    The Settings package, holding the rules and the Unattend.xml template used during deployment
 
@@ -99,7 +99,7 @@ On **CM01**:
 2.  In the Distribute Content Wizard, click **Next** twice then on the **Specify the content destination** page add the Distribution Point: **CM01.CONTOSO.COM**, and then complete the wizard.
 3.  Using the CMTrace tool, verify the distribution to the CM01 distribution point by reviewing the distmgr.log file, or use the Distribution Status / Content Status option in the Monitoring workspace. Do not continue until you see all the new packages being distributed successfully.
 
-   ![Content status.](../images/cm01-content-status1.png)
+   ![Content status](../images/cm01-content-status1.png)
 
    Content status
 
@@ -116,7 +116,7 @@ On **CM01**:
    * Purpose: Available
    * Make available to the following: Only media and PXE
 
-   ![Configure the deployment settings.](../images/mdt-06-fig33.png)
+   ![Configure the deployment settings](../images/mdt-06-fig33.png)
     
    Configure the deployment settings
 
@@ -125,7 +125,7 @@ On **CM01**:
 6. On the **Alerts** page, accept the default settings and click **Next**.
 7. On the **Distribution Points** page, accept the default settings, click **Next** twice, and then click **Close**.
 
-   ![Task sequence deployed.](../images/fig32-deploywiz.png)
+   ![Task sequence deployed](../images/fig32-deploywiz.png)
 
    The Windows 10 Enterprise x64 RTM task sequence deployed to the All Unknown Computers collections available for media and PXE
 
@@ -149,7 +149,7 @@ On **CM01**:
    >[!NOTE]
    >Configuration Manager can prompt for information in many ways. Using a collection variable with an empty value is just one of them. Another option is the User-Driven Installation (UDI) wizard.
    
-   ![Configure a collection variable.](../images/mdt-06-fig35.png)
+   ![Configure a collection variable](../images/mdt-06-fig35.png)
    
    Configure a collection variable
 
diff --git a/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
index 9217f5b5c5..dfb02baa06 100644
--- a/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
@@ -209,7 +209,7 @@ On **CM01**:
    * Site Server Name: CM01.contoso.com
    * Site code: PS1
 
-![figure 8.](../images/mdt-06-fig08.png)
+![figure 8](../images/mdt-06-fig08.png)
 
 MDT integration with Configuration Manager.
 
@@ -223,11 +223,11 @@ On **CM01**:
 2.  In the right pane, right-click **Default Client Settings** and then click **Properties**.
 3.  In the **Computer Agent** node, in the **Organization name displayed in Software Center** text box, type in **Contoso** and click **OK**.
 
-![figure 9.](../images/mdt-06-fig10.png)
+![figure 9](../images/mdt-06-fig10.png)
 
 Configure the organization name in client settings.
 
-![figure 10.](../images/fig10-contosoinstall.png)
+![figure 10](../images/fig10-contosoinstall.png)
 
 The Contoso organization name displayed during deployment.
 
@@ -241,7 +241,7 @@ On **CM01**:
 2.  Right-click **PS1 - Primary Site 1**, point to **Configure Site Components**, and then select **Software Distribution**.
 3.  On the **Network Access Account** tab, select **Specify the account that accesses network locations** and add the *New Account* **CONTOSO\\CM\_NAA** as the Network Access account (password: pass@word1). Use the new **Verify** option to verify that the account can connect to the **\\\\DC01\\sysvol** network share.
 
-![figure 11.](../images/mdt-06-fig12.png)
+![figure 11](../images/mdt-06-fig12.png)
 
 Test the connection for the Network Access account.
 
@@ -261,7 +261,7 @@ On **CM01**:
     * Require a password when computers use PXE
     * Password and Confirm password: pass@word1
 
-    ![figure 12.](../images/mdt-06-fig13.png)
+    ![figure 12](../images/mdt-06-fig13.png)
 
     Configure the CM01 distribution point for PXE.
 
@@ -270,13 +270,13 @@ On **CM01**:
 
 4.  Using the CMTrace tool, review the C:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file. Look for ConfigurePXE and CcmInstallPXE lines.
 
-    ![figure 13.](../images/mdt-06-fig14.png)
+    ![figure 13](../images/mdt-06-fig14.png)
 
     The distmgr.log displays a successful configuration of PXE on the distribution point.
 
 5.  Verify that you have seven files in each of the folders **D:\\RemoteInstall\\SMSBoot\\x86** and **D:\\RemoteInstall\\SMSBoot\\x64**.
 
-    ![figure 14.](../images/mdt-06-fig15.png)
+    ![figure 14](../images/mdt-06-fig15.png)
 
     The contents of the D:\\RemoteInstall\\SMSBoot\\x64 folder after you enable PXE.
 
@@ -341,7 +341,7 @@ The task sequence uses instructions that allow you to reduce the number of task
     MachineObjectOU=ou=desktops,ou=Contoso,dc=contoso,dc=com
     ```
 
-![figure 2.](../images/fig2-gather.png)
+![figure 2](../images/fig2-gather.png)
 
 The Gather action in the task sequence is reading the rules.
 
@@ -349,7 +349,7 @@ The Gather action in the task sequence is reading the rules.
 
 When testing a deployment, it is important to be able to quickly test any changes you make to the deployment without needing to run through an entire deployment. MDT rules can be tested very quickly, saving significant testing time in a deployment project. For more information, see [Configure MDT settings](../deploy-windows-mdt/configure-mdt-settings.md).
 
-![figure 3.](../images/mdt-06-fig03.png)
+![figure 3](../images/mdt-06-fig03.png)
 
 The folder that contains the rules, a few scripts from MDT, and a custom script (Gather.ps1).
 
@@ -357,7 +357,7 @@ The folder that contains the rules, a few scripts from MDT, and a custom script
 
 With MDT integration, you can follow your deployments in real time, and if you have access to Microsoft Diagnostics and Recovery Toolkit (DaRT), you can even remote into Windows Preinstallation Environment (Windows PE) during deployment. The real-time monitoring data can be viewed from within the MDT Deployment Workbench, via a web browser, Windows PowerShell, the Event Viewer, or Microsoft Excel 2013. In fact, any script or app that can read an Open Data (OData) feed can read the information.
 
-![figure 4.](../images/mdt-06-fig04.png)
+![figure 4](../images/mdt-06-fig04.png)
 
 View the real-time monitoring data with PowerShell.
 
@@ -365,7 +365,7 @@ View the real-time monitoring data with PowerShell.
 
 For some deployment scenarios, you may need to prompt the user for information during deployment such as the computer name, the correct organizational unit (OU) for the computer, or which applications should be installed by the task sequence. With MDT integration, you can enable the User-Driven Installation (UDI) wizard to gather the required information, and customize the wizard using the UDI Wizard Designer.
 
-![figure 5.](../images/mdt-06-fig05.png)
+![figure 5](../images/mdt-06-fig05.png)
 
 The optional UDI wizard open in the UDI Wizard Designer.
 
diff --git a/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
index 4c8dbad35e..b07364dbe5 100644
--- a/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
@@ -60,7 +60,7 @@ On **PC0003**:
 2. On the **Site** tab, click **Configure Settings**, then click **Find Site**.
 3. Verify that Configuration Manager has successfully found a site to manage this client is displayed. See the following example.
 
-![Found a site to manage this client.](../images/pc0003a.png)
+![Found a site to manage this client](../images/pc0003a.png)
 
 ## Create a device collection and add the PC0003 computer
 
@@ -124,16 +124,16 @@ On **PC0003**:
 2.  In the **Software Center** warning dialog box, click **Install Operating System**. 
 3. The client computer will run the Configuration Manager task sequence, boot into Windows PE, and install the new OS and applications. See the following examples:
 
-![Task sequence example 1.](../images/pc0003b.png)<br>
-![Task sequence example 2.](../images/pc0003c.png)<br>
-![Task sequence example 3.](../images/pc0003d.png)<br>
-![Task sequence example 4.](../images/pc0003e.png)<br>
-![Task sequence example 5.](../images/pc0003f.png)<br>
-![Task sequence example 6.](../images/pc0003g.png)<br>
-![Task sequence example 7.](../images/pc0003h.png)<br>
-![Task sequence example 8.](../images/pc0003i.png)<br>
-![Task sequence example 9.](../images/pc0003j.png)<br>
-![Task sequence example 10.](../images/pc0003k.png)
+![Task sequence example 1](../images/pc0003b.png)<br>
+![Task sequence example 2](../images/pc0003c.png)<br>
+![Task sequence example 3](../images/pc0003d.png)<br>
+![Task sequence example 4](../images/pc0003e.png)<br>
+![Task sequence example 5](../images/pc0003f.png)<br>
+![Task sequence example 6](../images/pc0003g.png)<br>
+![Task sequence example 7](../images/pc0003h.png)<br>
+![Task sequence example 8](../images/pc0003i.png)<br>
+![Task sequence example 9](../images/pc0003j.png)<br>
+![Task sequence example 10](../images/pc0003k.png)
 
 Next, see [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md).
 
diff --git a/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
index 43b188d08e..a30a182bb9 100644
--- a/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
@@ -69,7 +69,7 @@ On **CM01**:
     >[!NOTE]
     >This task sequence has many fewer actions than the normal client task sequence. If it doesn't seem different, make sure you selected the **Client Replace Task Sequence** template when creating the task sequence.
 
-![The back-up only task sequence.](../images/mdt-06-fig42.png "The back-up only task sequence")
+![The back-up only task sequence](../images/mdt-06-fig42.png "The back-up only task sequence")
 
 The backup-only task sequence (named Replace Task Sequence).
 
@@ -91,7 +91,7 @@ On **CM01**:
     * MAC Address: &lt;the mac address that you wrote down&gt;
     * Source Computer: PC0004
 
-    ![Create the computer association.](../images/mdt-06-fig43.png "Create the computer association")
+    ![Create the computer association](../images/mdt-06-fig43.png "Create the computer association")
 
     Creating the computer association between PC0004 and PC0006.
 
@@ -160,7 +160,7 @@ On **PC0004**:
 4.  Confirm you want to upgrade the operating system on this computer by clicking **Install** again.
 5.  Allow the Replace Task Sequence to complete. The PC0004 computer will gather user data, boot into Windows PE and gather more data, then boot back to the full OS. The entire process should only take a few minutes.
 
-![Task sequence example.](../images/pc0004b.png)
+![Task sequence example](../images/pc0004b.png)
 
 Capturing the user state
 
@@ -191,15 +191,15 @@ On **PC0006**:
 
 When the process is complete, you will have a new Windows 10 computer in your domain with user data and settings restored. See the following examples:
 
-![User data and setting restored example 1.](../images/pc0006a.png)<br>
-![User data and setting restored example 2.](../images/pc0006b.png)<br>
-![User data and setting restored example 3.](../images/pc0006c.png)<br>
-![User data and setting restored example 4.](../images/pc0006d.png)<br>
-![User data and setting restored example 5.](../images/pc0006e.png)<br>
-![User data and setting restored example 6.](../images/pc0006f.png)<br>
-![User data and setting restored example 7.](../images/pc0006g.png)<br>
-![User data and setting restored example 8.](../images/pc0006h.png)<br>
-![User data and setting restored example 9.](../images/pc0006i.png)
+![User data and setting restored example 1](../images/pc0006a.png)<br>
+![User data and setting restored example 2](../images/pc0006b.png)<br>
+![User data and setting restored example 3](../images/pc0006c.png)<br>
+![User data and setting restored example 4](../images/pc0006d.png)<br>
+![User data and setting restored example 5](../images/pc0006e.png)<br>
+![User data and setting restored example 6](../images/pc0006f.png)<br>
+![User data and setting restored example 7](../images/pc0006g.png)<br>
+![User data and setting restored example 8](../images/pc0006h.png)<br>
+![User data and setting restored example 9](../images/pc0006i.png)
 
 Next, see [Perform an in-place upgrade to Windows 10 using Configuration Manager](upgrade-to-windows-10-with-configuraton-manager.md).
 
diff --git a/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md b/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md
index da8eb45f78..7d1c05e34c 100644
--- a/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md
+++ b/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md
@@ -71,7 +71,7 @@ On **CM01**:
 4. Complete the wizard, and click **Close**.
 5. Review the Upgrade Task Sequence.
 
-![The upgrade task sequence.](../images/cm-upgrade-ts.png)
+![The upgrade task sequence](../images/cm-upgrade-ts.png)
 
 The Configuration Manager upgrade task sequence
 
@@ -127,13 +127,13 @@ On **PC0004**:
 4.  Confirm you want to upgrade the operating system on this computer by clicking **Install** again.
 5.  Allow the Upgrade Task Sequence to complete. The PC0004 computer will download the install.wim file, perform an in-place upgrade, and install your added applications. See the following examples:
 
-![Upgrade task sequence example 1.](../images/pc0004-a.png)<br>
-![Upgrade task sequence example 2.](../images/pc0004-b.png)<br>
-![Upgrade task sequence example 3.](../images/pc0004-c.png)<br>
-![Upgrade task sequence example 4.](../images/pc0004-d.png)<br>
-![Upgrade task sequence example 5.](../images/pc0004-e.png)<br>
-![Upgrade task sequence example 6.](../images/pc0004-f.png)<br>
-![Upgrade task sequence example 7.](../images/pc0004-g.png)
+![Upgrade task sequence example 1](../images/pc0004-a.png)<br>
+![Upgrade task sequence example 2](../images/pc0004-b.png)<br>
+![Upgrade task sequence example 3](../images/pc0004-c.png)<br>
+![Upgrade task sequence example 4](../images/pc0004-d.png)<br>
+![Upgrade task sequence example 5](../images/pc0004-e.png)<br>
+![Upgrade task sequence example 6](../images/pc0004-f.png)<br>
+![Upgrade task sequence example 7](../images/pc0004-g.png)
 
 In-place upgrade with Configuration Manager
 
diff --git a/windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md b/windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md
index 427daf44e9..40992cf7a3 100644
--- a/windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md
@@ -28,7 +28,7 @@ This topic will show you how to add applications to a role in the MDT database a
     2.  Applications / Lite Touch Applications:
     3.  Install - Adobe Reader XI - x86
 
-![figure 12.](../images/mdt-09-fig12.png)
+![figure 12](../images/mdt-09-fig12.png)
 
 Figure 12. The Standard PC role with the application added
 
@@ -39,7 +39,7 @@ After creating the role, you can associate it with one or more computer entries.
 2.  In the **Computers** node, double-click the **PC00075** entry, and add the following setting:
     -   Roles: Standard PC
 
-![figure 13.](../images/mdt-09-fig13.png)
+![figure 13](../images/mdt-09-fig13.png)
 
 Figure 13. The Standard PC role added to PC00075 (having ID 1 in the database).
 
@@ -120,7 +120,7 @@ When the database is populated, you can use the MDT simulation environment to si
 
     ```
 
-![figure 14.](../images/mdt-09-fig14.png)
+![figure 14](../images/mdt-09-fig14.png)
 
 Figure 14. ZTIGather.log displaying the application GUID belonging to the Adobe Reader XI application that would have been installed if you deployed this machine.
 
diff --git a/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md b/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md
index 06399d410a..67daeba302 100644
--- a/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md
+++ b/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md
@@ -27,7 +27,7 @@ Four computers are used in this topic: DC01, MDT01, MDT02, and PC0006. DC01 is a
 
 For the purposes of this article, we assume that MDT02 is prepared with the same network and storage capabilities that were specified for MDT01, except that MDT02 is located on a different subnet than MDT01. For more details on the infrastructure setup for this topic, please see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md).
 
-![figure 1.](../images/mdt-10-fig01.png)
+![figure 1](../images/mdt-10-fig01.png)
 
 Computers used in this topic.
 
@@ -149,7 +149,7 @@ On **MDT01**:
 4. After the update is complete, use the Windows Deployment Services console on MDT01. In the **Boot Images** node, right-click the **MDT Production x64** boot image and select **Replace Image**.
 5. Browse and select the **D:\\MDTProduction\\Boot\\LiteTouchPE\_x64.wim** boot image, and then complete Replace Boot Image Wizard using the default settings.
 
-   ![figure 5.](../images/mdt-10-fig05.png)
+   ![figure 5](../images/mdt-10-fig05.png)
 
    Replacing the updated boot image in WDS.
 
@@ -167,7 +167,7 @@ On **MDT01**:
 8. On the **Name and Domain** page, assign the **MDTProduction** name, and click **Next**.
 9. On the **Replication Group Members** page, click **Add**, add **MDT01** and **MDT02**, and then click **Next**.
 
-    ![figure 6.](../images/mdt-10-fig06.png)
+    ![figure 6](../images/mdt-10-fig06.png)
 
     Adding the Replication Group Members.
 
@@ -223,7 +223,7 @@ On **MDT02**:
 7. On the **Review Settings and Create Report** page, click **Create**.
 8. Open the report in Internet Explorer, and if necessary, select the **Allow blocked content** option.
 
-![figure 9.](../images/mdt-10-fig09.png)
+![figure 9](../images/mdt-10-fig09.png)
 
 The DFS Replication Health Report.
 
@@ -258,7 +258,7 @@ Now you should have a solution ready for deploying the Windows 10 client to the
     2.  Install applications.
     3.  Update the operating system using your local Windows Server Update Services (WSUS) server.
 
-![pc0001.](../images/pc0006.png)
+![pc0001](../images/pc0006.png)
 
 ## Related topics
 
diff --git a/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md b/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md
index 5259d8bafe..9ec7f0adba 100644
--- a/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md
+++ b/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md
@@ -21,7 +21,7 @@ ms.topic: article
 One of the most powerful features in Microsoft Deployment Toolkit (MDT) is its extension capabilities; there is virtually no limitation to what you can do in terms of customization. In this topic, you learn about configuring customizations for your environment.
 For the purposes of this topic, we will use four machines: DC01, MDT01, HV01, and PC0001. DC01 is a domain controller, MDT01 is a Windows Server 2012 R2 Standard server, and PC0001 is a Windows 10 Enterprise x64 client used for the MDT simulation environment. OR01 has Microsoft System Center 2012 R2 Orchestrator installed. MDT01, OR01, and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](./prepare-for-windows-deployment-with-mdt.md).
 
-![figure 1.](../images/mdt-09-fig01.png)
+![figure 1](../images/mdt-09-fig01.png)
 
 The computers used in this topic.
 
diff --git a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
index 33d92b8cc9..92bdcde554 100644
--- a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
+++ b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
@@ -31,7 +31,7 @@ For the purposes of this topic, we will use three computers: DC01, MDT01, and HV
    - MDT01 is a contoso.com domain member server.
    - HV01 is a Hyper-V server that will be used to build the reference image.
  
-   ![devices.](../images/mdt-08-fig01.png)
+   ![devices](../images/mdt-08-fig01.png)
 
    Computers used in this topic.
 
@@ -62,7 +62,7 @@ On **MDT01**:
 - Review the Summary page, click **Next**, wait for the deployment share to be created, then click **Finish**.
 - Verify that you can access the <b>\\\\MDT01\\MDTBuildLab$</b> share.
 
-   ![figure 2.](../images/mdt-08-fig02.png)
+   ![figure 2](../images/mdt-08-fig02.png)
 
    The Deployment Workbench with the MDT Build Lab deployment share.
 
@@ -101,7 +101,7 @@ On **MDT01**:
 
 1. Sign in as **contoso\\administrator** and copy the content of a Windows 10 Enterprise x64 DVD/ISO to the **D:\\Downloads\\Windows 10 Enterprise x64** folder on MDT01, or just insert the DVD or mount an ISO on MDT01. The following example shows the files copied to the D:\\Downloads folder, but you can also choose to import the OS directly from an ISO or DVD.
 
-    ![ISO.](../images/iso-data.png)
+    ![ISO](../images/iso-data.png)
 
 2. Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Build Lab**.
 3. Right-click the **Operating Systems** node, and create a new folder named **Windows 10**.
@@ -111,7 +111,7 @@ On **MDT01**:
     - Destination directory name: <b>W10EX64RTM</b>
 5. After adding the operating system, in the **Operating Systems / Windows 10** folder, double-click it and change the name to: **Windows 10 Enterprise x64 RTM Default Image**. See the following example.
 
-    ![Default image.](../images/deployment-workbench01.png)
+    ![Default image](../images/deployment-workbench01.png)
 
 >Depending on the DVD you used, there might be multiple editions available. For the purposes of this guide, we are using the Windows 10 Enterprise image, but other images will also work.
 
@@ -188,7 +188,7 @@ Download all three items in this list to the D:\\Downloads folder on MDT01.
 
 3. Ensure the configuration.xml file is in the D:\\Downloads\\Office365 folder. See the following example of the extracted files plus the configuration.xml file in the Downloads\\Office365 folder:
 
-    ![folder.](../images/office-folder.png)
+    ![folder](../images/office-folder.png)
 
   Assuming you have named the file "configuration.xml" as shown above, we will use the command "**setup.exe /configure configuration.xml**" when we create the application in MDT. This will perform the installation of Microsoft 365 Apps for enterprise using the configuration settings in the configuration.xml file. Do not perform this step yet.
 
@@ -346,7 +346,7 @@ On **MDT01**:
         >[!IMPORTANT]
         >This is probably the most important step when creating a reference image. Many applications need the .NET Framework, and we strongly recommend having it available in the image. The one thing that makes this different from other components is that .NET Framework 3.5.1 is not included in the WIM file. It is installed from the **Sources\\SxS** folder on the media, and that makes it more difficult to add after the image has been deployed.
          
-        ![task sequence.](../images/fig8-cust-tasks.png)
+        ![task sequence](../images/fig8-cust-tasks.png)
 
         The task sequence after creating the Custom Tasks (Pre-Windows Update) group and adding the Install - Microsoft NET Framework 3.5.1 action.
 
@@ -356,18 +356,18 @@ On **MDT01**:
     7.  Repeat these steps (add a new **Install Application**) to add Microsoft Visual C++ Redistributable 2019 - x64 and Microsoft 365 Apps for enterprise as well.
 3. Click **OK**.
 
- ![apps.](../images/mdt-apps.png) 
+ ![apps](../images/mdt-apps.png) 
 
 
 ### Optional configuration: Add a suspend action
 
 The goal when creating a reference image is of course to automate everything. But sometimes you have a special configuration or application setup that is too time-consuming to automate. If you need to do some manual configuration, you can add a little-known feature called Lite Touch Installation (LTI) Suspend. If you add the LTISuspend.wsf script as a custom action in the task sequence, it will suspend the task sequence until you click the Resume Task Sequence shortcut icon on the desktop. In addition to using the LTI Suspend feature for manual configuration or installation, you can also use it simply for verifying a reference image before you allow the task sequence to continue and use Sysprep and capture the virtual machine.
 
-   ![figure 8.](../images/fig8-suspend.png)
+   ![figure 8](../images/fig8-suspend.png)
 
    A task sequence with optional Suspend action (LTISuspend.wsf) added.
 
-   ![figure 9.](../images/fig9-resumetaskseq.png)
+   ![figure 9](../images/fig9-resumetaskseq.png)
 
    The Windows 10 desktop with the Resume Task Sequence shortcut.
 
@@ -402,7 +402,7 @@ On **MDT01**:
      - Note: If errors are reported that certain display values are incorrect, you can ignore this or browse to **7oobeSystem\\amd64_Microsoft-Windows-Shell-Setup__neutral\\Display** and enter the following: ColorDepth 32, HorizontalResolution 1, RefreshRate 60, VerticalResolution 1.
 6. On the Windows 10 Enterprise x64 RTM Default Image Properties, click **OK**.
 
-    ![figure 10.](../images/fig10-unattend.png)
+    ![figure 10](../images/fig10-unattend.png)
 
     Windows System Image Manager with the Windows 10 Unattend.xml.
 
@@ -455,7 +455,7 @@ On **MDT01**:
     SkipFinalSummary=YES
     ```
 
-    ![figure 11.](../images/mdt-rules.png)
+    ![figure 11](../images/mdt-rules.png)
 
     The server-side rules for the MDT Build Lab deployment share.
  
@@ -642,7 +642,7 @@ On **HV01**:
        -   Location: \\\\MDT01\\MDTBuildLab$\\Captures
     3. File name: REFW10X64-001.wim
 
-        ![capture image.](../images/captureimage.png)
+        ![capture image](../images/captureimage.png)
 
         The Windows Deployment Wizard for the Windows 10 reference image.
 
@@ -657,7 +657,7 @@ On **HV01**:
 
 After some time, you will have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep, located in the D:\\MDTBuildLab\\Captures folder on your deployment server. The file name is REFW10X64-001.wim.
 
-   ![image.](../images/image-captured.png)
+   ![image](../images/image-captured.png)
 
 ## Troubleshooting
 
@@ -666,7 +666,7 @@ After some time, you will have a Windows 10 Enterprise x64 image that is fully
 
 If you [enabled monitoring](#enable-monitoring), you can check the progress of the task sequence.
 
-   ![monitoring.](../images/mdt-monitoring.png)
+   ![monitoring](../images/mdt-monitoring.png)
 
 If there are problems with your task sequence, you can troubleshoot in Windows PE by pressing F8 to open a command prompt. There are several [MDT log files](/configmgr/mdt/troubleshooting-reference#mdt-logs) created that can be helpful determining the origin of an error, such as BDD.log.  From the command line in Windows PE you can copy these logs from the client to your MDT server for viewing with CMTrace. For example: copy BDD.log \\\\mdt01\\logs$.
 
diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
index b6a311471f..5eec9e233a 100644
--- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
@@ -34,7 +34,7 @@ For the purposes of this topic, we will use four computers: DC01, MDT01, HV01 an
 
 MDT01 and PC0005 are members of the domain contoso.com for the fictitious Contoso Corporation.  HV01 used to test deployment of PC0005 in a virtual environment.
 
-   ![devices.](../images/mdt-07-fig01.png)
+   ![devices](../images/mdt-07-fig01.png)
 
 >[!NOTE]
 >For details about the setup for the procedures in this article, please see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md).
@@ -135,7 +135,7 @@ In these steps, we assume that you have completed the steps in the [Create a Win
 >The reason for adding the setup files has changed since earlier versions of MDT. MDT 2010 used the setup files to install Windows. MDT uses DISM to apply the image; however, you still need the setup files because some components in roles and features are stored outside the main image.
  
 
-![imported OS.](../images/fig2-importedos.png)
+![imported OS](../images/fig2-importedos.png)
 
 ## Step 4: Add an application
 
@@ -162,7 +162,7 @@ On **MDT01**:
 
 10. On the **Command Details** page, in the **Command Line** text box, type **msiexec /i AcroRead.msi /q**, click **Next** twice, and then click **Finish**.
 
-    ![acroread image.](../images/acroread.png)
+    ![acroread image](../images/acroread.png)
 
     The Adobe Reader application added to the Deployment Workbench.
 
@@ -238,7 +238,7 @@ wmic csproduct get name
 
 If you want a more standardized naming convention, try the **ModelAliasExit.vbs script** from the Deployment Guys blog post, entitled [Using and Extending Model Aliases for Hardware Specific Application Installation](/archive/blogs/deploymentguys/using-and-extending-model-aliases-for-hardware-specific-application-installation).
 
-![drivers.](../images/fig4-oob-drivers.png)
+![drivers](../images/fig4-oob-drivers.png)
 
 The Out-of-Box Drivers structure in the Deployment Workbench.
 
@@ -260,7 +260,7 @@ On **MDT01**:
     2.  Folders: Select the WinPE x64 folder in Out-of-Box Drivers.
     3.  Click **Next**, **Next** and **Finish**.
 
-    ![figure 5.](../images/fig5-selectprofile.png)
+    ![figure 5](../images/fig5-selectprofile.png)
 
     Creating the WinPE x64 selection profile.
 
@@ -284,7 +284,7 @@ On **MDT01**:
 For the ThinkStation P500 model, you use the Lenovo ThinkVantage Update Retriever software to download the drivers. With Update Retriever, you need to specify the correct Lenovo Machine Type for the actual hardware (the first four characters of the model name). As an example, the Lenovo ThinkStation P500 model has the 30A6003TUS model name, meaning the Machine Type is 30A6.
 
 > [!div class="mx-imgBorder"]
-> ![ThinkStation image.](../images/thinkstation.png)
+> ![ThinkStation image](../images/thinkstation.png)
 
 To get the updates, download the drivers from the Lenovo ThinkVantage Update Retriever using its export function. You can also download the drivers by searching PC Support on the [Lenovo website](https://go.microsoft.com/fwlink/p/?LinkId=619543).
 
@@ -386,7 +386,7 @@ On **MDT01**:
 
 3. Click **OK**.
 
-   ![drivergroup.](../images/fig6-taskseq.png)
+   ![drivergroup](../images/fig6-taskseq.png)
 
    The task sequence for production deployment.
 
@@ -488,7 +488,7 @@ On **MDT01**:
     >[!NOTE]
     >It will take a while for the Deployment Workbench to create the monitoring database and web service.
  
-    ![figure 8.](../images/mdt-07-fig08.png)
+    ![figure 8](../images/mdt-07-fig08.png)
 
     The Windows PE tab for the x64 boot image.
 
@@ -586,7 +586,7 @@ On **MDT01**:
 
 2. Install DaRT 10 (MSDaRT10.msi) using the default settings.
 
-   ![DaRT image.](../images/dart.png)
+   ![DaRT image](../images/dart.png)
 
 2. Copy the two tools CAB files from **C:\\Program Files\\Microsoft DaRT\\v10** (**Toolsx86.cab** and **Toolsx64.cab**) to the production deployment share at **D:\\MDTProduction\\Tools\\x86** and **D:\\MDTProduction\\Tools\\x64**, respectively.
 
@@ -596,7 +596,7 @@ On **MDT01**:
 
 5. On the **Features** sub tab, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** checkbox.
 
-   ![DaRT selection.](../images/mdt-07-fig09.png)
+   ![DaRT selection](../images/mdt-07-fig09.png)
 
    Selecting the DaRT 10 feature in the deployment share.
 
@@ -633,7 +633,7 @@ On **MDT01**:
 
 3. Browse to the **D:\\MDTProduction\\Boot\\LiteTouchPE\_x64.wim** file and add the image with the default settings.
 
-   ![figure 9.](../images/mdt-07-fig10.png)
+   ![figure 9](../images/mdt-07-fig10.png)
 
    The boot image added to the WDS console.
 
@@ -655,7 +655,7 @@ On **HV01**:
 
 2.  Start the PC0005 virtual machine, and press **Enter** to start the PXE boot. The VM will now load the Windows PE boot image from the WDS server.
 
-    ![figure 10.](../images/mdt-07-fig11.png)
+    ![figure 10](../images/mdt-07-fig11.png)
 
     The initial PXE boot process of PC0005.
 
@@ -671,13 +671,13 @@ On **HV01**:
     - Installs the added application.
     - Updates the operating system via your local Windows Server Update Services (WSUS) server.
 
-    ![pc0005 image1.](../images/pc0005-vm.png)
+    ![pc0005 image1](../images/pc0005-vm.png)
 
 ### Application installation
 
 Following OS installation, Microsoft Office 365 Pro Plus - x64 is installed automatically.
 
- ![pc0005 image2.](../images/pc0005-vm-office.png)
+ ![pc0005 image2](../images/pc0005-vm-office.png)
 
 ### Use the MDT monitoring feature
 
@@ -691,7 +691,7 @@ On **MDT01**:
 
 3.  Double-click PC0005, and review the information.
 
-    ![figure 11.](../images/mdt-07-fig13.png)
+    ![figure 11](../images/mdt-07-fig13.png)
 
     The Monitoring node, showing the deployment progress of PC0005.
 
@@ -699,7 +699,7 @@ On **MDT01**:
 
 When monitoring is enabled, MDT also writes information to the event viewer on MDT01. This information can be used to trigger notifications via scheduled tasks when deployment is completed. For example, you can configure scheduled tasks to send an email when a certain event is created in the event log.
 
-![figure 12.](../images/mdt-07-fig14.png)
+![figure 12](../images/mdt-07-fig14.png)
 
 The Event Viewer showing a successful deployment of PC0005.
 
@@ -723,7 +723,7 @@ On **MDT01**:
 3.  Right-click the **MDT Production** deployment share folder and select **Update Deployment Share**.
 4.  After updating the deployment share, use the Windows Deployment Services console to, verify that the multicast namespace was created.
 
-    ![figure 13.](../images/mdt-07-fig15.png)
+    ![figure 13](../images/mdt-07-fig15.png)
 
     The newly created multicast namespace.
 
@@ -753,7 +753,7 @@ On **MDT01**:
       - Out-Of-Box Drivers / Windows 10 x64
       - Task Sequences / Windows 10
 
-      ![offline media.](../images/mdt-offline-media.png)
+      ![offline media](../images/mdt-offline-media.png)
 
 ### Create the offline media
 
@@ -831,7 +831,7 @@ Follow these steps to create a bootable USB stick from the offline media content
 
 As referenced in [Windows 10 deployment scenarios and tools](../windows-deployment-scenarios-and-tools.md), Unified Extensible Firmware Interface (UEFI)-based deployments are becoming more common. In fact, when you create a generation 2 virtual machine in Hyper-V, you get a UEFI-based computer. During deployment, MDT automatically detects that you have an UEFI-based machine and creates the partitions UEFI requires. You do not need to update or change your task sequences in any way to accommodate UEFI.
 
-![figure 14.](../images/mdt-07-fig16.png)
+![figure 14](../images/mdt-07-fig16.png)
 
 The partitions when deploying an UEFI-based machine.
 
diff --git a/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md b/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md
index dc5907ae88..03e9e01012 100644
--- a/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md
+++ b/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md
@@ -43,7 +43,7 @@ MDT has many useful features, such as:
 - **GPT support.** Supports deployment to machines that require the new GPT partition table format. This is related to UEFI.
 - **Enhanced Windows PowerShell support.** Provides support for running PowerShell scripts.
 
-    ![figure 2.](../images/mdt-05-fig02.png)
+    ![figure 2](../images/mdt-05-fig02.png)
 
     The deployment share mounted as a standard PSDrive allows for administration using PowerShell.
 
@@ -58,7 +58,7 @@ MDT has many useful features, such as:
 - **Offline BitLocker.** Provides the capability to have BitLocker enabled during the Windows Preinstallation Environment (Windows PE) phase, thus saving hours of encryption time.
 - **USMT offline user-state migration.** Provides support for running the User State Migration Tool (USMT) capture offline, during the Windows PE phase of the deployment.
 
-    ![figure 3.](../images/mdt-05-fig03.png)
+    ![figure 3](../images/mdt-05-fig03.png)
 
     The offline USMT backup in action.
 
@@ -76,7 +76,7 @@ Many features in MDT support Lite Touch Installation (LTI) for Windows 10. An L
 
 When deploying the Windows operating system using MDT, most of the administration and configuration is done through the Deployment Workbench, but you also can perform many of the tasks using Windows PowerShell. The easiest way to find out how to use PowerShell in MDT is to use the Deployment Workbench to perform an operation and at the end of that task, click View Script. That will give you the PowerShell command.
 
-![figure 4.](../images/mdt-05-fig04.png)
+![figure 4](../images/mdt-05-fig04.png)
 
 If you click **View Script** on the right side, you will get the PowerShell code that was used to perform the task.
 
@@ -93,7 +93,7 @@ The rules (CustomSettings.ini and Bootstrap.ini) make up the brain of MDT. The r
 - Regional settings
 You can manage hundreds of settings in the rules. For more information, see the [Microsoft Deployment Toolkit resource center](/mem/configmgr/mdt/).
 
-![figure 5.](../images/mdt-05-fig05.png)
+![figure 5](../images/mdt-05-fig05.png)
 
 Example of a MDT rule. In this example, the new computer name is being calculated based on PC- plus the first seven (Left) characters from the serial number
 
diff --git a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
index 97d1ca6701..c1039d7404 100644
--- a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
@@ -75,7 +75,7 @@ The following generic credentials are used in this guide. You should replace the
 
 The following OU structure is used in this guide. Instructions are provided [below](#create-the-ou-structure) to help you create the required OUs.
 
-![figure 2.](../images/mdt-01-fig02.jpg)
+![figure 2](../images/mdt-01-fig02.jpg)
 
 ## Install the Windows ADK
 
@@ -182,7 +182,7 @@ Set-Location $home\Setup\Scripts
 
 This will create an OU structure as shown below.
 
-![OU structure.](../images/mdt-05-fig07.png)
+![OU structure](../images/mdt-05-fig07.png)
 
 To use the Active Directory Users and Computers console (instead of PowerShell):
 
@@ -233,18 +233,18 @@ On **MDT01**:
 
 See the following example:
 
-![Logs folder.](../images/mdt-05-fig08.png)
+![Logs folder](../images/mdt-05-fig08.png)
 
 ## Use CMTrace to read log files (optional)
 
 The log files in MDT Lite Touch are formatted to be read by Configuration Manager Trace ([CMTrace](/sccm/core/support/cmtrace)), which is available as part of the [Microsoft System 2012 R2 Center Configuration Manager Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=734717). You should also download this tool.  
 You can use Notepad (example below):
 
-![figure 8.](../images/mdt-05-fig09.png)
+![figure 8](../images/mdt-05-fig09.png)
 
 Alternatively, CMTrace formatting makes the logs much easier to read. See the same log file below, opened in CMTrace:
 
-![figure 9.](../images/mdt-05-fig10.png)
+![figure 9](../images/mdt-05-fig10.png)
 
 After installing the ConfigMgrTools.msi file, you can search for **cmtrace** and pin the tool to your taskbar for easy access.
 
diff --git a/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md b/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md
index f1aa143648..2bba58db5a 100644
--- a/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md
+++ b/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md
@@ -30,7 +30,7 @@ For the purposes of this topic, we will use three computers: DC01, MDT01, and PC
 
 Both DC01 and MDT01 are running Windows Server 2019; however any supported version of Windows Server can be used. For more details on the setup for this topic, please see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md).
 
-![computers.](../images/mdt-04-fig01.png "Computers used in this topic")
+![computers](../images/mdt-04-fig01.png "Computers used in this topic")
 
 The computers used in this topic.
 
@@ -93,7 +93,7 @@ It is also assumed that you have a domain member client computer named PC0001 in
      >Skip this optional full WIM backup that we are choosing not to perform. The USMT backup will still run.
    * Select one or more applications to install: Install - Adobe Reader
 
-     ![Computer refresh.](../images/fig2-taskseq.png "Start the computer refresh")
+     ![Computer refresh](../images/fig2-taskseq.png "Start the computer refresh")
 
 4. Setup starts and does the following:
     
@@ -105,7 +105,7 @@ It is also assumed that you have a domain member client computer named PC0001 in
 
 5. You can monitor progress of the deployment using the deployment workbench on MDT01. See the following example:
 
-     ![monitor deployment.](../images/monitor-pc0001.png)
+     ![monitor deployment](../images/monitor-pc0001.png)
 
 6. After the refresh process completes, sign in to the Windows 10 computer and verify that user accounts, data and settings were migrated.
 
diff --git a/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md b/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md
index fb7cfe97e1..84daf20005 100644
--- a/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md
+++ b/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md
@@ -32,7 +32,7 @@ For the purposes of this topic, we will use four computers: DC01, MDT01, PC0002,
 
 For more details on the setup for this topic, please see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md).
 
-![The computers used in this topic.](../images/mdt-03-fig01.png)
+![The computers used in this topic](../images/mdt-03-fig01.png)
 
 The computers used in this topic.
 
@@ -73,7 +73,7 @@ On **MDT01**:
 
 4. In the **Other** folder, double-click **Backup Only Task Sequence**, and then in the **Task Sequence** tab, review the sequence. Notice that it only contains a subset of the normal client task sequence actions.
 
-   ![The Backup Only Task Sequence action list.](../images/mdt-03-fig02.png "The Backup Only Task Sequence action list")
+   ![The Backup Only Task Sequence action list](../images/mdt-03-fig02.png "The Backup Only Task Sequence action list")
 
    The Backup Only Task Sequence action list.
 
@@ -103,13 +103,13 @@ On **PC0002**:
 
     The task sequence will now run USMT (Scanstate.exe) to capture user data and settings of the computer.
 
-    ![The new task sequence.](../images/mdt-03-fig03.png "The new task sequence")
+    ![The new task sequence](../images/mdt-03-fig03.png "The new task sequence")
 
     The new task sequence running the Capture User State action on PC0002.
 
 4.  On **MDT01**, verify that you have an USMT.MIG compressed backup file in the **D:\\MigData\\PC0002\\USMT** folder.
 
-    ![The USMT backup.](../images/mdt-03-fig04.png "The USMT backup")
+    ![The USMT backup](../images/mdt-03-fig04.png "The USMT backup")
 
     The USMT backup of PC0002.
 
@@ -130,7 +130,7 @@ On **HV01**:
 
 2.  Start the PC0007 virtual machine, and press **Enter** to start the Pre-Boot Execution Environment (PXE) boot. The VM will now load the Windows PE boot image from MDT01 (or MDT02 if at a remote site).
 
-    ![The initial PXE boot process.](../images/mdt-03-fig05.png "The initial PXE boot process")
+    ![The initial PXE boot process](../images/mdt-03-fig05.png "The initial PXE boot process")
 
     The initial PXE boot process of PC0007.
 
@@ -153,7 +153,7 @@ On **HV01**:
 
 You can view progress of the process by clicking the Monitoring node in the Deployment Workbrench on MDT01.
 
-![Monitor progress.](../images/mdt-replace.png)
+![Monitor progress](../images/mdt-replace.png)
 
 ## Related topics
 
diff --git a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md
index 8d2743cfa3..62cb47a58a 100644
--- a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md
+++ b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md
@@ -52,7 +52,7 @@ To enable BitLocker to store the recovery key and TPM information in Active Dire
 
 In Windows Server version from 2008 R2 and later, you have access to the BitLocker Drive Encryption Administration Utilities features, which will help you manage BitLocker. When you install the features, the BitLocker Active Directory Recovery Password Viewer is included, and it extends Active Directory Users and Computers with BitLocker Recovery information.
 
-![figure 2.](../images/mdt-09-fig02.png)
+![figure 2](../images/mdt-09-fig02.png)
 
 The BitLocker Recovery information on a computer object in the contoso.com domain.
 
@@ -71,7 +71,7 @@ The BitLocker Drive Encryption Administration Utilities are added as features vi
     3. BitLocker Recovery Password Viewer
 7. On the **Confirm installation selections** page, click **Install**, and then click **Close**.
 
-![figure 3.](../images/mdt-09-fig03.png)
+![figure 3](../images/mdt-09-fig03.png)
 
 Selecting the BitLocker Drive Encryption Administration Utilities.
 
@@ -104,7 +104,7 @@ In addition to the Group Policy created previously, you need to configure permis
     cscript C:\Setup\Scripts\Add-TPMSelfWriteACE.vbs
     ```
 
-![figure 4.](../images/mdt-09-fig04.png)
+![figure 4](../images/mdt-09-fig04.png)
 
 Running the Add-TPMSelfWriteACE.vbs script on DC01.
 
diff --git a/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md b/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md
index 4ec7b22c9d..e0c0bd23c1 100644
--- a/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md
+++ b/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md
@@ -46,7 +46,7 @@ On **PC0001**:
 8. In the **C:\\MDT** folder, create a subfolder named **X64**.
 9. From the **\\\\MDT01\\MDTProduction$\\Tools\\X64** folder, copy the Microsoft.BDD.Utility.dll file to **C:\\MDT\\X64**.
 
-   ![files.](../images/mdt-09-fig06.png)
+   ![files](../images/mdt-09-fig06.png)
 
    The C:\\MDT folder with the files added for the simulation environment.
 
@@ -62,7 +62,7 @@ On **PC0001**:
     **Note**  
     Warnings or errors with regard to the Wizard.hta are expected. If the log file looks okay, you are ready to try a real deployment.
  
-   ![ztigather.](../images/mdt-09-fig07.png)
+   ![ztigather](../images/mdt-09-fig07.png)
 
    The ZTIGather.log file from PC0001.
 
diff --git a/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md b/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
index 41cd6d8006..ad18311cbc 100644
--- a/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
+++ b/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
@@ -34,7 +34,7 @@ Three computers are used in this topic: DC01, MDT01, and PC0002.
 - MDT01 is a domain member server 
 - PC0002 is a domain member computer running Windows 7 SP1, targeted for the Windows 10 upgrade
 
- ![computers.](../images/mdt-upgrade.png)
+ ![computers](../images/mdt-upgrade.png)
 
  The computers used in this topic.
 
@@ -96,15 +96,15 @@ On **PC0002**:
 4. On the **Ready** tab, click **Begin** to start the task sequence.
    When the task sequence begins, it automatically initiates the in-place upgrade process by invoking the Windows setup program (Setup.exe) with the necessary command-line parameters to perform an automated upgrade, which preserves all data, settings, apps, and drivers.
 
-![upgrade1.](../images/upgrademdt-fig5-winupgrade.png)
+![upgrade1](../images/upgrademdt-fig5-winupgrade.png)
 
 <br>
 
-![upgrade2.](../images/mdt-upgrade-proc.png)
+![upgrade2](../images/mdt-upgrade-proc.png)
 
 <br>
 
-![upgrade3.](../images/mdt-post-upg.png)
+![upgrade3](../images/mdt-post-upg.png)
 
 After the task sequence completes, the computer will be fully upgraded to Windows 10.
 
diff --git a/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md b/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md
index 48516703b7..f948eab51d 100644
--- a/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md
@@ -47,13 +47,13 @@ This section assumes you have Orchestrator 2012 R2 installed on a server named O
    **Note**  
    Make sure File Explorer is configured to show known file extensions so the file is not named DeployLog.txt.txt.
      
-   ![figure 23.](../images/mdt-09-fig23.png)
+   ![figure 23](../images/mdt-09-fig23.png)
 
    Figure 23. The DeployLog.txt file.
 
 3. Using System Center 2012 R2 Orchestrator Runbook Designer, in the **Runbooks** node, create the **1.0 MDT** folder.
 
-   ![figure 24.](../images/mdt-09-fig24.png)
+   ![figure 24](../images/mdt-09-fig24.png)
 
    Figure 24. Folder created in the Runbooks node.
 
@@ -65,14 +65,14 @@ This section assumes you have Orchestrator 2012 R2 installed on a server named O
    2.  Text File Management / Append Line
 8. Connect **Initialize Data** to **Append Line**.
 
-   ![figure 25.](../images/mdt-09-fig25.png)
+   ![figure 25](../images/mdt-09-fig25.png)
 
    Figure 25. Activities added and connected.
 
 9. Right-click the **Initialize Data** activity, and select **Properties**
 10. On **the Initialize Data Properties** page, click **Add**, change **Parameter 1** to **OSDComputerName**, and then click **Finish**.
 
-    ![figure 26.](../images/mdt-09-fig26.png)
+    ![figure 26](../images/mdt-09-fig26.png)
 
     Figure 26. The Initialize Data Properties window.
 
@@ -81,13 +81,13 @@ This section assumes you have Orchestrator 2012 R2 installed on a server named O
 13. In the **File** encoding drop-down list, select **ASCII**.
 14. In the **Append** area, right-click inside the **Text** text box and select **Expand**.
 
-    ![figure 27.](../images/mdt-09-fig27.png)
+    ![figure 27](../images/mdt-09-fig27.png)
 
     Figure 27. Expanding the Text area.
 
 15. In the blank text box, right-click and select **Subscribe / Published Data**.
 
-    ![figure 28.](../images/mdt-09-fig28.png)
+    ![figure 28](../images/mdt-09-fig28.png)
 
     Figure 28. Subscribing to data.
 
@@ -95,7 +95,7 @@ This section assumes you have Orchestrator 2012 R2 installed on a server named O
 17. After the **{OSDComputerName from "Initialize Data"}** text, type in **has been deployed at** and, once again, right-click and select **Subscribe / Published Data**.
 18. In the **Published Data** window, select the **Show common Published Data** check box, select the **Activity end time** item, and click **OK**.
 
-    ![figure 29.](../images/mdt-09-fig29.png)
+    ![figure 29](../images/mdt-09-fig29.png)
 
     Figure 29. The expanded text box after all subscriptions have been added.
 
@@ -109,7 +109,7 @@ This section assumes you have Orchestrator 2012 R2 installed on a server named O
 23. Close the **Runbook Tester**.
 24. On the ribbon bar, click **Check In**.
 
-![figure 30.](../images/mdt-09-fig30.png)
+![figure 30](../images/mdt-09-fig30.png)
 
 Figure 30. All tests completed.
 
@@ -133,7 +133,7 @@ Figure 30. All tests completed.
     2.  Use Browse to select **1.0 MDT / MDT Sample**.
 8.  Click **OK**.
 
-![figure 31.](../images/mdt-09-fig31.png)
+![figure 31](../images/mdt-09-fig31.png)
 
 Figure 31. The ready-made task sequence.
 
@@ -157,7 +157,7 @@ Make sure the account you are using has permissions to run runbooks on the Orche
         3.  Domain: CONTOSO
 4.  Wait until the task sequence is completed and then verify that the DeployLog.txt file in the E:\\Logfile folder on OR01 was updated.
 
-![figure 32.](../images/mdt-09-fig32.png)
+![figure 32](../images/mdt-09-fig32.png)
 
 Figure 32. The ready-made task sequence.
 
diff --git a/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md b/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md
index 3c191c4712..aaad299ceb 100644
--- a/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md
+++ b/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md
@@ -43,7 +43,7 @@ The MDT database is by default created and managed from the Deployment Workbench
 3.  On the **Database** page, select **Create a new database**; in the **Database** field, type **MDT** and click **Next**.
 4.  On the **SQL Share** page, in the **SQL Share** field, type **Logs$** and click **Next**. Click **Next** again and then click **Finish**.
 
-![figure 8.](../images/mdt-09-fig08.png)
+![figure 8](../images/mdt-09-fig08.png)
 
 Figure 8. The MDT database added to MDT01.
 
@@ -54,7 +54,7 @@ After creating the database, you need to assign permissions to it. In MDT, the a
 2.  In the **Connect to Server** dialog box, in the **Server name** list, select **MDT01\\SQLEXPRESS** and click **Connect**.
 3.  In the **Object Explorer** pane, expand the top-level **Security** node, right-click **Logins**, and select **New Login**.
 
-    ![figure 9.](../images/mdt-09-fig09.png)
+    ![figure 9](../images/mdt-09-fig09.png)
 
     Figure 9. The top-level Security node.
 
@@ -64,7 +64,7 @@ After creating the database, you need to assign permissions to it. In MDT, the a
     3.  public (default)
 5.  Click **OK**, and close SQL Server Management Studio.
 
-![figure 10.](../images/mdt-09-fig10.png)
+![figure 10](../images/mdt-09-fig10.png)
 
 Figure 10. Creating the login and settings permissions to the MDT database.
 
@@ -77,7 +77,7 @@ To start using the database, you add a computer entry and assign a description a
     2.  MacAddress: &lt;PC00075 MAC Address in the 00:00:00:00:00:00 format&gt;
     3.  Details Tab / OSDComputerName: PC00075
 
-![figure 11.](../images/mdt-09-fig11.png)
+![figure 11](../images/mdt-09-fig11.png)
 
 Figure 11. Adding the PC00075 computer to the database.
 
diff --git a/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md b/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md
index 68336c929b..2d1cffeadc 100644
--- a/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md
@@ -33,7 +33,7 @@ In these steps we assume you have installed Microsoft Visual Studio Express 2013
     1.  Web.config
     2.  mdtsample.asmx
 
-![figure 15.](../images/mdt-09-fig15.png)
+![figure 15](../images/mdt-09-fig15.png)
 
 Figure 15. The sample project in Microsoft Visual Studio Express 2013 for Web.
 
@@ -49,7 +49,7 @@ This section assumes that you have enabled the Web Server (IIS) role on MDT01.
     4.  Select the **Start application pool immediately** check box.
     5.  Click **OK**.
 
-![figure 16.](../images/mdt-09-fig16.png)
+![figure 16](../images/mdt-09-fig16.png)
 
 Figure 16. The new MDTSample application.
 
@@ -60,7 +60,7 @@ Figure 16. The new MDTSample application.
     2.  Application pool: MDTSample
     3.  Physical Path: E:\\MDTSample
 
-    ![figure 17.](../images/mdt-09-fig17.png)
+    ![figure 17](../images/mdt-09-fig17.png)
 
     Figure 17. Adding the MDTSample web application.
 
@@ -68,7 +68,7 @@ Figure 16. The new MDTSample application.
     1.  Anonymous Authentication: Enabled
     2.  ASP.NET Impersonation: Disabled
 
-![figure 18.](../images/mdt-09-fig18.png)
+![figure 18](../images/mdt-09-fig18.png)
 
 Figure 18. Configuring Authentication for the MDTSample web service.
 
@@ -77,14 +77,14 @@ Figure 18. Configuring Authentication for the MDTSample web service.
 1.  On PC0001, using Internet Explorer, navigate to: **http://MDT01/MDTSample/mdtsample.asmx**.
 2.  Click the **GetComputerName** link.
 
-    ![figure 19.](../images/mdt-09-fig19.png)
+    ![figure 19](../images/mdt-09-fig19.png)
 
     Figure 19. The MDT Sample web service.
 3.  On the **GetComputerName** page, type in the following settings, and click **Invoke**:
     1.  Model: Hewlett-Packard
     2.  SerialNumber: 123456789
 
-![figure 20.](../images/mdt-09-fig20.png)
+![figure 20](../images/mdt-09-fig20.png)
 
 Figure 20. The result from the MDT Sample web service.
 
@@ -103,7 +103,7 @@ After verifying the web service using Internet Explorer, you are ready to do the
    Parameters=Model,SerialNumber
    OSDComputerName=string
    ```
-   ![figure 21.](../images/mdt-09-fig21.png)
+   ![figure 21](../images/mdt-09-fig21.png)
 
    Figure 21. The updated CustomSettings.ini file.
 
@@ -115,7 +115,7 @@ After verifying the web service using Internet Explorer, you are ready to do the
    ```
 4. Review the ZTIGather.log in the **C:\\MININT\\SMSOSD\\OSDLOGS** folder.
 
-![figure 22.](../images/mdt-09-fig22.png)
+![figure 22](../images/mdt-09-fig22.png)
 
 Figure 22. The OSDCOMPUTERNAME value obtained from the web service.
 
diff --git a/windows/deployment/index.yml b/windows/deployment/index.yml
index 1bb703d0bf..d938c4922b 100644
--- a/windows/deployment/index.yml
+++ b/windows/deployment/index.yml
@@ -67,7 +67,7 @@ landingContent:
           - text: What's new in Windows deployment
             url: deploy-whats-new.md
           - text: Windows 11 overview
-            url: /windows/whats-new/windows-11
+            url: /windows/whats-new/windows-11.md
           - text: Windows client deployment scenarios
             url: windows-10-deployment-scenarios.md
           - text: Basics of Windows updates, channels, and tools
diff --git a/windows/deployment/mbr-to-gpt.md b/windows/deployment/mbr-to-gpt.md
index 879fa0f7f0..496c96e73b 100644
--- a/windows/deployment/mbr-to-gpt.md
+++ b/windows/deployment/mbr-to-gpt.md
@@ -376,7 +376,7 @@ Number Friendly Name      Serial Number        HealthStatus OperationalStatus To
 
 You can also view the partition type of a disk by opening the Disk Management tool, right-clicking the disk number, clicking **Properties**, and then clicking the **Volumes** tab. See the following example:
 
-![Volumes.](images/mbr2gpt-volume.png)
+![Volumes](images/mbr2gpt-volume.png)
 
 
 If Windows PowerShell and Disk Management are not available, such as when you are using Windows PE, you can determine the partition type at a command prompt with the DiskPart tool. To determine the partition style from a command line, type **diskpart** and then type **list disk**. See the following example:
diff --git a/windows/deployment/planning/compatibility-administrator-users-guide.md b/windows/deployment/planning/compatibility-administrator-users-guide.md
index 9b6a2402c6..30dcd0de23 100644
--- a/windows/deployment/planning/compatibility-administrator-users-guide.md
+++ b/windows/deployment/planning/compatibility-administrator-users-guide.md
@@ -37,7 +37,7 @@ The Compatibility Administrator tool helps you resolve potential application-com
 
 The following flowchart shows the steps for using the Compatibility Administrator tool to create your compatibility fixes, compatibility modes, and AppHelp messages.
 
-![act compatibility admin flowchart.](images/dep-win8-l-act-compatadminflowchart.jpg)
+![act compatibility admin flowchart](images/dep-win8-l-act-compatadminflowchart.jpg)
 
 > [!IMPORTANT]
 > Application Compatibility Toolkit (ACT) installs a 32-bit and a 64-bit version of the Compatibility Administrator tool. You must use the 32-bit version to create and work with custom databases for 32-bit applications, and the 64-bit version to create and work with custom databases for 64-bit applications.
diff --git a/windows/deployment/planning/deployment-considerations-for-windows-to-go.md b/windows/deployment/planning/deployment-considerations-for-windows-to-go.md
index 51718fd6c5..704abaad66 100644
--- a/windows/deployment/planning/deployment-considerations-for-windows-to-go.md
+++ b/windows/deployment/planning/deployment-considerations-for-windows-to-go.md
@@ -46,11 +46,11 @@ The following sections discuss the boot experience, deployment methods, and tool
 
 The following diagrams illustrate the two different methods you could use to provide Windows To Go drives to your users. The experiences differ depending on whether the user will be booting the device initially on-premises or off-premises:
 
-![initial boot on-premises.](images/wtg-first-boot-work.gif)
+![initial boot on-premises](images/wtg-first-boot-work.gif)
 
 When a Windows To Go workspace is first used at the workplace, the Windows To Go workspace can be joined to the domain through the normal procedures that occur when a new computer is introduced. It obtains a lease, applicable policies are applied and set, and user account tokens are placed appropriately. BitLocker protection can be applied and the BitLocker recovery key automatically stored in Active Directory Domain Services. The user can access network resources to install software and get access to data sources. When the workspace is subsequently booted at a different location either on or off premises, the configuration required for it to connect back to the work network using either DirectAccess or a virtual private network connection can be configured. It is not necessary to configure the workspace for offline domain join. DirectAccess can make connecting to organizational resources easier, but is not required.
 
-![initial boot off-premises.](images/wtg-first-boot-home.gif)
+![initial boot off-premises](images/wtg-first-boot-home.gif)
 
 When the Windows To Go workspace is going to be used first on an off-premises computer, such as one at the employee's home, then the IT professional preparing the Windows To Go drives should configure the drive to be able to connect to organizational resources and to maintain the security of the workspace. In this situation, the Windows To Go workspace needs to be configured for offline domain join and BitLocker needs to be enabled before the workspace has been initialized.
 
@@ -63,7 +63,7 @@ DirectAccess can be used to ensure that the user can log in with their domain cr
 
 The Image Deployment process can be accomplished either by a centralized IT process for your organization or by individual users creating their own Windows To Go workspaces. You must have local Administrator access and access to a Windows 10 Enterprise or Windows 10 Education image to create a Windows To Go workspace, or you must be using System Center 2012 Configuration Manager Service Pack 1 or later to distribute Windows To Go workspaces to users. The image deployment process takes a blank USB drive and a Windows 10 Enterprise image (WIM) and turns it into a Windows To Go drive.
 
-![windows to go image deployment.](images/wtg-image-deployment.gif)
+![windows to go image deployment](images/wtg-image-deployment.gif)
 
 The simplest way to provision a Windows To Go drive is to use the Windows To Go Creator. After a single Windows To Go workspace has been created, it can be duplicated as many times as necessary using widely available USB duplicator products as long as the device has not been booted. After the Windows To Go drive is initialized, it should not be duplicated. Alternatively, Windows To Go Workspace Creator can be run multiple times to create multiple Windows To Go drives.
 
@@ -265,13 +265,13 @@ If you are going to be using a Windows 7 computer as a host-PC, see the wiki art
 
 Windows supports two types of PC firmware: Unified Extensible Firmware Interface (UEFI), which is the new standard, and legacy BIOS firmware, which was used in most PCs shipping with Windows 7 or earlier version of Windows. Each firmware type has completely different Windows boot components that are incompatible with each other. Beyond the different boot components, Windows supports different partition styles and layout requirements for each type of firmware as shown in the following diagrams.
 
-![bios layout.](images/wtg-mbr-bios.gif)![uefi layout](images/wtg-gpt-uefi.gif)
+![bios layout](images/wtg-mbr-bios.gif)![uefi layout](images/wtg-gpt-uefi.gif)
 
 This presented a unique challenge for Windows To Go because the firmware type is not easily determined by end users—a UEFI computer looks just like a legacy BIOS computer and Windows To Go must boot on both types of firmware.
 
 To enable booting Windows To Go on both types of firmware, a new disk layout is provided for Windows 8 or later that contains both sets of boot components on a FAT32 system partition and a new command-line option was added to bcdboot.exe to support this configuration. The **/f** option is used with the **bcdboot /s** command to specify the firmware type of the target system partition by appending either **UEFI**, **BIOS** or **ALL**. When creating Windows To Go drives manually you must use the **ALL** parameter to provide the Windows To Go drive the ability to boot on both types of firmware. For example, on volume H: (your Windows To Go USB drive letter), you would use the command **bcdboot C:\\windows /s H: /f ALL**. The following diagram illustrates the disk layout that results from that command:
 
-![firmware roaming disk layout.](images/wtg-mbr-firmware-roaming.gif)
+![firmware roaming disk layout](images/wtg-mbr-firmware-roaming.gif)
 
 This is the only supported disk configuration for Windows To Go. With this disk configuration, a single Windows To Go drive can be booted on computers with UEFI and legacy BIOS firmware.
 
@@ -283,7 +283,7 @@ Windows To Go Startup Options is a setting available on Windows 10-based PCs tha
 
 1. On the Start screen, type, type **Windows To Go Startup Options**, click **Settings** and, then press Enter.
 
-  ![windows to go startup options.](images/wtg-startup-options.gif)
+  ![windows to go startup options](images/wtg-startup-options.gif)
 
 2. Select **Yes** to enable the startup options.
 
diff --git a/windows/deployment/planning/understanding-and-using-compatibility-fixes.md b/windows/deployment/planning/understanding-and-using-compatibility-fixes.md
index 2c76f871a0..fe43dd8983 100644
--- a/windows/deployment/planning/understanding-and-using-compatibility-fixes.md
+++ b/windows/deployment/planning/understanding-and-using-compatibility-fixes.md
@@ -33,11 +33,11 @@ The Compatibility Fix infrastructure uses the linking ability of APIs to redirec
 
 The Windows Portable Executable File Format includes headers that contain the data directories that are used to provide a layer of indirection between the application and the linked file. API calls to the external binary files take place through the Import Address Table (IAT), which then directly calls the Windows operating system, as shown in the following figure.
 
-![act app calls operating system through iat.](images/dep-win8-l-act-appcallosthroughiat.jpg)
+![act app calls operating system through iat](images/dep-win8-l-act-appcallosthroughiat.jpg)
 
 Specifically, the process modifies the address of the affected Windows function in the IAT to point to the compatibility fix code, as shown in the following figure.
 
-![act app redirect with compatibility fix.](images/dep-win8-l-act-appredirectwithcompatfix.jpg)
+![act app redirect with compatibility fix](images/dep-win8-l-act-appredirectwithcompatfix.jpg)
 
 >[!NOTE]
 >For statically linked DLLs, the code redirection occurs as the application loads. You can also fix dynamically linked DLLs by hooking into the GetProcAddress API.
diff --git a/windows/deployment/planning/using-the-sua-tool.md b/windows/deployment/planning/using-the-sua-tool.md
index 38f884b93d..e1293703ac 100644
--- a/windows/deployment/planning/using-the-sua-tool.md
+++ b/windows/deployment/planning/using-the-sua-tool.md
@@ -42,7 +42,7 @@ Before you can use the SUA tool, you must install Application Verifier. You must
 
 The following flowchart shows the process of using the SUA tool.
 
-![act sua flowchart.](images/dep-win8-l-act-suaflowchart.jpg)
+![act sua flowchart](images/dep-win8-l-act-suaflowchart.jpg)
 
 **To collect UAC-related issues by using the SUA tool**
 
diff --git a/windows/deployment/planning/using-the-sua-wizard.md b/windows/deployment/planning/using-the-sua-wizard.md
index 4ee4675b0d..786d9d2fcf 100644
--- a/windows/deployment/planning/using-the-sua-wizard.md
+++ b/windows/deployment/planning/using-the-sua-wizard.md
@@ -38,7 +38,7 @@ You must install Application Verifier before you can use the SUA Wizard. If Appl
 
 The following flowchart shows the process of using the SUA Wizard.
 
-![act sua wizard flowchart.](images/dep-win8-l-act-suawizardflowchart.jpg)
+![act sua wizard flowchart](images/dep-win8-l-act-suawizardflowchart.jpg)
 
 **To test an application by using the SUA Wizard**
 
diff --git a/windows/deployment/planning/windows-10-infrastructure-requirements.md b/windows/deployment/planning/windows-10-infrastructure-requirements.md
index 005813b401..cbb4f663b4 100644
--- a/windows/deployment/planning/windows-10-infrastructure-requirements.md
+++ b/windows/deployment/planning/windows-10-infrastructure-requirements.md
@@ -68,7 +68,7 @@ Windows Server Update Services (WSUS) requires some additional configuration to
 2.  In the **Products** tree, select the **Windows 10** and **Windows 10 LTSB** products and any other Windows 10-related items that you want. Click **OK**.
 3.  From the **Synchronizations** node, right-click and choose **Synchronize Now**.
 
-![figure 1.](images/fig4-wsuslist.png)
+![figure 1](images/fig4-wsuslist.png)
 
 WSUS product list with Windows 10 choices
 
diff --git a/windows/deployment/s-mode.md b/windows/deployment/s-mode.md
index be1b44ecc6..9878ff1124 100644
--- a/windows/deployment/s-mode.md
+++ b/windows/deployment/s-mode.md
@@ -21,7 +21,7 @@ ms.custom: seo-marvel-apr2020
 
 S mode is an evolution of the S SKU introduced with Windows 10 April 2018 Update. It's a configuration that's available on all Windows Editions when enabled at the time of manufacturing. The edition of Windows can be upgrade at any time as shown below. However, the switch from S mode is a onetime switch and can only be undone by a wipe and reload of the OS.
 
-![Configuration and features of S mode.](images/smodeconfig.png)
+![Configuration and features of S mode](images/smodeconfig.png)
 
 ## S mode key features
 
@@ -37,7 +37,7 @@ Start-ups are quick, and S mode is built to keep them that way. With Microsoft E
 
 Save your files to your favorite cloud, like OneDrive or Dropbox, and access them from any device you choose. Browse the Microsoft Store for thousands of apps, and if you don’t find exactly what you want, you can easily [switch out of S mode](./windows-10-pro-in-s-mode.md) to Windows 10 Home, Pro, or Enterprise editions at any time and search the web for more choices, as shown below.
 
-![Switching out of S mode flow chart.](images/s-mode-flow-chart.png)
+![Switching out of S mode flow chart](images/s-mode-flow-chart.png)
 
 
 ## Deployment
diff --git a/windows/deployment/update/PSFxWhitepaper.md b/windows/deployment/update/PSFxWhitepaper.md
index 64f85cf6f1..4a6d9ab0f1 100644
--- a/windows/deployment/update/PSFxWhitepaper.md
+++ b/windows/deployment/update/PSFxWhitepaper.md
@@ -45,17 +45,17 @@ its reverse differential back to the base version. Both forward and reverse
 differentials are then packaged as an update and distributed to the endpoints
 running the software to be updated. The update package contents can be symbolized as follows:
 
-![Symbolic representation of update package contents. A box containing two expressions: delta sub zero transform to sub N, followed delta sub N transform to sub zero.](images/PSF1.png)
+![Symbolic representation of update package contents. A box containing two expressions: delta sub zero transform to sub N, followed delta sub N transform to sub zero](images/PSF1.png)
 
 The endpoints that have the base version of the file (V<sub>0</sub>) hydrate the target
 revision (V<sub>N</sub>) by applying a simple transformation:
 
-![Equation: V sub zero + delta sub zero transform to sub N = V sub n.](images/PSF2.png)
+![Equation: V sub zero + delta sub zero transform to sub N = V sub n](images/PSF2.png)
 
 The endpoints that have revision N of the file (V<sub>N</sub>), hydrate the target revision
 (V<sub>R</sub>) by applying the following set of transformations:
 
-![Equation 1: V sub n + delta sub n transform to 0 = V sun 0; Equation 2: V sub zero + delta sub 0 transform to R = V sub R.](images/PSF3.png)
+![Equation 1: V sub n + delta sub n transform to 0 = V sun 0; Equation 2: V sub zero + delta sub 0 transform to R = V sub R](images/PSF3.png)
 
 The endpoints retain the reverse differentials for the software revision they
 are on, so that it can be used for hydrating and applying next revision update.
@@ -85,7 +85,7 @@ Windows 10 quality update packages will contain forward differentials from quali
 
 There can be cases where new files are added to the system during servicing. These files will not have RTM baselines, thus forward and reverse differentials cannot be used. In these scenarios, null differentials will be used to handle servicing. Null differentials are the slightly compressed and optimized version of the full binaries. Update packages can have either forward or reverse differentials, or null differential of any given binary in them. The following image symbolizes the content of a Windows 10 quality update installer:
 
-![Outer box labeled .msu containing two sub-boxes: 1) Applicability Logic, 2) box labeled .cab containing four sub-boxes: 1) update metadata, 2) content manifests, 3) delta sub RTM transform to sub N (file 1, file2, etc.), and 4) delta sub N transform to RTM (file 1, file 2, etc.).](images/PSF4.png)
+![Outer box labeled .msu containing two sub-boxes: 1) Applicability Logic, 2) box labeled .cab containing four sub-boxes: 1) update metadata, 2) content manifests, 3) delta sub RTM transform to sub N (file 1, file2, etc.), and 4) delta sub N transform to RTM (file 1, file 2, etc.)](images/PSF4.png)
 
 ### Hydration and installation 
 
diff --git a/windows/deployment/update/WIP4Biz-intro.md b/windows/deployment/update/WIP4Biz-intro.md
index ae8c69d273..72ed75e2d8 100644
--- a/windows/deployment/update/WIP4Biz-intro.md
+++ b/windows/deployment/update/WIP4Biz-intro.md
@@ -37,7 +37,7 @@ Microsoft recommends that all organizations have at least a few devices enrolled
 
 The Windows Insider Program doesn't replace Semi-Annual Channel deployments in an organization. Rather, it provides IT Pros and other interested parties with pre-release Windows builds that they can test and ultimately provide feedback on to Microsoft.
 
-[![Illustration showing the Windows Insider PreviewFast Ring for exploration, the Slow Ring for validation, the Semi-Annual Channel Targeted ring for Pilot deployment, and the Semi-Annual Channel for broad deployment.](images/WIP4Biz_deployment.png)](images/WIP4Biz_deployment.png)<br>
+[![Illustration showing the Windows Insider PreviewFast Ring for exploration, the Slow Ring for validation, the Semi-Annual Channel Targeted ring for Pilot deployment, and the Semi-Annual Channel for broad deployment](images/WIP4Biz_deployment.png)](images/WIP4Biz_deployment.png)<br>
 Windows 10 Insider Preview builds enable organizations to prepare sooner for Windows Semi-Annual releases and reduce the overall validation effort required with traditional deployments. 
 
 ## Explore new Windows 10 features in Insider Previews
diff --git a/windows/deployment/update/check-release-health.md b/windows/deployment/update/check-release-health.md
index 753d519263..da5f9cb7a3 100644
--- a/windows/deployment/update/check-release-health.md
+++ b/windows/deployment/update/check-release-health.md
@@ -50,15 +50,15 @@ To be informed about the latest updates and releases, follow us on Twitter [@Win
 
    The **All versions** tab (the default view) shows all Windows products with access to their posted known issues.
 
-   ![View of current issues in release health.](images/WRH-menu.png)
+   ![View of current issues in release health](images/WRH-menu.png)
 
    A known issue is an issue that has been identified in a Windows monthly update or feature update that impacts Windows devices. The **Active and recently resolved** column provides a link to the **Known issues** tab filtered to the version selected. Selecting the **Known issues** tab will show known issues that are active or resolved within the last 30 days. 
    
-   ![View of known issues in release health.](images/WRH-known-issues-20H2.png)
+   ![View of known issues in release health](images/WRH-known-issues-20H2.png)
    
    The **History** tab shows the history of known issues that have been resolved for up to 6 months.
 
-   ![View of history issues in release health.](images/WRH-history-20H2.png)
+   ![View of history issues in release health](images/WRH-history-20H2.png)
 
    The known issue summary provides the following information:
 
@@ -70,7 +70,7 @@ To be informed about the latest updates and releases, follow us on Twitter [@Win
 
    Select the **Issue title** to access more information, including a link to the history of all status updates posted while we work on a solution. Here is an example:
 
-   ![A screenshot showing issue details.](images/WRH-known-issue-detail.png)
+   ![A screenshot showing issue details](images/WRH-known-issue-detail.png)
      
 ## Status definitions
 
@@ -91,11 +91,11 @@ In the **Windows release health** experience, every known issue is assigned as s
 
 The Windows release health page lets you view the history of all status updates posted for a specific known issue. To view all past updates posted for a given issue, select **View history** on the issue detail page.
   
-![Show link to view message history.](images/WRH-view-message-history-padded.png)
+![Show link to view message history](images/WRH-view-message-history-padded.png)
   
 A list of all status updates posted in the selected timeframe will be displayed, as shown below. You can expand any row to view the specific information provided in that status update.  
 
-![View message history.](images/WRH-message-history-example-padded.png)
+![View message history](images/WRH-message-history-example-padded.png)
   
 ## Frequently asked questions
 
diff --git a/windows/deployment/update/deployment-service-overview.md b/windows/deployment/update/deployment-service-overview.md
index 4eca196e15..b7bccbb684 100644
--- a/windows/deployment/update/deployment-service-overview.md
+++ b/windows/deployment/update/deployment-service-overview.md
@@ -33,7 +33,7 @@ The service is privacy focused and backed by leading industry compliance certifi
 
 The deployment service complements existing Windows Update for Business capabilities, including existing device policies and [Update Compliance](update-compliance-monitor.md).
 
-:::image type="content" source="media/wufbds-product-large.png" alt-text="Elements in following text.":::
+:::image type="content" source="media/wufbds-product-large.png" alt-text="Elements in following text":::
 
 Windows Update for Business comprises three elements:
 - Client policy to govern update experiences and timing – available through Group Policy and CSPs
@@ -42,7 +42,7 @@ Windows Update for Business comprises three elements:
 
 Unlike existing client policy, the deployment service does not interact with devices directly. The service is native to the cloud and all operations take place between various Microsoft services. It creates a direct communication channel between a management tool (including scripting tools such as Windows PowerShell) and the Windows Update service so that the approval and offering of content can be directly controlled by an IT Pro.
 
-:::image type="content" source="media/wufbds-interaction-small.png" alt-text="Process described in following text.":::
+:::image type="content" source="media/wufbds-interaction-small.png" alt-text="Process described in following text":::
 
 Using the deployment service typically follows a common pattern:
 1. IT Pro uses a management tool to select devices and approve content to be deployed. This tool could be PowerShell, a Microsoft Graph app or a more complete management solution such as Microsoft Endpoint Manager.
diff --git a/windows/deployment/update/get-started-updates-channels-tools.md b/windows/deployment/update/get-started-updates-channels-tools.md
index b034e4e658..a647e33fd6 100644
--- a/windows/deployment/update/get-started-updates-channels-tools.md
+++ b/windows/deployment/update/get-started-updates-channels-tools.md
@@ -72,12 +72,12 @@ The Semi-Annual Channel is the default servicing channel for all Windows 10 devi
 
 | Windows 10 edition | Semi-Annual Channel | Insider Program | Long-Term Servicing Channel |
 | --- | --- | --- | --- |
-| Home | ![yes.](images/checkmark.png)|![no](images/crossmark.png)    | ![no](images/crossmark.png)|
-| Pro | ![yes.](images/checkmark.png) | ![yes](images/checkmark.png) |  ![no](images/crossmark.png)|
-| Enterprise  | ![yes.](images/checkmark.png) |![yes](images/checkmark.png)  |  ![no](images/crossmark.png)|
-| Enterprise LTSB  | ![no.](images/crossmark.png) |![no](images/crossmark.png) |   ![yes](images/checkmark.png)|
-| Pro Education | ![yes.](images/checkmark.png) | ![yes](images/checkmark.png) |  ![no](images/crossmark.png)|
-| Education  | ![yes.](images/checkmark.png) | ![yes](images/checkmark.png) |  ![no](images/crossmark.png)|
+| Home | ![yes](images/checkmark.png)|![no](images/crossmark.png)    | ![no](images/crossmark.png)|
+| Pro | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) |  ![no](images/crossmark.png)|
+| Enterprise  | ![yes](images/checkmark.png) |![yes](images/checkmark.png)  |  ![no](images/crossmark.png)|
+| Enterprise LTSB  | ![no](images/crossmark.png) |![no](images/crossmark.png) |   ![yes](images/checkmark.png)|
+| Pro Education | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) |  ![no](images/crossmark.png)|
+| Education  | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) |  ![no](images/crossmark.png)|
 
 ## Servicing tools
 
diff --git a/windows/deployment/update/how-windows-update-works.md b/windows/deployment/update/how-windows-update-works.md
index a926abfb28..44bbae9ebf 100644
--- a/windows/deployment/update/how-windows-update-works.md
+++ b/windows/deployment/update/how-windows-update-works.md
@@ -49,7 +49,7 @@ The Windows Update workflow has four core areas of functionality:
 During the updating process, the Windows Update Orchestrator operates in the background to scan, download, and install updates. It does these actions automatically, according to your settings, and silently so that doesn't disrupt your computer usage. 
 
 ## Scanning updates 
-![Windows Update scanning step.](images/update-scan-step.png)
+![Windows Update scanning step](images/update-scan-step.png)
 
 The Windows Update Orchestrator on your PC checks the Microsoft Update server or your WSUS endpoint for new updates at random intervals. The randomization ensures that the Windows Update server isn't overloaded with requests all at the same time. The Update Orchestrator searches only for updates that have been added since the last time updates were searched, allowing it to find updates quickly and efficiently.  
 
@@ -86,14 +86,14 @@ When users start scanning in Windows Update through the Settings panel, the foll
    - Updates are identified by the different IDs ("ID = 10", "ID = 11") and from the different thread ID numbers. 
    - Windows Update uses the thread ID filtering to concentrate on one particular task. 
 
-      ![Windows Update scan log 1.](images/update-scan-log-1.png)
+      ![Windows Update scan log 1](images/update-scan-log-1.png)
 
 #### Identifies service IDs
 
 - Service IDs indicate which update source is being scanned. 
 
 - The Windows Update engine treats every service as a separate entity, even though multiple services may contain the same updates. 
-   ![Windows Update scan log 2.](images/update-scan-log-2.png)
+   ![Windows Update scan log 2](images/update-scan-log-2.png)
 - Common service IDs 
 
    > [!IMPORTANT]
@@ -120,10 +120,10 @@ Common update failure is caused due to network issues. To find the root of the i
    > If the search is against WSUS or Configuration Manager, you can ignore warning messages for the Service Locator Service. 
 
 - On sites that only use WSUS or Configuration Manager, the Service Locator Service might be blocked at the firewall. In this case the request will fail, and though the service can’t scan against Windows Update or Microsoft Update, it can still scan against WSUS or Configuration Manager, since it’s locally configured.
-   ![Windows Update scan log 3.](images/update-scan-log-3.png)
+   ![Windows Update scan log 3](images/update-scan-log-3.png)
    
 ## Downloading updates 
-![Windows Update download step.](images/update-download-step.png)
+![Windows Update download step](images/update-download-step.png)
 
 Once the Windows Update Orchestrator determines which updates apply to your computer, it will begin downloading the updates, if you have selected the option to automatically download updates. It does operation in the background without interrupting your normal use of the device.  
 
@@ -132,14 +132,14 @@ To ensure that your other downloads aren't affected or slowed down because updat
 For more information, see [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md). 
 
 ## Installing updates 
-![Windows Update install step.](images/update-install-step.png)
+![Windows Update install step](images/update-install-step.png)
 
 When an update is applicable, the "Arbiter" and metadata are downloaded. Depending on your Windows Update settings, when downloading is complete, the Arbiter will gather details from the device, and compare that with the downloaded metadata to create an "action list".  
 
 The action list describes all the files needed from Windows Update, and what the installation agent (such as CBS or Setup) should do with them. The action list is provided to the installation agent along with the payload to begin the installation. 
  
 ## Committing Updates 
-![Windows Update commit step.](images/update-commit-step.png)
+![Windows Update commit step](images/update-commit-step.png)
 
 When the option to automatically install updates is configured, the Windows Update Orchestrator, in most cases, automatically restarts the device for you after installing the updates. It has to restart the device because it might be insecure, or not fully updated, until it restarts. You can use Group Policy settings, mobile device management (MDM), or the registry (not recommended) to configure when devices will restart after a Windows 10 update is installed.  
 
diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md
index 3758d0c313..49943752c3 100644
--- a/windows/deployment/update/media-dynamic-update.md
+++ b/windows/deployment/update/media-dynamic-update.md
@@ -40,7 +40,7 @@ Devices must be able to connect to the internet to obtain Dynamic Updates. In so
 
 You can obtain Dynamic Update packages from the [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Home.aspx). At that site, use the search bar in the upper right to find the Dynamic Update packages for a particular release. For example, you could enter *1809 Dynamic Update x64*, which would return results like this:
 
-![Table with columns labeled Title, Products, Classification, Last Updated, Version, and Size and four rows listing various dynamic updates and associated KB articles.](images/update-catalog.png)
+![Table with columns labeled Title, Products, Classification, Last Updated, Version, and Size and four rows listing various dynamic updates and associated KB articles](images/update-catalog.png)
 
 The various Dynamic Update packages might not all be present in the results from a single search, so you might have to search with different keywords to find all of the updates. And you'll need to check various parts of the results to be sure you've identified the needed files. This table shows in **bold** the key items to search for or look for in the results. For example, to find the relevant "Setup Dynamic Update," you'll have to check the detailed description for the download by selecting the link in the **Title** column of the search results.
 
diff --git a/windows/deployment/update/olympia/olympia-enrollment-guidelines.md b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md
index 1c557d6128..e232d88043 100644
--- a/windows/deployment/update/olympia/olympia-enrollment-guidelines.md
+++ b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md
@@ -55,20 +55,20 @@ This is the Bring Your Own Device (BYOD) method--your device will receive Olympi
 
 1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your device (see [local administrator](https://support.microsoft.com/instantanswers/5de907f1-f8ba-4fd9-a89d-efd23fee918c/create-a-local-user-or-administrator-account-in-windows-10)).
 
-    ![Settings -> Accounts.](images/1-1.png)
+    ![Settings -> Accounts](images/1-1.png)
 
 2. If you are already connected to a domain, click the existing account and then click **Disconnect**. Click **Restart Later**.
 
 3. Click **Connect** and enter your **Olympia corporate account** (e.g., username@olympia.windows.com). Click **Next**.
 
-    ![Entering account information when setting up a work or school account.](images/1-3.png)
+    ![Entering account information when setting up a work or school account](images/1-3.png)
 
 4. Enter the temporary password that was sent to you. Click **Sign in**. Follow the instructions to set a new password.
 
     > [!NOTE]
     > Passwords should contain 8-16 characters, including at least one special character or number.
 
-    ![Update your password.](images/1-4.png)
+    ![Update your password](images/1-4.png)
 
 5. Read the **Terms and Conditions**. Click **Accept** to participate in the program.
 
@@ -94,24 +94,24 @@ This is the Bring Your Own Device (BYOD) method--your device will receive Olympi
 
 1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your device (see [local administrator](https://support.microsoft.com/instantanswers/5de907f1-f8ba-4fd9-a89d-efd23fee918c/create-a-local-user-or-administrator-account-in-windows-10)).
 
-    ![Settings -> Accounts.](images/1-1.png)
+    ![Settings -> Accounts](images/1-1.png)
 
 2. If you are already connected to a domain, click the existing account and then click **Disconnect**. Click **Restart Later**.
     
 3. Click **Connect**, then click **Join this device to Azure Active Directory**.
 
-    ![Joining device to Azure AD.]](images/2-3.png)
+    ![Joining device to Azure AD]](images/2-3.png)
 
 4. Enter your **Olympia corporate account** (e.g., username@olympia.windows.com). Click **Next**.
 
-    ![Set up a work or school account.](images/2-4.png)
+    ![Set up a work or school account](images/2-4.png)
 
 5. Enter the temporary password that was sent to you. Click **Sign in**. Follow the instructions to set a new password.
 
     > [!NOTE]
     > Passwords should contain 8-16 characters, including at least one special character or number.
 
-    ![Entering temporary password.](images/2-5.png)
+    ![Entering temporary password](images/2-5.png)
 
 6. When asked to make sure this is your organization, verify that the information is correct. If so, click **Join**.
 
diff --git a/windows/deployment/update/plan-define-strategy.md b/windows/deployment/update/plan-define-strategy.md
index c18d2b0576..bb67966504 100644
--- a/windows/deployment/update/plan-define-strategy.md
+++ b/windows/deployment/update/plan-define-strategy.md
@@ -26,7 +26,7 @@ You can use a calendar approach for either a faster twice-per-year cadence or an
 ### Annual
 Here's a calendar showing an example schedule that applies one Windows 10 feature update per calendar year, aligned with Microsoft Endpoint Manager and Microsoft 365 Apps release cycles:
 
-[ ![Calendar showing an annual update cadence.](images/annual-calendar.png) ](images/annual-calendar.png#lightbox)
+[ ![Calendar showing an annual update cadence](images/annual-calendar.png) ](images/annual-calendar.png#lightbox)
 
 This approach provides approximately 12 months of use from each feature update before the next update is due to be installed. By aligning to the Windows 10, version H2 feature update, each release will be serviced for 30 months from the time of availability, giving you more flexibility when applying future feature updates.
 
@@ -41,7 +41,7 @@ This cadence might be most suitable for you if any of these conditions apply:
 ### Rapid
 This calendar shows an example schedule that installs each feature update as it is released, twice per year:
 
-[ ![Update calendar showing a faster update cadence.](images/rapid-calendar.png) ](images/rapid-calendar.png#lightbox)
+[ ![Update calendar showing a faster update cadence](images/rapid-calendar.png) ](images/rapid-calendar.png#lightbox)
 
 This cadence might be best for you if these conditions apply:
 
diff --git a/windows/deployment/update/safeguard-holds.md b/windows/deployment/update/safeguard-holds.md
index 735acd6e97..ee1853ad2f 100644
--- a/windows/deployment/update/safeguard-holds.md
+++ b/windows/deployment/update/safeguard-holds.md
@@ -30,7 +30,7 @@ Queries identify Safeguard IDs for each affected device, giving IT admins a deta
 On devices that use Windows Update (but not Windows Update for Business), the **Windows Update** page in the Settings app displays a message stating that an update is on its way, but not ready for the device. Instead of the option to download and install the update, users will see this message:
 
 
-![Feature update message reading "The Windows 10 May 2020 Update is on its way. Once it's ready for your device, you'll see the update available on this page.](images/safeguard-hold-notification.png)
+![Feature update message reading "The Windows 10 May 2020 Update is on its way. Once it's ready for your device, you'll see the update available on this page](images/safeguard-hold-notification.png)
 
 If you see this message, it means one or more holds affect your device. When the issue is fixed and the update is safe to install, we’ll release the hold and the update can resume safely.
 
diff --git a/windows/deployment/update/update-compliance-delivery-optimization.md b/windows/deployment/update/update-compliance-delivery-optimization.md
index 1c544e9fbb..b56a569d4c 100644
--- a/windows/deployment/update/update-compliance-delivery-optimization.md
+++ b/windows/deployment/update/update-compliance-delivery-optimization.md
@@ -17,7 +17,7 @@ ms.custom: seo-marvel-apr2020
 ---
 
 # Delivery Optimization in Update Compliance
-![DO status.](images/UC_workspace_DO_status.png)
+![DO status](images/UC_workspace_DO_status.png)
 The Update Compliance solution provides you with information about your Delivery Optimization configuration, including the observed bandwidth savings across all devices that used peer-to-peer distribution over the past 28 days.
 
 ## Delivery Optimization Status
diff --git a/windows/deployment/update/update-compliance-feature-update-status.md b/windows/deployment/update/update-compliance-feature-update-status.md
index 4476c5c96d..12924ab50f 100644
--- a/windows/deployment/update/update-compliance-feature-update-status.md
+++ b/windows/deployment/update/update-compliance-feature-update-status.md
@@ -17,7 +17,7 @@ ms.custom: seo-marvel-apr2020
 
 # Feature Update Status
 
-[ ![The Feature Update Status report.](images/UC_workspace_FU_status.png) ](images/UC_workspace_FU_status.png#lightbox)
+[ ![The Feature Update Status report](images/UC_workspace_FU_status.png) ](images/UC_workspace_FU_status.png#lightbox)
 
 The Feature Update Status section provides information about the status of [feature updates](waas-quick-start.md#definitions) across all devices. This section tile in the [Overview Blade](update-compliance-using.md#overview-blade) gives a percentage of devices that are on the latest applicable feature update; [Servicing Channel](waas-overview.md#servicing-channels) is considered in determining applicability. Within this section are two blades; one providing a holistic view of feature updates, the other containing three **Deployment Status** tiles, each charged with tracking the deployment for a different [Servicing Channel](waas-overview.md#servicing-channels). 
 
diff --git a/windows/deployment/update/update-compliance-need-attention.md b/windows/deployment/update/update-compliance-need-attention.md
index 527be5a54e..514d07419f 100644
--- a/windows/deployment/update/update-compliance-need-attention.md
+++ b/windows/deployment/update/update-compliance-need-attention.md
@@ -14,7 +14,7 @@ ms.prod: w10
 ---
 
 # Needs attention!
-![Needs attention section.](images/UC_workspace_needs_attention.png)
+![Needs attention section](images/UC_workspace_needs_attention.png)
 
 The **Needs attention!** section provides a breakdown of all Windows 10 device and update issues detected by Update Compliance. The summary tile for this section counts the number of devices that have issues, while the blades within break down the issues encountered. Finally, a [list of queries](#list-of-queries) blade in this section contains queries that provide values but do not fit within any other main section. 
 
diff --git a/windows/deployment/update/update-compliance-security-update-status.md b/windows/deployment/update/update-compliance-security-update-status.md
index 27a37f5e71..085e47d153 100644
--- a/windows/deployment/update/update-compliance-security-update-status.md
+++ b/windows/deployment/update/update-compliance-security-update-status.md
@@ -15,7 +15,7 @@ ms.custom: seo-marvel-apr2020
 
 # Security Update Status
 
-![The Security Update Status report.](images/UC_workspace_SU_status.png)
+![The Security Update Status report](images/UC_workspace_SU_status.png)
 
 The Security Update Status section provides information about [security updates](waas-quick-start.md#definitions) across all devices. The section tile within the [Overview Blade](update-compliance-using.md#overview-blade) lists the percentage of devices on the latest security update available. Meanwhile, the blades within show the percentage of devices on the latest security update for each Windows 10 version and the deployment progress toward the latest two security updates.  
 
diff --git a/windows/deployment/update/update-compliance-using.md b/windows/deployment/update/update-compliance-using.md
index 26c96388b7..2c6c4c591f 100644
--- a/windows/deployment/update/update-compliance-using.md
+++ b/windows/deployment/update/update-compliance-using.md
@@ -30,23 +30,23 @@ Update Compliance:
 ## The Update Compliance tile
 After Update Compliance has successfully been [added to your Azure subscription](update-compliance-get-started.md#add-update-compliance-to-your-azure-subscription), you'll see this tile:
 
-![Update Compliance tile no data.](images/UC_tile_assessing.png)
+![Update Compliance tile no data](images/UC_tile_assessing.png)
 
 When the solution is added, data is not immediately available. Data will begin to be collected after data is sent up that belongs to the Commercial ID associated with the device. This process assumes that Windows diagnostic data is enabled and data sharing is enabled as described in [Enrolling devices in Update Compliance](update-compliance-get-started.md#enroll-devices-in-update-compliance). After Microsoft has collected and processed any device data associated with your Commercial ID, the tile will be replaced with the following summary:
 
-![Update Compliance tile with data.](images/UC_tile_filled.png)
+![Update Compliance tile with data](images/UC_tile_filled.png)
 
 The summary details the total number of devices that Microsoft has received data from with your Commercial ID. It also provides the number of devices that need attention if any. Finally, it details the last point at which your Update Compliance workspace was refreshed.
 
 ## The Update Compliance workspace
 
-![Update Compliance workspace view.](images/UC_workspace_needs_attention.png)
+![Update Compliance workspace view](images/UC_workspace_needs_attention.png)
 
 When you select this tile, you will be redirected to the Update Compliance workspace. The workspace is organized with the Overview blade providing a hub from which to navigate to different reports of your devices' data. 
 
 ### Overview blade
 
-![The Overview blade.](images/UC_workspace_overview_blade.png)
+![The Overview blade](images/UC_workspace_overview_blade.png)
 
 Update Compliance's overview blade summarizes all the data Update Compliance provides. It functions as a hub from which you can navigate to different sections. The total number of devices detected by Update Compliance is reported in the title of this blade. What follows is a distribution for all devices as to whether they are up to date on the following items:
 * Security updates: A device is up to date on quality updates whenever it has the latest applicable quality update installed. Quality updates are monthly cumulative updates that are specific to a version of Windows 10.
diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md
index d0c4ab43af..31c1ef07ab 100644
--- a/windows/deployment/update/waas-configure-wufb.md
+++ b/windows/deployment/update/waas-configure-wufb.md
@@ -56,7 +56,7 @@ With Windows Update for Business, you can set a device to be on either Windows I
 
 Starting with Windows 10, version 1703, users can configure the branch readiness level for their device by using **Settings > Update & security > Windows Update > Advanced options**.
 
-![Branch readiness level setting.](images/waas-wufb-settings-branch.jpg)
+![Branch readiness level setting](images/waas-wufb-settings-branch.jpg)
 
 >[!NOTE]
 >Users will not be able to change this setting if it was configured by policy.
diff --git a/windows/deployment/update/waas-delivery-optimization-setup.md b/windows/deployment/update/waas-delivery-optimization-setup.md
index ef3f3040cc..ecd8ad8097 100644
--- a/windows/deployment/update/waas-delivery-optimization-setup.md
+++ b/windows/deployment/update/waas-delivery-optimization-setup.md
@@ -211,6 +211,6 @@ Log entries are written to the PowerShell pipeline as objects. To dump logs to a
 
 Update Compliance provides you with information about your Delivery Optimization configuration, including the observed bandwidth savings across all devices that used peer-to-peer distribution over the past 28 days.
 
-[ ![DO status.](images/UC_workspace_DO_status.png) ](images/UC_workspace_DO_status.png#lightbox)
+[ ![DO status](images/UC_workspace_DO_status.png) ](images/UC_workspace_DO_status.png#lightbox)
 
 For details, see [Delivery Optimization in Update Compliance](update-compliance-delivery-optimization.md).
diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md
index ab8834382a..96b1bc810e 100644
--- a/windows/deployment/update/waas-delivery-optimization.md
+++ b/windows/deployment/update/waas-delivery-optimization.md
@@ -39,7 +39,7 @@ For information about setting up Delivery Optimization, including tips for the b
 
 - Enterprise network throttling: new settings have been added in Group Policy and mobile device management (MDM) to control foreground and background throttling as absolute values (Maximum Background Download Bandwidth in (in KB/s)). These settings are also available in the Windows user interface:
 
-  ![absolute bandwidth settings in delivery optimization interface.](images/DO-absolute-bandwidth.png)
+  ![absolute bandwidth settings in delivery optimization interface](images/DO-absolute-bandwidth.png)
 
 - Activity Monitor now identifies the cache server used for as the source for Microsoft Connected Cache. For more information about using Microsoft Connected Cache with Configuration Manager, see [Microsoft Connected Cache](/mem/configmgr/core/plan-design/hierarchy/microsoft-connected-cache).
 
diff --git a/windows/deployment/update/waas-deployment-rings-windows-10-updates.md b/windows/deployment/update/waas-deployment-rings-windows-10-updates.md
index 52a1ec6f2c..1e06d44fd8 100644
--- a/windows/deployment/update/waas-deployment-rings-windows-10-updates.md
+++ b/windows/deployment/update/waas-deployment-rings-windows-10-updates.md
@@ -51,12 +51,12 @@ As Table 1 shows, each combination of servicing channel and deployment group is
 
 |&nbsp; |&nbsp; |
 | --- | --- |
-| ![done.](images/checklistdone.png) | [Learn about updates and servicing channels](waas-overview.md) |
-| ![done.](images/checklistdone.png) | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) |
-| ![done.](images/checklistdone.png) | Build deployment rings for Windows 10 updates (this topic) |
-| ![to do.](images/checklistbox.gif) | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) |
-| ![to do.](images/checklistbox.gif) | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
-| ![to do.](images/checklistbox.gif) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)</br>or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)</br>or [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) |
+| ![done](images/checklistdone.png) | [Learn about updates and servicing channels](waas-overview.md) |
+| ![done](images/checklistdone.png) | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) |
+| ![done](images/checklistdone.png) | Build deployment rings for Windows 10 updates (this topic) |
+| ![to do](images/checklistbox.gif) | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) |
+| ![to do](images/checklistbox.gif) | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
+| ![to do](images/checklistbox.gif) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)</br>or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)</br>or [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) |
 
 ## Related topics
 
diff --git a/windows/deployment/update/waas-integrate-wufb.md b/windows/deployment/update/waas-integrate-wufb.md
index 6460401d70..965dd5871a 100644
--- a/windows/deployment/update/waas-integrate-wufb.md
+++ b/windows/deployment/update/waas-integrate-wufb.md
@@ -88,7 +88,7 @@ In this example, the deferral behavior for updates to Office and other non-Windo
 
 For Windows 10, version 1607, organizations already managing their systems with a Configuration Manager solution can also have their devices configured for Windows Update for Business (i.e. setting deferral policies on those devices). Such devices will be visible in the Configuration Manager console, however they will appear with a detection state of **Unknown**.
 
-![Example of unknown devices.](images/wufb-sccm.png)
+![Example of unknown devices](images/wufb-sccm.png)
 
 For more information, see [Integration with Windows Update for Business in Windows 10](/sccm/sum/deploy-use/integrate-windows-update-for-business-windows-10).
 
diff --git a/windows/deployment/update/waas-manage-updates-wsus.md b/windows/deployment/update/waas-manage-updates-wsus.md
index d6f97a6fae..1533a56a9b 100644
--- a/windows/deployment/update/waas-manage-updates-wsus.md
+++ b/windows/deployment/update/waas-manage-updates-wsus.md
@@ -62,7 +62,7 @@ When using WSUS to manage updates on Windows client devices, start by configurin
 
 3. Right-click **Your_Domain**, and then select **Create a GPO in this domain, and Link it here**.
 
-   ![Example of UI.](images/waas-wsus-fig3.png) 
+   ![Example of UI](images/waas-wsus-fig3.png) 
     
    >[!NOTE]
    >In this example, the **Configure Automatic Updates** and **Intranet Microsoft Update Service Location** Group Policy settings are specified for the entire domain. This is not a requirement; you can target these settings to any security group by using Security Filtering or a specific OU.
@@ -75,13 +75,13 @@ When using WSUS to manage updates on Windows client devices, start by configurin
 
 7. Right-click the **Configure Automatic Updates** setting, and then click **Edit**.
 
-   ![Example of UI.](images/waas-wsus-fig4.png)
+   ![Example of UI](images/waas-wsus-fig4.png)
     
 8. In the **Configure Automatic Updates** dialog box, select **Enable**.
 
 9. Under **Options**, from the **Configure automatic updating** list, select **3 - Auto download and notify for install**, and then click **OK**.
 
-   ![Example of UI.](images/waas-wsus-fig5.png)
+   ![Example of UI](images/waas-wsus-fig5.png)
    
    >[!IMPORTANT]
    > Use Regedit.exe to check that the following key is not enabled, because it can break Windows Store connectivity: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocations
@@ -98,7 +98,7 @@ When using WSUS to manage updates on Windows client devices, start by configurin
     >[!NOTE]
     >The URL `http://CONTOSO-WSUS1.contoso.com:8530` in the following image is just an example. In your environment, be sure to use the server name and port number for your WSUS instance.
     
-     ![Example of UI.](images/waas-wsus-fig6.png)
+     ![Example of UI](images/waas-wsus-fig6.png)
      
      >[!NOTE]
      >The default HTTP port for WSUS is 8530, and the default HTTP over Secure Sockets Layer (HTTPS) port is 8531. (The other options are 80 and 443; no other ports are supported.)
@@ -118,7 +118,7 @@ You can use computer groups to target a subset of devices that have specific qua
 
 2. Go to *Server_Name*\Computers\All Computers, and then click **Add Computer Group**. 
 
-    ![Example of UI.](images/waas-wsus-fig7.png)
+    ![Example of UI](images/waas-wsus-fig7.png)
     
 3. Type **Ring 2 Pilot Business Users** for the name, and then click **Add**.
 
@@ -146,7 +146,7 @@ When new computers communicate with WSUS, they appear in the **Unassigned Comput
 
 2. Select both computers, right-click the selection, and then click **Change Membership**.
 
-    ![Example of UI.](images/waas-wsus-fig8.png)
+    ![Example of UI](images/waas-wsus-fig8.png)
 
 3. In the **Set Computer Group Membership** dialog box, select the **Ring 2 Pilot Business Users** deployment ring, and then click **OK**.
 
@@ -164,7 +164,7 @@ Another way to add multiple computers to a deployment ring in the WSUS Administr
 
 3. In the search results, select the computers, right-click the selection, and then click **Change Membership**.
 
-    ![Example of UI.](images/waas-wsus-fig9.png)
+    ![Example of UI](images/waas-wsus-fig9.png)
     
 4. Select the **Ring 3 Broad IT** deployment ring, and then click **OK**.
 
@@ -181,7 +181,7 @@ The WSUS Administration Console provides a friendly interface from which you can
 
 1. Open the WSUS Administration Console, and go to *Server_Name*\Options, and then click **Computers**.
 
-     ![Example of UI.](images/waas-wsus-fig10.png)
+     ![Example of UI](images/waas-wsus-fig10.png)
      
 2. In the **Computers** dialog box, select **Use Group Policy or registry settings on computers**, and then click **OK**.
 
@@ -205,7 +205,7 @@ Now that WSUS is ready for client-side targeting, complete the following steps t
 
 5. Right-click the **WSUS – Client Targeting – Ring 4 Broad Business Users** GPO, and then click **Edit**.
 
-    ![Example of UI.](images/waas-wsus-fig11.png)
+    ![Example of UI](images/waas-wsus-fig11.png)
     
 6. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update.
 
@@ -215,7 +215,7 @@ Now that WSUS is ready for client-side targeting, complete the following steps t
 
 9. In the **Target group name for this computer** box, type *Ring 4 Broad Business Users*. This is the name of the deployment ring in WSUS to which these computers will be added.
 
-    ![Example of UI.](images/waas-wsus-fig12.png)
+    ![Example of UI](images/waas-wsus-fig12.png)
 
 > [!WARNING]
 > The target group name must match the computer group name.
@@ -232,7 +232,7 @@ Now you’re ready to deploy this GPO to the correct computer security group for
 
 3. Under **Security Filtering**, remove the default **AUTHENTICATED USERS** security group, and then add the **Ring 4 Broad Business Users** group.
 
-    ![Example of UI.](images/waas-wsus-fig13.png)
+    ![Example of UI](images/waas-wsus-fig13.png)
     
 The next time the clients in the **Ring 4 Broad Business Users** security group receive their computer policy and contact WSUS, they will be added to the **Ring 4 Broad Business Users** deployment ring. 
 
@@ -252,7 +252,7 @@ For clients that should have their feature updates approved as soon as they’re
 
 3. In the **Add Rule** dialog box, select the **When an update is in a specific classification**, **When an update is in a specific product**, and **Set a deadline for the approval** check boxes.
 
-     ![Example of UI.](images/waas-wsus-fig14.png)
+     ![Example of UI](images/waas-wsus-fig14.png)
      
 4. In the **Edit the properties** area, select **any classification**. Clear everything except **Upgrades**, and then click **OK**.
 
@@ -266,7 +266,7 @@ For clients that should have their feature updates approved as soon as they’re
 
 8. In the **Step 3: Specify a name** box, type **Windows 10 Upgrade Auto-approval for Ring 3 Broad IT**, and then click **OK**.
 
-    ![Example of UI.](images/waas-wsus-fig15.png)
+    ![Example of UI](images/waas-wsus-fig15.png)
     
 9. In the **Automatic Approvals** dialog box, click **OK**.
 
@@ -301,7 +301,7 @@ To simplify the manual approval process, start by creating a software update vie
     
 5. In the **Step 3: Specify a name** box, type **All Windows 10 Upgrades**, and then click **OK**.
 
-     ![Example of UI.](images/waas-wsus-fig16.png)
+     ![Example of UI](images/waas-wsus-fig16.png)
 
 Now that you have the **All Windows 10 Upgrades** view, complete the following steps to manually approve an update for the **Ring 4 Broad Business Users** deployment ring:
 
@@ -309,21 +309,21 @@ Now that you have the **All Windows 10 Upgrades** view, complete the following s
 
 2. Right-click the feature update you want to deploy, and then click **Approve**.
 
-      ![Example of UI.](images/waas-wsus-fig17.png)  
+      ![Example of UI](images/waas-wsus-fig17.png)  
       
 3. In the **Approve Updates** dialog box, from the **Ring 4 Broad Business Users** list, select **Approved for Install**.
 
-      ![Example of UI.](images/waas-wsus-fig18.png) 
+      ![Example of UI](images/waas-wsus-fig18.png) 
       
 4. In the **Approve Updates** dialog box, from the **Ring 4 Broad Business Users** list, click **Deadline**, click **One Week**, and then click **OK**. 
 
-      ![Example of UI.](images/waas-wsus-fig19.png) 
+      ![Example of UI](images/waas-wsus-fig19.png) 
       
 5. If the **Microsoft Software License Terms** dialog box opens, click **Accept**.
 
     If the deployment is successful, you should receive a successful progress report.
     
-    ![Example of UI.](images/waas-wsus-fig20.png) 
+    ![Example of UI](images/waas-wsus-fig20.png) 
 
 6. In the **Approval Progress** dialog box, click **Close**.
 
@@ -333,12 +333,12 @@ Now that you have the **All Windows 10 Upgrades** view, complete the following s
 
 |&nbsp; |&nbsp; |
 | --- | --- |
-| ![done.](images/checklistdone.png) | [Learn about updates and servicing channels](waas-overview.md) |
-| ![done.](images/checklistdone.png) | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) |
-| ![done.](images/checklistdone.png) | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
-| ![done.](images/checklistdone.png) | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) |
-| ![done.](images/checklistdone.png) | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
-| ![done.](images/checklistdone.png) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)</br>or Deploy Windows 10 updates using Windows Server Update Services (this topic)</br>or [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) |
+| ![done](images/checklistdone.png) | [Learn about updates and servicing channels](waas-overview.md) |
+| ![done](images/checklistdone.png) | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) |
+| ![done](images/checklistdone.png) | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
+| ![done](images/checklistdone.png) | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) |
+| ![done](images/checklistdone.png) | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
+| ![done](images/checklistdone.png) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)</br>or Deploy Windows 10 updates using Windows Server Update Services (this topic)</br>or [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) |
 
 
 
diff --git a/windows/deployment/update/waas-manage-updates-wufb.md b/windows/deployment/update/waas-manage-updates-wufb.md
index 850d6cec44..1b52ddaf69 100644
--- a/windows/deployment/update/waas-manage-updates-wufb.md
+++ b/windows/deployment/update/waas-manage-updates-wufb.md
@@ -204,7 +204,7 @@ For the best experience with Windows Update, follow these guidelines:
 
 Update Compliance provides a holistic view of operating system update compliance, update deployment progress, and failure troubleshooting for Windows 10 devices. This  service uses diagnostic data including installation progress, Windows Update configuration, and other information to provide such insights, at no extra cost and without extra infrastructure requirements. Whether used with Windows Update for Business or other management tools, you can be assured that your devices are properly updated.
 
-![Update Compliance Dashboard.](images/waas-wufb-update-compliance.png)
+![Update Compliance Dashboard](images/waas-wufb-update-compliance.png)
 
 For more information about Update Compliance, see [Monitor Windows Updates using Update Compliance](update-compliance-monitor.md).
 
@@ -213,9 +213,9 @@ For more information about Update Compliance, see [Monitor Windows Updates using
 
 | | |
 | --- | --- |
-| ![done.](images/checklistdone.png) | [Learn about updates and servicing channels](waas-overview.md) |
-| ![done.](images/checklistdone.png) | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) |
-| ![done.](images/checklistdone.png) | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
-| ![done.](images/checklistdone.png) | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) |
-| ![done.](images/checklistdone.png) | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
-| ![done.](images/checklistdone.png) | Deploy updates using Windows Update for Business (this topic) </br>or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)</br>or [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) |
\ No newline at end of file
+| ![done](images/checklistdone.png) | [Learn about updates and servicing channels](waas-overview.md) |
+| ![done](images/checklistdone.png) | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) |
+| ![done](images/checklistdone.png) | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
+| ![done](images/checklistdone.png) | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) |
+| ![done](images/checklistdone.png) | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
+| ![done](images/checklistdone.png) | Deploy updates using Windows Update for Business (this topic) </br>or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)</br>or [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) |
\ No newline at end of file
diff --git a/windows/deployment/update/waas-optimize-windows-10-updates.md b/windows/deployment/update/waas-optimize-windows-10-updates.md
index 672e2ff5a9..4a9c314c35 100644
--- a/windows/deployment/update/waas-optimize-windows-10-updates.md
+++ b/windows/deployment/update/waas-optimize-windows-10-updates.md
@@ -39,8 +39,8 @@ Two methods of peer-to-peer content distribution are available in Windows 10.
 
 | Method | Windows Update | Windows Update for Business | WSUS | Configuration Manager |
 | --- | --- | --- | --- | --- |
-| Delivery Optimization | ![yes.](images/checkmark.png) | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) |
-| BranchCache | ![no.](images/crossmark.png) | ![no](images/crossmark.png) |![yes](images/checkmark.png) | ![yes](images/checkmark.png) |
+| Delivery Optimization | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) |
+| BranchCache | ![no](images/crossmark.png) | ![no](images/crossmark.png) |![yes](images/checkmark.png) | ![yes](images/checkmark.png) |
 
 > [!NOTE]
 > Microsoft Endpoint Manager has an additional feature called Client Peer Cache that allows peer-to-peer content sharing between clients you use Microsoft Endpoint Manager to manage, in the same Configuration Manager boundary Group. For more information, see [Client Peer Cache](/configmgr/core/plan-design/hierarchy/client-peer-cache).
@@ -88,12 +88,12 @@ At this point, the download is complete and the update is ready to be installed.
 
 |&nbsp; |&nbsp; |
 | --- | --- |
-| ![done.](images/checklistdone.png) | [Learn about updates and servicing channels](waas-overview.md) |
-| ![done.](images/checklistdone.png) | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) |
-| ![done.](images/checklistdone.png) | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
-| ![done.](images/checklistdone.png) | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) |
-| ![done.](images/checklistdone.png) | Optimize update delivery for Windows 10 updates (this topic) |
-| ![to do.](images/checklistbox.gif) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)<br/>or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)<br/>or [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) |
+| ![done](images/checklistdone.png) | [Learn about updates and servicing channels](waas-overview.md) |
+| ![done](images/checklistdone.png) | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) |
+| ![done](images/checklistdone.png) | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
+| ![done](images/checklistdone.png) | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) |
+| ![done](images/checklistdone.png) | Optimize update delivery for Windows 10 updates (this topic) |
+| ![to do](images/checklistbox.gif) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)<br/>or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)<br/>or [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) |
 
 
 ## Related topics
diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md
index d24139a1e4..d34bb385f6 100644
--- a/windows/deployment/update/waas-overview.md
+++ b/windows/deployment/update/waas-overview.md
@@ -92,7 +92,7 @@ In Windows 10, rather than receiving several updates each month and trying to fi
 
 **Figure 1**
 
-![Comparison of patch environment in enterprise compared to test.](images/waas-overview-patch.png)
+![Comparison of patch environment in enterprise compared to test](images/waas-overview-patch.png)
 
 
 
@@ -184,12 +184,12 @@ With all these options, which an organization chooses depends on the resources,
 
 |&nbsp; |&nbsp; |
 | --- | --- |
-| ![done.](images/checklistdone.png) | Learn about updates and servicing channels (this topic) |
-| ![to do.](images/checklistbox.gif) | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) |
-| ![to do.](images/checklistbox.gif) | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
-| ![to do.](images/checklistbox.gif) | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) |
-| ![to do.](images/checklistbox.gif) | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
-| ![to do.](images/checklistbox.gif) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)</br>or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)</br>or [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) |
+| ![done](images/checklistdone.png) | Learn about updates and servicing channels (this topic) |
+| ![to do](images/checklistbox.gif) | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) |
+| ![to do](images/checklistbox.gif) | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
+| ![to do](images/checklistbox.gif) | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) |
+| ![to do](images/checklistbox.gif) | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
+| ![to do](images/checklistbox.gif) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)</br>or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)</br>or [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) |
 
 
 
diff --git a/windows/deployment/update/waas-restart.md b/windows/deployment/update/waas-restart.md
index 5f04e54883..62a5078e43 100644
--- a/windows/deployment/update/waas-restart.md
+++ b/windows/deployment/update/waas-restart.md
@@ -69,7 +69,7 @@ Administrators can use multiple ways to set active hours for managed devices:
 
 To configure active hours using Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and open the **Turn off auto-restart for updates during active hours** policy setting. When the policy is enabled, you can set the start and end times for active hours.
 
-![Use Group Policy to configure active hours.](images/waas-active-hours-policy.png)
+![Use Group Policy to configure active hours](images/waas-active-hours-policy.png)
 
 ### Configuring active hours with MDM
 
@@ -89,7 +89,7 @@ For a detailed description of these registry keys, see [Registry keys used to ma
 >[!NOTE]
 >To configure active hours manually on a single device, go to **Settings** > **Update & security** > **Windows Update** and select **Change active hours**.
 >
->![Change active hours.](images/waas-active-hours.png)
+>![Change active hours](images/waas-active-hours.png)
 
 ### Configuring active hours max range
 
@@ -155,14 +155,13 @@ In the Group Policy editor, you will see a number of policy settings that pertai
 
 | Policy | Applies to Windows 10 | Notes |
 | --- | --- | --- |
-| Turn off auto-restart for updates during active hours | ![yes.](images/checkmark.png) | Use this policy to configure active hours, during which the device will not be restarted. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** or **Always automatically restart at the scheduled time** policies are enabled.  |
-| Always automatically restart at the scheduled time | ![yes.](images/checkmark.png) | Use this policy to configure a restart timer (between 15 and 180 minutes) that will start immediately after Windows Update installs important updates. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** policy is enabled. |
-| Specify deadline before auto-restart for update installation | ![yes.](images/checkmark.png)  | Use this policy to specify how many days (between 2 and 14) an automatic restart can be delayed. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** or **Always automatically restart at the scheduled time** policies are enabled.  |
-| No auto-restart with logged on users for scheduled automatic updates installations | ![yes.](images/checkmark.png) | Use this policy to prevent automatic restart when a user is logged on. This policy applies only when the **Configure Automatic Updates** policy is configured to perform scheduled installations of updates. <br>There is no equivalent MDM policy setting for Windows 10 Mobile. |
-| Re-prompt for restart with scheduled installations | ![no.](images/crossmark.png) |   |
-| Delay Restart for scheduled installations | ![no.](images/crossmark.png) |   |
-| Reschedule Automatic Updates scheduled installations | ![no.](images/crossmark.png) |   |
-
+| Turn off auto-restart for updates during active hours | ![yes](images/checkmark.png) | Use this policy to configure active hours, during which the device will not be restarted. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** or **Always automatically restart at the scheduled time** policies are enabled.  |
+| Always automatically restart at the scheduled time | ![yes](images/checkmark.png) | Use this policy to configure a restart timer (between 15 and 180 minutes) that will start immediately after Windows Update installs important updates. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** policy is enabled. |
+| Specify deadline before auto-restart for update installation | ![yes](images/checkmark.png)  | Use this policy to specify how many days (between 2 and 14) an automatic restart can be delayed. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** or **Always automatically restart at the scheduled time** policies are enabled.  |
+| No auto-restart with logged on users for scheduled automatic updates installations | ![yes](images/checkmark.png) | Use this policy to prevent automatic restart when a user is logged on. This policy applies only when the **Configure Automatic Updates** policy is configured to perform scheduled installations of updates. |
+| Re-prompt for restart with scheduled installations | ![no](images/crossmark.png) |   |
+| Delay Restart for scheduled installations | ![no](images/crossmark.png) |   |
+| Reschedule Automatic Updates scheduled installations | ![no](images/crossmark.png) |   |
 
 >[!NOTE]
 >You can only choose one path for restart behavior.
diff --git a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md
index 689b5381a6..51430aba0c 100644
--- a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md
+++ b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md
@@ -32,12 +32,12 @@ The Semi-Annual Channel is the default servicing channel for all Windows 10 devi
 
 | Windows 10 edition | Semi-Annual Channel | Long-Term Servicing Channel | Insider Program |
 | --- | --- | --- | --- |
-| Home | ![no.](images/crossmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) |
-| Pro | ![yes.](images/checkmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) |
-| Enterprise  | ![yes.](images/checkmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) |
-| Enterprise LTSB  | ![no.](images/crossmark.png) | ![yes](images/checkmark.png) | ![no](images/crossmark.png) |
-| Pro Education | ![yes.](images/checkmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) |
-| Education  | ![yes.](images/checkmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) |
+| Home | ![no](images/crossmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) |
+| Pro | ![yes](images/checkmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) |
+| Enterprise  | ![yes](images/checkmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) |
+| Enterprise LTSB  | ![no](images/crossmark.png) | ![yes](images/checkmark.png) | ![no](images/crossmark.png) |
+| Pro Education | ![yes](images/checkmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) |
+| Education  | ![yes](images/checkmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) |
 
 
 >[!NOTE]
@@ -164,12 +164,12 @@ Administrators can disable the "Check for updates" option for users by enabling
 
 |&nbsp; |&nbsp; |
 | --- | --- |
-| ![done.](images/checklistdone.png) | [Learn about updates and servicing channels](waas-overview.md) |
-| ![done.](images/checklistdone.png) | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) |
-| ![done.](images/checklistdone.png) | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
-| ![done.](images/checklistdone.png) | Assign devices to servicing channels for Windows 10 updates (this topic) |
-| ![to do.](images/checklistbox.gif) | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
-| ![to do.](images/checklistbox.gif) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)</br>or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)</br>or [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) |
+| ![done](images/checklistdone.png) | [Learn about updates and servicing channels](waas-overview.md) |
+| ![done](images/checklistdone.png) | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) |
+| ![done](images/checklistdone.png) | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
+| ![done](images/checklistdone.png) | Assign devices to servicing channels for Windows 10 updates (this topic) |
+| ![to do](images/checklistbox.gif) | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
+| ![to do](images/checklistbox.gif) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)</br>or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)</br>or [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) |
 
 ## Related topics
 
diff --git a/windows/deployment/update/waas-servicing-differences.md b/windows/deployment/update/waas-servicing-differences.md
index c240d7d1c1..8ed552de4e 100644
--- a/windows/deployment/update/waas-servicing-differences.md
+++ b/windows/deployment/update/waas-servicing-differences.md
@@ -42,7 +42,7 @@ This helps simplify servicing. Devices with the original Release to Market (RTM)
 Windows publishes the new LCU packages for each Windows 10 version (1607, 1709, etc.) on the second Tuesday of each month. This package is classified as a required security update and contains contents from the previous LCU as well as new security, non-security, and Internet Explorer 11 (IE11) fixes. A reboot of the device might be required to complete installation of the update.
 
 
-![High level cumulative update model.](images/servicing-cadence.png)
+![High level cumulative update model](images/servicing-cadence.png)
 *Figure 1.0 - High level cumulative update model*
 
 Another benefit of the LCU model is fewer steps. Devices that have the original Release to Market (RTM) version of a release can install the most recent LCU to get up to date in one step, rather than having to install multiple updates with reboots after each.
@@ -67,7 +67,7 @@ Customers saw the LCU model used for Windows 10 as having packages that were too
 
 The Monthly Rollup includes new non-security (if appropriate), security updates, Internet Explorer (IE) updates, and all updates from the previous month similar to the Windows 10 model. The Security-only package includes only new security updates for the month. This means that any security updates from any previous month are not included in current month's Security-Only Package. If a Security-Only update is missed, it is missed. Those updates will not appear in a future Security-Only update. Additionally, a cumulative package is offered for IE, which can be tested and installed separately, reducing the total update package size. The IE cumulative update includes both security and non-security fixes following the same model as Windows 10.
 
-![Legacy OS security-only update model.](images/security-only-update.png)
+![Legacy OS security-only update model](images/security-only-update.png)
 *Figure 2.0 - Legacy OS security-only update model*
 
 Moving to the cumulative model for legacy OS versions continues to improve predictability of update quality. The Windows legacy environments which have fully updated machines with Monthly Rollups are running the same baseline against which all legacy OS version updates are tested. These include all of the updates (security and non-security) prior to and after October 2016. Many customer environments do not have all updates prior to this change installed, which leaves some continued fragmentation in the ecosystem. Further, customers who are installing Security-Only Updates and potentially doing so inconsistently are also more fragmented than Microsoft's test environments for legacy OS version. This remaining fragmentation results in issues like those seen when the September 2016 Servicing Stack Update (SSU) was needed for smooth installation of the August 2018 security update. These environments did not have the SSU applied previously.
@@ -99,7 +99,7 @@ Windows 10 version 1709:
 - (10B) October 9, 2018 Update Tuesday / B release includes all fixes included in 9B, all fixes in 9C and introduces new security fixes and IE updates. This update is qualified as "Required, Security" and requires a system reboot.
 All of these updates are cumulative and build on each other for Windows 10. This is in contrast to legacy OS versions, where the 9C release becomes part of the "Monthly Rollup," but not the "Security Only" update. In other words, a Window 7 SP1 9C update is part of the cumulative "Monthly Rollup" but not included in the "Security Only" update because the fixes are qualified as "non-security". This is an important variation to note on the two models. 
 
-![Preview releases in the Windows 10 LCU model.](images/servicing-previews.png)
+![Preview releases in the Windows 10 LCU model](images/servicing-previews.png)
 *Figure 3.0 - Preview releases within the Windows 10 LCU model*
 
 ## Previews vs. on-demand releases
diff --git a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md
index e22c1fd433..a9e7039ffb 100644
--- a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md
+++ b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md
@@ -25,7 +25,7 @@ ms.collection: m365initiative-coredeploy
 In the past, traditional Windows deployments tended to be large, lengthy, and expensive. Windows 10 offers a new approach to deploying both quality and feature updates, making the process much simpler and therefore the planning much more straightforward. With Windows as a service, the methodology around updating Windows has changed, moving away from major upgrades every few years to iterative updates twice per year. Each iteration contains a smaller subset of changes so that they won’t seem like substantial differences, like they do today. This image illustrates the level of effort needed for traditional Windows deployments versus servicing Windows 10 and how it is now spread evenly over time versus spiking every few years.
 
 
-![Compare traditional servicing to Windows 10.](images/waas-strategy-fig1a.png)
+![Compare traditional servicing to Windows 10](images/waas-strategy-fig1a.png)
 
 Windows 10 spreads the traditional deployment effort of a Windows upgrade, which typically occurred every few years, over smaller, continuous updates. With this change, you must approach the ongoing deployment and servicing of Windows differently. A strong Windows 10 deployment strategy begins with establishing a simple, repeatable process for testing and deploying each feature update. Here’s an example of what this process might look like:
 
@@ -52,12 +52,12 @@ Each time Microsoft releases a Windows 10 feature update, the IT department shou
 
 |&nbsp; |&nbsp; |
 | --- | --- |
-| ![done.](images/checklistdone.png) | [Learn about updates and servicing channels](waas-overview.md) |
-| ![done.](images/checklistdone.png) | Prepare servicing strategy for Windows 10 updates (this topic) |
-| ![to do.](images/checklistbox.gif) | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
-| ![to do.](images/checklistbox.gif) | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) |
-| ![to do.](images/checklistbox.gif) | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
-| ![to do.](images/checklistbox.gif) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)</br>or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)</br>or [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) |
+| ![done](images/checklistdone.png) | [Learn about updates and servicing channels](waas-overview.md) |
+| ![done](images/checklistdone.png) | Prepare servicing strategy for Windows 10 updates (this topic) |
+| ![to do](images/checklistbox.gif) | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
+| ![to do](images/checklistbox.gif) | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) |
+| ![to do](images/checklistbox.gif) | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
+| ![to do](images/checklistbox.gif) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)</br>or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)</br>or [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) |
 
 
 ## Related topics
diff --git a/windows/deployment/update/waas-wufb-csp-mdm.md b/windows/deployment/update/waas-wufb-csp-mdm.md
index bdc0a8d662..ac652f7cbf 100644
--- a/windows/deployment/update/waas-wufb-csp-mdm.md
+++ b/windows/deployment/update/waas-wufb-csp-mdm.md
@@ -72,19 +72,19 @@ A Windows Update for Business administrator can defer or pause updates. You can
 
 In this example, there are three rings for quality updates. The first ring ("pilot") has a deferral period of 0 days. The second ring ("fast") has a deferral of five days. The third ring ("slow") has a deferral of ten days.
 
-![illustration of devices divided into three rings.](images/waas-wufb-3-rings.png)
+![illustration of devices divided into three rings](images/waas-wufb-3-rings.png)
 
 When the quality update is released, it is offered to devices in the pilot ring the next time they scan for updates.
 
 ##### Five days later
 The devices in the fast ring are offered the quality update the next time they scan for updates.
 
-![illustration of devices with fast ring deployed.](images/waas-wufb-fast-ring.png)
+![illustration of devices with fast ring deployed](images/waas-wufb-fast-ring.png)
 
 ##### Ten days later
 Ten days after the quality update is released, it is offered to the devices in the slow ring the next time they scan for updates.
 
-![illustration of devices with slow ring deployed.](images/waas-wufb-slow-ring.png)
+![illustration of devices with slow ring deployed](images/waas-wufb-slow-ring.png)
 
 If no problems occur, all of the devices that scan for updates will be offered the quality update within ten days of its release, in three waves.
 
@@ -92,11 +92,11 @@ If no problems occur, all of the devices that scan for updates will be offered t
 
 In this example, some problem is discovered during the deployment of the update to the "pilot" ring.
 
-![illustration of devices divided with pilot ring experiencing a problem.](images/waas-wufb-pilot-problem.png)
+![illustration of devices divided with pilot ring experiencing a problem](images/waas-wufb-pilot-problem.png)
 
 At this point, the IT administrator can set a policy to pause the update. In this example, the admin selects the **Pause quality updates** check box.
 
-![illustration of rings with pause quality update check box selected.](images/waas-wufb-pause.png)
+![illustration of rings with pause quality update check box selected](images/waas-wufb-pause.png)
 
 Now all devices are paused from updating for 35 days. When the pause is removed, they will be offered the *next* quality update, which ideally will not have the same issue. If there is still an issue, the IT admin can pause updates again.
 
@@ -153,21 +153,21 @@ When **Specify deadlines for automatic updates and restarts** is set (For Window
 
    - After this period, the user receives this dialog:
 
-     ![The notification users get for an impending restart prior to deadline.](images/wufb-update-deadline-warning.png)
+     ![The notification users get for an impending restart prior to deadline](images/wufb-update-deadline-warning.png)
 
    - If the user scheduled a restart, or if an auto restart is scheduled, 15 minutes before the scheduled time the user is receives this notification that the restart is about to occur:
 
-     ![The notification users get for an impending restart 15 minutes prior to restart.](images/wufb-restart-imminent-warning.png)
+     ![The notification users get for an impending restart 15 minutes prior to restart](images/wufb-restart-imminent-warning.png)
 
  - **If the restart is still pending after the deadline passes:**
  
    - Within 12 hours before the deadline passes, the user receives this notification that the deadline is approaching:
 
-     ![The notification users get for an approaching restart deadline.](images/wufb-pastdeadline-restart-warning.png)
+     ![The notification users get for an approaching restart deadline](images/wufb-pastdeadline-restart-warning.png)
 
    - Once the deadline has passed, the user is forced to restart to keep their devices in compliance and receives this notification:
 
-     ![The notification users get for an imminent restart after the deadline.](images/wufb-pastdeadline-restartnow.png)
+     ![The notification users get for an imminent restart after the deadline](images/wufb-pastdeadline-restartnow.png)
 
 #### I want to manage the notifications a user sees
 
diff --git a/windows/deployment/update/waas-wufb-group-policy.md b/windows/deployment/update/waas-wufb-group-policy.md
index 3b2091e5fa..48776410ef 100644
--- a/windows/deployment/update/waas-wufb-group-policy.md
+++ b/windows/deployment/update/waas-wufb-group-policy.md
@@ -83,19 +83,19 @@ A Windows Update for Business administrator can defer or pause updates. You can
 
 In this example, there are three rings for quality updates. The first ring ("pilot") has a deferral period of 0 days. The second ring ("fast") has a deferral of five days. The third ring ("slow") has a deferral of ten days.
 
-![illustration of devices divided into three rings.](images/waas-wufb-3-rings.png)
+![illustration of devices divided into three rings](images/waas-wufb-3-rings.png)
 
 When the quality update is released, it is offered to devices in the pilot ring the next time they scan for updates.
 
 ##### Five days later
 The devices in the fast ring are offered the quality update the next time they scan for updates.
 
-![illustration of devices with fast ring deployed.](images/waas-wufb-fast-ring.png)
+![illustration of devices with fast ring deployed](images/waas-wufb-fast-ring.png)
 
 ##### Ten days later
 Ten days after the quality update is released, it is offered to the devices in the slow ring the next time they scan for updates.
 
-![illustration of devices with slow ring deployed.](images/waas-wufb-slow-ring.png)
+![illustration of devices with slow ring deployed](images/waas-wufb-slow-ring.png)
 
 If no problems occur, all of the devices that scan for updates will be offered the quality update within ten days of its release, in three waves.
 
@@ -103,11 +103,11 @@ If no problems occur, all of the devices that scan for updates will be offered t
 
 In this example, some problem is discovered during the deployment of the update to the "pilot" ring.
 
-![illustration of devices divided with pilot ring experiencing a problem.](images/waas-wufb-pilot-problem.png)
+![illustration of devices divided with pilot ring experiencing a problem](images/waas-wufb-pilot-problem.png)
 
 At this point, the IT administrator can set a policy to pause the update. In this example, the admin selects the **Pause quality updates** check box.
 
-![illustration of rings with pause quality update check box selected.](images/waas-wufb-pause.png)
+![illustration of rings with pause quality update check box selected](images/waas-wufb-pause.png)
 
 Now all devices are paused from updating for 35 days. When the pause is removed, they will be offered the *next* quality update, which ideally will not have the same issue. If there is still an issue, the IT admin can pause updates again.
 
@@ -150,21 +150,21 @@ When **Specify deadlines for automatic updates and restarts** is set (For Window
 
    - After this period, the user receives this dialog:
 
-     ![The notification users get for an impending restart prior to deadline.](images/wufb-update-deadline-warning.png)
+     ![The notification users get for an impending restart prior to deadline](images/wufb-update-deadline-warning.png)
 
    - If the user scheduled a restart, or if an auto restart is scheduled, 15 minutes before the scheduled time the user is receives this notification that the restart is about to occur:
 
-     ![The notification users get for an impending restart 15 minutes prior to restart.](images/wufb-restart-imminent-warning.png)
+     ![The notification users get for an impending restart 15 minutes prior to restart](images/wufb-restart-imminent-warning.png)
 
  - **If the restart is still pending after the deadline passes:**
  
    - Within 12 hours before the deadline passes, the user receives this notification that the deadline is approaching:
 
-     ![The notification users get for an approaching restart deadline.](images/wufb-pastdeadline-restart-warning.png)
+     ![The notification users get for an approaching restart deadline](images/wufb-pastdeadline-restart-warning.png)
 
    - Once the deadline has passed, the user is forced to restart to keep their devices in compliance and receives this notification:
 
-     ![The notification users get for an imminent restart after the deadline.](images/wufb-pastdeadline-restartnow.png)
+     ![The notification users get for an imminent restart after the deadline](images/wufb-pastdeadline-restartnow.png)
 
 #### I want to manage the notifications a user sees
 
diff --git a/windows/deployment/update/waas-wufb-intune.md b/windows/deployment/update/waas-wufb-intune.md
index 8922733a56..804efbe96e 100644
--- a/windows/deployment/update/waas-wufb-intune.md
+++ b/windows/deployment/update/waas-wufb-intune.md
@@ -54,7 +54,7 @@ In this example, you use two security groups to manage your updates: **Ring 4 Br
 
 2. Click the **Policy** workspace. In the middle pane, click **Configuration Policies**, and then click **Add** in the details pane.
 
-    ![Shows the UI for this step.](images/waas-wufb-intune-step2a.png)
+    ![Shows the UI for this step](images/waas-wufb-intune-step2a.png)
     
 3. In the Create a New Policy Wizard, select **Windows\Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**.
 
@@ -69,7 +69,7 @@ In this example, you use two security groups to manage your updates: **Ring 4 Br
     >[!NOTE]
     >The OMA-URI settings are case sensitive, so be sure to review [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider) for the proper syntax.
 
-    ![Settings for the RequireDeferUpgrade policy.](images/waas-wufb-intune-step7a.png)
+    ![Settings for the RequireDeferUpgrade policy](images/waas-wufb-intune-step7a.png)
     
 8. For this deployment ring, you're required to enable only CBB, so click **Save Policy**.
 
@@ -119,7 +119,7 @@ You have now configured the **Ring 4 Broad business users** deployment ring to e
 
     Three settings should appear in the **Windows Update for Business – CBB2** policy.
     
-    ![Settings for CBB2 policy.](images/waas-wufb-intune-step19a.png)
+    ![Settings for CBB2 policy](images/waas-wufb-intune-step19a.png)
     
 20. Click **Save Policy**, and then click **Yes** at the **Deploy Policy** prompt.
 
@@ -141,7 +141,7 @@ In this example, you use three security groups from Table 1 in [Build deployment
 
 2. Click the **Policy** workspace. In the middle pane, click **Configuration Policies**, and then click **Add** in the details pane.
 
-    ![Shows the UI for this step.](images/waas-wufb-intune-step2a.png)
+    ![Shows the UI for this step](images/waas-wufb-intune-step2a.png)
     
 3. In the Create a New Policy Wizard, select **Windows\Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**.
 
@@ -156,7 +156,7 @@ In this example, you use three security groups from Table 1 in [Build deployment
     >[!NOTE]
     >The OMA-URI settings are case sensitive, so be sure to review [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider) for the proper syntax.
 
-    ![Settings for the BranchReadinessLevel policy.](images/waas-wufb-intune-cb2a.png)
+    ![Settings for the BranchReadinessLevel policy](images/waas-wufb-intune-cb2a.png)
     
 8. Because the **Ring 2 Pilot Business Users** deployment ring receives the CB feature updates after 28 days, in the **OMA-URI Settings** section, click **Add** to add another OMA-URI setting. 
 
@@ -164,7 +164,7 @@ In this example, you use three security groups from Table 1 in [Build deployment
 10. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferFeatureUpdatesPeriodInDays**.
 11. In the **Value** box, type **28**, and then click **OK**.
 
-    ![Settings for the DeferFeatureUpdatesPeriodInDays policy step 11.](images/waas-wufb-intune-step11a.png)
+    ![Settings for the DeferFeatureUpdatesPeriodInDays policy step 11](images/waas-wufb-intune-step11a.png)
 
 9. Click **Save Policy**.
 
@@ -181,7 +181,7 @@ You have now configured the **Ring 2 Pilot Business Users** deployment ring to e
 
 2. Click the **Policy** workspace. In the middle pane, click **Configuration Policies**, and then click **Add** in the details pane.
 
-    ![Shows the UI for this step.](images/waas-wufb-intune-step2a.png)
+    ![Shows the UI for this step](images/waas-wufb-intune-step2a.png)
     
 3. In the Create a New Policy Wizard, select **Windows\Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**.
 
@@ -205,7 +205,7 @@ You have now configured the **Ring 2 Pilot Business Users** deployment ring to e
 
 11. In the **Value** box, type **0**, and then click **OK**.
 
-    ![Settings for the DeferFeatureUpdatesPeriodInDays policy for broad business.](images/waas-wufb-intune-cbb1a.png)
+    ![Settings for the DeferFeatureUpdatesPeriodInDays policy for broad business](images/waas-wufb-intune-cbb1a.png)
 
 12. Click **Save Policy**.
 
@@ -223,7 +223,7 @@ You have now configured the **Ring 4 Broad business users** deployment ring to r
 
 2. Click the **Policy** workspace. In the middle pane, click **Configuration Policies**, and then click **Add** in the details pane.
 
-    ![Shows the UI for this step.](images/waas-wufb-intune-step2a.png)
+    ![Shows the UI for this step](images/waas-wufb-intune-step2a.png)
     
 3. In the Create a New Policy Wizard, select **Windows\Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**.
 
@@ -255,7 +255,7 @@ You have now configured the **Ring 4 Broad business users** deployment ring to r
 
 15. In the **Value** box, type **14**, and then click **OK**.
 
-    ![Settings for the DeferFeatureUpdatesPeriodInDays policy.](images/waas-wufb-intune-cbb2a.png)
+    ![Settings for the DeferFeatureUpdatesPeriodInDays policy](images/waas-wufb-intune-cbb2a.png)
 
 16. Click **Save Policy**.
 
diff --git a/windows/deployment/update/windows-update-logs.md b/windows/deployment/update/windows-update-logs.md
index 8ef6e625b4..d6489c143d 100644
--- a/windows/deployment/update/windows-update-logs.md
+++ b/windows/deployment/update/windows-update-logs.md
@@ -85,7 +85,7 @@ The time stamp indicates the time at which the logging occurs.
 - Messages are usually in chronological order, but there may be exceptions. 
 - A pause during a sync can indicate a network problem, even if the scan succeeds. 
 - A long pause near the end of a scan can indicate a supersedence chain issue.   
-   ![Windows Update time stamps.](images/update-time-log.png)
+   ![Windows Update time stamps](images/update-time-log.png)
 
 
 #### Process ID and thread ID  
@@ -93,7 +93,7 @@ The Process IDs and Thread IDs are random, and they can vary from log to log and
 - The first four hex digits are the process ID. 
 - The next four hex digits are the thread ID. 
 - Each component, such as the USO, Windows Update engine, COM API callers, and Windows Update installer handlers, has its own process ID.   
-   ![Windows Update process and thread IDs.](images/update-process-id.png)
+   ![Windows Update process and thread IDs](images/update-process-id.png)
 
 
 #### Component name  
@@ -106,7 +106,7 @@ Search for and identify the components that are associated with the IDs. Differe
 - DataStore - Caching update data locally 
 - IdleTimer - Tracking active calls, stopping service 
 
-![Windows Update component name.](images/update-component-name.png)
+![Windows Update component name](images/update-component-name.png)
 
 
 #### Update identifiers  
@@ -117,7 +117,7 @@ There are different identifiers for the same update in different contexts. It's
 - Revision number: A number incremented every time that a given update (that has a given update ID) is modified and republished on a service 
 - Revision numbers are reused from one update to another (not a unique identifier). 
 - The update ID and revision number are often shown together as "{GUID}.revision." 
-   ![Windows Update update identifiers.](images/update-update-id.png)
+   ![Windows Update update identifiers](images/update-update-id.png)
 
 
 ##### Revision ID 
@@ -141,7 +141,7 @@ There are different identifiers for the same update in different contexts. It's
    - Small integers that appear alongside an update ID are revision numbers 
    - Large integers are typically revision IDs 
    - Small integers (especially in Datastore) can be local IDs 
-      ![Windows Update inconsisten terminology.](images/update-inconsistent.png)
+      ![Windows Update inconsisten terminology](images/update-inconsistent.png)
 
 ## Windows Setup log files analysis using SetupDiag tool
 SetupDiag is a diagnostic tool that can be used for analysis of logs related to installation of Windows Updates. For detailed information, see [SetupDiag](../upgrade/setupdiag.md).
\ No newline at end of file
diff --git a/windows/deployment/update/windows-update-overview.md b/windows/deployment/update/windows-update-overview.md
index 696e499750..9706a55a92 100644
--- a/windows/deployment/update/windows-update-overview.md
+++ b/windows/deployment/update/windows-update-overview.md
@@ -32,7 +32,7 @@ Use the following information to get started with Windows Update:
 ## Unified Update Platform (UUP) architecture 
 To understand the changes to the Windows Update architecture that UUP introduces let's start with some new key terms. 
 
-![Windows Update terminology.](images/update-terminology.png)
+![Windows Update terminology](images/update-terminology.png)
 
 - **Update UI** – The user interface to initiate Windows Update check and history. Available under **Settings --> Update & Security --> Windows Update**. 
 - **Update Session Orchestrator (USO)**- A Windows OS component that orchestrates the sequence of downloading and installing various update types from Windows Update.  
diff --git a/windows/deployment/update/wufb-compliancedeadlines.md b/windows/deployment/update/wufb-compliancedeadlines.md
index e56e7a3b5b..f822925011 100644
--- a/windows/deployment/update/wufb-compliancedeadlines.md
+++ b/windows/deployment/update/wufb-compliancedeadlines.md
@@ -93,11 +93,11 @@ Once the device is in the pending restart state, it will attempt to restart the
 
 Notification users get for a quality update deadline:
 
-![The notification users get for an impending quality update deadline.](images/wufb-quality-notification.png)
+![The notification users get for an impending quality update deadline](images/wufb-quality-notification.png)
 
 Notification users get for a feature update deadline:
 
-![The notification users get for an impending feature update deadline.](images/wufb-feature-notification.png)
+![The notification users get for an impending feature update deadline](images/wufb-feature-notification.png)
 
 ### Deadline with user engagement
 
@@ -130,17 +130,17 @@ Before the deadline the device will be in two states: auto-restart period and en
 
 Notification users get for quality update engaged deadline:
 
-![The notification users get for an impending engaged quality update deadline example.](images/wufb-quality-engaged-notification.png)
+![The notification users get for an impending engaged quality update deadline example](images/wufb-quality-engaged-notification.png)
 
 Notification users get for a quality update deadline:
 
-![The notification users get for an impending quality update deadline example.](images/wufb-quality-notification.png)
+![The notification users get for an impending quality update deadline example](images/wufb-quality-notification.png)
 
 Notification users get for a feature update engaged deadline:
 
-![The notification users get for an impending feature update engaged deadline example.](images/wufb-feature-update-engaged-notification.png)
+![The notification users get for an impending feature update engaged deadline example](images/wufb-feature-update-engaged-notification.png)
 
 Notification users get for a feature update deadline:
 
-![The notification users get for an impending feature update deadline example.](images/wufb-feature-update-deadline-notification.png)
+![The notification users get for an impending feature update deadline example](images/wufb-feature-update-deadline-notification.png)
 
diff --git a/windows/deployment/update/wufb-manageupdate.md b/windows/deployment/update/wufb-manageupdate.md
index 8589495141..93a5ab27b7 100644
--- a/windows/deployment/update/wufb-manageupdate.md
+++ b/windows/deployment/update/wufb-manageupdate.md
@@ -40,7 +40,7 @@ If you don't need a wave deployment and have a small set of devices to manage, w
 |Do not allow update deferral policies to cause scans against Windows Update|GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Do not allow update deferral policies to cause scans against Windows Update|State: Disabled|
 
 ## Suggested configuration for a wave deployment
-![Graphic showing a deployment divided into rings for a wave deployment.](images/wufb-wave-deployment.png)
+![Graphic showing a deployment divided into rings for a wave deployment](images/wufb-wave-deployment.png)
 
 ## Early validation and testing
 Depending on your organizational size and requirements you might be able to test feature updates earlier to identify if there are impacts to Line of Business applications. Our recommendation is to enroll a set of devices that are a good representation of your device ecosystem (for example, devices with accounting software or engineering software). Learn more about [different deployment rings](https://insider.windows.com/how-to-pc/#working-with-rings).
diff --git a/windows/deployment/upgrade/quick-fixes.md b/windows/deployment/upgrade/quick-fixes.md
index 8aafc8f67d..e044463423 100644
--- a/windows/deployment/upgrade/quick-fixes.md
+++ b/windows/deployment/upgrade/quick-fixes.md
@@ -174,7 +174,7 @@ To check your system for unsigned drivers:
 5. Type **sigverif** and press ENTER. 
 6. The File Signature Verification tool will open. Click **Start**.
 
-    ![File Signature Verification.](../images/sigverif.png)
+    ![File Signature Verification](../images/sigverif.png)
 
 7. After the scanning process is complete, if you see **Your files have been scanned and verified as digitally signed** then you have no unsigned drivers. Otherwise, you will see **The following files have not been digitally signed** and a list will be provided with name, location, and version of all unsigned drivers.
 8. To view and save a log file, click **Advanced**, and then click **View Log**. Save the log file if desired.
@@ -268,7 +268,7 @@ To obtain the proper firmware drivers, search for the most updated driver versio
 
 When you begin a Windows Update, the setup process will ask you to **Get important updates**. Answer **Yes** if the computer you are updating is connected to the Internet. See the following example:
 
-![Get important updates.](../images/update.jpg)
+![Get important updates](../images/update.jpg)
 
 ### Verify disk space
 
@@ -280,13 +280,13 @@ In File Explorer, click on **Computer** or **This PC** on the left, then look un
 
 The amount of space available on the system drive will be displayed under the drive. See the following example:
 
-![System drive.](../images/drive.png)
+![System drive](../images/drive.png)
 
 In the previous example, there is 703 GB of available free space on the system drive (C:).
 
 To free up additional space on the system drive, begin by running Disk Cleanup. You can access Disk Cleanup by right-clicking the hard drive icon and then clicking Properties. See the following example:
 
-![Disk cleanup.](../images/cleanup.png)
+![Disk cleanup](../images/cleanup.png)
 
 For instructions to run Disk Cleanup and other suggestions to free up hard drive space, see [Tips to free up drive space on your PC](https://support.microsoft.com/help/17421/windows-free-up-drive-space).
 
diff --git a/windows/deployment/upgrade/setupdiag.md b/windows/deployment/upgrade/setupdiag.md
index 1e87d9bff7..9e7a29631c 100644
--- a/windows/deployment/upgrade/setupdiag.md
+++ b/windows/deployment/upgrade/setupdiag.md
@@ -25,14 +25,14 @@ ms.topic: article
 >This is a 300 level topic (moderate advanced).<br>
 >See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article.<br>
 
-&nbsp;[![Download SetupDiag.](../images/download.png)](https://go.microsoft.com/fwlink/?linkid=870142)
+&nbsp;[![Download SetupDiag](../images/download.png)](https://go.microsoft.com/fwlink/?linkid=870142)
 
 ## About SetupDiag
 
-<I>Current downloadable version of SetupDiag: 1.6.2107.27002.</I> 
-> Always be sure to run the most recent version of SetupDiag, so that can access new functionality and fixes to known issues.
+<I>Current downloadable version of SetupDiag: 1.6.2107.27002</I>
+>Always be sure to run the most recent version of SetupDiag, so that can access new functionality and fixes to known issues.
 
-SetupDiag is a diagnostic tool that can be used to obtain details about why a Windows 10 upgrade was unsuccessful. 
+SetupDiag is a standalone diagnostic tool that can be used to obtain details about why a Windows 10 upgrade was unsuccessful. 
 
 SetupDiag works by examining Windows Setup log files. It attempts to parse these log files to determine the root cause of a failure to update or upgrade the computer to Windows 10. SetupDiag can be run on the computer that failed to update, or you can export logs from the computer to another location and run SetupDiag in offline mode.
 
@@ -344,10 +344,6 @@ Each rule name and its associated unique rule identifier are listed with a descr
 
 ## Release notes
 
-07/27/2021 - SetupDiag v1.6.2107.27002 is released with 61 rules, as a standalone tool available in the Download Center.
-- This version contains compliance updates and minor bug fixes.
-- With this release and subsequent releases, the version number of the downloadable SetupDiag tool is different from the one included with Windows Setup.
-
 05/06/2021 - SetupDiag v1.6.1.0 is released with 61 rules, as a standalone tool available in the Download Center.  
 - This version of SetupDiag is included with Windows 10, version 21H1.
 - A new rule is added: UserProfileSuffixMismatch.
@@ -567,7 +563,7 @@ Refer to "https://docs.microsoft.com/windows/desktop/Debug/system-error-codes" f
 
 ## Sample registry key
 
-![Example of Addreg.](./../images/addreg.png)
+![Example of Addreg](./../images/addreg.png)
 
 ## Related topics
 
diff --git a/windows/deployment/upgrade/submit-errors.md b/windows/deployment/upgrade/submit-errors.md
index 1cde13e1eb..580a08b67c 100644
--- a/windows/deployment/upgrade/submit-errors.md
+++ b/windows/deployment/upgrade/submit-errors.md
@@ -61,7 +61,7 @@ Click **Submit** to send your feedback.
 
 See the following example:
 
-![feedback example.](../images/feedback.png) 
+![feedback example](../images/feedback.png) 
 
 After you click Submit, that's all you need to do. Microsoft will receive your feedback and begin analyzing the issue.  You can check on your feedback periodically to see what solutions have been provided.
 
@@ -69,7 +69,7 @@ After you click Submit, that's all you need to do. Microsoft will receive your f
 
 After your feedback is submitted, you can email or post links to it by opening the Feedback Hub, clicking My feedback at the top, clicking the feedback item you submitted, clicking **Share**, then copying the short link that is displayed.
 
-![share.](../images/share.jpg) 
+![share link](../images/share.jpg) 
 
 ## Related topics
 
diff --git a/windows/deployment/upgrade/troubleshoot-upgrade-errors.md b/windows/deployment/upgrade/troubleshoot-upgrade-errors.md
index bdb7e4814a..842e478dcf 100644
--- a/windows/deployment/upgrade/troubleshoot-upgrade-errors.md
+++ b/windows/deployment/upgrade/troubleshoot-upgrade-errors.md
@@ -59,31 +59,31 @@ When performing an operating system upgrade, Windows Setup uses phases described
 
 1. **Downlevel phase**: The downlevel phase is run within the previous operating system. Windows files are copied and installation components are gathered.
 
-    ![downlevel phase.](../images/downlevel.png)  
+    ![downlevel phase](../images/downlevel.png)  
 
 2. **Safe OS phase**: A recovery partition is configured, Windows files are expanded, and updates are installed. An OS rollback is prepared if needed. Example error codes: 0x2000C, 0x20017.
 
-    ![safeOS phase.](../images/safeos.png) 
+    ![safeOS phase](../images/safeos.png) 
 
 3. **First boot phase**: Initial settings are applied. Example error codes: 0x30018, 0x3000D.
 
-    ![first boot phase.](../images/firstboot.png) 
+    ![first boot phase](../images/firstboot.png) 
 
 4. **Second boot phase**: Final settings are applied. This is also called the **OOBE boot phase**. Example error codes: 0x4000D, 0x40017. 
 
     At the end of the second boot phase, the **Welcome to Windows 10** screen is displayed, preferences are configured, and the Windows 10 sign-in prompt is displayed.
 
-    ![second boot phase.](../images/secondboot.png) 
+    ![second boot phase](../images/secondboot.png) 
 
-    ![second boot phase.](../images/secondboot2.png) 
+    ![second boot phase](../images/secondboot2.png) 
 
-    ![second boot phase.](../images/secondboot3.png) 
+    ![second boot phase](../images/secondboot3.png) 
 
 5. **Uninstall phase**: This phase occurs if upgrade is unsuccessful (image not shown). Example error codes: 0x50000, 0x50015.
 
 **Figure 1**: Phases of a successful Windows 10 upgrade (uninstall is not shown):
 
-![Upgrade process.](../images/upgrade-process.png)
+![Upgrade process](../images/upgrade-process.png)
 
 DU = Driver/device updates.<br>
 OOBE = Out of box experience.<br>
diff --git a/windows/deployment/upgrade/windows-10-edition-upgrades.md b/windows/deployment/upgrade/windows-10-edition-upgrades.md
index c8a2c54c5a..57307ee3d0 100644
--- a/windows/deployment/upgrade/windows-10-edition-upgrades.md
+++ b/windows/deployment/upgrade/windows-10-edition-upgrades.md
@@ -33,9 +33,9 @@ The following table shows the methods and paths available to change the edition
 > [!TIP]
 > Although it isn't displayed yet in the table, edition upgrade is also possible using [edition upgrade policy](/configmgr/compliance/deploy-use/upgrade-windows-version) in Microsoft Endpoint Configuration Manager.
 
-![not supported.](../images/x_blk.png) (X) = not supported</br>
-![supported, reboot required.](../images/check_grn.png) (green checkmark) = supported, reboot required</br>
-![supported, no reboot.](../images/check_blu.png) (blue checkmark) = supported, no reboot required<br>
+![not supported](../images/x_blk.png) (X) = not supported</br>
+![supported, reboot required](../images/check_grn.png) (green checkmark) = supported, reboot required</br>
+![supported, no reboot](../images/check_blu.png) (blue checkmark) = supported, no reboot required<br>
 
 <!-- OLD TABLE and key
 X = unsupported <BR>
@@ -44,28 +44,28 @@ X = unsupported <BR>
 
 |Method |Home > Pro |Home > Education |Pro > Education |Pro > Enterprise |Ent > Education |Mobile |
 |-------|-----------|-----------------|----------------|-----------------|----------------|--------|
-| Using mobile device management (MDM) |![unsupported.](../images/x_blk.png) |![supported](../images/check_grn.png) |![supported](../images/check_grn.png) |![supported](../images/check_blu.png) |![supported](../images/check_grn.png) |![supported](../images/check_blu.png) |
-| Using a provisioning package |![unsupported.](../images/x_blk.png) |![supported](../images/check_grn.png) |![supported](../images/check_grn.png) |![supported](../images/check_grn.png) |![supported](../images/check_grn.png) |![supported](../images/check_blu.png) |
-| Using a command-line tool |![unsupported.](../images/x_blk.png) |![supported](../images/check_grn.png) |![supported](../images/check_grn.png) |![supported](../images/check_blu.png) |![supported](../images/check_grn.png) |![unsupported](../images/x_blk.png) |
-| Entering a product key manually |![supported.](../images/check_grn.png) |![supported](../images/check_grn.png) |![supported](../images/check_grn.png) |![supported](../images/check_blu.png) |![supported](../images/check_grn.png) |![unsupported](../images/x_blk.png) |
-| Purchasing a license from the Microsoft Store |![supported.](../images/check_grn.png) |![unsupported](../images/x_blk.png) |![unsupported](../images/x_blk.png) |![unsupported](../images/x_blk.png) |![unsupported](../images/x_blk.png) |![unsupported](../images/x_blk.png) |
+| Using mobile device management (MDM) |![unsupported](../images/x_blk.png) |![supported](../images/check_grn.png) |![supported](../images/check_grn.png) |![supported](../images/check_blu.png) |![supported](../images/check_grn.png) |![supported](../images/check_blu.png) |
+| Using a provisioning package |![unsupported](../images/x_blk.png) |![supported](../images/check_grn.png) |![supported](../images/check_grn.png) |![supported](../images/check_grn.png) |![supported](../images/check_grn.png) |![supported](../images/check_blu.png) |
+| Using a command-line tool |![unsupported](../images/x_blk.png) |![supported](../images/check_grn.png) |![supported](../images/check_grn.png) |![supported](../images/check_blu.png) |![supported](../images/check_grn.png) |![unsupported](../images/x_blk.png) |
+| Entering a product key manually |![supported](../images/check_grn.png) |![supported](../images/check_grn.png) |![supported](../images/check_grn.png) |![supported](../images/check_blu.png) |![supported](../images/check_grn.png) |![unsupported](../images/x_blk.png) |
+| Purchasing a license from the Microsoft Store |![supported](../images/check_grn.png) |![unsupported](../images/x_blk.png) |![unsupported](../images/x_blk.png) |![unsupported](../images/x_blk.png) |![unsupported](../images/x_blk.png) |![unsupported](../images/x_blk.png) |
 -->
 
 | Edition upgrade | Using mobile device management (MDM) | Using a provisioning package | Using a command-line tool | Using Microsoft Store for Business or PC | Entering a product key manually | Purchasing a license from the Microsoft Store |
 |-----------------| ------------------------------------ | --------------------------- | ------------------------- | -------------------------------------- | ----------------------------------- | --------------------------------------------- |
-| **Home > Pro** | ![not supported.](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) |
-| **Home > Pro for Workstations** | ![not supported.](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) |
-| **Home > Pro Education** | ![supported, reboot required.](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) |
-| **Home > Education** | ![supported, reboot required.](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) |
-| **Pro > Pro for Workstations** | ![supported, no reboot.](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) <br>(MSfB) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) |
-| **Pro > Pro Education** | ![supported, no reboot.](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) <br>(MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) |
-| **Pro > Education** | ![supported, reboot required.](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) <br>(MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) |
-| **Pro > Enterprise** | ![supported, no reboot.](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) <br>(1703 - PC)<br>(1709 - MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) |
-| **Pro for Workstations > Pro Education** | ![supported, no reboot.](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) <br>(MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) |
-| **Pro for Workstations > Education** | ![supported, reboot required.](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) <br>(MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) |
-| **Pro for Workstations > Enterprise** | ![supported, no reboot.](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) <br>(1703 - PC)<br>(1709 - MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) |
-| **Pro Education > Education** | ![supported, reboot required.](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) <br>(MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) |
-| **Enterprise > Education** | ![supported, reboot required.](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) <br>(MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) |
+| **Home > Pro** | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) |
+| **Home > Pro for Workstations** | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) |
+| **Home > Pro Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) |
+| **Home > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) |
+| **Pro > Pro for Workstations** | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) <br>(MSfB) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) |
+| **Pro > Pro Education** | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) <br>(MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) |
+| **Pro > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) <br>(MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) |
+| **Pro > Enterprise** | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) <br>(1703 - PC)<br>(1709 - MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) |
+| **Pro for Workstations > Pro Education** | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) <br>(MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) |
+| **Pro for Workstations > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) <br>(MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) |
+| **Pro for Workstations > Enterprise** | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) <br>(1703 - PC)<br>(1709 - MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) |
+| **Pro Education > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) <br>(MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) |
+| **Enterprise > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) <br>(MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) |
 
 > [!NOTE]
 > - For information about upgrade paths in Windows 10 in S mode (for Pro or Education), check out [Windows 10 Pro/Enterprise in S mode](../windows-10-pro-in-s-mode.md)
diff --git a/windows/deployment/upgrade/windows-error-reporting.md b/windows/deployment/upgrade/windows-error-reporting.md
index 50aad1782d..08c4982f9c 100644
--- a/windows/deployment/upgrade/windows-error-reporting.md
+++ b/windows/deployment/upgrade/windows-error-reporting.md
@@ -63,7 +63,7 @@ Ten parameters are listed in the event:
 
 The event will also contain links to log files that can be used to perform a detailed diagnosis of the error.  An example of this event from a successful upgrade is shown below.
 
-![Windows Error Reporting.](../images/event.png)
+![Windows Error Reporting](../images/event.png)
 
 ## Related topics
 
diff --git a/windows/deployment/usmt/migration-store-types-overview.md b/windows/deployment/usmt/migration-store-types-overview.md
index 52b489720f..84a87a0aac 100644
--- a/windows/deployment/usmt/migration-store-types-overview.md
+++ b/windows/deployment/usmt/migration-store-types-overview.md
@@ -49,7 +49,7 @@ You use a command-line option,**/hardlink** , to create a hard-link migration st
 
 The following flowchart illustrates the procedural differences between a local migration store and a remote migration store. In this example, a hard-link migration store is used for the local store.
 
-![migration store comparison.](images/dep-win8-l-usmt-migrationcomparemigstores.gif)
+![migration store comparison](images/dep-win8-l-usmt-migrationcomparemigstores.gif)
 
 ## <a href="" id="bkmk-localvremote"></a>Local Store vs. Remote Store
 
diff --git a/windows/deployment/usmt/usmt-common-migration-scenarios.md b/windows/deployment/usmt/usmt-common-migration-scenarios.md
index b94bc3041b..30930ac481 100644
--- a/windows/deployment/usmt/usmt-common-migration-scenarios.md
+++ b/windows/deployment/usmt/usmt-common-migration-scenarios.md
@@ -49,7 +49,7 @@ The following diagram shows a PC-refresh migration, also known as a computer ref
 
  
 
-![usmt pc refresh scenario.](images/dep-win8-l-usmt-pcrefresh.jpg)
+![usmt pc refresh scenario](images/dep-win8-l-usmt-pcrefresh.jpg)
 
  
 
@@ -100,7 +100,7 @@ The following diagram shows a PC-replacement migration. First, the administrator
 
  
 
-![usmt pc replace scenario.](images/dep-win8-l-usmt-pcreplace.jpg)
+![usmt pc replace scenario](images/dep-win8-l-usmt-pcreplace.jpg)
 
  
 
diff --git a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
index 10e7c2e418..f32ee0d61e 100644
--- a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
+++ b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
@@ -55,7 +55,7 @@ The process proceeds as follows:
 3. Client computers are activated by receiving the activation object from a domain controller during startup.
 
     > [!div class="mx-imgBorder"]
-    > ![Active Directory-based activation flow.](../images/volumeactivationforwindows81-10.jpg)
+    > ![Active Directory-based activation flow](../images/volumeactivationforwindows81-10.jpg)
 
     **Figure 10**. The Active Directory-based activation flow
 
@@ -80,31 +80,31 @@ When a reactivation event occurs, the client queries AD DS for the activation o
 
 3. Add the Volume Activation Services role, as shown in Figure 11.
 
-    ![Adding the Volume Activation Services role.](../images/volumeactivationforwindows81-11.jpg)
+    ![Adding the Volume Activation Services role](../images/volumeactivationforwindows81-11.jpg)
 
     **Figure 11**. Adding the Volume Activation Services role
 
 4. Click the link to launch the Volume Activation Tools (Figure 12).
 
-    ![Launching the Volume Activation Tools.](../images/volumeactivationforwindows81-12.jpg)
+    ![Launching the Volume Activation Tools](../images/volumeactivationforwindows81-12.jpg)
 
     **Figure 12**. Launching the Volume Activation Tools
 
 5. Select the **Active Directory-Based Activation** option (Figure 13).
 
-    ![Selecting Active Directory-Based Activation.](../images/volumeactivationforwindows81-13.jpg)
+    ![Selecting Active Directory-Based Activation](../images/volumeactivationforwindows81-13.jpg)
 
     **Figure 13**. Selecting Active Directory-Based Activation
 
 6. Enter your KMS host key and (optionally) a display name (Figure 14).
 
-    ![Choosing how to activate your product.](../images/volumeactivationforwindows81-15.jpg)
+    ![Choosing how to activate your product](../images/volumeactivationforwindows81-15.jpg)
 
     **Figure 14**. Entering your KMS host key
 
 7. Activate your KMS host key by phone or online (Figure 15).
 
-    ![Entering your KMS host key.](../images/volumeactivationforwindows81-14.jpg)
+    ![Entering your KMS host key](../images/volumeactivationforwindows81-14.jpg)
     
     **Figure 15**. Choosing how to activate your product
 
diff --git a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md
index 5fa4723874..f9cfcf33ac 100644
--- a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md
+++ b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md
@@ -80,39 +80,39 @@ This scenario is commonly used in larger organizations that do not find the over
 2. Launch Server Manager.
 3. Add the Volume Activation Services role, as shown in Figure 4.
 
-   ![Adding the Volume Activation Services role in Server Manager.](../images/volumeactivationforwindows81-04.jpg)
+   ![Adding the Volume Activation Services role in Server Manager](../images/volumeactivationforwindows81-04.jpg)
 
    **Figure 4**. Adding the Volume Activation Services role in Server Manager
 
 4. When the role installation is complete, click the link to launch the Volume Activation Tools (Figure 5).
 
-   ![Launching the Volume Activation Tools.](../images/volumeactivationforwindows81-05.jpg)
+   ![Launching the Volume Activation Tools](../images/volumeactivationforwindows81-05.jpg)
 
    **Figure 5**. Launching the Volume Activation Tools
 
 5. Select the **Key Management Service (KMS)** option, and specify the computer that will act as the KMS host (Figure 6).
       This can be the same computer on which you installed the role or another computer. For example, it can be a client computer running Windows 10.
 
-   ![Configuring the computer as a KMS host.](../images/volumeactivationforwindows81-06.jpg)
+   ![Configuring the computer as a KMS host](../images/volumeactivationforwindows81-06.jpg)
 
    **Figure 6**. Configuring the computer as a KMS host
 
 6. Install your KMS host key by typing it in the text box, and then click **Commit** (Figure 7).
 
-   ![Installing your KMS host key.](../images/volumeactivationforwindows81-07.jpg)
+   ![Installing your KMS host key](../images/volumeactivationforwindows81-07.jpg)
 
    **Figure 7**. Installing your KMS host key
 
 7. If asked to confirm replacement of an existing key, click **Yes**.
 8. After the product key is installed, you must activate it. Click **Next** (Figure 8).
 
-   ![Activating the software.](../images/volumeactivationforwindows81-08.jpg)
+   ![Activating the software](../images/volumeactivationforwindows81-08.jpg)
 
    **Figure 8**. Activating the software
 
    The KMS key can be activated online or by phone. See Figure 9.
 
-   ![Choosing to activate online.](../images/volumeactivationforwindows81-09.jpg)
+   ![Choosing to activate online](../images/volumeactivationforwindows81-09.jpg)
 
    **Figure 9**. Choosing to activate online
 
diff --git a/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md b/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md
index 728b60519b..b88d65def4 100644
--- a/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md
+++ b/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md
@@ -99,12 +99,12 @@ A MAK is used for one-time activation with Microsoft’s hosted activation servi
 You can activate computers by using a MAK in two ways:
 -   **MAK independent activation**. Each computer independently connects and is activated with Microsoft over the Internet or by telephone. MAK independent activation is best suited to computers within an organization that do not maintain a connection to the corporate network. MAK independent activation is shown in Figure 16.
 
-    ![MAK independent activation.](../images/volumeactivationforwindows81-16.jpg)
+    ![MAK independent activation](../images/volumeactivationforwindows81-16.jpg)
     
     **Figure 16**. MAK independent activation
 -   **MAK proxy activation**. MAK proxy activation enables a centralized activation request on behalf of multiple computers with one connection to Microsoft. You configure MAK proxy activation by using the VAMT. MAK proxy activation is appropriate for environments in which security concerns restrict direct access to the Internet or the corporate network. It is also suited for development and test labs that lack this connectivity. MAK proxy activation with the VAMT is shown in Figure 17.
 
-    ![MAK proxy activation with the VAMT.](../images/volumeactivationforwindows81-17.jpg)
+    ![MAK proxy activation with the VAMT](../images/volumeactivationforwindows81-17.jpg)
     
     **Figure 17**. MAK proxy activation with the VAMT
 
diff --git a/windows/deployment/volume-activation/add-remove-computers-vamt.md b/windows/deployment/volume-activation/add-remove-computers-vamt.md
index e671e92d02..4e2248db96 100644
--- a/windows/deployment/volume-activation/add-remove-computers-vamt.md
+++ b/windows/deployment/volume-activation/add-remove-computers-vamt.md
@@ -34,7 +34,7 @@ Before adding computers, ensure that the Windows Management Instrumentation (WMI
 5.  VAMT searches for the specified computers and adds them to the VAMT database. During the search, VAMT displays the **Finding computers** message shown below.
     To cancel the search, click **Cancel**. When the search is complete the names of the newly-discovered computers appear in the product list view in the center pane.
     
-    ![VAMT, Finding computers dialog box.](images/dep-win8-l-vamt-findingcomputerdialog.gif)
+    ![VAMT, Finding computers dialog box](images/dep-win8-l-vamt-findingcomputerdialog.gif)
     
     **Important**  
     This step adds only the computers to the VAMT database, and not the products that are installed on the computers. To add the products, you need to run the **Update license status** function.
diff --git a/windows/deployment/volume-activation/configure-client-computers-vamt.md b/windows/deployment/volume-activation/configure-client-computers-vamt.md
index 5cbd41f410..87cb8d7b0f 100644
--- a/windows/deployment/volume-activation/configure-client-computers-vamt.md
+++ b/windows/deployment/volume-activation/configure-client-computers-vamt.md
@@ -45,7 +45,7 @@ Enable the VAMT to access client computers using the **Windows Firewall** Contro
 
 Enable the VAMT to access client computers across multiple subnets using the **Windows Firewall with Advanced Security** Control Panel:
 
-![VAMT Firewall configuration for multiple subnets.](images/dep-win8-l-vamt-firewallconfigurationformultiplesubnets.gif)
+![VAMT Firewall configuration for multiple subnets](images/dep-win8-l-vamt-firewallconfigurationformultiplesubnets.gif)
 
 1. Open the Control Panel and double-click **Administrative Tools**.
 2. Click **Windows Firewall with Advanced Security**.
diff --git a/windows/deployment/volume-activation/install-vamt.md b/windows/deployment/volume-activation/install-vamt.md
index 0b67293d6a..f462f8655f 100644
--- a/windows/deployment/volume-activation/install-vamt.md
+++ b/windows/deployment/volume-activation/install-vamt.md
@@ -49,7 +49,7 @@ You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for
 
 5. On the completion page, note the instance name for your installation, select **Close**, and then select **Yes**. 
 
-    ![In this example, the instance name is SQLEXPRESS01.](images/sql-instance.png)
+    ![In this example, the instance name is SQLEXPRESS01](images/sql-instance.png)
 
 ### Install VAMT using the ADK
 
@@ -73,7 +73,7 @@ You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for
 
 2. Enter the server instance name (for a remote SQL use the FQDN) and a name for the database, select **Connect**, and then select **Yes** to create the database. See the following image for an example for SQL.
 
-   ![Server name is .\SQLEXPRESS and database name is VAMT.](images/vamt-db.png)
+   ![Server name is .\SQLEXPRESS and database name is VAMT](images/vamt-db.png)
 
    For remote SQL Server, use `servername.yourdomain.com`.
 
diff --git a/windows/deployment/volume-activation/introduction-vamt.md b/windows/deployment/volume-activation/introduction-vamt.md
index 91d2d8540b..45619726e9 100644
--- a/windows/deployment/volume-activation/introduction-vamt.md
+++ b/windows/deployment/volume-activation/introduction-vamt.md
@@ -45,7 +45,7 @@ VAMT treats a KMS Host key (CSVLK) product key identically to a retail-type prod
 
 VAMT is commonly implemented in enterprise environments. The following illustrates three common environments—Core Network, Secure Zone, and Isolated Lab.
 
-![VAMT in the enterprise.](images/dep-win8-l-vamt-image001-enterprise.jpg)
+![VAMT in the enterprise](images/dep-win8-l-vamt-image001-enterprise.jpg)
 
 In the Core Network environment, all computers are within a common network managed by Active Directory® Domain Services (AD DS). The Secure Zone represents higher-security Core Network computers that have additional firewall protection.
 The Isolated Lab environment is a workgroup that is physically separate from the Core Network, and its computers do not have Internet access. The network security policy states that no information that could identify a specific computer or user may be transferred out of the Isolated Lab.
@@ -54,7 +54,7 @@ The Isolated Lab environment is a workgroup that is physically separate from the
 
 The following screenshot shows the VAMT graphical user interface.
 
-![VAMT user interface.](images/vamtuserinterfaceupdated.jpg)
+![VAMT user interface](images/vamtuserinterfaceupdated.jpg)
 
 VAMT provides a single, graphical user interface for managing activations, and for performing other activation-related tasks such as:
 
diff --git a/windows/deployment/volume-activation/plan-for-volume-activation-client.md b/windows/deployment/volume-activation/plan-for-volume-activation-client.md
index 71d990f500..443e1e417b 100644
--- a/windows/deployment/volume-activation/plan-for-volume-activation-client.md
+++ b/windows/deployment/volume-activation/plan-for-volume-activation-client.md
@@ -120,7 +120,7 @@ In the core network, a centralized KMS solution is recommended. You can also use
 
 A typical core network that includes a KMS host is shown in Figure 1.
 
-![Typical core network.](../images/volumeactivationforwindows81-01.jpg)
+![Typical core network](../images/volumeactivationforwindows81-01.jpg)
 
 **Figure 1**. Typical core network
 
@@ -140,7 +140,7 @@ If the isolated network cannot communicate with the core network’s KMS server,
 
 If the network is fully isolated, MAK-independent activation would be the recommended choice, perhaps using the telephone option. But VAMT proxy activation may also be possible. You can also use MAKs to activate new computers during setup, before they are placed in the isolated network.
 
-![New KMS host in an isolated network.](../images/volumeactivationforwindows81-02.jpg)
+![New KMS host in an isolated network](../images/volumeactivationforwindows81-02.jpg)
 
 **Figure 2**. New KMS host in an isolated network
 
@@ -222,7 +222,7 @@ The flow of KMS activation is shown in Figure 3, and it follows this sequence:
 7.  If the KMS host has a KMS host key that matches the products in the GVLK, the KMS host sends a single packet back to the client. This packet contains a count of the number of computers that have requested activation from this KMS host.
 8.  If the count exceeds the activation threshold for the product that is being activated, the client is activated. If the activation threshold has not yet been met, the client will try again.
 
-![KMS activation flow.](../images/volumeactivationforwindows81-03.jpg)
+![KMS activation flow](../images/volumeactivationforwindows81-03.jpg)
 
 **Figure 3**. KMS activation flow
 
diff --git a/windows/deployment/volume-activation/scenario-online-activation-vamt.md b/windows/deployment/volume-activation/scenario-online-activation-vamt.md
index 118a656e49..2716a475b8 100644
--- a/windows/deployment/volume-activation/scenario-online-activation-vamt.md
+++ b/windows/deployment/volume-activation/scenario-online-activation-vamt.md
@@ -25,7 +25,7 @@ In this scenario, the Volume Activation Management Tool (VAMT) is deployed in th
 -   Retail
 The Secure Zone represents higher-security Core Network computers that have additional firewall protection.
 
-![VAMT firewall configuration for multiple subnets.](images/dep-win8-l-vamt-makindependentactivationscenario.jpg)
+![VAMT firewall configuration for multiple subnets](images/dep-win8-l-vamt-makindependentactivationscenario.jpg)
 
 ## In This Topic
 -   [Install and start VAMT on a networked host computer](#bkmk-partone)
diff --git a/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md b/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md
index d3b906680d..84e0a8ea19 100644
--- a/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md
+++ b/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md
@@ -19,7 +19,7 @@ ms.topic: article
 
 In this scenario, the Volume Activation Management Tool (VAMT) is used to activate products that are installed on workgroup computers in an isolated lab environment. For workgroups which are isolated from the larger network, you can perform proxy activation of Multiple Activation Keys (MAKs), KMS Host keys (CSVLKs), Generic Volume License Keys (GVLKs) (or KMS client keys), or retail keys. Proxy activation is performed by installing a second instance of VAMT on a computer in the isolated workgroup. You can then use removable media to transfer VAMT Computer Information Lists (CILXs) between the instance of VAMT in the isolated workgroup and another VAMT host that has Internet access. The following diagram shows a Multiple Activation Key (MAK) proxy activation scenario:
 
-![VAMT MAK proxy activation scenario.](images/dep-win8-l-vamt-makproxyactivationscenario.jpg)
+![VAMT MAK proxy activation scenario](images/dep-win8-l-vamt-makproxyactivationscenario.jpg)
 
 ## Step 1: Install VAMT on a Workgroup Computer in the Isolated Lab
 
diff --git a/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md b/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md
index 562251c0a9..c8e7913ed2 100644
--- a/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md
+++ b/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md
@@ -51,7 +51,7 @@ You can use the VAMT to complete the activation process in products by using MAK
 
 The VAMT provides an overview of the activation and licensing status of computers across your network, as shown in Figure 18. Several prebuilt reports are also available to help you proactively manage licensing.
 
-![VAMT showing the licensing status of multiple computers.](../images/volumeactivationforwindows81-18.jpg)
+![VAMT showing the licensing status of multiple computers](../images/volumeactivationforwindows81-18.jpg)
 
 **Figure 18**. The VAMT showing the licensing status of multiple computers
 
@@ -59,7 +59,7 @@ The VAMT provides an overview of the activation and licensing status of computer
 
 The VAMT makes it easier to track the various keys that are issued to your organization. You can enter each key into VAMT, and then the VAMT can use those keys for online or proxy activation of clients. The tool can also describe what type of key it is and to which product group it belongs. The VAMT is the most convenient way to quickly determine how many activations remain on a MAK. Figure 19 shows an example of key types and usage.
 
-![VAMT showing key types and usage.](../images/volumeactivationforwindows81-19.jpg)
+![VAMT showing key types and usage](../images/volumeactivationforwindows81-19.jpg)
 
 **Figure 19**. The VAMT showing key types and usage
 
diff --git a/windows/deployment/volume-activation/vamt-known-issues.md b/windows/deployment/volume-activation/vamt-known-issues.md
index 55fd4c1684..844c46ba14 100644
--- a/windows/deployment/volume-activation/vamt-known-issues.md
+++ b/windows/deployment/volume-activation/vamt-known-issues.md
@@ -30,7 +30,7 @@ The current known issues with the Volume Activation Management Tool (VAMT), vers
 
 Another known issue is that when you try to add a Windows 10 Key Management Service (KMS) Host key (CSVLK) or a Windows Server 2012 R2 for Windows 10 CSVLK into VAMT 3.1 (version 10.0.10240.0), you receive the error message shown here.
 
-![VAMT error message.](./images/vamt-known-issue-message.png)
+![VAMT error message](./images/vamt-known-issue-message.png)
 
 This issue occurs because VAMT 3.1 does not contain the correct Pkconfig files to recognize this kind of key. To work around this issue, use one of the following methods.
 
diff --git a/windows/deployment/windows-10-deployment-posters.md b/windows/deployment/windows-10-deployment-posters.md
index 2a0f0da2a9..3bda096ca5 100644
--- a/windows/deployment/windows-10-deployment-posters.md
+++ b/windows/deployment/windows-10-deployment-posters.md
@@ -26,13 +26,13 @@ The following posters step through various options for deploying Windows 10 with
 
 The Windows Autopilot poster is two pages in portrait mode (11x17). Click the image to view a PDF in your browser. You can also download this poster in [PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/deployment/media/Windows10AutopilotFlowchart.pdf) or [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/deployment/media/Windows10Autopilotflowchart.vsdx) format.
 
-[![Deploy Windows 10 with Autopilot.](./media/windows10-autopilot-flowchart.png)](./media/Windows10AutopilotFlowchart.pdf)
+[![Deploy Windows 10 with Autopilot](./media/windows10-autopilot-flowchart.png)](./media/Windows10AutopilotFlowchart.pdf)
 
 ## Deploy Windows 10 with Microsoft Endpoint Configuration Manager
 
 The Configuration Manager poster is one page in landscape mode (17x11). Click the image to view a PDF in your browser. You can also download this poster in [PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/deployment/media/Windows10DeploymentConfigManager.pdf) or [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/deployment/media/Windows10DeploymentConfigManager.vsdx) format.
 
-[![Deploy Windows 10 with Configuration Manager.](./media/windows10-deployment-config-manager.png)](./media/Windows10DeploymentConfigManager.pdf)
+[![Deploy Windows 10 with Configuration Manager](./media/windows10-deployment-config-manager.png)](./media/Windows10DeploymentConfigManager.pdf)
 
 ## See also
 
diff --git a/windows/deployment/windows-10-media.md b/windows/deployment/windows-10-media.md
index 0e160f2943..a90baefd20 100644
--- a/windows/deployment/windows-10-media.md
+++ b/windows/deployment/windows-10-media.md
@@ -42,7 +42,7 @@ Windows 10, version 1709 is available starting on 10/17/2017 in all relevant dis
 
 For ISOs that you download from the VLSC or Visual Studio Subscriptions, you can still search for the individual Windows editions. However, each of these editions (Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education) will point to the same ISO file, so you only need to download the ISO once. A single Windows image (WIM) file is included in the ISO that contains all the volume licensing images:
 
-![Images.](images/table01.png)
+![Images](images/table01.png)
 
 When using the contents of these ISOs with tools such as the Microsoft Deployment Toolkit or Microsoft Endpoint Configuration Manager, make sure you select the appropriate image index in any task sequences that you create or update.
 
@@ -69,7 +69,7 @@ This Semi-Annual Channel release of Windows 10 continues the Windows as a servic
 
 See the following example for Windows 10, version 1709:
 
-![Windows 10, version 1709 lang pack.](images/lang-pack-1709.png)
+![Windows 10, version 1709 lang pack](images/lang-pack-1709.png)
 
 ### Features on demand
 
diff --git a/windows/deployment/windows-10-poc-mdt.md b/windows/deployment/windows-10-poc-mdt.md
index 9d18e1af46..7e6d238721 100644
--- a/windows/deployment/windows-10-poc-mdt.md
+++ b/windows/deployment/windows-10-poc-mdt.md
@@ -284,7 +284,7 @@ This procedure will demonstrate how to deploy the reference image to the PoC env
 
 10. In the **Operating Systems** > **Windows 10** node, double-click the operating system that was added to view its properties. Change the operating system name to **Windows 10 Enterprise x64 Custom Image** and then click **OK**. See the following example:
 
-    ![custom image.](images/image.png)
+    ![custom image](images/image.png)
 
 
 ### Create the deployment task sequence
@@ -459,7 +459,7 @@ This procedure will demonstrate how to deploy the reference image to the PoC env
 7. On SRV1, in the Deployment Workbench console, click on **Monitoring** and view the status of installation. Right-click **Monitoring** and click **Refresh** if no data is displayed.
 8. OS installation requires about 10 minutes. When the installation is complete, the system will reboot automatically, configure devices, and install updates, requiring another 10-20 minutes.  When the new client computer is finished updating, click **Finish**. You will be automatically signed in to the local computer as administrator.
     
-    ![finish.](images/deploy-finish.png)
+    ![finish](images/deploy-finish.png)
 
 
 This completes the demonstration of how to deploy a reference image to the network. To conserve resources, turn off the PC2 VM before starting the next section.
diff --git a/windows/deployment/windows-10-poc-sc-config-mgr.md b/windows/deployment/windows-10-poc-sc-config-mgr.md
index d69cc3b5db..603113f920 100644
--- a/windows/deployment/windows-10-poc-sc-config-mgr.md
+++ b/windows/deployment/windows-10-poc-sc-config-mgr.md
@@ -331,7 +331,7 @@ WDSUTIL /Set-Server /AnswerClients:None
    - **Respond to PXE requests on specific network interfaces**: Click the yellow starburst and then enter the MAC address determined in the first step of this procedure.
 
      See the following example:
-     ![Config Mgr PXE.](images/configmgr-pxe.png)
+     ![Config Mgr PXE](images/configmgr-pxe.png)
 
 5. Click **OK**.
 6. Wait for a minute, then type the following command at an elevated Windows PowerShell prompt on SRV1, and verify that the files displayed are present:
@@ -803,7 +803,7 @@ In this first deployment scenario, we will deploy Windows 10 using PXE. This sce
 
 >Before starting this section, you can delete computer objects from Active Directory that were created as part of previous deployment procedures. Use the Active Directory Users and Computers console on DC1 to remove stale entries under contoso.com\Computers, but do not delete the computer account (hostname) for PC1. There should be at least two computer accounts present in the contoso.com\Computers container: one for SRV1, and one for the hostname of PC1. It is not required to delete the stale entries, this is only done to remove clutter.
 
-![contoso.com\Computers.](images/poc-computers.png)
+![contoso.com\Computers](images/poc-computers.png)
 
 In the replace procedure, PC1 will not be migrated to a new operating system. It is simplest to perform this procedure before performing the refresh procedure. After refreshing PC1, the operating system will be new. The next (replace) procedure does not install a new operating system on PC1 but rather performs a side-by-side migration of PC1 and another computer (PC4), to copy users and settings from PC1 to the new computer.
 
@@ -907,7 +907,7 @@ The **Client** column indicates that the Configuration Manager client is not cur
 
 14. Click the **Site** tab, click **Configure Settings**, and click **Find Site**. The client will report that it has found the PS1 site. See the following example:
 
-    ![site.](images/configmgr-site.png)
+    ![site](images/configmgr-site.png)
 
     If the client is not able to find the PS1 site, review any error messages that are displayed in **C:\Windows\CCM\Logs\ClientIDManagerStartup.log** and **LocationServices.log**. A common reason the site code is not located is because a previous configuration exists. For example, if a previous site code is configured at **HKLM\SOFTWARE\Microsoft\SMS\Mobile Client\GPRequestedSiteAssignmentCode** this must be deleted or updated.
 
@@ -915,7 +915,7 @@ The **Client** column indicates that the Configuration Manager client is not cur
 
 16. Click **All Desktop and Server Clients** and verify that the computer account for PC1 is displayed here with **Yes** and **Active** in the **Client** and **Client Activity** columns, respectively. You might have to refresh the view and wait few minutes for the client to appear here.  See the following example:
 
-    ![client.](images/configmgr-client.png)
+    ![client](images/configmgr-client.png)
 
     >It might take several minutes for the client to fully register with the site and complete a client check. When it is complete you will see a green check mark over the client icon as shown above. To refresh the client, click it and then press **F5** or right-click the client and click **Refresh**.
 
@@ -976,7 +976,7 @@ The **Client** column indicates that the Configuration Manager client is not cur
 
 11. Click **Device Collections** and then double-click **Install Windows 10 Enterprise x64**. Verify that **PC4** is displayed in the collection. You might have to update and refresh the collection, or wait a few minutes, but do not proceed until PC4 is available. See the following example:
 
-    ![collection.](images/configmgr-collection.png)
+    ![collection](images/configmgr-collection.png)
 
 ### Create a device collection for PC1
 
@@ -1026,7 +1026,7 @@ In the Configuration Manager console, in the Software Library workspace under Op
 
 4. In the Software Center , click **Available Software** and then select the **Replace Task Sequence** checkbox. See the following example:
 
-    ![software.](images/configmgr-software-cntr.png)
+    ![software](images/configmgr-software-cntr.png)
 
     >If you do not see any available software, try running step #2 again to start the Machine Policy Retrieval & Evaluation Cycle. You should see an alert that new software is available.
 
@@ -1064,17 +1064,17 @@ In the Configuration Manager console, in the Software Library workspace under Op
 3. On PC1, in the notification area, click **New software is available** and then click **Open Software Center**.
 4. In the Software Center, click **Operating Systems**, click **Windows 10 Enterprise x64**, click **Install** and then click **INSTALL OPERATING SYSTEM**. See the following example:
 
-    ![installOS.](images/configmgr-install-os.png)
+    ![installOS](images/configmgr-install-os.png)
 
     The computer will restart several times during the installation process. Installation includes downloading updates, reinstalling the Configuration Manager Client Agent, and restoring the user state. You can view status of the installation in the Configuration Manager console by accessing the Monitoring workspace, clicking **Deployments**, and then double-clicking the deployment associated with the **Install Windows 10 Enterprise x64** collection. Under **Asset Details**, right-click the device and then click **More Details**. Click the **Status** tab to see a list of tasks that have been performed.  See the following example:
 
-    ![asset.](images/configmgr-asset.png)
+    ![asset](images/configmgr-asset.png)
 
     You can also monitor progress of the installation by using the MDT deployment workbench and viewing the **Monitoring** node under **Deployment Shares\MDT Production**.
 
     When installation has completed, sign in using the contoso\administrator account or the contoso\user1 account and verify that applications and settings have been successfully backed up and restored to your new Windows 10 Enterprise operating system.
 
-    ![post-refresh.](images/configmgr-post-refresh.png) 
+    ![post-refresh](images/configmgr-post-refresh.png) 
 
 ## Related Topics
 
diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md
index d4a667a65b..319121950d 100644
--- a/windows/deployment/windows-10-poc.md
+++ b/windows/deployment/windows-10-poc.md
@@ -150,7 +150,7 @@ Hardware requirements are displayed below:
 
 The lab architecture is summarized in the following diagram:
 
-![PoC diagram.](images/poc.png)
+![PoC diagram](images/poc.png)
 
 - Computer 1 is configured to host four VMs on a private, PoC network.
     - Two VMs are running Windows Server 2012 R2 with required network services and tools installed.
@@ -224,9 +224,9 @@ Starting with Windows 8, the host computer’s microprocessor must support secon
 
     >Alternatively, you can install Hyper-V using the Control Panel in Windows under **Turn Windows features on or off** for a client operating system, or using Server Manager's **Add Roles and Features Wizard** on a server operating system, as shown below:
 
-    ![hyper-v features.](images/hyper-v-feature.png)
+    ![hyper-v features](images/hyper-v-feature.png)
 
-    ![hyper-v.](images/svr_mgr2.png)
+    ![hyper-v](images/svr_mgr2.png)
 
     <P>If you choose to install Hyper-V using Server Manager, accept all default selections. Also be sure to install both items under <strong>Role Administration Tools\Hyper-V Management Tools</strong>.
 
@@ -449,7 +449,7 @@ Notes:<BR>
 3. Select the checkboxes next to the **C:\\** and the **system reserved** (BIOS/MBR) volumes. The system volume is not assigned a drive letter, but will be displayed in the Disk2VHD tool with a volume label similar to **\\?\Volume{**. See the following example. **Important**: You must include the system volume in order to create a bootable VHD. If this volume is not displayed in the disk2vhd tool, then the computer is likely to be using the GPT partition style. For more information, see [Determine VM generation](#determine-vm-generation).
 4. Specify a location to save the resulting VHD or VHDX file (F:\VHD\w7.vhdx in the following example) and click **Create**. See the following example:
 
-    ![disk2vhd 1.](images/disk2vhd.png)
+    ![disk2vhd 1](images/disk2vhd.png)
 
     >Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive.
 
@@ -482,7 +482,7 @@ Notes:<BR>
 
 5. Specify a location to save the resulting VHD or VHDX file (F:\VHD\PC1.vhdx in the following example) and click **Create**. See the following example:
 
-    ![disk2vhd 2.](images/disk2vhd-gen2.png)
+    ![disk2vhd 2](images/disk2vhd-gen2.png)
 
     >Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive.
 
@@ -506,7 +506,7 @@ Notes:<BR>
 3. Select the checkbox next to the **C:\\** volume and clear the checkbox next to **Use Vhdx**. Note: the system volume is not copied in this scenario, it will be added later.
 4. Specify a location to save the resulting VHD file (F:\VHD\w7.vhd in the following example) and click **Create**. See the following example:
 
-    ![disk2vhd 3.](images/disk2vhd4.png)
+    ![disk2vhd 3](images/disk2vhd4.png)
 
     >Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive.
 
@@ -821,7 +821,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
 
 15. After signing in, the operating system detects that it is running in a new environment. New drivers will be automatically installed, including the network adapter driver. The network adapter driver must be updated before you can proceed, so that you will be able to join the contoso.com domain. Depending on the resources allocated to PC1, installing the network adapter driver might take a few minutes. You can monitor device driver installation by clicking **Show hidden icons** in the notification area.
 
-    ![PoC 1.](images/installing-drivers.png)
+    ![PoC 1](images/installing-drivers.png)
 
     >If the client was configured with a static address, you must change this to a dynamic one so that it can obtain a DHCP lease.
 
@@ -879,7 +879,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
 
     See the following example:
 
-    ![ISE 1.](images/ISE.png)
+    ![ISE 1](images/ISE.png)
 
 19. Click **File**, click **Save As**, and save the commands as **c:\VHD\pc1.ps1** on the Hyper-V host.
 20. In the (lower) terminal input window, type the following commands to enable Guest Service Interface on PC1 and then use this service to copy the script to PC1:
diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md
index 16e8c70c2a..447ea81cfb 100644
--- a/windows/deployment/windows-10-subscription-activation.md
+++ b/windows/deployment/windows-10-subscription-activation.md
@@ -65,7 +65,7 @@ To support Inherited Activation, both the host computer and the VM must be runni
 
 The following figure illustrates how deploying Windows 10 has evolved with each release. With this release, deployment is automatic.
 
-![Illustration of how Windows 10 deployment has evolved.](images/sa-evolution.png)
+![Illustration of how Windows 10 deployment has evolved](images/sa-evolution.png)
 
 - **Windows 7** required you to redeploy the operating system using a full wipe-and-load process if you wanted to change from Windows 7 Professional to Windows 10 Enterprise.<br>
 
@@ -117,11 +117,11 @@ If the device is running Windows 10, version 1809 or later:
 
 - When the user signs in on a Hybrid Azure AD joined device with MFA enabled, a notification will indicate that there is a problem. Click the notification and then click **Fix now** to step through the subscription activation process. See the example below:
 
-   ![Subscription Activation with MFA example 1.](images/sa-mfa1.png)<br>
+   ![Subscription Activation with MFA example 1](images/sa-mfa1.png)<br>
 
-   ![Subscription Activation with MFA example 2.](images/sa-mfa2.png)<br>
+   ![Subscription Activation with MFA example 2](images/sa-mfa2.png)<br>
 
-   ![Subscription Activation with MFA example 3.](images/sa-mfa3.png)
+   ![Subscription Activation with MFA example 3](images/sa-mfa3.png)
 
 ### Windows 10 Education requirements
 
@@ -162,7 +162,7 @@ The device is AAD joined from **Settings > Accounts > Access work or school**.
 
 The IT administrator assigns Windows 10 Enterprise to a user. See the following figure.
 
-![Windows 10 Enterprise.](images/ent.png)
+![Windows 10 Enterprise](images/ent.png)
 
 When a licensed user signs in to a device that meets requirements using their Azure AD credentials, the operating system steps up from Windows 10 Pro to Windows 10 Enterprise (or Windows 10 Pro Education to Windows 10 Education) and all the appropriate Windows 10 Enterprise/Education features are unlocked. When a user’s subscription expires or is transferred to another user, the device reverts seamlessly to Windows 10 Pro / Windows 10 Pro Education edition, once current subscription validity expires.
 
@@ -171,10 +171,10 @@ Devices running Windows 10 Pro, version 1703 or Windows 10 Pro Education, versio
 The following figures summarize how the Subscription Activation model works:
 
 Before Windows 10, version 1903:<br>
-![1703.](images/before.png)
+![1703](images/before.png)
 
 After Windows 10, version 1903:<br>
-![1903.](images/after.png)
+![1903](images/after.png)
 
 > [!NOTE]
 > 
diff --git a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
index 74e099fc82..d132aa99a6 100644
--- a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
+++ b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
@@ -115,9 +115,9 @@ When you are prompted to restart the computer, choose **Yes**. The computer migh
 
 Alternatively, you can install Hyper-V using the Control Panel in Windows under **Turn Windows features on or off** for a client operating system, or using Server Manager's **Add Roles and Features Wizard** on a server operating system, as shown below:
 
-   ![Hyper-V feature.](images/hyper-v-feature.png)
+   ![Hyper-V feature](images/hyper-v-feature.png)
 
-   ![Hyper-V.](images/svr_mgr2.png)
+   ![Hyper-V](images/svr_mgr2.png)
 
 <P>If you choose to install Hyper-V using Server Manager, accept all default selections. Also be sure to install both items under <strong>Role Administration Tools\Hyper-V Management Tools</strong>.
 
@@ -232,21 +232,21 @@ PS C:\autopilot&gt;
 
 Ensure the VM booted from the installation ISO, click **Next** then click **Install now** and complete the Windows installation process. See the following examples:
 
-   ![Windows setup example 1.](images/winsetup1.png)
-   ![Windows setup example 2.](images/winsetup2.png)
-   ![Windows setup example 3.](images/winsetup3.png)
-   ![Windows setup example 4.](images/winsetup4.png)
-   ![Windows setup example 5.](images/winsetup5.png)
-   ![Windows setup example 6.](images/winsetup6.png)
+   ![Windows setup example 1](images/winsetup1.png)
+   ![Windows setup example 2](images/winsetup2.png)
+   ![Windows setup example 3](images/winsetup3.png)
+   ![Windows setup example 4](images/winsetup4.png)
+   ![Windows setup example 5](images/winsetup5.png)
+   ![Windows setup example 6](images/winsetup6.png)
 
 After the VM restarts, during OOBE, it's fine to select **Set up for personal use** or **Domain join instead** and then choose an offline account on the **Sign in** screen.  This will offer the fastest way to the desktop. For example:
 
-   ![Windows setup example 7.](images/winsetup7.png)
+   ![Windows setup example 7](images/winsetup7.png)
 
 Once the installation is complete, sign in and verify that you are at the Windows 10 desktop, then create your first Hyper-V checkpoint. Checkpoints are used to restore the VM to a previous state.
 
    > [!div class="mx-imgBorder"]
-   > ![Windows setup example 8.](images/winsetup8.png)
+   > ![Windows setup example 8](images/winsetup8.png)
 
 To create a checkpoint, open an elevated Windows PowerShell prompt on the computer running Hyper-V (not on the VM) and run the following:
 
@@ -322,7 +322,7 @@ Follow these steps to run the PowerShell script:
    > [!NOTE]
    > Although the .csv extension might be associated with Microsoft Excel, you cannot view the file properly by double-clicking it. To correctly parse the comma delimiters and view the file in Excel, you must use the **Data** > **From Text/CSV** function in Excel to import the appropriate data columns. You don't need to view the file in Excel unless you are curious. The file format will be validated when it is imported into Autopilot. An example of the data in this file is shown below.
 
-   ![Serial number and hardware hash.](images/hwid.png)
+   ![Serial number and hardware hash](images/hwid.png)
 
    You will need to upload this data into Intune to register your device for Autopilot, so the next step is to transfer this file to the computer you will use to access the Azure portal.  If you are using a physical device instead of a VM, you can copy the file to a USB stick.  If you’re using a VM, you can right-click the AutopilotHWID.csv file and copy it, then right-click and paste the file to your desktop (outside the VM).
 
@@ -338,11 +338,11 @@ With the hardware ID captured in a file, prepare your Virtual Machine for Window
 On the Virtual Machine, go to **Settings > Update & Security > Recovery** and click on **Get started** under **Reset this PC**.
 Select **Remove everything** and **Just remove my files**. If you are asked **How would you like to reinstall Windows**, select Local reinstall. Finally, click on **Reset**.
 
-![Reset this PC final prompt.](images/autopilot-reset-prompt.jpg)
+![Reset this PC final prompt](images/autopilot-reset-prompt.jpg)
 
 Resetting the VM or device can take a while. Proceed to the next step (verify subscription level) during the reset process.
 
-![Reset this PC screen capture.](images/autopilot-reset-progress.jpg)
+![Reset this PC screen capture](images/autopilot-reset-progress.jpg)
 
 ## Verify subscription level
 
@@ -350,13 +350,13 @@ For this lab, you need an AAD Premium subscription.  You can tell if you have a
 
 **Azure Active Directory** > **Mobility (MDM and MAM)** > **Microsoft Intune**
 
-![MDM and Intune.](images/mdm-intune2.png)
+![MDM and Intune](images/mdm-intune2.png)
 
 If the configuration blade shown above does not appear, it's likely that you don't have a **Premium** subscription.  Auto-enrollment is a feature only available in AAD Premium.
 
 To convert your Intune trial account to a free Premium trial account, navigate to **Azure Active Directory** > **Licenses** > **All products** > **Try / Buy** and select **Free trial** for Azure AD Premium, or EMS E5.
 
-![License conversion option.](images/aad-lic1.png)
+![License conversion option](images/aad-lic1.png)
 
 ## Configure company branding
 
@@ -367,7 +367,7 @@ If you already have company branding configured in Azure Active Directory, you c
 
 Navigate to [Company branding in Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/LoginTenantBranding), click on **Configure** and configure any type of company branding you'd like to see during the OOBE.
 
-![Configure company branding.](images/branding.png)
+![Configure company branding](images/branding.png)
 
 When you are finished, click **Save**.
 
@@ -382,7 +382,7 @@ Open [Mobility (MDM and MAM) in Azure Active Directory](https://portal.azure.com
 
 For the purposes of this demo, select **All** under the **MDM user scope** and click **Save**.
 
-![MDM user scope in the Mobility blade.](images/ap-aad-mdm.png)
+![MDM user scope in the Mobility blade](images/ap-aad-mdm.png)
 
 ## Register your VM
 
@@ -392,14 +392,14 @@ Your VM (or device) can be registered either via Intune or Microsoft Store for B
 
 1. In the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/), choose **Devices** > **Device enrollment | Enroll devices** > **Windows enrollment** > **Windows Autopilot Deployment Program | Devices** and then on the **Windows Autopilot devices** page, choose **Import**.
 
-    ![Intune device import.](images/enroll1.png)
+    ![Intune device import](images/enroll1.png)
 
     > [!NOTE]
     > If menu items like **Windows enrollment** are not active for you, then look to the far-right blade in the UI.  You might need to provide Intune configuration privileges in a challenge window that appeared.
 
 2. Under **Add Windows Autopilot devices** in the far right pane, browse to the **AutopilotHWID.csv** file you previously copied to your local computer.  The file should contain the serial number and 4K HH of your VM (or device).  It's okay if other fields (Windows Product ID) are left blank.
 
-    ![HWID CSV.](images/enroll2.png)
+    ![HWID CSV](images/enroll2.png)
 
     You should receive confirmation that the file is formatted correctly before uploading it, as shown above.
 
@@ -407,7 +407,7 @@ Your VM (or device) can be registered either via Intune or Microsoft Store for B
 
 4. Click **Refresh** to verify your VM or device has been added. See the following example.
 
-   ![Import HWID.](images/enroll3.png)
+   ![Import HWID](images/enroll3.png)
 
 ### Autopilot registration using MSfB
 
@@ -426,11 +426,11 @@ Next, sign in to [Microsoft Store for Business](https://businessstore.microsoft.
 
 Select **Manage** from the top menu, then click the **Windows Autopilot Deployment Program** link under the **Devices** card. See the following example:
 
-![Microsoft Store for Business.](images/msfb.png)
+![Microsoft Store for Business](images/msfb.png)
 
 Click the **Add devices** link to upload your CSV file. A message will appear indicating your request is being processed. Wait a few moments before refreshing to see your new device has been added.
 
-![Microsoft Store for Business Devices.](images/msfb-device.png)
+![Microsoft Store for Business Devices](images/msfb-device.png)
 
 ## Create and assign a Windows Autopilot deployment profile
 
@@ -446,7 +446,7 @@ Pick one:
 > [!NOTE]
 > Even if you registered your device in MSfB, it will still appear in Intune, though you might have to **sync** and then **refresh** your device list.
 
-![Devices.](images/enroll4.png)
+![Devices](images/enroll4.png)
 
 #### Create a device group
 
@@ -463,7 +463,7 @@ The Autopilot deployment profile wizard will ask for a device group, so we must
 3. Click **Members** and add the Autopilot VM to the group. See the following example:
 
    > [!div class="mx-imgBorder"]
-   > ![add members.](images/group1.png)
+   > ![add members](images/group1.png)
 
 4. Click **Create**. 
 
@@ -472,12 +472,12 @@ The Autopilot deployment profile wizard will ask for a device group, so we must
 To create a Windows Autopilot profile, scroll back to the left hand pane and click **Devices**, then under **Enroll devices | Windows enrollment** select **Deployment Profiles**.
 
 > [!div class="mx-imgBorder"]
-> ![Deployment profiles.](images/dp.png)
+> ![Deployment profiles](images/dp.png)
 
 Click on **Create profile** and then select **Windows PC**.
 
 > [!div class="mx-imgBorder"]
-> ![Create deployment profile.](images/create-profile.png)
+> ![Create deployment profile](images/create-profile.png)
 
 On the **Create profile** blade, use the following values:
 
@@ -512,7 +512,7 @@ Click **Next** to continue with the **Assignments** settings:
 2. Click the **Autopilot Lab** group, and then click **Select**.
 3. Click **Next** to continue and then click **Create**. See the following example:
 
-![Deployment profile.](images/profile.png)
+![Deployment profile](images/profile.png)
 
 Click on **OK** and then click on **Create**.
 
@@ -529,7 +529,7 @@ First, sign in to the [Microsoft Store for Business](https://businessstore.micro
 
 Click **Manage** from the top menu, then click **Devices** from the left navigation tree.
 
-![MSfB manage.](images/msfb-manage.png)
+![MSfB manage](images/msfb-manage.png)
 
 Click the **Windows Autopilot Deployment Program** link in the **Devices** tile.
 
@@ -538,17 +538,17 @@ To CREATE the profile:
 Select your device from the **Devices** list:
 
 > [!div class="mx-imgBorder"]
-> ![MSfB create step 1.](images/msfb-create1.png)
+> ![MSfB create step 1](images/msfb-create1.png)
 
 On the Autopilot deployment dropdown menu, select **Create new profile**:
 
 > [!div class="mx-imgBorder"]
-> ![MSfB create step 2.](images/msfb-create2.png)
+> ![MSfB create step 2](images/msfb-create2.png)
 
 Name the profile, choose your desired settings, and then click **Create**:
 
 > [!div class="mx-imgBorder"]
-> ![MSfB create step 3.](images/msfb-create3.png)
+> ![MSfB create step 3](images/msfb-create3.png)
 
 The new profile is added to the Autopilot deployment list.
 
@@ -557,12 +557,12 @@ To ASSIGN the profile:
 To assign (or reassign) the profile to a device, select the checkboxes next to the device you registered for this lab, then select the profile you want to assign from the **Autopilot deployment** dropdown menu as shown:
 
 > [!div class="mx-imgBorder"]
-> ![MSfB assign step 1.](images/msfb-assign1.png)
+> ![MSfB assign step 1](images/msfb-assign1.png)
 
 Confirm the profile was successfully assigned to the intended device by checking the contents of the **Profile** column:
 
 > [!div class="mx-imgBorder"]
-> ![MSfB assign step 2.](images/msfb-assign2.png)
+> ![MSfB assign step 2](images/msfb-assign2.png)
 
 > [!IMPORTANT]
 > The new profile will only be applied if the device has not been started, and gone through OOBE. Settings from a different profile can't be applied when another profile has been applied. Windows would need to be reinstalled on the device for the second profile to be applied to the device.
@@ -572,7 +572,7 @@ Confirm the profile was successfully assigned to the intended device by checking
 If you shut down your VM after the last reset, it's time to start it back up again, so it can progress through the Autopilot OOBE experience but do not attempt to start your device again until the **PROFILE STATUS** for your device in Intune has changed from **Not assigned** to **Assigning** and finally **Assigned**:
 
 > [!div class="mx-imgBorder"]
-> ![Device status.](images/device-status.png)
+> ![Device status](images/device-status.png)
 
 Also, make sure to wait at least 30 minutes from the time you've [configured company branding](#configure-company-branding), otherwise these changes might not show up.
 
@@ -583,12 +583,12 @@ Also, make sure to wait at least 30 minutes from the time you've [configured com
 - Turn on the device
 - Verify that the appropriate OOBE screens (with appropriate Company Branding) appear.  You should see the region selection screen, the keyboard selection screen, and the second keyboard selection screen (which you can skip).
 
-![OOBE sign-in page.](images/autopilot-oobe.png)
+![OOBE sign-in page](images/autopilot-oobe.png)
 
 Soon after reaching the desktop, the device should show up in Intune as an **enabled** Autopilot device.  Go into the Intune Azure portal, and select **Devices > All devices**, then **Refresh** the data to verify that your device has changed from disabled to enabled, and the name of the device is updated.
 
 > [!div class="mx-imgBorder"]
-> ![Device enabled.](images/devices1.png)
+> ![Device enabled](images/devices1.png)
 
 Once you select a language and a keyboard layout, your company branded sign-in screen should appear. Provide your Azure Active Directory credentials and you're all done.
 
@@ -606,7 +606,7 @@ To use the device (or VM) for other purposes after completion of this lab, you w
 You need to delete (or retire, or factory reset) the device from Intune before deregistering the device from Autopilot. To delete the device from Intune (not Azure Active Directory), log into the MEM admin center, then navigate to **Intune > Devices > All Devices**.  Select the device you want to delete, then click the Delete button along the top menu.
 
 > [!div class="mx-imgBorder"]
-> ![Delete device step 1.](images/delete-device1.png)
+> ![Delete device step 1](images/delete-device1.png)
 
 This will remove the device from Intune management, and it will disappear from **Intune > Devices > All devices**. But this does not yet deregister the device from Autopilot, so the device should still appear under **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices**.
 
@@ -618,7 +618,7 @@ The **Intune > Devices > All Devices** list and the **Intune > Device Enrollment
 To remove the device from the Autopilot program, select the device and click **Delete**. You will get a popup dialog box to confirm deletion.
 
 > [!div class="mx-imgBorder"]
-> ![Delete device.](images/delete-device2.png)
+> ![Delete device](images/delete-device2.png)
 
 At this point, your device has been unenrolled from Intune and also deregistered from Autopilot.  After several minutes, click the **Sync** button, followed by the **Refresh** button to confirm the device is no longer listed in the Autopilot program:
 
@@ -686,7 +686,7 @@ Download the Notepad++ msi package [here](https://www.hass.de/content/notepad-ms
 Run the IntuneWinAppUtil tool, supplying answers to the three questions, for example:
 
 > [!div class="mx-imgBorder"]
-> ![Add app example.](images/app01.png)
+> ![Add app example](images/app01.png)
 
 After the tool finishes running, you should have an .intunewin file in the Output folder, which you can now upload into Intune using the following steps.
 
@@ -696,20 +696,20 @@ Log into the Azure portal and select **Intune**.
 
 Navigate to **Intune > Clients apps > Apps**, and then click the **Add** button to create a new app package.
 
-![Add app step 1.](images/app02.png)
+![Add app step 1](images/app02.png)
 
 Under **App Type**, select **Windows app (Win32)**:
 
-![Add app step 2.](images/app03.png)
+![Add app step 2](images/app03.png)
 
 On the **App package file** blade, browse to the **npp.7.6.3.installer.x64.intunewin** file in your output folder, open it, then click **OK**:
 
 > [!div class="mx-imgBorder"]
-> ![Add app step 3.](images/app04.png)
+> ![Add app step 3](images/app04.png)
 
 On the **App Information Configure** blade, provide a friendly name, description, and publisher, such as:
 
-![Add app step 4.](images/app05.png)
+![Add app step 4](images/app05.png)
 
 On the **Program Configuration** blade, supply the install and uninstall commands:
 
@@ -721,7 +721,7 @@ Uninstall:  msiexec /x "{F188A506-C3C6-4411-BE3A-DA5BF1EA6737}" /q
 > [!NOTE]
 > Likely, you do not have to write the install and uninstall commands yourself because the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool) automatically generated them when it converted the .msi file into a .intunewin file.
 
-![Add app step 5.](images/app06.png)
+![Add app step 5](images/app06.png)
 
 Simply using an install command like "notepad++.exe /S" will not actually install Notepad++; it will only launch the app.  To actually install the program, we need to use the .msi file instead.  Notepad++ doesn't actually have an .msi version of their program, but we got an .msi version from a [third party provider](https://www.hass.de/content/notepad-msi-package-enterprise-deployment-available).
 
@@ -730,23 +730,23 @@ Click **OK** to save your input and activate the **Requirements** blade.
 On the **Requirements Configuration** blade, specify the **OS architecture** and the **Minimum OS version**:
 
 > [!div class="mx-imgBorder"]
-> ![Add app step 6.](images/app07.png)
+> ![Add app step 6](images/app07.png)
 
 Next, configure the **Detection rules**.  For our purposes, we will select manual format:
 
 > [!div class="mx-imgBorder"]
-> ![Add app step 7.](images/app08.png)
+> ![Add app step 7](images/app08.png)
 
 Click **Add** to define the rule properties.  For **Rule type**, select **MSI**, which will automatically import the right MSI product code into the rule:
 
-![Add app step 8.](images/app09.png)
+![Add app step 8](images/app09.png)
 
 Click **OK** twice to save, as you back out to the main **Add app** blade again for the final configuration.
 
 **Return codes**:  For our purposes, leave the return codes at their default values:
 
 > [!div class="mx-imgBorder"]
-> ![Add app step 9.](images/app10.png)
+> ![Add app step 9](images/app10.png)
 
 Click **OK** to exit.
 
@@ -757,12 +757,12 @@ Click the **Add** button to finalize and save your app package.
 Once the indicator message says the addition has completed.
 
 > [!div class="mx-imgBorder"]
-> ![Add app step 10.](images/app11.png)
+> ![Add app step 10](images/app11.png)
 
 You will be able to find your app in your app list:
 
 > [!div class="mx-imgBorder"]
-> ![Add app step 11.](images/app12.png)
+> ![Add app step 11](images/app12.png)
 
 #### Assign the app to your Intune profile
 
@@ -772,7 +772,7 @@ You will be able to find your app in your app list:
 In the **Intune > Client Apps > Apps** pane, select the app package you already created to reveal its properties blade.  Then click **Assignments** from the menu:
 
 > [!div class="mx-imgBorder"]
-> ![Assign app step 1.](images/app13.png)
+> ![Assign app step 1](images/app13.png)
 
 Select **Add Group** to open the **Add group** pane that is related to the app.
 
@@ -783,10 +783,10 @@ For our purposes, select **Required** from the **Assignment type** dropdown menu
 
 Select **Included Groups** and assign the groups you previously created that will use this app:
 
-![Assign app step 2.](images/app14.png)
+![Assign app step 2](images/app14.png)
 
 > [!div class="mx-imgBorder"]
-> ![Assign app step 3.](images/app15.png)
+> ![Assign app step 3](images/app15.png)
 
 In the **Select groups** pane, click the **Select** button.
 
@@ -797,7 +797,7 @@ In the **Add group** pane, select **OK**.
 In the app **Assignments** pane, select **Save**.
 
 > [!div class="mx-imgBorder"]
-> ![Assign app step 4.](images/app16.png)
+> ![Assign app step 4](images/app16.png)
 
 At this point, you have completed steps to add a Win32 app to Intune.
 
@@ -811,16 +811,16 @@ Log into the Azure portal and select **Intune**.
 
 Navigate to **Intune > Clients apps > Apps**, and then click the **Add** button to create a new app package.
 
-![Create app step 1.](images/app17.png)
+![Create app step 1](images/app17.png)
 
 Under **App Type**, select **Office 365 Suite > Windows 10**:
 
-![Create app step 2.](images/app18.png)
+![Create app step 2](images/app18.png)
 
 Under the **Configure App Suite** pane, select the Office apps you want to install.  For the purposes of this labe we have only selected Excel:
 
 > [!div class="mx-imgBorder"]
-> ![Create app step 3.](images/app19.png)
+> ![Create app step 3](images/app19.png)
 
 Click **OK**.
 
@@ -829,13 +829,13 @@ In the **App Suite Information** pane, enter a <i>unique</i> suite name, and a s
 Enter the name of the app suite as it is displayed in the company portal. Make sure that all suite names that you use are unique. If the same app suite name exists twice, only one of the apps is displayed to users in the company portal.
 
 > [!div class="mx-imgBorder"]
-> ![Create app step 4.](images/app20.png)
+> ![Create app step 4](images/app20.png)
 
 Click **OK**.
 
 In the **App Suite Settings** pane, select **Monthly** for the **Update channel** (any selection would be fine for the purposes of this lab).  Also select **Yes** for **Automatically accept the app end user license agreement**:
 
-![Create app step 5.](images/app21.png)
+![Create app step 5](images/app21.png)
 
 Click **OK** and then click **Add**.
 
@@ -847,7 +847,7 @@ Click **OK** and then click **Add**.
 In the **Intune > Client Apps > Apps** pane, select the Office package you already created to reveal its properties blade.  Then click **Assignments** from the menu:
 
 > [!div class="mx-imgBorder"]
-> ![Create app step 6.](images/app22.png)
+> ![Create app step 6](images/app22.png)
 
 Select **Add Group** to open the **Add group** pane that is related to the app.
 
@@ -857,10 +857,10 @@ For our purposes, select **Required** from the **Assignment type** dropdown menu
 
 Select **Included Groups** and assign the groups you previously created that will use this app:
 
-![Create app step 7.](images/app23.png)
+![Create app step 7](images/app23.png)
 
 > [!div class="mx-imgBorder"]
-> ![Create app step 8.](images/app24.png)
+> ![Create app step 8](images/app24.png)
 
 In the **Select groups** pane, click the **Select** button.
 
@@ -870,7 +870,7 @@ In the **Add group** pane, select **OK**.
 
 In the app **Assignments** pane, select **Save**.
 
-![Create app step 9.](images/app25.png)
+![Create app step 9](images/app25.png)
 
 At this point, you have completed steps to add Office to Intune.
 
@@ -878,7 +878,7 @@ For more information on adding Office apps to Intune, see [Assign Office 365 app
 
 If you installed both the win32 app (Notepad++) and Office (just Excel) per the instructions in this lab, your VM will show them in the apps list, although it could take several minutes to populate:
 
-![Create app step 10.](images/app26.png)
+![Create app step 10](images/app26.png)
 
 ## Glossary
 
diff --git a/windows/deployment/windows-deployment-scenarios-and-tools.md b/windows/deployment/windows-deployment-scenarios-and-tools.md
index 04f798b127..0d04abd1e0 100644
--- a/windows/deployment/windows-deployment-scenarios-and-tools.md
+++ b/windows/deployment/windows-deployment-scenarios-and-tools.md
@@ -29,7 +29,7 @@ In this topic, you also learn about different types of reference images that you
 
 Windows ADK contains core assessment and deployment tools and technologies, including Deployment Image Servicing and Management (DISM), Windows Imaging and Configuration Designer (Windows ICD), Windows System Image Manager (Windows SIM), User State Migration Tool (USMT), Volume Activation Management Tool (VAMT), Windows Preinstallation Environment (Windows PE), Windows Assessment Services, Windows Performance Toolkit (WPT), Application Compatibility Toolkit (ACT), and Microsoft SQL Server 2012 Express. For more details, see [Windows ADK for Windows 10](/windows-hardware/get-started/adk-install) or [Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md).
 
-![figure 1.](images/win-10-adk-select.png)
+![figure 1](images/win-10-adk-select.png)
 
 The Windows 10 ADK feature selection page.
 
@@ -50,7 +50,7 @@ Enable-WindowsOptionalFeature -Online -FeatureName NetFx3 -All
 -Source D:\Sources\SxS -LimitAccess
 ```
 
-![figure 2.](images/mdt-11-fig05.png)
+![figure 2](images/mdt-11-fig05.png)
 
 Using DISM functions in PowerShell.
 
@@ -77,7 +77,7 @@ In addition to these tools, there are also XML templates that manage which data
 -   **Custom templates.** Custom templates that you create.
 -   **Config template.** An optional template, called Config.xml, which you can use to exclude or include components in a migration without modifying the other standard XML templates.
 
-![figure 3.](images/mdt-11-fig06.png)
+![figure 3](images/mdt-11-fig06.png)
 
 A sample USMT migration file that will exclude .MP3 files on all local drives and include the folder C:\\Data and all its files, including its subdirectories and their files.
 
@@ -100,7 +100,7 @@ These are the settings migrated by the default MigUser.xml and MigApp.xml templa
 
 Windows Imaging and Configuration Designer (Windows ICD) is a tool designed to assist with the creation of provisioning packages that can be used to dynamically configure a Windows device (PCs, tablets, and phones). This is particularly useful for setting up new devices, without the need for re-imaging the device with a custom image.
 
-![figure 4.](images/windows-icd.png)
+![figure 4](images/windows-icd.png)
 
 Windows Imaging and Configuration Designer.
 
@@ -110,7 +110,7 @@ For more information, see [Windows Imaging and Configuration Designer](/windows/
 
 Windows SIM is an authoring tool for Unattend.xml files. When using MDT and/or Configuration Manager, you don’t need Windows SIM very often because those systems automatically update the Unattend.xml file during the deployment, greatly simplifying the process overall.
 
-![figure 7.](images/mdt-11-fig07.png)
+![figure 7](images/mdt-11-fig07.png)
 
 Windows answer file opened in Windows SIM.
 
@@ -120,7 +120,7 @@ For more information, see [Windows System Image Manager Technical Reference]( ht
 
 If you don’t use KMS, you can still manage your MAKs centrally with the Volume Activation Management Tool (VAMT). With this tool, you can install and manage product keys throughout the organization. VAMT also can activate on behalf of clients without Internet access, acting as a MAK proxy.
 
-![figure 6.](images/mdt-11-fig08.png)
+![figure 6](images/mdt-11-fig08.png)
 
 The updated Volume Activation Management Tool.
 
@@ -138,7 +138,7 @@ Windows PE is a “Lite” version of Windows 10 and was created to act as a dep
 
 The key thing to know about Windows PE is that, like the operating system, it needs drivers for at least network and storage devices in each PC. Luckily Windows PE includes the same drivers as the full Windows 10 operating system, which means much of your hardware will work out of the box.
 
-![figure 7.](images/mdt-11-fig09.png)
+![figure 7](images/mdt-11-fig09.png)
 
 A machine booted with the Windows ADK default Windows PE boot image.
 
@@ -149,7 +149,7 @@ For more details on Windows PE, see [Windows PE (WinPE)](/windows-hardware/manuf
 
 Windows Recovery Environment (Windows RE) is a diagnostics and recovery toolset included in Windows Vista and later operating systems. The latest version of Windows RE is based on Windows PE. You can also extend Windows RE and add your own tools if needed. If a Windows installation fails to start and Windows RE is installed, you will see an automatic failover into Windows RE.
 
-![figure 8.](images/mdt-11-fig10.png)
+![figure 8](images/mdt-11-fig10.png)
 
 A Windows 10 client booted into Windows RE, showing Advanced options.
 
@@ -160,7 +160,7 @@ For more information on Windows RE, see [Windows Recovery Environment](/windows-
 
 Windows Deployment Services (WDS) has been updated and improved in several ways starting with Windows 8. Remember that the two main functions you will use are the PXE boot support and multicast. Most of the changes are related to management and increased performance. In Windows Server 2012 R2, WDS also can be used for the Network Unlock feature in BitLocker.
 
-![figure 9.](images/mdt-11-fig11.png)
+![figure 9](images/mdt-11-fig11.png)
 
 Windows Deployment Services using multicast to deploy three machines.
 
@@ -176,7 +176,7 @@ Also, there are a few new features related to TFTP performance:
 -   **Scalable port management.** Provides the capability to service clients with shared UDP port allocation, increasing scalability.
 -   **Variable-size transmission window (Variable Windows Extension).** Improves TFTP performance by allowing the client and server to determine the largest workable window size.
 
-![figure 10.](images/mdt-11-fig12.png)
+![figure 10](images/mdt-11-fig12.png)
 
 TFTP changes are now easy to perform.
 
@@ -192,7 +192,7 @@ Lite Touch and Zero Touch are marketing names for the two solutions that MDT sup
 
  
 
-![figure 11.](images/mdt-11-fig13.png)
+![figure 11](images/mdt-11-fig13.png)
 
 The Deployment Workbench in, showing a task sequence.
 
@@ -203,7 +203,7 @@ For more information on MDT, see the [Microsoft Deployment Toolkit](/mem/configm
 
 [Microsoft SCM](https://go.microsoft.com/fwlink/p/?LinkId=619246) is a free utility used to create baseline security settings for the Windows client and server environment. The baselines can be exported and then deployed via Group Policy, local policies, MDT, or Configuration Manager. The current version of Security Compliance Manager includes baselines for Windows 8.1 and several earlier versions of Windows, Windows Server, and Internet Explorer.
 
-![figure 12.](images/mdt-11-fig14.png)
+![figure 12](images/mdt-11-fig14.png)
 
 The SCM console showing a baseline configuration for a fictional client's computer security compliance.
 
@@ -228,7 +228,7 @@ For more information on the benefits of an MDOP subscription, see [Microsoft Des
 
 There has been a version of IEAK for every version of Internet Explorer since 3.0. It gives you the capability to customize Internet Explorer as you would like. The end result of using IEAK is an Internet Explorer package that can be deployed unattended. The wizard creates one .exe file and one .msi file.
 
-![figure 13.](images/mdt-11-fig15.png)
+![figure 13](images/mdt-11-fig15.png)
 
 The User Experience selection screen in IEAK 11.
 
@@ -239,7 +239,7 @@ To download IEAK 11, see the [Internet Explorer Administration Kit (IEAK) Inform
 
 WSUS is a server role in Windows Server 2012 R2 that enables you to maintain a local repository of Microsoft updates and then distribute them to machines on your network. WSUS offers approval control and reporting of update status in your environment.
 
-![figure 14.](images/mdt-11-fig16.png)
+![figure 14](images/mdt-11-fig16.png)
 
 The Windows Server Update Services console.
 
diff --git a/windows/privacy/Microsoft-DiagnosticDataViewer.md b/windows/privacy/Microsoft-DiagnosticDataViewer.md
index 5852e85928..930819c367 100644
--- a/windows/privacy/Microsoft-DiagnosticDataViewer.md
+++ b/windows/privacy/Microsoft-DiagnosticDataViewer.md
@@ -64,7 +64,7 @@ Note that this setting does not control whether your device sends diagnostic dat
 
 2. Under **Diagnostic data**, turn on the **If data viewing is enabled, you can see your diagnostics data** option.
 
-    ![Location to turn on data viewing.](images/ddv-data-viewing.png)
+    ![Location to turn on data viewing](images/ddv-data-viewing.png)
 
 **To turn on data viewing through PowerShell**
 
@@ -134,7 +134,7 @@ When you're done reviewing your diagnostic data, we recommend turning off data v
 
 2. Under **Diagnostic data**, turn off the **If data viewing is enabled, you can see your diagnostics data** option.
 
-    ![Location to turn off data viewing.](images/ddv-settings-off.png)
+    ![Location to turn off data viewing](images/ddv-settings-off.png)
 
 **To turn off data viewing through PowerShell** 
 
diff --git a/windows/privacy/diagnostic-data-viewer-overview.md b/windows/privacy/diagnostic-data-viewer-overview.md
index dc9a127179..3b40651ee2 100644
--- a/windows/privacy/diagnostic-data-viewer-overview.md
+++ b/windows/privacy/diagnostic-data-viewer-overview.md
@@ -38,7 +38,7 @@ Before you can use this tool for viewing Windows diagnostic data, you must turn
 
 2. Under **Diagnostic data**, turn on the **If data viewing is enabled, you can see your diagnostics data** option.
 
-    ![Location to turn on data viewing.](images/ddv-data-viewing.png)
+    ![Location to turn on data viewing](images/ddv-data-viewing.png)
 
 ### Download the Diagnostic Data Viewer
 Download the app from the [Microsoft Store Diagnostic Data Viewer](https://www.microsoft.com/store/p/diagnostic-data-viewer/9n8wtrrsq8f7?rtc=1) page.
@@ -54,7 +54,7 @@ You can start this app from the **Settings** panel.
 
 2. Under **Diagnostic data**, select the **Diagnostic Data Viewer** button.
 
-    ![Location to turn on the Diagnostic Data Viewer.](images/ddv-settings-launch.png)<br><br>-OR-<br><br>
+    ![Location to turn on the Diagnostic Data Viewer](images/ddv-settings-launch.png)<br><br>-OR-<br><br>
     
     Go to **Start** and search for _Diagnostic Data Viewer_.
 
@@ -73,7 +73,7 @@ The Diagnostic Data Viewer provides you with the following features to view and
     >[!Important]
     >Seeing an event does not necessarily mean it has been uploaded yet. It’s possible that some events are still queued and will be uploaded at a later time.
 
-     ![View your diagnostic events.](images/ddv-event-view.jpg)
+     ![View your diagnostic events](images/ddv-event-view.jpg)
 
 - **Search your diagnostic events.** The **Search** box at the top of the screen lets you search amongst all of the diagnostic event details. The returned search results include any diagnostic event that contains the matching text. 
 
@@ -83,7 +83,7 @@ The Diagnostic Data Viewer provides you with the following features to view and
 
 - **Help to make your Windows experience better.** Microsoft only needs diagnostic data from a small amount of devices to make big improvements to the Windows operating system and ultimately, your experience. If you’re a part of this small device group and you experience issues, Microsoft will collect the associated event diagnostic data, allowing your info to potentially help fix the issue for others.
 
-    To signify your contribution, you’ll see this icon (![Icon to review the device-level sampling.](images/ddv-device-sample.png)) if your device is part of the group. In addition, if any of your diagnostic data events are sent from your device to Microsoft to help make improvements, you’ll see this icon (![Icon to review the event-level sampling](images/ddv-event-sample.png)). 
+    To signify your contribution, you’ll see this icon (![Icon to review the device-level sampling](images/ddv-device-sample.png)) if your device is part of the group. In addition, if any of your diagnostic data events are sent from your device to Microsoft to help make improvements, you’ll see this icon (![Icon to review the event-level sampling](images/ddv-event-sample.png)). 
 
 - **Provide diagnostic event feedback.** The **Feedback** icon in the upper right corner of the window opens the Feedback Hub app, letting you provide feedback about the Diagnostic Data Viewer and the diagnostic events.
 
@@ -99,7 +99,7 @@ The Diagnostic Data Viewer provides you with the following features to view and
     >[!Important]
     >This content is a reflection of the history of Windows data the app has stored. If you'd like to have extended analyses, please modify the storage capacity of Diagnostic Data Viewer. 
 
-    ![Look at an overview of what data you've shared with Microsoft through the 'About my data' page in Diagnostic Data Viewer.](images/ddv-analytics.png) 
+    ![Look at an overview of what data you've shared with Microsoft through the 'About my data' page in Diagnostic Data Viewer](images/ddv-analytics.png) 
 
 ## View Office Diagnostic Data
 By default, Diagnostic Data Viewer shows you Windows data. You can also view Office diagnostic data by enabling the feature in the app settings page. To learn more about how to view Office diagnostic data, please visit this [page](https://go.microsoft.com/fwlink/?linkid=2023830). 
@@ -112,7 +112,7 @@ When you're done reviewing your diagnostic data, you should turn of data viewing
 
 2. Under **Diagnostic data**, turn off the **If data viewing is enabled, you can see your diagnostics data** option.
 
-    ![Location to turn off data viewing.](images/ddv-settings-off.png)
+    ![Location to turn off data viewing](images/ddv-settings-off.png)
 
 ## Modifying the size of your data history
 By default, Diagnostic Data Viewer shows you up to 1GB or 30 days of data (whichever comes first) for Windows diagnostic data. Once either the time or space limit is reached, the data is incrementally dropped with the oldest data points dropped first. 
@@ -139,7 +139,7 @@ You can also use the Windows Error Reporting tool available in the Control Panel
 
 Starting with Windows 1809 and higher, you can review Windows Error Reporting diagnostic data in the Diagnostic Data Viewer.  
 
-![Starting with Windows 1809 and higher, you can review Windows Error Reporting diagnostic data in the Diagnostic Data Viewer.](images/ddv-problem-reports.png)
+![Starting with Windows 1809 and higher, you can review Windows Error Reporting diagnostic data in the Diagnostic Data Viewer](images/ddv-problem-reports.png)
 
 **To view your Windows Error Reporting diagnostic data using the Control Panel**
 
@@ -147,7 +147,7 @@ Go to **Start**, select **Control Panel** > **All Control Panel Items** > **Secu
 Go to **Start** and search for _Problem Reports_.
 The **Review problem reports** tool opens, showing you your Windows Error Reporting reports, along with a status about whether it was sent to Microsoft.
 
-![View problem reports tool with report statuses.](images/control-panel-problem-reports-screen.png)
+![View problem reports tool with report statuses](images/control-panel-problem-reports-screen.png)
 
 ## Known Issues with Diagnostic Data Viewer
 
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index f1f0d9469a..aad2616468 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -57,60 +57,60 @@ The following table lists management options for each setting, beginning with Wi
 
 | Setting | UI | Group Policy | Registry |
 | - | :-: | :-: | :-: |
-| [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) |
-| [2. Cortana and Search](#bkmk-cortana) | | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) |
-| [3. Date & Time](#bkmk-datetime) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) |
-| [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) |
-| [5. Find My Device](#find-my-device) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) |
-| [6. Font streaming](#font-streaming) | | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) |
-| [7. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) |
-| [8. Internet Explorer](#bkmk-ie) | | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) |
-| [9. License Manager](#bkmk-licmgr) | | |  ![Check mark.](images/checkmark.png) |
-| [10. Live Tiles](#live-tiles) | | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) |
-| [11. Mail synchronization](#bkmk-mailsync) | ![Check mark.](images/checkmark.png) | | ![Check mark.](images/checkmark.png) |
-| [12. Microsoft Account](#bkmk-microsoft-account) | | |  ![Check mark.](images/checkmark.png) |
-| [13. Microsoft Edge](#bkmk-edge) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| [14. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| [15. Offline maps](#bkmk-offlinemaps) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| [16. OneDrive](#bkmk-onedrive) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [2. Cortana and Search](#bkmk-cortana) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [5. Find My Device](#find-my-device) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [6. Font streaming](#font-streaming) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [7. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [8. Internet Explorer](#bkmk-ie) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [9. License Manager](#bkmk-licmgr) | | |  ![Check mark](images/checkmark.png) |
+| [10. Live Tiles](#live-tiles) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [11. Mail synchronization](#bkmk-mailsync) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) |
+| [12. Microsoft Account](#bkmk-microsoft-account) | | |  ![Check mark](images/checkmark.png) |
+| [13. Microsoft Edge](#bkmk-edge) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [14. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [15. Offline maps](#bkmk-offlinemaps) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [16. OneDrive](#bkmk-onedrive) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
 | [17. Preinstalled apps](#bkmk-preinstalledapps) | ![Check mark](images/checkmark.png) | | |
 | [18. Settings > Privacy](#bkmk-settingssection) | | | |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.1 General](#bkmk-general) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.2 Location](#bkmk-priv-location) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.3 Camera](#bkmk-priv-camera) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.4 Microphone](#bkmk-priv-microphone) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.5 Notifications](#bkmk-priv-notifications) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png)|
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.6 Speech](#bkmk-priv-speech) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.7 Account info](#bkmk-priv-accounts) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.8 Contacts](#bkmk-priv-contacts) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.9 Calendar](#bkmk-priv-calendar) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.10 Call history](#bkmk-priv-callhistory) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.11 Email](#bkmk-priv-email) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.12 Messaging](#bkmk-priv-messaging) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.13 Phone calls](#bkmk-priv-phone-calls) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.14 Radios](#bkmk-priv-radios) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.15 Other devices](#bkmk-priv-other-devices) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.16 Feedback & diagnostics](#bkmk-priv-feedback) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.17 Background apps](#bkmk-priv-background) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.18 Motion](#bkmk-priv-motion) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.19 Tasks](#bkmk-priv-tasks) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |  ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.20 App Diagnostics](#bkmk-priv-diag) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |  ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.21 Inking & Typing](#bkmk-priv-ink) | ![Check mark.](images/checkmark.png) | |  ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.22 Activity History](#bkmk-act-history) | ![Check mark.](images/checkmark.png) |![Check mark](images/checkmark.png) |  ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.23 Voice Activation](#bkmk-voice-act) | ![Check mark.](images/checkmark.png) |![Check mark](images/checkmark.png) |  ![Check mark](images/checkmark.png) |
-| [19. Software Protection Platform](#bkmk-spp) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| [20. Storage Health](#bkmk-storage-health) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| [21. Sync your settings](#bkmk-syncsettings) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| [22. Teredo](#bkmk-teredo) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| [23. Wi-Fi Sense](#bkmk-wifisense) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| [24. Microsoft Defender Antivirus](#bkmk-defender) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| [25. Windows Spotlight](#bkmk-spotlight) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| [26. Microsoft Store](#bkmk-windowsstore) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| [27. Apps for websites](#bkmk-apps-for-websites) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| [28. Delivery Optimization](#bkmk-updates) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| [29. Windows Update](#bkmk-wu) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.1 General](#bkmk-general) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.2 Location](#bkmk-priv-location) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.3 Camera](#bkmk-priv-camera) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.4 Microphone](#bkmk-priv-microphone) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.5 Notifications](#bkmk-priv-notifications) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png)|
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.6 Speech](#bkmk-priv-speech) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.7 Account info](#bkmk-priv-accounts) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.8 Contacts](#bkmk-priv-contacts) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.9 Calendar](#bkmk-priv-calendar) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.10 Call history](#bkmk-priv-callhistory) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.11 Email](#bkmk-priv-email) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.12 Messaging](#bkmk-priv-messaging) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.13 Phone calls](#bkmk-priv-phone-calls) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.14 Radios](#bkmk-priv-radios) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.15 Other devices](#bkmk-priv-other-devices) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.16 Feedback & diagnostics](#bkmk-priv-feedback) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.17 Background apps](#bkmk-priv-background) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.18 Motion](#bkmk-priv-motion) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.19 Tasks](#bkmk-priv-tasks) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |  ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.20 App Diagnostics](#bkmk-priv-diag) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |  ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.21 Inking & Typing](#bkmk-priv-ink) | ![Check mark](images/checkmark.png) | |  ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.22 Activity History](#bkmk-act-history) | ![Check mark](images/checkmark.png) |![Check mark](images/checkmark.png) |  ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.23 Voice Activation](#bkmk-voice-act) | ![Check mark](images/checkmark.png) |![Check mark](images/checkmark.png) |  ![Check mark](images/checkmark.png) |
+| [19. Software Protection Platform](#bkmk-spp) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [20. Storage Health](#bkmk-storage-health) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [21. Sync your settings](#bkmk-syncsettings) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [22. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [23. Wi-Fi Sense](#bkmk-wifisense) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [24. Microsoft Defender Antivirus](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [25. Windows Spotlight](#bkmk-spotlight) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [26. Microsoft Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [27. Apps for websites](#bkmk-apps-for-websites) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [28. Delivery Optimization](#bkmk-updates) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [29. Windows Update](#bkmk-wu) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
 | [30. Cloud Clipboard](#bkmk-clcp) | | ![Check mark](images/checkmark.png) |  |
-| [31. Services Configuration](#bkmk-svccfg) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [31. Services Configuration](#bkmk-svccfg) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
 
 
 ### Settings for Windows Server 2016 with Desktop Experience
@@ -119,20 +119,20 @@ See the following table for a summary of the management settings for Windows Ser
 
 | Setting | UI | Group Policy | Registry |
 | - | :-: | :-: | :-: |
-| [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| [2. Cortana and Search](#bkmk-cortana) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| [3. Date & Time](#bkmk-datetime) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| [6. Font streaming](#font-streaming) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| [7. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| [8. Internet Explorer](#bkmk-ie) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| [10. Live Tiles](#live-tiles) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [2. Cortana and Search](#bkmk-cortana) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [6. Font streaming](#font-streaming) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [7. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [8. Internet Explorer](#bkmk-ie) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [10. Live Tiles](#live-tiles) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
 | [12. Microsoft Account](#bkmk-microsoft-account) | | | ![Check mark](images/checkmark.png) |
-| [14. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| [16. OneDrive](#bkmk-onedrive) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [14. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [16. OneDrive](#bkmk-onedrive) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
 | [18. Settings > Privacy](#bkmk-settingssection) | | | |
-| [19. Software Protection Platform](#bkmk-spp) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| [22. Teredo](#bkmk-teredo) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [19. Software Protection Platform](#bkmk-spp) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [22. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
 | [24. Microsoft Defender Antivirus](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
 | [26. Microsoft Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
 | [27. Apps for websites](#bkmk-apps-for-websites) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
@@ -172,54 +172,54 @@ See the following table for a summary of the management settings for Windows Ser
 | - | :-: | :-: | :-: |
 | [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
 | [2. Cortana and Search](#bkmk-cortana) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| [3. Date & Time](#bkmk-datetime) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
 | [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| [5. Find My Device](#find-my-device) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [5. Find My Device](#find-my-device) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
 | [6. Font streaming](#font-streaming) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| [7. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [7. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
 | [8. Internet Explorer](#bkmk-ie) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
 | [10. Live Tiles](#live-tiles) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| [11. Mail synchronization](#bkmk-mailsync) | ![Check mark.](images/checkmark.png) | | ![Check mark](images/checkmark.png) |
+| [11. Mail synchronization](#bkmk-mailsync) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) |
 | [12. Microsoft Account](#bkmk-microsoft-account) | | | ![Check mark](images/checkmark.png) |
 | [13. Microsoft Edge](#bkmk-edge) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
 | [14. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| [15. Offline maps](#bkmk-offlinemaps) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [15. Offline maps](#bkmk-offlinemaps) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
 | [16. OneDrive](#bkmk-onedrive) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
 | [17. Preinstalled apps](#bkmk-preinstalledapps) | ![Check mark](images/checkmark.png) | | |
 | [18. Settings > Privacy](#bkmk-settingssection) | | | |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.1 General](#bkmk-general) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.2 Location](#bkmk-priv-location) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.3 Camera](#bkmk-priv-camera) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.4 Microphone](#bkmk-priv-microphone) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.5 Notifications](#bkmk-priv-notifications) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png)|
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.6 Speech](#bkmk-priv-speech) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.7 Account info](#bkmk-priv-accounts) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.8 Contacts](#bkmk-priv-contacts) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.9 Calendar](#bkmk-priv-calendar) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.10 Call history](#bkmk-priv-callhistory) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.11 Email](#bkmk-priv-email) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.12 Messaging](#bkmk-priv-messaging) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.13 Phone calls](#bkmk-priv-phone-calls) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.14 Radios](#bkmk-priv-radios) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.15 Other devices](#bkmk-priv-other-devices) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.16 Feedback & diagnostics](#bkmk-priv-feedback) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.17 Background apps](#bkmk-priv-background) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.18 Motion](#bkmk-priv-motion) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.19 Tasks](#bkmk-priv-tasks) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |  ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.20 App Diagnostics](#bkmk-priv-diag) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |  ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.21 Inking & Typing](#bkmk-priv-ink) | ![Check mark.](images/checkmark.png) | |  ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.22 Activity History](#bkmk-act-history) | ![Check mark.](images/checkmark.png) |![Check mark](images/checkmark.png) |  ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.23 Voice Activation](#bkmk-voice-act) | ![Check mark.](images/checkmark.png) |![Check mark](images/checkmark.png) |  ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.1 General](#bkmk-general) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.2 Location](#bkmk-priv-location) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.3 Camera](#bkmk-priv-camera) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.4 Microphone](#bkmk-priv-microphone) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.5 Notifications](#bkmk-priv-notifications) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png)|
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.6 Speech](#bkmk-priv-speech) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.7 Account info](#bkmk-priv-accounts) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.8 Contacts](#bkmk-priv-contacts) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.9 Calendar](#bkmk-priv-calendar) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.10 Call history](#bkmk-priv-callhistory) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.11 Email](#bkmk-priv-email) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.12 Messaging](#bkmk-priv-messaging) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.13 Phone calls](#bkmk-priv-phone-calls) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.14 Radios](#bkmk-priv-radios) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.15 Other devices](#bkmk-priv-other-devices) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.16 Feedback & diagnostics](#bkmk-priv-feedback) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.17 Background apps](#bkmk-priv-background) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.18 Motion](#bkmk-priv-motion) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.19 Tasks](#bkmk-priv-tasks) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |  ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.20 App Diagnostics](#bkmk-priv-diag) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |  ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.21 Inking & Typing](#bkmk-priv-ink) | ![Check mark](images/checkmark.png) | |  ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.22 Activity History](#bkmk-act-history) | ![Check mark](images/checkmark.png) |![Check mark](images/checkmark.png) |  ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.23 Voice Activation](#bkmk-voice-act) | ![Check mark](images/checkmark.png) |![Check mark](images/checkmark.png) |  ![Check mark](images/checkmark.png) |
 | [19. Software Protection Platform](#bkmk-spp) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
 | [20. Storage Health](#bkmk-storage-health) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png)  |
-| [21. Sync your settings](#bkmk-syncsettings) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [21. Sync your settings](#bkmk-syncsettings) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
 | [22. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| [23. Wi-Fi Sense](#bkmk-wifisense) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [23. Wi-Fi Sense](#bkmk-wifisense) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
 | [24. Microsoft Defender Antivirus](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| [25. Windows Spotlight](#bkmk-spotlight) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [25. Windows Spotlight](#bkmk-spotlight) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
 | [26. Microsoft Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| [27. Apps for websites](#bkmk-apps-for-websites) | | ![Check mark.](images/checkmark.png) |![Check mark](images/checkmark.png) |
-| [28. Delivery Optimization](#bkmk-updates) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [27. Apps for websites](#bkmk-apps-for-websites) | | ![Check mark](images/checkmark.png) |![Check mark](images/checkmark.png) |
+| [28. Delivery Optimization](#bkmk-updates) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
 | [29. Windows Update](#bkmk-wu) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
 | [30. Cloud Clipboard](#bkmk-clcp) | | ![Check mark](images/checkmark.png) |  |
 | [31. Services Configuration](#bkmk-svccfg) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
diff --git a/windows/security/identity-protection/access-control/active-directory-accounts.md b/windows/security/identity-protection/access-control/active-directory-accounts.md
index 69dba47679..8ac3729427 100644
--- a/windows/security/identity-protection/access-control/active-directory-accounts.md
+++ b/windows/security/identity-protection/access-control/active-directory-accounts.md
@@ -592,7 +592,7 @@ In this procedure, the workstations are dedicated to domain administrators. By s
 
     > **Note**&nbsp;&nbsp;You might have to delegate permissions to join computers to the domain if the account that joins the workstations to the domain does not already have them. For more information, see [Delegation of Administration in Active Directory](https://social.technet.microsoft.com/wiki/contents/articles/20292.delegation-of-administration-in-active-directory.aspx).
 
-    ![Active Directory local accounts.](images/adlocalaccounts-proc1-sample1.gif)
+    ![Active Directory local accounts](images/adlocalaccounts-proc1-sample1.gif)
 
 3.  Close Active Directory Users and Computers.
 
@@ -600,13 +600,13 @@ In this procedure, the workstations are dedicated to domain administrators. By s
 
 5.  Right-click the new OU, and &gt; **Create a GPO in this domain, and Link it here**.
 
-    ![Active Directory local accounts.](images/adlocalaccounts-proc1-sample2.png)
+    ![Active Directory local accounts](images/adlocalaccounts-proc1-sample2.png)
 
 6.  Name the GPO, and &gt; **OK**.
 
 7.  Expand the GPO, right-click the new GPO, and &gt; **Edit**.
 
-    ![Active Directory local accounts.](images/adlocalaccounts-proc1-sample3.png)
+    ![Active Directory local accounts](images/adlocalaccounts-proc1-sample3.png)
 
 8.  Configure which members of accounts can log on locally to these administrative workstations as follows:
 
@@ -625,7 +625,7 @@ In this procedure, the workstations are dedicated to domain administrators. By s
 
     5.  Click **Add User or Group**, type **Administrators**, and &gt; **OK**.
 
-        ![Active Directory local accounts.](images/adlocalaccounts-proc1-sample4.png)
+        ![Active Directory local accounts](images/adlocalaccounts-proc1-sample4.png)
 
 9.  Configure the proxy configuration:
 
@@ -633,7 +633,7 @@ In this procedure, the workstations are dedicated to domain administrators. By s
 
     2.  Double-click **Proxy Settings**, select the **Enable proxy settings** check box, type **127.0.0.1** (the network Loopback IP address) as the proxy address, and &gt; **OK**.
 
-        ![Active Directory local accounts.](images/adlocalaccounts-proc1-sample5.png)
+        ![Active Directory local accounts](images/adlocalaccounts-proc1-sample5.png)
 
 10. Configure the loopback processing mode to enable the user Group Policy proxy setting to apply to all users on the computer as follows:
 
@@ -696,11 +696,11 @@ In this procedure, the workstations are dedicated to domain administrators. By s
 
     1.  Right-click **Windows Firewall with Advanced Security LDAP://path**, and &gt; **Properties**.
 
-        ![Active Directory local accounts.](images/adlocalaccounts-proc1-sample6.png)
+        ![Active Directory local accounts](images/adlocalaccounts-proc1-sample6.png)
 
     2.  On each profile, ensure that the firewall is enabled and that inbound connections are set to **Block all connections**.
 
-        ![Active Directory local accounts.](images/adlocalaccounts-proc1-sample7.png)
+        ![Active Directory local accounts](images/adlocalaccounts-proc1-sample7.png)
 
     3.  Click **OK** to complete the configuration.
 
@@ -738,11 +738,11 @@ For this procedure, do not link accounts to the OU that contain workstations for
 
 3.  Right-click **Group Policy Objects**, and &gt; **New**.
 
-    ![Active Directory local accounts.](images/adlocalaccounts-proc2-sample1.png)
+    ![Active Directory local accounts](images/adlocalaccounts-proc2-sample1.png)
 
 4.  In the **New GPO** dialog box, name the GPO that restricts administrators from signing in to workstations, and &gt; **OK**.
 
-    ![Active Directory local accounts.](images/adlocalaccounts-proc2-sample2.png)
+    ![Active Directory local accounts](images/adlocalaccounts-proc2-sample2.png)
 
 5.  Right-click **New GPO**, and &gt; **Edit**.
 
@@ -756,7 +756,7 @@ For this procedure, do not link accounts to the OU that contain workstations for
 
     3.  Click **Add User or Group**, click **Browse**, type **Domain Admins**, and &gt; **OK**.
 
-        ![Active Directory local accounts.](images/adlocalaccounts-proc2-sample3.png)
+        ![Active Directory local accounts](images/adlocalaccounts-proc2-sample3.png)
 
         **Note**  
         You can optionally add any groups that contain server administrators who you want to restrict from signing in to workstations.
@@ -778,7 +778,7 @@ For this procedure, do not link accounts to the OU that contain workstations for
 
     3.  Click **Add User or Group** &gt; **Browse**, type **Domain Admins**, and &gt; **OK**.
 
-        ![Active Directory local accounts.](images/adlocalaccounts-proc2-sample4.png)
+        ![Active Directory local accounts](images/adlocalaccounts-proc2-sample4.png)
 
         **Note**  
         You can optionally add any groups that contain server administrators who you want to restrict from signing in to workstations.
@@ -791,7 +791,7 @@ For this procedure, do not link accounts to the OU that contain workstations for
 
     6.  Click **Add User or Group** &gt; **Browse**, type **Domain Admins**, and &gt; **OK**.
 
-        ![Active Directory local accounts.](images/adlocalaccounts-proc2-sample5.png)
+        ![Active Directory local accounts](images/adlocalaccounts-proc2-sample5.png)
 
         **Note**  
         You can optionally add any groups that contain server administrators who you want to restrict from signing in to workstations.
@@ -804,11 +804,11 @@ For this procedure, do not link accounts to the OU that contain workstations for
 
     1.  Right-click the workstation OU, and then &gt; **Link an Existing GPO**.
 
-        ![Active Directory local accounts.](images/adlocalaccounts-proc2-sample6.png)
+        ![Active Directory local accounts](images/adlocalaccounts-proc2-sample6.png)
 
     2.  Select the GPO that you just created, and &gt; **OK**.
 
-        ![Active Directory local accounts.](images/adlocalaccounts-proc2-sample7.png)
+        ![Active Directory local accounts](images/adlocalaccounts-proc2-sample7.png)
 
 10. Test the functionality of enterprise applications on workstations in the first OU and resolve any issues caused by the new policy.
 
@@ -831,7 +831,7 @@ It is a best practice to configure the user objects for all sensitive accounts i
 
 As with any configuration change, test this enabled setting fully to ensure that it performs correctly before you implement it.
 
-![Active Directory local accounts.](images/adlocalaccounts-proc3-sample1.png)
+![Active Directory local accounts](images/adlocalaccounts-proc3-sample1.png)
 
 ## <a href="" id="sec-secure-manage-dcs"></a>Secure and manage domain controllers
 
diff --git a/windows/security/identity-protection/access-control/local-accounts.md b/windows/security/identity-protection/access-control/local-accounts.md
index 6ad17afded..d67808e585 100644
--- a/windows/security/identity-protection/access-control/local-accounts.md
+++ b/windows/security/identity-protection/access-control/local-accounts.md
@@ -367,15 +367,15 @@ The following table shows the Group Policy and registry settings that are used t
 
 3.  In the console tree, right-click **Group Policy Objects**, and &gt; **New**.
 
-    ![local accounts 1.](images/localaccounts-proc1-sample1.png)
+    ![local accounts 1](images/localaccounts-proc1-sample1.png)
 
 4.  In the **New GPO** dialog box, type &lt;**gpo\_name**&gt;, and &gt; **OK** where *gpo\_name* is the name of the new GPO. The GPO name indicates that the GPO is used to restrict local administrator rights from being carried over to another computer.
 
-    ![local accounts 2.](images/localaccounts-proc1-sample2.png)
+    ![local accounts 2](images/localaccounts-proc1-sample2.png)
 
 5.  In the details pane, right-click &lt;**gpo\_name**&gt;, and &gt; **Edit**.
 
-    ![local accounts 3.](images/localaccounts-proc1-sample3.png)
+    ![local accounts 3](images/localaccounts-proc1-sample3.png)
 
 6.  Ensure that UAC is enabled and that UAC restrictions apply to the default Administrator account by doing the following:
 
@@ -391,7 +391,7 @@ The following table shows the Group Policy and registry settings that are used t
 
     2.  Right-click **Registry**, and &gt; **New** &gt; **Registry Item**.
 
-        ![local accounts 4.](images/localaccounts-proc1-sample4.png)
+        ![local accounts 4](images/localaccounts-proc1-sample4.png)
 
     3.  In the **New Registry Properties** dialog box, on the **General** tab, change the setting in the **Action** box to **Replace**.
 
@@ -407,7 +407,7 @@ The following table shows the Group Policy and registry settings that are used t
 
     9.  Verify this configuration, and &gt; **OK**.
 
-        ![local accounts 5.](images/localaccounts-proc1-sample5.png)
+        ![local accounts 5](images/localaccounts-proc1-sample5.png)
 
 8.  Link the GPO to the first **Workstations** organizational unit (OU) by doing the following:
 
@@ -415,7 +415,7 @@ The following table shows the Group Policy and registry settings that are used t
 
     2.  Right-click the **Workstations** OU, and &gt; **Link an existing GPO**.
 
-        ![local accounts 6.](images/localaccounts-proc1-sample6.png)
+        ![local accounts 6](images/localaccounts-proc1-sample6.png)
 
     3.  Select the GPO that you just created, and &gt; **OK**.
 
@@ -495,11 +495,11 @@ The following table shows the Group Policy settings that are used to deny networ
 
 4.  In the **New GPO** dialog box, type &lt;**gpo\_name**&gt;, and then &gt; **OK** where *gpo\_name* is the name of the new GPO indicates that it is being used to restrict the local administrative accounts from interactively signing in to the computer.
 
-    ![local accounts 7.](images/localaccounts-proc2-sample1.png)
+    ![local accounts 7](images/localaccounts-proc2-sample1.png)
 
 5.  In the details pane, right-click &lt;**gpo\_name**&gt;, and &gt; **Edit**.
 
-    ![local accounts 8.](images/localaccounts-proc2-sample2.png)
+    ![local accounts 8](images/localaccounts-proc2-sample2.png)
 
 6.  Configure the user rights to deny network logons for administrative local accounts as follows:
 
diff --git a/windows/security/identity-protection/access-control/security-identifiers.md b/windows/security/identity-protection/access-control/security-identifiers.md
index be0a573f71..e770d29de4 100644
--- a/windows/security/identity-protection/access-control/security-identifiers.md
+++ b/windows/security/identity-protection/access-control/security-identifiers.md
@@ -52,7 +52,7 @@ SIDs always remain unique. Security authorities never issue the same SID twice,
 
 A security identifier is a data structure in binary format that contains a variable number of values. The first values in the structure contain information about the SID structure. The remaining values are arranged in a hierarchy (similar to a telephone number), and they identify the SID-issuing authority (for example, “NT Authority”), the SID-issuing domain, and a particular security principal or group. The following image illustrates the structure of a SID.
 
-![Security identifier architecture.](images/security-identifider-architecture.jpg)
+![Security identifier architecture](images/security-identifider-architecture.jpg)
 
 The individual values of a SID are described in the following table.
 
diff --git a/windows/security/identity-protection/access-control/security-principals.md b/windows/security/identity-protection/access-control/security-principals.md
index 293acd13c9..26564af45a 100644
--- a/windows/security/identity-protection/access-control/security-principals.md
+++ b/windows/security/identity-protection/access-control/security-principals.md
@@ -42,7 +42,7 @@ The following diagram illustrates the Windows authorization and access control
 
 **Authorization and access control process**
 
-![authorization and access control process.](images/authorizationandaccesscontrolprocess.gif)
+![authorization and access control process](images/authorizationandaccesscontrolprocess.gif)
 
 Security principals are closely related to the following components and technologies:
 
diff --git a/windows/security/identity-protection/configure-s-mime.md b/windows/security/identity-protection/configure-s-mime.md
index 9423de2923..f055141697 100644
--- a/windows/security/identity-protection/configure-s-mime.md
+++ b/windows/security/identity-protection/configure-s-mime.md
@@ -52,11 +52,11 @@ On the device, perform the following steps: (add select certificate)
 
 2.  Open **Settings** by tapping the gear icon on a PC, or the ellipsis (...) and then the gear icon on a phone.
 
-	:::image type="content" alt-text="settings icon in mail app." source="images/mailsettings.png":::
+	:::image type="content" alt-text="settings icon in mail app" source="images/mailsettings.png":::
 
 3.  Tap **Email security**.
 
-	:::image type="content" alt-text="email security settings." source="images/emailsecurity.png":::
+	:::image type="content" alt-text="email security settings" source="images/emailsecurity.png":::
 
 4.  In **Select an account**, select the account for which you want to configure S/MIME options.
 
@@ -77,7 +77,7 @@ On the device, perform the following steps: (add select certificate)
 
 2.  Use **Sign** and **Encrypt** icons to turn on digital signature and encryption for this message.
 
-	:::image type="content" alt-text="sign or encrypt message." source="images/signencrypt.png":::
+	:::image type="content" alt-text="sign or encrypt message" source="images/signencrypt.png":::
 
 ## Read signed or encrypted messages
 
@@ -93,5 +93,5 @@ When you receive a signed email, the app provide feature to install correspondin
 
 3.  Tap **Install.**
 
-	:::image type="content" alt-text="message security information." source="images/installcert.png":::
+	:::image type="content" alt-text="message security information" source="images/installcert.png":::
  
\ No newline at end of file
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md b/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md
index b122158529..8d0219c5dd 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md
@@ -33,7 +33,7 @@ When Windows Defender Credential Guard is enabled, Kerberos does not allow uncon
 
 Here's a high-level overview on how the LSA is isolated by using virtualization-based security:
 
-![Windows Defender Credential Guard overview.](images/credguard.png)  
+![Windows Defender Credential Guard overview](images/credguard.png)  
 
 ## See also
 
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
index 936172770d..c737034fd5 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
@@ -45,7 +45,7 @@ You can use Group Policy to enable Windows Defender Credential Guard. This will
 
 5.  In the **Secure Launch Configuration** box, choose **Not Configured**, **Enabled** or **Disabled**. Check [this article](../../threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md) for more details.
 
-    ![Windows Defender Credential Guard Group Policy setting.](images/credguard-gp-2.png)
+    ![Windows Defender Credential Guard Group Policy setting](images/credguard-gp-2.png)
 
 6.  Close the Group Policy Management Console.
 
@@ -168,7 +168,7 @@ You can view System Information to check that Windows Defender Credential Guard
     Here's an example:
 
     > [!div class="mx-imgBorder"]
-    > ![System Information.](images/credguard-msinfo32.png)
+    > ![System Information](images/credguard-msinfo32.png)
 
 You can also check that Windows Defender Credential Guard is running by using the [HVCI and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md).
 
diff --git a/windows/security/identity-protection/enterprise-certificate-pinning.md b/windows/security/identity-protection/enterprise-certificate-pinning.md
index fea29a3fc3..8a678b6ff4 100644
--- a/windows/security/identity-protection/enterprise-certificate-pinning.md
+++ b/windows/security/identity-protection/enterprise-certificate-pinning.md
@@ -176,7 +176,7 @@ Certutil writes the binary information to the following registration location:
 | Value | Binary contents from the certificate pin rules certificate trust list file |
 | Data type | REG_BINARY |
 
-![Registry binary information.](images/enterprise-pinning-registry-binary-information.png)
+![Registry binary information](images/enterprise-pinning-registry-binary-information.png)
 
 ### Deploying Enterprise Pin Rule Settings using Group Policy
 
@@ -203,7 +203,7 @@ Sign-in to the reference computer using domain administrator equivalent credenti
 
 11. The **Key Path** should contain the selected registry key. The **Value name** configuration should contain the registry value name **_PinRules_**. **Value type** should read **_REG\_BINARY_** and **Value data** should contain a long series of numbers from 0-9 and letters ranging from A-F (hexadecimal).  Click **OK** to save your settings and close the dialog box.
 
-    ![PinRules Properties.](images/enterprise-certificate-pinning-pinrules-properties.png)
+    ![PinRules Properties](images/enterprise-certificate-pinning-pinrules-properties.png)
 
 12. Close the **Group Policy Management Editor** to save your settings.
 13. Link the **Enterprise Certificate Pinning Rules** Group Policy object to apply to computers that run Windows 10, version 1703 in your enterprise. When these domain-joined computers apply Group Policy, the registry information configured in the Group Policy object is applied to the computer.
@@ -258,7 +258,7 @@ These dates must be properly formatted and represented in UTC.
 You can use Windows PowerShell to format these dates.  
 You can then copy and paste the output of the cmdlet into the XML file. 
 
-![Representing a date.](images/enterprise-certificate-pinning-representing-a-date.png)
+![Representing a date](images/enterprise-certificate-pinning-representing-a-date.png)
 
 For simplicity, you can truncate decimal point (.) and the numbers after it. 
 However, be certain to append the uppercase “Z” to the end of the XML date string.
@@ -272,7 +272,7 @@ However, be certain to append the uppercase “Z” to the end of the XML date s
 
 You can also use Windows PowerShell to validate convert an XML date into a human readable date to validate it’s the correct date.
 
-![Converting an XML date.](images/enterprise-certificate-pinning-converting-an-xml-date.png)
+![Converting an XML date](images/enterprise-certificate-pinning-converting-an-xml-date.png)
 
 ## Representing a Duration in XML
 
@@ -280,13 +280,13 @@ Some elements may be configured to use a duration rather than a date.
 You must represent the duration as an XML timespan data type. 
 You can use Windows PowerShell to properly format and validate durations (timespans) and copy and paste them into your XML file.
 
-![Representing a duration.](images/enterprise-certificate-pinning-representing-a-duration.png)
+![Representing a duration](images/enterprise-certificate-pinning-representing-a-duration.png)
 
 ## Converting an XML Duration
 
 You can convert a XML formatted timespan into a timespan variable that you can read. 
 
-![Converting an XML duration.](images/enterprise-certificate-pinning-converting-a-duration.png)
+![Converting an XML duration](images/enterprise-certificate-pinning-converting-a-duration.png)
 
 ## Certificate Trust List XML Schema Definition (XSD)
 
diff --git a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
index f80ffec25c..b7018e4477 100644
--- a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
+++ b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
@@ -372,11 +372,11 @@ The Group Policy object contains the policy settings needed to trigger Windows H
 
 7. Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**.
 
-   ![Group Policy Editor.](images/multifactorUnlock/gpme.png)
+   ![Group Policy Editor](images/multifactorUnlock/gpme.png)
    
 8. In the content pane, double-click **Configure device unlock factors**. Click **Enable**.  The **Options** section populates the policy setting with default values.
 
-   ![Multifactor Policy Setting.](images/multifactorUnlock/gp-setting.png)
+   ![Multifactor Policy Setting](images/multifactorUnlock/gp-setting.png)
    
 9. Configure first and second unlock factors using the information in [Configure Unlock Factors](#configuring-unlock-factors).
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md
index 25d27e28d3..16be1aa6bc 100644
--- a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md
+++ b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md
@@ -38,23 +38,23 @@ Determining an adequate number of Windows Server domain controllers is important
 
 Consider a controlled environment where there are 1000 client computers and the authentication load of these 1000 client computers is evenly distributed across 10 domain controllers in the environment. The Kerberos AS requests load would look something like the following:
 
-![dc-chart1.](images/plan/dc-chart1.png)
+![dc-chart1](images/plan/dc-chart1.png)
 
 The environment changes. The first change includes DC1 upgraded to Windows Server 2016 or later to support Windows Hello for Business key-trust authentication. Next, 100 clients enroll for Windows Hello for Business using the public key trust deployment. Given all other factors stay constant, the authentication would now look like the following:
 
-![dc-chart2.](images/plan/dc-chart2.png)
+![dc-chart2](images/plan/dc-chart2.png)
 
 The Windows Server 2016 or later domain controller is handling 100 percent of all public key trust authentication. However, it is also handling 10 percent of password authentication. Why? This behavior occurs because domain controllers 2 - 10 only support password and certificate trust authentication; only a Windows Server 2016 and above domain controller supports public key trust authentication. The Windows Server 2016 and above domain controller still understands how to authenticate password and certificate trust authentication and will continue to share the load of authenticating those clients. Because DC1 can handle all forms of authentication, it will bear more of the authentication load, and easily become overloaded. What if another Windows Server 2016 or later domain controller is added, but without deploying Windows Hello for Business to any more clients?
 
-![dc-chart3.](images/plan/dc-chart3.png)
+![dc-chart3](images/plan/dc-chart3.png)
 
 Upgrading another domain controller to Windows Server 2016 or later distributes the public key trust authentication across two domain controllers - each supporting 50 percent of the load.  But it doesn't change the distribution of password and certificate trust authentication. Both Windows Server 2019 domain controllers still share 10 percent of this load. Now look at the scenario when half of the domain controllers are upgraded to Windows Server 2016 or later, but the number of WHFB clients remains the same.
 
-![dc-chart4.](images/plan/dc-chart4.png)
+![dc-chart4](images/plan/dc-chart4.png)
 
 Domain controllers 1 through 5 now share the public key trust authentication load where each domain controller handles 20 percent of the public key trust load but they each still handle 10 percent of the password and certificate trust authentication. These domain controllers still have a heavier load than domain controllers 6 through 10; however, the load is adequately distributed. Now look the scenario when half of the client computers are upgraded to Windows Hello for Business using a key-trust deployment.
 
-![dc-chart5.](images/plan/dc-chart5.png)
+![dc-chart5](images/plan/dc-chart5.png)
 
 You'll notice the distribution did not change.  Each Windows Server 2016 or later domain controller handles 20 percent of the public key trust authentication. However, increasing the volume of authentication (by increasing the number of clients) increases the amount of work that is represented by the same 20 percent. In the previous example, 20 percent of public key trust authentication equated to a volume of 20 authentications per domain controller capable of public key trust authentication. However, with upgraded clients, that same 20 percent represents a volume of 100 public key trust authentications per public key trust capable domain controller. Also, the distribution of non-public key trust authentication remained at 10 percent, but the volume of password and certificate trust authentications decreased across the older domain controllers.
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
index f354ae19d4..ab73eab4f9 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
@@ -91,7 +91,7 @@ Sign-in the federation server with domain administrator equivalent credentials.
 5. Click **Next** on the **Select Certificate Enrollment Policy** page.
 6. On the **Request Certificates** page, Select the **Internal Web Server** check box.
 7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link   
-    ![Example of Certificate Properties Subject Tab - This is what shows when you click the above link.](images/hello-internal-web-server-cert.png)
+    ![Example of Certificate Properties Subject Tab - This is what shows when you click the above link](images/hello-internal-web-server-cert.png)
 8. Under **Subject name**, select **Common Name** from the **Type** list.  Type the FQDN of the computer hosting the Active Directory Federation Services role and then click **Add**.  
 9. Under **Alternative name**, select **DNS** from the **Type** list.  Type the FQDN of the name you will use for your federation services (fs.corp.contoso.com). The name you use here MUST match the name you use when configuring the Active Directory Federation Services server role.  Click **Add**. Repeat the same to add device registration service name (*enterpriseregistration.contoso.com*) as another alternative name. Click **OK** when finished.
 10. Click **Enroll**.
@@ -184,7 +184,7 @@ Sign-in the federation server with _domain administrator_ equivalent credentials
 
 1. Start **Server Manager**.
 2. Click the notification flag in the upper right corner. Click **Configure federation services on this server**.
-![Example of pop-up notification as described above.](images/hello-adfs-configure-2012r2.png)
+![Example of pop-up notification as described above](images/hello-adfs-configure-2012r2.png)
 3. On the **Welcome** page, click **Create the first federation server farm** and click **Next**.
 4. Click **Next** on the **Connect to Active Directory Domain Services** page.
 5. On the **Specify Service Properties** page, select the recently enrolled or imported certificate from the **SSL Certificate** list.  The certificate is likely named after your federation service, such as *fs.corp.contoso.com* or *fs.contoso.com*.
@@ -204,7 +204,7 @@ Sign-in the federation server with _domain administrator_ equivalent credentials
 
 1. Start **Server Manager**.
 2. Click the notification flag in the upper right corner.  Click **Configure federation services on this server**.
-![Example of pop-up notification as described above.](images/hello-adfs-configure-2012r2.png)
+![Example of pop-up notification as described above](images/hello-adfs-configure-2012r2.png)
 3. On the **Welcome** page, click **Create the first federation server farm** and click **Next**.
 4. Click **Next** on the **Connect to Active Directory Domain Services** page.
 5. On the **Specify Service Properties** page, select the recently enrolled or imported certificate from the **SSL Certificate** list. The certificate is likely named after your federation service, such as fs.corp.mstepdemo.net or fs.mstepdemo.net.
@@ -456,7 +456,7 @@ Sign-in the federation server with _Enterprise Admin_ equivalent credentials.
 6. On the **Select server roles** page, click **Next**.
 7. Select **Network Load Balancing** on the **Select features** page.
 8. Click **Install** to start the feature installation.
-   ![Feature selection screen with NLB selected.](images/hello-nlb-feature-install.png)
+   ![Feature selection screen with NLB selected](images/hello-nlb-feature-install.png)
 
 ### Configure Network Load Balancing for AD FS
 
@@ -465,25 +465,25 @@ Before you can load balance all the nodes in the AD FS farm, you must first crea
 Sign-in a node of the federation farm with _Admin_ equivalent credentials.
 
 1. Open **Network Load Balancing Manager** from **Administrative Tools**.
-    ![NLB Manager user interface.](images/hello-nlb-manager.png)
+    ![NLB Manager user interface](images/hello-nlb-manager.png)
 2. Right-click **Network Load Balancing Clusters**, and then click **New Cluster**.
 3. To connect to the host that is to be a part of the new cluster, in the **Host** text box, type the name of the host, and then click **Connect**.
-    ![NLB Manager - Connect to new Cluster screen.](images/hello-nlb-connect.png)
+    ![NLB Manager - Connect to new Cluster screen](images/hello-nlb-connect.png)
 4. Select the interface that you want to use with the cluster, and then click **Next**. (The interface hosts the virtual IP address and receives the client traffic to load balance.)
 5. In **Host Parameters**, select a value in **Priority (Unique host identifier)**. This parameter specifies a unique ID for each host. The host with the lowest numerical priority among the current members of the cluster handles all of the cluster's network traffic that is not covered by a port rule. Click **Next**.
 6. In **Cluster IP Addresses**, click **Add** and type the cluster IP address that is shared by every host in the cluster. NLB adds this IP address to the TCP/IP stack on the selected interface of all hosts that are chosen to be part of the cluster. Click **Next**.
-    ![NLB Manager - Add IP to New Cluster screen.](images/hello-nlb-add-ip.png)
+    ![NLB Manager - Add IP to New Cluster screen](images/hello-nlb-add-ip.png)
 7. In **Cluster Parameters**, select values in **IP Address** and **Subnet mask** (for IPv6 addresses, a subnet mask value is not needed). Type the full Internet name that users will use to access this NLB cluster.
-    ![NLB Manager - Cluster IP Configuration screen.](images/hello-nlb-cluster-ip-config.png)
+    ![NLB Manager - Cluster IP Configuration screen](images/hello-nlb-cluster-ip-config.png)
 8. In **Cluster operation mode**, click **Unicast** to specify that a unicast media access control (MAC) address should be used for cluster operations. In unicast mode, the MAC address of the cluster is assigned to the network adapter of the computer, and the built-in MAC address of the network adapter is not used. We recommend that you accept the unicast default settings. Click **Next**.
 9. In Port Rules, click Edit to modify the default port rules to use port 443.
-    ![NLB Manager - Add\Edit Port Rule screen.](images/hello-nlb-cluster-port-rule.png)
+    ![NLB Manager - Add\Edit Port Rule screen](images/hello-nlb-cluster-port-rule.png)
 
 ### Additional AD FS Servers
 
 1. To add more hosts to the cluster, right-click the new cluster, and then click **Add Host to Cluster**.
 2. Configure the host parameters (including host priority, dedicated IP addresses, and load weight) for the additional hosts by following the same instructions that you used to configure the initial host. Because you are adding hosts to an already configured cluster, all the cluster-wide parameters remain the same.
-    ![NLB Manager - Cluster with nodes.](images/hello-nlb-cluster.png)
+    ![NLB Manager - Cluster with nodes](images/hello-nlb-cluster.png)
 
 ## Configure DNS for Device Registration
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
index 57f12a0692..0686de8a9a 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
@@ -34,7 +34,7 @@ To locate the schema master role holder, open and command prompt and type:
 
 ```Netdom query fsmo | findstr -i “schema”```
 
-![Netdom example output.](images/hello-cmd-netdom.png)
+![Netdom example output](images/hello-cmd-netdom.png)
 
 The command should return the name of the domain controller where you need to adprep.exe.  Update the schema locally on the domain controller hosting the Schema master role.
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md
index 0bbce98b00..bafde6afc2 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md
@@ -51,7 +51,7 @@ Three approaches are documented here:
 
 1. Right-click the **Smartcard Logon** template and click **Duplicate Template**
 
-    ![Duplicating Smartcard Template.](images/rdpcert/duplicatetemplate.png)
+    ![Duplicating Smartcard Template](images/rdpcert/duplicatetemplate.png)
 
 1. On the **Compatibility** tab:
     1. Clear the **Show resulting changes** check box
@@ -109,7 +109,7 @@ Three approaches are documented here:
 
 1. In the Certificate Authority console, right-click **Certificate Templates**, select **New**, and select **Certificate Template to Issue**
 
-    ![Selecting Certificate Template to Issue.](images/rdpcert/certificatetemplatetoissue.png)
+    ![Selecting Certificate Template to Issue](images/rdpcert/certificatetemplatetoissue.png)
 
 1. From the list of templates, select the template you previously created (**WHFB Certificate Authentication**) and click **OK**. It can take some time for the template to replicate to all servers and become available in this list.
 
@@ -123,7 +123,7 @@ Three approaches are documented here:
 
 1. In the left pane of the MMC, right-click **Personal**, click **All Tasks**, and then click **Request New Certificate…**
 
-    ![Request a new certificate.](images/rdpcert/requestnewcertificate.png)
+    ![Request a new certificate](images/rdpcert/requestnewcertificate.png)
 
 1. On the Certificate Enrollment screen, click **Next**.
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
index 48a0d130df..476aed7683 100644
--- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
+++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
@@ -29,7 +29,7 @@ When you set up Windows Hello in Windows 10, you may get an error during the **
 
 The following image shows an example of an error during **Create a PIN**.
 
-![PIN error.](images/pinerror.png)
+![PIN error](images/pinerror.png)
 
 ## Error mitigations
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
index 2fbed0b012..0ecc622ba4 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
@@ -97,20 +97,20 @@ Before you can remotely reset PINs, you must on-board the Microsoft PIN reset se
 
 1. After you have logged in, choose **Accept** to give consent for the PIN reset service to access your account.
 
-   ![PIN reset service application in Azure.](images/pinreset/pin-reset-service-prompt.png)
+   ![PIN reset service application in Azure](images/pinreset/pin-reset-service-prompt.png)
 
 1. Go to the [Microsoft PIN Reset Client Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=9115dd05-fad5-4f9c-acc7-305d08b1b04e&resource=https%3A%2F%2Fcred.microsoft.com%2F&redirect_uri=ms-appx-web%3A%2F%2FMicrosoft.AAD.BrokerPlugin%2F9115dd05-fad5-4f9c-acc7-305d08b1b04e&state=6765f8c5-f4a7-4029-b667-46a6776ad611&prompt=admin_consent), and sign in using the Global administrator account you use to manage your Azure Active Directory tenant.
 
 1. After you have logged in, choose **Accept** to give consent for the PIN reset client to access your account.
 
-   ![PIN reset client application in Azure.](images/pinreset/pin-reset-client-prompt.png)
+   ![PIN reset client application in Azure](images/pinreset/pin-reset-client-prompt.png)
 
    > [!NOTE]
    > After you have accepted the PIN reset service and client requests, you will land on a page that states "You do not have permission to view this directory or page." This behavior is expected. Be sure to confirm that the two PIN reset applications are listed for your tenant.
 
 1. In the [Azure portal](https://portal.azure.com), verify that the Microsoft PIN Reset Service and Microsoft PIN Reset Client are integrated from the **Enterprise applications** blade. Filter to application status "Enabled" and both Microsoft Pin Reset Service Production and Microsoft Pin Reset Client Production will show up in your tenant.
 
-   :::image type="content" alt-text="PIN reset service permissions page." source="images/pinreset/pin-reset-applications.png" lightbox="images/pinreset/pin-reset-applications.png":::
+   :::image type="content" alt-text="PIN reset service permissions page" source="images/pinreset/pin-reset-applications.png" lightbox="images/pinreset/pin-reset-applications.png":::
 
 ### Configure Windows devices to use PIN reset using Group Policy
 
@@ -210,7 +210,7 @@ The [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-au
     - **Data type:** String
     - **Value**: Provide a semicolon delimited list of domains needed for authentication during the PIN reset scenario. An example value would be _signin.contoso.com;portal.contoso.com_ (without quotation marks)
 
-    :::image type="content" alt-text="Custom Configuration for ConfigureWebSignInAllowedUrls policy." source="images/pinreset/allowlist.png" lightbox="images/pinreset/allowlist.png":::
+    :::image type="content" alt-text="Custom Configuration for ConfigureWebSignInAllowedUrls policy" source="images/pinreset/allowlist.png" lightbox="images/pinreset/allowlist.png":::
 
 1. Click the Save button to save the custom configuration.
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md
index b5361a656c..30dc6c78e6 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md
@@ -55,7 +55,7 @@ Windows Hello for Business emulates a smart card for application compatibility.
 Users appreciate convenience of biometrics and administrators value the security however, you may experience compatibility issues with your applications and Windows Hello for Business certificates.  You can relax knowing a Group Policy setting and a [MDM URI](/windows/client-management/mdm/passportforwork-csp) exist to help you revert to the previous behavior for those users who need it.
 
 > [!div class="mx-imgBorder"]
-> ![WHFB Certificate GP Setting.](images/rdpbio/rdpbiopolicysetting.png)
+> ![WHFB Certificate GP Setting](images/rdpbio/rdpbiopolicysetting.png)
 
 > [!IMPORTANT]
 > The remote desktop with biometric feature does not work with [Dual Enrollment](hello-feature-dual-enrollment.md) feature or scenarios where the user provides alternative credentials.  Microsoft continues to investigate supporting the feature.
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
index 1efcc90b24..a90f1587c2 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
@@ -31,7 +31,7 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c
 
 
 ## Azure AD join authentication to Azure Active Directory
-![Azure AD join authentication to Azure Active Directory.](images/howitworks/auth-aadj-cloud.png)
+![Azure AD join authentication to Azure Active Directory](images/howitworks/auth-aadj-cloud.png)
 
 | Phase  | Description  |
 | :----: | :----------- |
@@ -42,7 +42,7 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c
 |E | The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT, and informs winlogon of the success authentication.  Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.| 
 
 ## Azure AD join authentication to Active Directory using a Key
-![Azure AD join authentication to Active Directory using a Key.](images/howitworks/auth-aadj-keytrust-kerb.png)
+![Azure AD join authentication to Active Directory using a Key](images/howitworks/auth-aadj-keytrust-kerb.png)
 
 
 | Phase  | Description  |
@@ -56,7 +56,7 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c
 
 
 ## Azure AD join authentication to Active Directory using a Certificate
-![Azure AD join authentication to Active Directory using a Certificate.](images/howitworks/auth-aadj-certtrust-kerb.png)
+![Azure AD join authentication to Active Directory using a Certificate](images/howitworks/auth-aadj-certtrust-kerb.png)
 
 | Phase  | Description  |
 | :----: | :----------- |
@@ -69,7 +69,7 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c
 
 
 ## Hybrid Azure AD join authentication using a Key
-![Hybrid Azure AD join authentication using a Key.](images/howitworks/auth-haadj-keytrust.png)
+![Hybrid Azure AD join authentication using a Key](images/howitworks/auth-haadj-keytrust.png)
 
 | Phase  | Description  |
 | :----: | :----------- |
@@ -85,7 +85,7 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c
 > In the above deployment model, a newly provisioned user will not be able to sign in using Windows Hello for Business until (a) Azure AD Connect successfully synchronizes the public key to the on-premises Active Directory and (b) device has line of sight to the domain controller for the first time.
 
 ## Hybrid Azure AD join authentication using a Certificate
-![Hybrid Azure AD join authentication using a Certificate.](images/howitworks/auth-haadj-certtrust.png)
+![Hybrid Azure AD join authentication using a Certificate](images/howitworks/auth-haadj-certtrust.png)
 
 | Phase  | Description  |
 | :----: | :----------- |
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
index 20008e7565..0fb161ccb5 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
@@ -37,7 +37,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
 
 
 ## Azure AD joined provisioning in a Managed environment
-![Azure AD joined provisioning in a Managed environment.](images/howitworks/prov-aadj-managed.png)
+![Azure AD joined provisioning in a Managed environment](images/howitworks/prov-aadj-managed.png)
 
 | Phase  | Description  |
 | :----: | :----------- |
@@ -48,7 +48,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
 
 [Return to top](#windows-hello-for-business-provisioning)
 ## Azure AD joined provisioning in a Federated environment
-![Azure AD joined provisioning in a Managed environment.](images/howitworks/prov-aadj-federated.png)
+![Azure AD joined provisioning in a Managed environment](images/howitworks/prov-aadj-federated.png)
 
 | Phase  | Description  |
 | :----: | :----------- |
@@ -58,7 +58,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
 
 [Return to top](#windows-hello-for-business-provisioning)
 ## Hybrid Azure AD joined provisioning in a Key Trust deployment in a Managed environment
-![Hybrid Azure AD joined provisioning in a Key Trust deployment in a Managed environment.](images/howitworks/prov-haadj-keytrust-managed.png)
+![Hybrid Azure AD joined provisioning in a Key Trust deployment in a Managed environment](images/howitworks/prov-haadj-keytrust-managed.png)
 
 
 | Phase | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
@@ -76,7 +76,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
 
 [Return to top](#windows-hello-for-business-provisioning)
 ## Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Federated environment
-![Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Federated environment.](images/howitworks/prov-haadj-instant-certtrust-federated.png)
+![Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Federated environment](images/howitworks/prov-haadj-instant-certtrust-federated.png)
 
 
 | Phase | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
@@ -94,7 +94,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
 
 [Return to top](#windows-hello-for-business-provisioning)
 ## Domain joined provisioning in an On-premises Key Trust deployment
-![Domain joined provisioning in an On-premises Key Trust deployment.](images/howitworks/prov-onprem-keytrust.png)
+![Domain joined provisioning in an On-premises Key Trust deployment](images/howitworks/prov-onprem-keytrust.png)
 
 | Phase  | Description  |
 | :----: | :----------- |
@@ -105,7 +105,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
 
 [Return to top](#windows-hello-for-business-provisioning)
 ## Domain joined provisioning in an On-premises Certificate Trust deployment
-![Domain joined provisioning in an On-premises Certificate Trust deployment.](images/howitworks/prov-onprem-certtrust.png)
+![Domain joined provisioning in an On-premises Certificate Trust deployment](images/howitworks/prov-onprem-certtrust.png)
 
 | Phase  | Description  |
 | :----: | :----------- |
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
index 13246cec6f..8e0a208a86 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
@@ -40,19 +40,19 @@ Before adding Azure Active Directory (Azure AD) joined devices to your existing
 Azure AD join, as well as hybrid Azure AD join devices register the user's Windows Hello for Business credential with Azure.  To enable on-premises authentication, the credential must be synchronized to the on-premises Active Directory, regardless whether you are using a key or a certificate.  Ensure you have Azure AD Connect installed and functioning properly.  To learn more about Azure AD Connect, read [Integrate your on-premises directories with Azure Active Directory](/azure/active-directory/connect/active-directory-aadconnect).
 
 If you upgraded your Active Directory schema to the Windows Server 2016 schema after installing Azure AD Connect, run Azure AD Connect and run **Refresh directory schema** from the list of tasks.
-![Azure AD Connect Schema Refresh.](images/aadj/aadconnectschema.png)
+![Azure AD Connect Schema Refresh](images/aadj/aadconnectschema.png)
 
 ### Azure Active Directory Device Registration
 A fundamental prerequisite of all cloud and hybrid Windows Hello for Business deployments is device registration.  A user cannot provision Windows Hello for Business unless the device from which they are trying to provision has registered with Azure Active Directory.  For more information about device registration, read [Introduction to device management in Azure Active Directory](/azure/active-directory/devices/overview).
 
 You can use the **dsregcmd.exe** command to determine if your device is registered to Azure Active Directory.
-![dsregcmd output.](images/aadj/dsregcmd.png)
+![dsregcmd output](images/aadj/dsregcmd.png)
 
 ### CRL Distribution Point (CDP)
 
 Certificates issued by a certificate authority can be revoked.  When a certificate authority revokes as certificate, it writes information about the certificate into a revocation list.  During certificate validation, Windows 10 consults the CRL distribution point within the certificate to get a list of revoked certificates.  Validation compares the current certificate with information in the certificate revocation list to determine if the certificate remains valid.  
 
-![Domain Controller Certificate with LDAP CDP.](images/aadj/Certificate-CDP.png)
+![Domain Controller Certificate with LDAP CDP](images/aadj/Certificate-CDP.png)
 
 The preceding domain controller certificate shows a CRL distribution path (CDP) using Active Directory.  You can determine this because the value in the URL begins with **ldap**.  Using Active Directory for domain joined devices provides a highly available CRL distribution point.  However, Azure Active Directory joined devices and users on Azure Active Directory joined devices cannot read data from Active Directory, and certificate validation does not provide an opportunity to authenticate prior to reading the certificate revocation list.  This becomes a circular problem as the user is attempting to authenticate, but must read Active Directory to complete the authentication, but the user cannot read Active Directory because they have not authenticated.
 
@@ -122,16 +122,16 @@ You need to host your new certificate revocation list of a web server so Azure A
 1. From **Windows Administrative Tools**, Open **Internet Information Services (IIS) Manager**.
 2. Expand the navigation pane to show **Default Web Site**.  Select and then right-click **Default Web site** and click **Add Virtual Directory...**.
 3. In the **Add Virtual Directory** dialog box, type **cdp** in **alias**.  For physical path, type or browse for the physical file location where you will host the certificate revocation list.  For this example, the path **c:\cdp** is used. Click **OK**.
-   ![Add Virtual Directory.](images/aadj/iis-add-virtual-directory.png) 
+   ![Add Virtual Directory](images/aadj/iis-add-virtual-directory.png) 
    > [!NOTE]
    > Make note of this path as you will use it later to configure share and file permissions.
 
 4. Select **CDP** under **Default Web Site** in the navigation pane.  Double-click **Directory Browsing** in the content pane.  Click **Enable** in the details pane.
 5. Select **CDP** under **Default Web Site** in the navigation pane.  Double-click **Configuration Editor**.
 6. In the **Section** list, navigate to **system.webServer/security/requestFiltering**.
-   ![IIS Configuration Editor requestFiltering.](images/aadj/iis-config-editor-requestFiltering.png)   
+   ![IIS Configuration Editor requestFiltering](images/aadj/iis-config-editor-requestFiltering.png)   
    In the list of named value-pairs in the content pane, configure **allowDoubleEscaping** to **True**.  Click **Apply** in the actions pane.
-   ![IIS Configuration Editor double escaping.](images/aadj/iis-config-editor-allowDoubleEscaping.png)
+   ![IIS Configuration Editor double escaping](images/aadj/iis-config-editor-allowDoubleEscaping.png)
 7. Close **Internet Information Services (IIS) Manager**. 
 
 #### Create a DNS resource record for the CRL distribution point URL 
@@ -139,7 +139,7 @@ You need to host your new certificate revocation list of a web server so Azure A
 1. On your DNS server or from an administrative workstation, open **DNS Manager** from **Administrative Tools**.
 2. Expand **Forward Lookup Zones** to show the DNS zone for your domain.  Right-click your domain name in the navigation pane and click **New Host (A or AAAA)...**.
 3. In the **New Host** dialog box, type **crl** in **Name**.  Type the IP address of the web server you configured in **IP Address**. Click **Add Host**.  Click **OK** to close the **DNS** dialog box.  Click **Done**.
-![Create DNS host record.](images/aadj/dns-new-host-dialog.png)
+![Create DNS host record](images/aadj/dns-new-host-dialog.png)
 4. Close the **DNS Manager**. 
 
 ### Prepare a file share to host the certificate revocation list
@@ -151,12 +151,12 @@ These procedures configure NTFS and share permissions on the web server to allow
 1. On the web server, open **Windows Explorer** and navigate to the **cdp** folder you created in step 3 of [Configure the Web Server](#configure-the-web-server).
 2. Right-click the **cdp** folder and click **Properties**.  Click the **Sharing** tab.  Click **Advanced Sharing**.
 3. Select **Share this folder**. Type **cdp$** in **Share name**. Click **Permissions**.
-![cdp sharing.](images/aadj/cdp-sharing.png)
+![cdp sharing](images/aadj/cdp-sharing.png)
 4. In the **Permissions for cdp$** dialog box, click **Add**.
 5. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, click **Object Types**.  In the **Object Types** dialog box, select **Computers**, and then click **OK**.
 7. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, in **Enter the object names to select**, type the name of the server running the certificate authority issuing the certificate revocation list, and then click **Check Names**. Click **OK**.
 8. In the **Permissions for cdp$** dialog box, select the certificate authority from the **Group or user names list**. In the **Permissions for** section, select **Allow** for **Full control**. Click **OK**.
-![CDP Share Permissions.](images/aadj/cdp-share-permissions.png)
+![CDP Share Permissions](images/aadj/cdp-share-permissions.png)
 9. In the **Advanced Sharing** dialog box, click **OK**.
 
 > [!Tip]
@@ -166,7 +166,7 @@ These procedures configure NTFS and share permissions on the web server to allow
 1. On the web server, open **Windows Explorer** and navigate to the **cdp** folder you created in step 3 of [Configure the Web Server](#configure-the-web-server).
 2. Right-click the **cdp** folder and click **Properties**.  Click the **Sharing** tab.  Click **Advanced Sharing**.
 3. Click **Caching**. Select **No files or programs from the shared folder are available offline**.
-![CDP disable caching.](images/aadj/cdp-disable-caching.png)
+![CDP disable caching](images/aadj/cdp-disable-caching.png)
 4. Click **OK**. 
 
 #### Configure NTFS permission for the CDP folder
@@ -175,7 +175,7 @@ These procedures configure NTFS and share permissions on the web server to allow
 2. Right-click the **cdp** folder and click **Properties**.  Click the **Security** tab.
 3. On the **Security** tab, click Edit.
 5. In the **Permissions for cdp** dialog box, click **Add**.
-![CDP NTFS Permissions.](images/aadj/cdp-ntfs-permissions.png)
+![CDP NTFS Permissions](images/aadj/cdp-ntfs-permissions.png)
 6. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, click **Object Types**.  In the **Object Types** dialog box, select **Computers**. Click **OK**.
 7. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, in **Enter the object names to select**, type the name of the certificate authority, and then click **Check Names**. Click **OK**.
 8. In the **Permissions for cdp** dialog box, select the name of the certificate authority from the **Group or user names** list. In the **Permissions for** section, select **Allow** for **Full control**. Click **OK**.
@@ -192,11 +192,11 @@ The web server is ready to host the CRL distribution point.  Now, configure the
 2. In the navigation pane, right-click the name of the certificate authority and click **Properties**
 3. Click **Extensions**.  On the **Extensions** tab, select **CRL Distribution Point (CDP)** from the **Select extension** list.
 4. On the **Extensions** tab, click **Add**. Type <b>http://crl.[domainname]/cdp/</b> in **location**.  For example, *<http://crl.corp.contoso.com/cdp/>* or *<http://crl.contoso.com/cdp/>* (do not forget the trailing forward slash). 
-   ![CDP New Location dialog box.](images/aadj/cdp-extension-new-location.png)
+   ![CDP New Location dialog box](images/aadj/cdp-extension-new-location.png)
 5. Select **\<CaName>** from the **Variable** list and click **Insert**.  Select **\<CRLNameSuffix>** from the **Variable** list and click **Insert**.  Select **\<DeltaCRLAllowed>** from the **Variable** list and click **Insert**.
 6. Type **.crl** at the end of the text in **Location**. Click **OK**.
 7. Select the CDP you just created.
-   ![CDP complete http.](images/aadj/cdp-extension-complete-http.png)
+   ![CDP complete http](images/aadj/cdp-extension-complete-http.png)
 8. Select **Include in CRLs.  Clients use this to find Delta CRL locations**.
 9. Select **Include in the CDP extension of issued certificates**.
 10. Click **Apply** save your selections.  Click **No** when ask to restart the service.
@@ -213,7 +213,7 @@ The web server is ready to host the CRL distribution point.  Now, configure the
 5. Select **\<CaName>** from the **Variable** list and click **Insert**.  Select **\<CRLNameSuffix>** from the **Variable** list and click **Insert**.  Select **\<DeltaCRLAllowed>** from the **Variable** list and click **Insert**.
 6. Type **.crl** at the end of the text in **Location**. Click **OK**.
 7. Select the CDP you just created.
-   ![CDP publishing location.](images/aadj/cdp-extension-complete-unc.png)
+   ![CDP publishing location](images/aadj/cdp-extension-complete-unc.png)
 8. Select **Publish CRLs to this location**.
 9. Select **Publish Delta CRLs to this location**.
 10. Click **Apply** save your selections.  Click **Yes** when ask to restart the service.  Click **OK** to close the properties dialog box.
@@ -222,7 +222,7 @@ The web server is ready to host the CRL distribution point.  Now, configure the
 
 1. On the issuing certificate authority, sign-in as a local administrator.  Start the **Certificate Authority** console from **Administrative Tools**.
 2. In the navigation pane, right-click **Revoked Certificates**, hover over **All Tasks**, and click **Publish**
-![Publish a New CRL.](images/aadj/publish-new-crl.png)
+![Publish a New CRL](images/aadj/publish-new-crl.png)
 3. In the **Publish CRL** dialog box, select **New CRL** and click **OK**.
 
 #### Validate CDP Publishing
@@ -230,7 +230,7 @@ The web server is ready to host the CRL distribution point.  Now, configure the
 Validate your new CRL distribution point is working. 
 
 1. Open a web browser. Navigate to <b>http://crl.[yourdomain].com/cdp</b>.  You should see two files created from publishing your new CRL.
-   ![Validate the new CRL.](images/aadj/validate-cdp-using-browser.png)
+   ![Validate the new CRL](images/aadj/validate-cdp-using-browser.png)
 
 ### Reissue domain controller certificates
 
@@ -239,9 +239,9 @@ With the CA properly configured with a valid HTTP-based CRL distribution point,
 1. Sign-in a domain controller using administrative credentials.
 2. Open the **Run** dialog box.  Type **certlm.msc** to open the **Certificate Manager** for the local computer.
 3. In the navigation pane, expand **Personal**.  Click **Certificates**.  In the details pane, select the existing domain controller certificate includes **KDC Authentication** in the list of **Intended Purposes**.
-![Certificate Manager Personal store.](images/aadj/certlm-personal-store.png)
+![Certificate Manager Personal store](images/aadj/certlm-personal-store.png)
 4. Right-click the selected certificate.  Hover over **All Tasks** and then select **Renew Certificate with New Key...**.  In the **Certificate Enrollment** wizard, click **Next**.
-![Renew with New key.](images/aadj/certlm-renew-with-new-key.png) 
+![Renew with New key](images/aadj/certlm-renew-with-new-key.png) 
 5. In the **Request Certificates** page of the wizard, verify the selected certificate has the correct certificate template and ensure the status is available.  Click **Enroll**.
 6. After the enrollment completes, click **Finish** to close the wizard. 
 7. Repeat this procedure on all your domain controllers.
@@ -259,7 +259,7 @@ With the CA properly configured with a valid HTTP-based CRL distribution point,
 3. In the navigation pane, expand **Personal**.  Click **Certificates**.  In the details pane, double-click the existing domain controller certificate includes **KDC Authentication** in the list of **Intended Purposes**.
 4. Click the **Details** tab.  Scroll down the list until **CRL Distribution Points** is visible in the **Field** column of the list.  Select **CRL Distribution Point**.
 5. Review the information below the list of fields to confirm the new URL for the CRL distribution point is present in the certificate.  Click **OK**.</br>
-![New Certificate with updated CDP.](images/aadj/dc-cert-with-new-cdp.png)
+![New Certificate with updated CDP](images/aadj/dc-cert-with-new-cdp.png)
 
 
 ## Configure and Assign a Trusted Certificate Device Configuration Profile
@@ -276,13 +276,13 @@ Steps you will perform include:
 2. Open the **Run** dialog box.  Type **certlm.msc** to open the **Certificate Manager** for the local computer.
 3. In the navigation pane, expand **Personal**.  Click **Certificates**.  In the details pane, double-click the existing domain controller certificate includes **KDC Authentication** in the list of **Intended Purposes**.
 4. Click the **Certification Path** tab.  In the **Certification path** view, select the top most node and click **View Certificate**.
-![Certificate Path.](images/aadj/certlm-cert-path-tab.png)
+![Certificate Path](images/aadj/certlm-cert-path-tab.png)
 5. In the new **Certificate** dialog box, click the **Details** tab. Click **Copy to File**.
-![Details tab and copy to file.](images/aadj/certlm-root-cert-details-tab.png)
+![Details tab and copy to file](images/aadj/certlm-root-cert-details-tab.png)
 6. In the **Certificate Export Wizard**, click **Next**.  
 7. On the **Export File Format** page of the wizard, click **Next**.  
 8. On the **File to Export** page in the wizard, type the name and location of the root certificate and click **Next**. Click **Finish** and then click **OK** to close the success dialog box.
-![Export root certificate.](images/aadj/certlm-export-root-certificate.png)
+![Export root certificate](images/aadj/certlm-export-root-certificate.png)
 9. Click **OK**  two times to return to the **Certificate Manager** for the local computer.  Close the **Certificate Manager**.
 
 ### Create and Assign a Trust Certificate Device Configuration Profile
@@ -291,12 +291,12 @@ A **Trusted Certificate** device configuration profile is how you deploy trusted
 
 1. Sign-in to the [Microsoft Azure Portal](https://portal.azure.com) and select **Microsoft Intune**.
 2. Click **Device configuration**.  In the **Device Configuration** blade, click **Create profile**.
-![Intune Create Profile.](images/aadj/intune-create-device-config-profile.png)
+![Intune Create Profile](images/aadj/intune-create-device-config-profile.png)
 3. In the **Create profile** blade, type **Enterprise Root Certificate** in **Name**.  Provide a description.  Select **Windows 10 and later** from the **Platform** list.  Select **Trusted certificate** from the **Profile type** list.  Click **Configure**.
 4. In the **Trusted Certificate** blade, use the folder icon to browse for the location of the enterprise root certificate file you created in step 8 of [Export Enterprise Root certificate](#export-enterprise-root-certificate).  Click **OK**.  Click **Create**.
-![Intune Trusted Certificate Profile.](images/aadj/intune-create-trusted-certificate-profile.png)
+![Intune Trusted Certificate Profile](images/aadj/intune-create-trusted-certificate-profile.png)
 5. In the **Enterprise Root Certificate** blade, click **Assignments**.  In the **Include** tab, select **All Devices** from the **Assign to** list.  Click **Save**.
-![Intune Profile assignment.](images/aadj/intune-device-config-enterprise-root-assignment.png)
+![Intune Profile assignment](images/aadj/intune-device-config-enterprise-root-assignment.png)
 6. Sign out of the Microsoft Azure Portal.
 > [!NOTE]
 > After the creation, the **supported platform** parameter of the profile will contain the value "Windows 8.1 and later", as the certificate configuration for Windows 8.1 and Windows 10 is the same.
@@ -310,7 +310,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
 3. Choose **Enroll devices**.
 4. Select **Windows enrollment**.
 5. Under **Windows enrollment**, select **Windows Hello for Business**.
-   ![Create Windows Hello for Business Policy.](images/aadj/MEM.png)
+   ![Create Windows Hello for Business Policy](images/aadj/MEM.png)
 6. Select **Enabled** from the **Configure Windows Hello for Business** list.
 7. Select **Required** next to **Use a Trusted Platform Module (TPM)**. By default, Windows Hello for Business prefers TPM 2.0 or falls backs to software. Choosing **Required** forces Windows Hello for Business to only use TPM 2.0 or TPM 1.2 and does not allow fall back to software-based keys.
 8. Enter the desired **Minimum PIN length** and **Maximum PIN length**.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
index e4ada9da90..b8ce7af3da 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
@@ -82,7 +82,7 @@ The easiest way to verify the onPremisesDistingushedNamne attribute is synchroni
 2. Click **Login** and provide Azure credentials
 3. In the Azure AD Graph Explorer URL, type https://graph.windows.net/myorganization/users/[userid], where **[userid]** is the user principal name of user in Azure Active Directory.  Click **Go**
 4. In the returned results, review the JSON data for the **onPremisesDistinguishedName** attribute.  Ensure the attribute has a value and the value is accurate for the given user.
-   ![Azure AD Connect On-Prem DN Attribute.](images/aadjcert/aadconnectonpremdn.png)
+   ![Azure AD Connect On-Prem DN Attribute](images/aadjcert/aadconnectonpremdn.png)
 
 ## Prepare the Network Device Enrollment Services (NDES) Service Account
 
@@ -259,15 +259,15 @@ Sign-in to the certificate authority or management workstations with an _Enterpr
 1. Open **Server Manager** on the NDES server.
 2. Click **Manage**.  Click **Add Roles and Features**.
 3. In the **Add Roles and Features Wizard**, on the **Before you begin** page, click **Next**.  Select **Role-based or feature-based installation** on the **Select installation type** page.  Click **Next**.  Click **Select a server from the server pool**.  Select the local server from the **Server Pool** list.  Click **Next**.
-   ![Server Manager destination server.](images/aadjCert/servermanager-destination-server-ndes.png)
+   ![Server Manager destination server](images/aadjCert/servermanager-destination-server-ndes.png)
 4. On the **Select server roles** page, select **Active Directory Certificate Services** from the **Roles** list.
-   ![Server Manager AD CS Role.](images/aadjCert/servermanager-adcs-role.png)
+   ![Server Manager AD CS Role](images/aadjCert/servermanager-adcs-role.png)
    Click **Add Features** on the **Add Roles and Feature Wizard** dialog box.  Click **Next**.
-   ![Server Manager Add Features.](images/aadjcert/serverManager-adcs-add-features.png)
+   ![Server Manager Add Features](images/aadjcert/serverManager-adcs-add-features.png)
 5. On the **Features** page, expand **.NET Framework 3.5 Features**.  Select **HTTP Activation**.  Click **Add Features** on the **Add Roles and Feature Wizard** dialog box.  Expand **.NET Framework 4.5 Features**.  Expand **WCF Services**.  Select **HTTP Activation**.  Click **Add Features** on the **Add Roles and Feature Wizard** dialog box.  Click **Next**.
-   ![Server Manager Feature HTTP Activation.](images/aadjcert/servermanager-adcs-http-activation.png)
+   ![Server Manager Feature HTTP Activation](images/aadjcert/servermanager-adcs-http-activation.png)
 6. On the **Select role services** page, clear the **Certificate Authority** check box. Select the **Network Device Enrollment Service**.  Click **Add Features** on the **Add Roles and Features Wizard** dialog box. Click **Next**.
-   ![Server Manager ADCS NDES Role.](images/aadjcert/servermanager-adcs-ndes-role-checked.png)
+   ![Server Manager ADCS NDES Role](images/aadjcert/servermanager-adcs-ndes-role-checked.png)
 7. Click **Next** on the **Web Server Role (IIS)** page.
 8. On the **Select role services** page for the Web Serve role, Select the following additional services if they are not already selected and then click **Next**.
    * **Web Server > Security > Request Filtering**
@@ -275,11 +275,11 @@ Sign-in to the certificate authority or management workstations with an _Enterpr
    * **Web Server > Application Development > ASP.NET 4.5**.   .
    * **Management Tools > IIS 6 Management Compatibility > IIS 6 Metabase Compatibility**
    * **Management Tools > IIS 6 Management Compatibility > IIS 6 WMI Compatibility**
-   ![Server Manager Web Server Role.](images/aadjcert/servermanager-adcs-webserver-role.png)
+   ![Server Manager Web Server Role](images/aadjcert/servermanager-adcs-webserver-role.png)
 9. Click **Install**. When the installation completes, continue with the next procedure.  **Do not click Close**.
    > [!IMPORTANT]
    > .NET Framework 3.5 is not included in the typical installation.  If the server is connected to the Internet, the installation attempts to get the files using Windows Update.  If the server is not connected to the Internet, you need to **Specify an alternate source path** such as \<driveLetter>:\\Sources\SxS\
-   ![.NET Side by Side.](images/aadjcert/dotNet35sidebyside.png)
+   ![.NET Side by Side](images/aadjcert/dotNet35sidebyside.png)
 
 ### Configure the NDES service account
 This task adds the NDES service account to the local IIS_USRS group.  The task also configures the NDES service account for Kerberos authentication and delegation
@@ -308,7 +308,7 @@ Sign-in the NDES server with access equivalent to _Domain Admins_.
 > [!NOTE]
 > If you use the same service account for multiple NDES Servers, repeat the following task for each NDES server under which the NDES service runs.
 
-![Set SPN command prompt.](images/aadjcert/setspn-commandprompt.png)
+![Set SPN command prompt](images/aadjcert/setspn-commandprompt.png)
 
 #### Configure the NDES Service account for delegation
 The NDES service enrolls certificates on behalf of users.  Therefore, you want to limit the actions it can perform on behalf of the user. You do this through delegation.
@@ -317,16 +317,16 @@ Sign-in a domain controller with a minimum access equivalent to _Domain Admins_.
 
 1. Open **Active Directory Users and Computers**
 2. Locate the NDES Service account (NDESSvc). Right-click and select **Properties**. Click the **Delegation** tab.
-   ![NDES Delegation Tab.](images/aadjcert/ndessvcdelegationtab.png)
+   ![NDES Delegation Tab](images/aadjcert/ndessvcdelegationtab.png)
 3. Select **Trust this user for delegation to specified services only**.
 4. Select **Use any authentication protocol**.
 5. Click **Add**.
 6. Click **Users or Computers...**  Type the name of the _NDES Server_ you use to issue Windows Hello for Business authentication certificates to Azure AD joined devices.  From the **Avaiable services** list, select **HOST**.  Click **OK**.
-   ![NDES Service delegation to NDES host.](images/aadjcert/ndessvcdelegation-host-ndes-spn.png)
+   ![NDES Service delegation to NDES host](images/aadjcert/ndessvcdelegation-host-ndes-spn.png)
 7. Repeat steps 5 and 6 for each NDES server using this service account. Click **Add**.
 8. Click **Users or computers...**  Type the name of the issuing certificate authority this NDES service account uses to issue Windows Hello for Business authentication certificates to Azure AD joined devices.  From the **Available services** list, select **dcom**.  Hold the **CTRL** key and select **HOST**. Click **OK**.
 9. Repeat steps 8 and 9 for each issuing certificate authority from which one or more NDES servers request certificates.
-   ![NDES Service delegation complete.](images/aadjcert/ndessvcdelegation-host-ca-spn.png)
+   ![NDES Service delegation complete](images/aadjcert/ndessvcdelegation-host-ca-spn.png)
 10. Click **OK**.  Close **Active Directory Users and Computers**.
 
 ### Configure the NDES Role and Certificate Templates
@@ -338,21 +338,21 @@ Sign-in to the certificate authority or management workstations with an _Enterpr
 > [!NOTE]
 > If you closed Server Manger from the last set of tasks, start Server Manager and click the action flag that shows a yellow exclamation point.
 
-![Server Manager Post-Install Yellow flag.](images/aadjcert/servermanager-post-ndes-yellowactionflag.png)
+![Server Manager Post-Install Yellow flag](images/aadjcert/servermanager-post-ndes-yellowactionflag.png)
 
 1. Click the **Configure Active Directory Certificate Services on the destination server** link.
 2. On the **Credentials** page, click **Next**.
-   ![NDES Installation Credentials.](images/aadjcert/ndesconfig01.png)
+   ![NDES Installation Credentials](images/aadjcert/ndesconfig01.png)
 3. On the **Role Services** page, select **Network Device Enrollment Service** and then click **Next**
-   ![NDES Role Services.](images/aadjcert/ndesconfig02.png)
+   ![NDES Role Services](images/aadjcert/ndesconfig02.png)
 4. On the **Service Account for NDES** page, select **Specify service account (recommended)**.  Click **Select...**. Type the user name and password for the NDES service account in the **Windows Security** dialog box.  Click **Next**.
-   ![NDES Service Account for NDES.](images/aadjcert/ndesconfig03b.png)
+   ![NDES Service Account for NDES](images/aadjcert/ndesconfig03b.png)
 5. On the **CA for NDES** page, select **CA name**. Click **Select...**.  Select the issuing certificate authority from which the NDES server requests certificates.  Click **Next**.
-   ![NDES CA selection.](images/aadjcert/ndesconfig04.png)
+   ![NDES CA selection](images/aadjcert/ndesconfig04.png)
 6. On the **RA Information**, click **Next**.
 7. On the **Cryptography for NDES** page, click **Next**.
 8. Review the **Confirmation** page.  Click **Configure**.
-   ![NDES Confirmation.](images/aadjcert/ndesconfig05.png)
+   ![NDES Confirmation](images/aadjcert/ndesconfig05.png)
 8. Click **Close** after the configuration completes.
 
 #### Configure Certificate Templates on NDES
@@ -407,18 +407,18 @@ Sign-in a workstation with access equivalent to a _domain user_.
 2. Select **All Services**.  Type **Azure Active Directory** to filter the list of services.  Under **SERVICES**, Click **Azure Active Directory**.
 3. Under **MANAGE**, click **Application proxy**.
 4. Click **Download connector service**.  Click **Accept terms & Download**.  Save the file (AADApplicationProxyConnectorInstaller.exe) in a location accessible by others on the domain.
-   ![Azure Application Proxy Connectors.](images/aadjcert/azureconsole-applicationproxy-connectors-empty.png)
+   ![Azure Application Proxy Connectors](images/aadjcert/azureconsole-applicationproxy-connectors-empty.png)
 5. Sign-in the computer that will run the connector with access equivalent to a _domain user_.
    > [!IMPORTANT]
    > Install a minimum of two Azure Active Directory Proxy connectors for each NDES Application Proxy.  Strategically locate Azure AD application proxy connectors throughout your organization to ensure maximum availability.  Remember, devices running the connector must be able to communicate with Azure and the on-premises NDES servers.
 
 6. Start **AADApplicationProxyConnectorInstaller.exe**.
 7. Read the license terms and then select **I agree to the license terms and conditions**.  Click **Install**.
-   ![Azure Application Proxy Connector.](images/aadjcert/azureappproxyconnectorinstall-01.png)
+   ![Azure Application Proxy Connector](images/aadjcert/azureappproxyconnectorinstall-01.png)
 8. Sign-in to Microsoft Azure with access equivalent to **Global Administrator**.
-   ![Azure Application Proxy Connector.](images/aadjcert/azureappproxyconnectorinstall-02.png)
+   ![Azure Application Proxy Connector](images/aadjcert/azureappproxyconnectorinstall-02.png)
 9. When the installation completes. Read the information regarding outbound proxy servers.  Click **Close**.
-   ![Azure Application Proxy Connector.](images/aadjcert/azureappproxyconnectorinstall-03.png)
+   ![Azure Application Proxy Connector](images/aadjcert/azureappproxyconnectorinstall-03.png)
 10. Repeat steps 5 - 10 for each device that will run the Azure AD Application Proxy connector for Windows Hello for Business certificate deployments.
 
 #### Create a Connector Group
@@ -427,9 +427,9 @@ Sign-in a workstation with access equivalent to a _domain user_.
 1. Sign-in to the [Azure Portal](https://portal.azure.com/) with access equivalent to **Global Administrator**.
 2. Select **All Services**.  Type **Azure Active Directory** to filter the list of services.  Under **SERVICES**, Click **Azure Active Directory**.
 3. Under **MANAGE**, click **Application proxy**.
-   ![Azure Application Proxy Connector groups.](images/aadjcert/azureconsole-applicationproxy-connectors-default.png)
+   ![Azure Application Proxy Connector groups](images/aadjcert/azureconsole-applicationproxy-connectors-default.png)
 4. Click **New Connector Group**. Under **Name**, type **NDES WHFB Connectors**.
-   ![Azure Application New Connector Group.](images/aadjcert/azureconsole-applicationproxy-connectors-newconnectorgroup.png)
+   ![Azure Application New Connector Group](images/aadjcert/azureconsole-applicationproxy-connectors-newconnectorgroup.png)
 5. Select each connector agent in the **Connectors** list that will service Windows Hello for Business certificate enrollment requests.
 6. Click **Save**.
 
@@ -443,7 +443,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
 5. Under **Basic Settings** next to **Name**, type **WHFB NDES 01**.  Choose a name that correlates this Azure AD Application Proxy setting with the on-premises NDES server.  Each NDES server must have its own Azure AD Application Proxy as two NDES servers cannot share the same internal URL.
 6. Next to **Internal URL**, type the internal, fully qualified DNS name of the NDES server associated with this Azure AD Application Proxy.  For example, https://ndes.corp.mstepdemo.net).  You need to match the primary host name (AD Computer Account name) of the NDES server, and prefix the URL with **https**.
 7. Under **Internal URL**, select **https://** from the first list.  In the text box next to **https://**, type the hostname you want to use as your external hostname for the Azure AD Application Proxy.  In the list next to the hostname you typed, select a DNS suffix you want to use externally for the Azure AD Application Proxy.  It is recommended to use the default, -[tenantName].msapproxy.net where **[tenantName]** is your current Azure Active Directory tenant name (-mstephendemo.msappproxy.net).
-   ![Azure NDES Application Proxy Configuration.](images/aadjcert/azureconsole-appproxyconfig.png)
+   ![Azure NDES Application Proxy Configuration](images/aadjcert/azureconsole-appproxyconfig.png)
 8. Select **Passthrough** from the **Pre Authentication** list.
 9. Select **NDES WHFB Connectors** from the **Connector Group** list.
 10. Under **Additional Settings**, select **Default** from **Backend Application Timeout**.  Under the **Translate URLs In** section, select **Yes** next to **Headers** and select **No** next to **Application Body**.
@@ -465,7 +465,7 @@ Sign-in the NDES server with access equivalent to _local administrators_.
 5. Click **Next** on the **Select Certificate Enrollment Policy** page.
 6. On the **Request Certificates** page, Select the **NDES-Intune Authentication** check box.
 7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link
-   ![Example of Certificate Properties Subject Tab - This is what shows when you click the above link.](images/aadjcert/ndes-TLS-Cert-Enroll-subjectNameWithExternalName.png)
+   ![Example of Certificate Properties Subject Tab - This is what shows when you click the above link](images/aadjcert/ndes-TLS-Cert-Enroll-subjectNameWithExternalName.png)
 8. Under **Subject name**, select **Common Name** from the **Type** list.  Type the internal URL used in the previous task (without the https://, for example **ndes.corp.mstepdemo.net**) and then click **Add**.
 9. Under **Alternative name**, select **DNS** from the **Type** list.  Type the internal URL used in the previous task (without the https://, for example **ndes.corp.mstepdemo.net**).  Click **Add**. Type the external URL used in the previous task (without the https://, for example **ndes-mstephendemo.msappproxy.net**). Click **Add**. Click **OK** when finished.
 9. Click **Enroll**
@@ -478,12 +478,12 @@ Sign-in the NDES server with access equivalent to _local administrator_.
 
 1. Start **Internet Information Services (IIS) Manager** from **Administrative Tools**.
 2. Expand the node that has the name of the NDES server.  Expand **Sites** and select **Default Web Site**.
-   ![NDES IIS Console.](images/aadjcert/ndes-iis-console.png)
+   ![NDES IIS Console](images/aadjcert/ndes-iis-console.png)
 3. Click **Bindings...*** under **Actions**.  Click **Add**.
-   ![NDES IIS Console.](images/aadjcert/ndes-iis-bindings.png)
+   ![NDES IIS Console](images/aadjcert/ndes-iis-bindings.png)
 4. Select **https** from **Type**. Confirm the value for **Port** is **443**.
 5. Select the certificate you previously enrolled from the **SSL certificate** list.  Select **OK**.
-   ![NDES IIS Console.](images/aadjcert/ndes-iis-bindings-add-443.png)
+   ![NDES IIS Console](images/aadjcert/ndes-iis-bindings-add-443.png)
 6. Select **http** from the **Site Bindings** list.  Click **Remove**.
 7. Click **Close** on the **Site Bindings** dialog box.
 8. Close **Internet Information Services (IIS) Manager**.
@@ -509,10 +509,10 @@ Sign-in the NDES server with access equivalent to _local administrator_.
 
 A web page similar to the following should appear in your web browser.  If you do not see a similar page, or you get a **503 Service unavailable** message, ensure the NDES Service account has the proper user rights.  You can also review the application event log for events with the **NetworkDeviceEnrollmentSerice** source.
 
-![NDES IIS Console.](images/aadjcert/ndes-https-website-test-01.png)
+![NDES IIS Console](images/aadjcert/ndes-https-website-test-01.png)
 
 Confirm the web site uses the server authentication certificate.
-![NDES IIS Console.](images/aadjcert/ndes-https-website-test-01-show-cert.png)
+![NDES IIS Console](images/aadjcert/ndes-https-website-test-01-show-cert.png)
 
 
 ## Configure Network Device Enrollment Services to work with Microsoft Intune
@@ -527,7 +527,7 @@ Sign-in the NDES server with access equivalent to _local administrator_.
 1. Start **Internet Information Services (IIS) Manager** from **Administrative Tools**.
 2. Expand the node that has the name of the NDES server.  Expand **Sites** and select **Default Web Site**.
 3. In the content pane, double-click **Request Filtering**.  Click **Edit Feature Settings...** in the action pane.
-   ![Intune NDES Request filtering.](images/aadjcert/NDES-IIS-RequestFiltering.png)
+   ![Intune NDES Request filtering](images/aadjcert/NDES-IIS-RequestFiltering.png)
 4. Select **Allow unlisted file name extensions**.
 5. Select **Allow unlisted verbs**.
 6. Select **Allow high-bit characters**.
@@ -554,7 +554,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
 1. Sign-in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
 2. Select **Tenant administration** > **Connectors and tokens** > **Certificate connectors** > **Add**.
 3. Click **Download the certificate connector software** under the **Install Certificate Connectors** section.
-   ![Intune Certificate Authority.](images/aadjcert/profile01.png)
+   ![Intune Certificate Authority](images/aadjcert/profile01.png)
 4. Save the downloaded file (NDESConnectorSetup.exe) to a location accessible from the NDES server.
 5. Sign-out of the Microsoft Endpoint Manager admin center.
 
@@ -564,26 +564,26 @@ Sign-in the NDES server with access equivalent to _domain administrator_.
 1. Copy the Intune Certificate Connector Setup (NDESConnectorSetup.exe) downloaded in the previous task locally to the NDES server.
 2. Run **NDESConnectorSetup.exe** as an administrator. If the setup shows a dialog that reads **Microsoft Intune NDES Connector requires HTTP Activation**, ensure you started the application as an administrator, then check HTTP Activation is enabled on the NDES server.
 3. On the **Microsoft Intune** page, click **Next**.
-   ![Intune Connector Install 01.](images/aadjcert/intunecertconnectorinstall-01.png)
+   ![Intune Connector Install 01](images/aadjcert/intunecertconnectorinstall-01.png)
 4. Read the **End User License Agreement**.  Click **Next** to accept the agreement and to proceed with the installation.
 5. On the **Destination Folder** page, click **Next**.
 6. On the **Installation Options** page, select **SCEP and PFX Profile Distribution** and click **Next**.
-   ![Intune Connector Install 03.](images/aadjcert/intunecertconnectorinstall-03.png)
+   ![Intune Connector Install 03](images/aadjcert/intunecertconnectorinstall-03.png)
 7. On the **Client certificate for Microsoft Intune** page, Click **Select**.  Select the certificate previously enrolled for the NDES server. Click **Next**.
-   ![Intune Connector Install 05.](images/aadjcert/intunecertconnectorinstall-05.png)
+   ![Intune Connector Install 05](images/aadjcert/intunecertconnectorinstall-05.png)
 
    > [!NOTE]
    > The **Client certificate for Microsoft Intune** page does not update after selecting the client authentication certificate.  However, the application rembers the selection and shows it in the next page.
 
 8. On the **Client certificate for the NDES Policy Module** page, verify the certificate information and then click **Next**.
 9. ON the **Ready to install Microsoft Intune Connector** page. Click **Install**.
-   ![Intune Connector Install 06.](images/aadjcert/intunecertconnectorinstall-06.png)
+   ![Intune Connector Install 06](images/aadjcert/intunecertconnectorinstall-06.png)
 
    > [!NOTE]
    > You can review the results of the install using the **SetupMsi.log** file located in the **C:\\NDESConnectorSetupMsi** folder.
 
 10. When the installation completes, select **Launch Intune Connector** and click Finish. Proceed to the Configure the Intune Certificate Connector task.
-    ![Intune Connector install 07.](images/aadjcert/intunecertconnectorinstall-07.png)
+    ![Intune Connector install 07](images/aadjcert/intunecertconnectorinstall-07.png)
 
 ### Configure the Intune Certificate Connector
 Sign-in the NDES server with access equivalent to _domain administrator_.
@@ -594,10 +594,10 @@ Sign-in the NDES server with access equivalent to _domain administrator_.
    > If the **NDES Connector** user interface is not open, you can start it from **\<install_Path>\NDESConnectorUI\NDESConnectorUI.exe**.
 
 2. If your organization uses a proxy server and the proxy is needed for the NDES server to access the Internet, select **Use proxy server**, and then enter the proxy server name, port, and credentials to connect.  Click **Apply**
-   ![Intune Certificate Connector Configuration 01.](images/aadjcert/intunecertconnectorconfig-01.png)
+   ![Intune Certificate Connector Configuration 01](images/aadjcert/intunecertconnectorconfig-01.png)
 
 3. Click **Sign-in**.  Type credentials for your Intune administrator, or tenant administrator that has the **Global Administrator** directory role.
-   ![Intune Certificate Connector Configuration 02.](images/aadjcert/intunecertconnectorconfig-02.png)
+   ![Intune Certificate Connector Configuration 02](images/aadjcert/intunecertconnectorconfig-02.png)
 
    > [!IMPORTANT]
    > The user account must have a valid Intune license assigned.  If the user account does not have a valid Intune license, the sign-in fails.
@@ -614,7 +614,7 @@ Sign-in the certificate authority used by the NDES Connector with access equival
 1. Start the **Certification Authority** management console.
 2. In the navigation pane, right-click the name of the certificate authority and select **Properties**.
 3. Click the **Security** tab.  Click **Add**. In **Enter the object names to select** box, type **NDESSvc** (or the name you gave the NDES Service account).  Click *Check Names*. Click **OK**.  Select the NDES Service account from the **Group or user names** list. Select **Allow** for the **Issue and Manage Certificates** permission.  Click **OK**.
-   ![Configure Intune certificate revocation 02.](images/aadjcert/intuneconfigcertrevocation-02.png)
+   ![Configure Intune certificate revocation 02](images/aadjcert/intuneconfigcertrevocation-02.png)
 4. Close the **Certification Authority**
 
 #### Enable the NDES Connector for certificate revocation
@@ -622,7 +622,7 @@ Sign-in the NDES server with access equivalent to _domain administrator_.
 
 1. Open the **NDES Connector** user interface (**\<install_Path>\NDESConnectorUI\NDESConnectorUI.exe**).
 2. Click the **Advanced** tab.  Select **Specify a different account username and password**.  Type the NDES service account username and password.  Click **Apply**.  Click **OK** to close the confirmation dialog box.  Click **Close**.
-   ![Intune Connector cert revocation configuration 04.](images/aadjcert/intunecertconnectorconfig-04.png)
+   ![Intune Connector cert revocation configuration 04](images/aadjcert/intunecertconnectorconfig-04.png)
 3. Restart the **Intune Connector Service** and the **World Wide Web Publishing Service**.
 
 ### Test the NDES Connector
@@ -641,7 +641,7 @@ Sign-in the NDES server with access equivalent to _domain admin_.
    ```
    where **[fqdnHostName]** is the fully qualified internal DNS host name of the NDES server.
    A web page showing a 403 error (similar to the following) should appear in your web browser.  If you do not see a similar page, or you get a **503 Service unavailable** message, ensure the NDES Service account has the proper user rights.  You can also review the application event log for events with the **NetworkDeviceEnrollmentSerice** source.
-   ![NDES web site test after Intune Certificate Connector.](images/aadjcert/ndes-https-website-test-after-intune-connector.png)
+   ![NDES web site test after Intune Certificate Connector](images/aadjcert/ndes-https-website-test-after-intune-connector.png)
 6. Using **Server Manager**, enable **Internet Explorer Enhanced Security Configuration**.
 
 ## Create and Assign a Simple Certificate Enrollment Protocol (SCEP) Certificate Profile
@@ -656,7 +656,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
 5. Under **Group Name**, type the name of the group.  For example, **AADJ WHFB Certificate Users**.
 6. Provide a **Group description**, if applicable.
 7. Select **Assigned** from the **Membership type** list.
-   ![Azure AD new group creation.](images/aadjcert/azureadcreatewhfbcertgroup.png)
+   ![Azure AD new group creation](images/aadjcert/azureadcreatewhfbcertgroup.png)
 8. Click **Members**.  Use the  **Select members** pane to add members to this group. When finished click **Select**.
 9. Click **Create**.
 
@@ -666,7 +666,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
 1. Sign-in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
 2. Select **Devices**, and then click **Configuration Profiles**.
 3. Select **Create Profile**.
-   ![Intune Device Configuration Create Profile.](images/aadjcert/profile02.png)
+   ![Intune Device Configuration Create Profile](images/aadjcert/profile02.png)
 4. Select **Windows 10 and later** from the **Platform** list.
 5. Choose **SCEP certificate** from the **Profile** list, and select **Create**.
 6. The **SCEP Certificate** wizard should open. Next to **Name**, type **WHFB Certificate Enrollment**.
@@ -689,7 +689,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
 14. Select a previously configured **Trusted certificate** profile that matches the root certificate of the issuing certificate authority as a root certificate for the profile.
 15. Under **Extended key usage**, type **Smart Card Logon** under **Name**. Type **1.3.6.1.4.1.311.20.2.2** under **Object identifier**. Click **Add**.
 16. Type a percentage (without the percent sign) next to **Renewal Threshold** to determine when the certificate should attempt to renew. The recommended value is **20**.
-    ![WHFB SCEP certificate Profile EKUs.](images/aadjcert/profile03.png)
+    ![WHFB SCEP certificate Profile EKUs](images/aadjcert/profile03.png)
 17. Under **SCEP Server URLs**, type the fully qualified external name of the Azure AD Application proxy you configured. Append to the name **/certsrv/mscep/mscep.dll**. For example, https://ndes-mtephendemo.msappproxy.net/certsrv/mscep/mscep.dll. Click **Add**. Repeat this step for each additional NDES Azure AD Application Proxy you configured to issue Windows Hello for Business certificates. Microsoft Intune round-robin load balances requests among the URLs listed in the SCEP certificate profile.
 18. Click **Next**.
 19. Click **Next** several times to skip the **Scope tags**, **Assignments**, and **Applicability Rules** steps of the wizard and click **Create**.
@@ -702,7 +702,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
 3. Click **WHFB Certificate Enrollment**.
 4. Select **Properties**, and then click **Edit** next to the **Assignments** section.
 5. In the **Assignments** pane, select **Selected Groups** from the **Assign to** list.  Click **Select groups to include**.
-   ![WHFB SCEP Profile Assignment.](images/aadjcert/profile04.png)
+   ![WHFB SCEP Profile Assignment](images/aadjcert/profile04.png)
 6. Select the **AADJ WHFB Certificate Users** group. Click **Select**.
 7. Click **Review + Save**, and then **Save**.
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
index 9e100bc146..e80dc75f72 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
@@ -70,7 +70,7 @@ To locate the schema master role holder, open and command prompt and type:
 
 ```Netdom query fsmo | findstr -i schema```
 
-![Netdom example output.](images/hello-cmd-netdom.png)
+![Netdom example output](images/hello-cmd-netdom.png)
 
 The command should return the name of the domain controller where you need to run adprep.exe.  Update the schema locally on the domain controller hosting the Schema master role.
 
@@ -114,14 +114,14 @@ When you are ready to install, follow the **Configuring federation with AD FS**
 ### Create AD objects for AD FS Device Authentication  
 If your AD FS farm is not already configured for Device Authentication (you can see this in the AD FS Management console under Service -> Device Registration), use the following steps to create the correct AD DS objects and configuration.  
 
-![Device Registration.](images/hybridct/device1.png)
+![Device Registration](images/hybridct/device1.png)
 
 > [!NOTE]
 > The below commands require Active Directory administration tools, so if your federation server is not also a domain controller, first install the tools using step 1 below.  Otherwise you can skip step 1.  
 
 1.  Run the **Add Roles & Features** wizard and select feature **Remote Server Administration Tools** -> **Role Administration Tools** -> **AD DS and AD LDS Tools** -> Choose both the **Active Directory module for Windows PowerShell** and the **AD DS Tools**.
 
-![Device Registration.](images/hybridct/device2.png)
+![Device Registration](images/hybridct/device2.png)
 
 2. On your AD FS primary server, ensure you are logged in as AD DS user with enterprise administrator privileges and open an elevated Windows PowerShell prompt.  Then, run the following commands:  
 
@@ -132,7 +132,7 @@ If your AD FS farm is not already configured for Device Authentication (you can
 > [!NOTE]
 > If your AD FS service is configured to use a GMSA account, enter the account name in the format "domain\accountname$"
 
-![Device Registration.](images/hybridct/device3.png)  
+![Device Registration](images/hybridct/device3.png)  
 
 The above PSH creates the following objects:  
 
@@ -140,11 +140,11 @@ The above PSH creates the following objects:
 - Device Registration Service container and object under Configuration --> Services --> Device Registration Configuration  
 - Device Registration Service DKM container and object under Configuration --> Services --> Device Registration Configuration  
 
-![Device Registration.](images/hybridct/device4.png)  
+![Device Registration](images/hybridct/device4.png)  
 
 4. Once this is done, you will see a successful completion message.
 
-![Device Registration.](images/hybridct/device5.png) 
+![Device Registration](images/hybridct/device5.png) 
 
 ### Create Service Connection Point (SCP) in Active Directory  
 If you plan to use Windows 10 domain join (with automatic registration to Azure AD) as described here, execute the following commands to create a service connection point in AD DS  
@@ -155,13 +155,13 @@ If you plan to use Windows 10 domain join (with automatic registration to Azure
 > [!NOTE]
 > If necessary, copy the AdSyncPrep.psm1 file from your Azure AD Connect server.  This file is located in Program Files\Microsoft Azure Active Directory Connect\AdPrep
 
-![Device Registration.](images/hybridct/device6.png)   
+![Device Registration](images/hybridct/device6.png)   
 
 2. Provide your Azure AD global administrator credentials  
 
     `PS C:>$aadAdminCred = Get-Credential`
 
-![Device Registration.](images/hybridct/device7.png) 
+![Device Registration](images/hybridct/device7.png) 
 
 3. Run the following PowerShell command 
 
@@ -517,7 +517,7 @@ For your reference, below is a comprehensive list of the AD DS devices, containe
 - Container CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=&lt;domain&gt;
 - Container Device Registration Service DKM under the above container
 
-![Device Registration.](images/hybridct/device8.png) 
+![Device Registration](images/hybridct/device8.png) 
 
 - object of type serviceConnectionpoint at CN=&lt;guid&gt;, CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=&lt;domain&gt;  
   - read/write access to the specified AD connector account name on the new object 
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
index 35bd16ed3e..cfaf049efd 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
@@ -27,22 +27,22 @@ ms.reviewer:
 ## Provisioning
 The Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop.  Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**.
 
-![Event358 from User Device Registration log showing Windows Hello for Business prerequisite check result.](images/Event358.png)
+![Event358 from User Device Registration log showing Windows Hello for Business prerequisite check result](images/Event358.png)
 
 The first thing to validate is the computer has processed device registration. You can view this from the User device registration logs where the check **Device is AAD joined (AADJ or DJ++): Yes** appears.  Additionally, you can validate this using the **dsregcmd /status** command from a console prompt where the value for **AzureADJoined** reads **Yes**.
 
 
 Windows Hello for Business provisioning begins with a full screen page with the title **Setup a PIN** and button with the same name.  The user clicks **Setup a PIN**.
 
-![Setup a PIN Provisioning.](images/setupapin.png)
+![Setup a PIN Provisioning](images/setupapin.png)
 
 The provisioning flow proceeds to the Multi-Factor authentication portion of the enrollment.  Provisioning informs the user that it is actively attempting to contact the user through their configured form of MFA.  The provisioning process does not proceed until authentication succeeds, fails or times out. A failed or timeout MFA results in an error and asks the user to retry.
   
-![MFA prompt during provisioning.](images/mfa.png)
+![MFA prompt during provisioning](images/mfa.png)
 
 After a successful MFA, the provisioning flow asks the user to create and validate a PIN.  This PIN must observe any PIN complexity requirements that you deployed to the environment.
 
-![Create a PIN during provisioning.](images/createPin.png)
+![Create a PIN during provisioning](images/createPin.png)
 
 The provisioning flow has all the information it needs to complete the Windows Hello for Business enrollment.
 * A successful single factor authentication (username and password at sign-in)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md
index e60e0b15f0..9caf362da6 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md
@@ -27,22 +27,22 @@ ms.reviewer:
 ## Provisioning
 The Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop.  Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**.
 
-![Event358.](images/Event358-2.png)
+![Event358](images/Event358-2.png)
 
 The first thing to validate is the computer has processed device registration. You can view this from the User device registration logs where the check **Device is AAD joined (AADJ or DJ++): Yes** appears.  Additionally, you can validate this using the **dsregcmd /status** command from a console prompt where the value for **AzureADJoined** reads **Yes**.
 
 
 Windows Hello for Business provisioning begins with a full screen page with the title **Setup a PIN** and button with the same name.  The user clicks **Setup a PIN**.
 
-![Setup a PIN Provisioning.](images/setupapin.png)
+![Setup a PIN Provisioning](images/setupapin.png)
 
 The provisioning flow proceeds to the Multi-Factor authentication portion of the enrollment.  Provisioning informs the user that it is actively attempting to contact the user through their configured form of MFA.  The provisioning process does not proceed until authentication succeeds, fails or times out. A failed or timeout MFA results in an error and asks the user to retry.
   
-![MFA prompt during provisioning.](images/mfa.png)
+![MFA prompt during provisioning](images/mfa.png)
 
 After a successful MFA, the provisioning flow asks the user to create and validate a PIN.  This PIN must observe any PIN complexity requirements that you deployed to the environment.
 
-![Create a PIN during provisioning.](images/createPin.png)
+![Create a PIN during provisioning](images/createPin.png)
 
 The provisioning flow has all the information it needs to complete the Windows Hello for Business enrollment.
 * A successful single factor authentication (username and password at sign-in)
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
index 4e83f31ec3..99491fb5c3 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
@@ -73,7 +73,7 @@ Sign-in the federation server with domain administrator equivalent credentials.
 5. Click **Next** on the **Select Certificate Enrollment Policy** page.
 6. On the **Request Certificates** page, Select the **Internal Web Server** check box.
 7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link   
-    ![Example of Certificate Properties Subject Tab - This is what shows when you click the above link.](images/hello-internal-web-server-cert.png)
+    ![Example of Certificate Properties Subject Tab - This is what shows when you click the above link](images/hello-internal-web-server-cert.png)
 8. Under **Subject name**, select **Common Name** from the **Type** list.  Type the FQDN of the computer hosting the Active Directory Federation Services role and then click **Add**.  Under **Alternative name**, select **DNS** from the **Type** list.  Type the FQDN of the name you will use for your federation services (fs.corp.contoso.com). The name you use here MUST match the name you use when configuring the Active Directory Federation Services server role.  Click **Add**. Click **OK** when finished.
 9. Click **Enroll**.
 
@@ -155,7 +155,7 @@ Use the following procedures to configure AD FS when your environment uses **Win
 Sign-in the federation server with _Domain Admin_ equivalent credentials. These procedures assume you are configuring the first federation server in a federation server farm.
 1. Start **Server Manager**.
 2. Click the notification flag in the upper right corner. Click **Configure federation services on this server**.   
-   ![Example of pop-up notification as described above.](images/hello-adfs-configure-2012r2.png)
+   ![Example of pop-up notification as described above](images/hello-adfs-configure-2012r2.png)
 
 3. On the **Welcome** page, click **Create the first federation server farm** and click **Next**.
 4. Click **Next** on the **Connect to Active Directory Domain Services** page.
@@ -175,7 +175,7 @@ Use the following procedures to configure AD FS when your environment uses **Win
 Sign-in the federation server with _Domain Admin_ equivalent credentials.  These instructions assume you are configuring the first federation server in a federation server farm.
 1. Start **Server Manager**.
 2. Click the notification flag in the upper right corner.  Click **Configure federation services on this server**.   
-    ![Example of pop-up notification as described above.](images/hello-adfs-configure-2012r2.png)
+    ![Example of pop-up notification as described above](images/hello-adfs-configure-2012r2.png)
 
 3. On the **Welcome** page, click **Create the first federation server farm** and click **Next**.
 4. Click **Next** on the **Connect to Active Directory Domain Services** page.
@@ -262,7 +262,7 @@ Sign-in the federation server with _Enterprise Admin_ equivalent credentials.
 6. On the **Select server roles** page, click **Next**.
 7. Select **Network Load Balancing** on the **Select features** page.
 8. Click **Install** to start the feature installation   
-    ![Feature selection screen with NLB selected.](images/hello-nlb-feature-install.png)
+    ![Feature selection screen with NLB selected](images/hello-nlb-feature-install.png)
 
 ### Configure Network Load Balancing for AD FS
 
@@ -270,25 +270,25 @@ Before you can load balance all the nodes in the AD FS farm, you must first crea
 
 Sign-in a node of the federation farm with _Admin_ equivalent credentials.
 1. Open **Network Load Balancing Manager** from **Administrative Tools**.   
-    ![NLB Manager user interface.](images/hello-nlb-manager.png)
+    ![NLB Manager user interface](images/hello-nlb-manager.png)
 2. Right-click **Network Load Balancing Clusters**, and then click **New Cluster**.
 3. To connect to the host that is to be a part of the new cluster, in the **Host** text box, type the name of the host, and then click **Connect**.   
-    ![NLB Manager - Connect to new Cluster screen.](images/hello-nlb-connect.png)
+    ![NLB Manager - Connect to new Cluster screen](images/hello-nlb-connect.png)
 4. Select the interface that you want to use with the cluster, and then click **Next**. (The interface hosts the virtual IP address and receives the client traffic to load balance.)
 5. In **Host Parameters**, select a value in **Priority (Unique host identifier)**. This parameter specifies a unique ID for each host. The host with the lowest numerical priority among the current members of the cluster handles all of the cluster's network traffic that is not covered by a port rule. Click **Next**.
 6. In **Cluster IP Addresses**, click **Add** and type the cluster IP address that is shared by every host in the cluster. NLB adds this IP address to the TCP/IP stack on the selected interface of all hosts that are chosen to be part of the cluster. Click **Next**.   
-    ![NLB Manager - Add IP to New Cluster screen.](images/hello-nlb-add-ip.png)
+    ![NLB Manager - Add IP to New Cluster screen](images/hello-nlb-add-ip.png)
 7. In **Cluster Parameters**, select values in **IP Address** and **Subnet mask** (for IPv6 addresses, a subnet mask value is not needed). Type the full Internet name that users will use to access this NLB cluster.   
-    ![NLB Manager - Cluster IP Configuration screen.](images/hello-nlb-cluster-ip-config.png)
+    ![NLB Manager - Cluster IP Configuration screen](images/hello-nlb-cluster-ip-config.png)
 8. In **Cluster operation mode**, click **Unicast** to specify that a unicast media access control (MAC) address should be used for cluster operations. In unicast mode, the MAC address of the cluster is assigned to the network adapter of the computer, and the built-in MAC address of the network adapter is not used. We recommend that you accept the unicast default settings. Click **Next**.
 9. In Port Rules, click Edit to modify the default port rules to use port 443.   
-    ![NLB Manager - Add\Edit Port Rule screen.](images/hello-nlb-cluster-port-rule.png)
+    ![NLB Manager - Add\Edit Port Rule screen](images/hello-nlb-cluster-port-rule.png)
 
 ### Additional AD FS Servers
 
 1. To add more hosts to the cluster, right-click the new cluster, and then click **Add Host to Cluster**.
 2. Configure the host parameters (including host priority, dedicated IP addresses, and load weight) for the additional hosts by following the same instructions that you used to configure the initial host. Because you are adding hosts to an already configured cluster, all the cluster-wide parameters remain the same.   
-    ![NLB Manager - Cluster with nodes.](images/hello-nlb-cluster.png)
+    ![NLB Manager - Cluster with nodes](images/hello-nlb-cluster.png)
 
 ## Configure DNS for Device Registration
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md
index 1a2b17c308..00fa16c254 100644
--- a/windows/security/identity-protection/hello-for-business/hello-overview.md
+++ b/windows/security/identity-protection/hello-for-business/hello-overview.md
@@ -69,7 +69,7 @@ In Windows 10, Windows Hello replaces passwords. When the identity provider sup
 >[!NOTE]
 >Windows Hello as a convenience sign-in uses regular user name and password authentication, without the user entering the password.
 
-![How authentication works in Windows Hello.](images/authflow.png)
+![How authentication works in Windows Hello](images/authflow.png)
 
 Imagine that someone is looking over your shoulder as you get money from an ATM and sees the PIN that you enter. Having that PIN won't help them access your account because they don't have your ATM card. In the same way, learning your PIN for your device doesn't allow that attacker to access your account because the PIN is local to your specific device and doesn't enable any type of authentication from any other device.
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
index e7d6a0cea8..3ff85f511f 100644
--- a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
+++ b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
@@ -35,11 +35,11 @@ People who are currently using virtual or physical smart cards for authenticatio
 
 When someone sets up a new device, they are prompted to choose who owns the device. For corporate devices, they select **This device belongs to my organization**.
 
-![who owns this pc.](images/corpown.png)
+![who owns this pc](images/corpown.png)
 
 Next, they select a way to connect. Tell the people in your enterprise which option they should pick here.
 
-![choose how you'll connect.](images/connect.png)
+![choose how you'll connect](images/connect.png)
 
 They sign in, and are then asked to verify their identity. People have options to choose from a text message, phone call, or the authentication application. After verification, they create their PIN. The **Create a PIN** screen displays any complexity requirements that you have set, such as minimum length.
 
@@ -55,7 +55,7 @@ People can go to **Settings** &gt; **Accounts** &gt; **Work or school**, select
 
 If your policy allows it, people can use biometrics (fingerprint, iris, and facial recognition) with Windows Hello for Business, if the hardware supports it.
 
-![sign in to windows, apps, and services using fingerprint or face.](images/hellosettings.png)
+![sign in to windows, apps, and services using fingerprint or face](images/hellosettings.png)
 
 
 
diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
index 2b1c101fc0..87e71bc747 100644
--- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
+++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
@@ -21,7 +21,7 @@ ms.reviewer:
 ## Four steps to password freedom
 
 Over the past few years, Microsoft has continued their commitment to enabling a world without passwords. At Microsoft Ignite 2017, we shared our four-step approach to password freedom.
-![Passwordless approach.](images/four-steps-passwordless.png)
+![Passwordless approach](images/four-steps-passwordless.png)
 
 
 ### 1. Develop a password replacement offering
@@ -203,24 +203,24 @@ Windows provides two ways to prevent your users from using passwords. You can us
 
 ##### Security Policy
 You can use Group Policy to deploy an interactive logon security policy setting to the computer. This policy setting is found under **Computer Configuration > Policies > Windows Settings > Local Policy > Security Options**.  The name of the policy setting depends on the version of the operating systems you use to configure Group Policy.
-![securityPolicyLocation.](images/passwordless/00-securityPolicy.png)
+![securityPolicyLocation](images/passwordless/00-securityPolicy.png)
 
 **Windows Server 2016 and earlier**
 The policy name for these operating systems is **Interactive logon: Require smart card**.
-![securityPolicyBefore2016.](images/passwordless/00-securitypolicy-2016.png)
+![securityPolicyBefore2016](images/passwordless/00-securitypolicy-2016.png)
 
 **Windows 10, version 1703 or later using Remote Server Administrator Tools**
 The policy name for these operating systems is **Interactive logon: Require Windows Hello for Business or smart card**.
-![securityPolicyRSAT.](images/passwordless/00-updatedsecuritypolicytext.png)
+![securityPolicyRSAT](images/passwordless/00-updatedsecuritypolicytext.png)
 
 When you enable this security policy setting, Windows prevents users from signing in or unlocking with a password. The password credential provider remains visible to the user. If a user tries to use a password, Windows informs the user they must use Windows Hello for Business or a smart card.
 
 #### Excluding the password credential provider
 You can use Group Policy to deploy an administrative template policy setting to the computer. This policy setting is found under **Computer Configuration > Policies > Administrative Templates > System > Logon**
-![HideCredProvPolicy.](images/passwordless/00-hidecredprov.png)
+![HideCredProvPolicy](images/passwordless/00-hidecredprov.png)
 
 The name of the policy setting is **Exclude credential providers**. The value to enter in the policy to hide the password credential provider is **60b78e88-ead8-445c-9cfd-0b87f74ea6cd**.
-![HideCredProvPolicy2.](images/passwordless/01-hidecredprov.png)
+![HideCredProvPolicy2](images/passwordless/01-hidecredprov.png)
 
 Excluding the password credential provider hides the password credential provider from Windows and any application that attempts to load it. This prevents the user from entering a password using the credential provider. However, this does not prevent applications from creating their own password collection dialogs and prompting the user for a password using custom dialogs.
 
@@ -261,7 +261,7 @@ The account options on a user account includes an option -- **Smart card is requ
 > [!NOTE]
 > Do not confuse the Interactive Logon security policy for SCRIL. Security policies are enforced on the client (locally). A user account configured for SCRIL is enforced at the domain controller.
 
-![SCRIL setting on AD Users and Computers.](images/passwordless/00-scril-dsa.png)
+![SCRIL setting on AD Users and Computers](images/passwordless/00-scril-dsa.png)
 **SCRIL setting for a user on Active Directory Users and Computers.**
 
 When you configure a user account for SCRIL, Active Directory changes the affected user's password to a random 128 bits of data. Additionally, domain controllers hosting the user account do not allow the user to sign-in interactively with a password. Also, users will no longer be troubled with needing to change their password when it expires, because passwords for SCRIL users in domains with a Windows Server 2012 R2 or early domain functional level do not expire. The users are effectively passwordless because:
@@ -270,13 +270,13 @@ When you configure a user account for SCRIL, Active Directory changes the affect
 - the user is not asked to change their password
 - domain controllers do not allow passwords for interactive authentication
 
-![SCRIL setting from ADAC on Windows Server 2012.](images/passwordless/01-scril-adac-2012.png)
+![SCRIL setting from ADAC on Windows Server 2012](images/passwordless/01-scril-adac-2012.png)
 **SCRIL setting for a user in Active Directory Administrative Center on Windows Server 2012.**
 
 > [!NOTE]
 > Although a SCRIL user's password never expires in early domains, you can toggle the SCRIL configuration on a user account (clear the check box, save the settings, select the check box and save the settings) to generate a new random 128 bit password. However, you should consider upgrading the domain to Windows Server 2016 domain forest functional level and allow the domain controller to do this for you automatically.
 
-![SCRIL setting from ADAC on Windows Server 2016.](images/passwordless/01-scril-adac-2016.png)
+![SCRIL setting from ADAC on Windows Server 2016](images/passwordless/01-scril-adac-2016.png)
 **SCRIL setting for a user in Active Directory Administrative Center on Windows Server 2016.**
 
 > [!NOTE]
@@ -286,7 +286,7 @@ When you configure a user account for SCRIL, Active Directory changes the affect
 Domains configured for Windows Server 2016 domain functional level can further secure the unknown password for SCRIL-enabled users by configuring the domain to automatically change the password for SCRIL users.
 
 In this configuration, passwords for SCRIL-configured users expire based on Active Directory password policy settings. When the SCRIL user authenticates from a domain controller, the domain controller recognizes the password has expired, and automatically generates a new random 128 bit password for the user as part of the authentication. What is great about this feature is your users do not experience any change password notifications or any authentication outages.
-![Rotate Password 2016.](images/passwordless/02-rotate-scril-2016.png)
+![Rotate Password 2016](images/passwordless/02-rotate-scril-2016.png)
 
 > [!NOTE]
 > Some components within Windows 10, such as Data Protection APIs and NTLM authentication, still need artifacts of a user possessing a password. This configuration provides interoperability by reducing the usage surface while Microsoft continues to close the gaps to remove the password completely.
diff --git a/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md
index 2ad3bb1f3b..5e24e71b64 100644
--- a/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md
+++ b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md
@@ -54,7 +54,7 @@ It’s important to keep in mind that there are no physical containers on disk,
 
 The container actually contains a set of keys, some of which are used to protect other keys. The following image shows an example: the protector key is used to encrypt the authentication key, and the authentication key is used to encrypt the individual keys stored in the container.
  
-![Each logical container holds one or more sets of keys.](../images/passport-fig3-logicalcontainer.png)
+![Each logical container holds one or more sets of keys](../images/passport-fig3-logicalcontainer.png)
 
 Containers can contain several types of key material:
 
diff --git a/windows/security/identity-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md
index 65fa656745..57bbf194fc 100644
--- a/windows/security/identity-protection/remote-credential-guard.md
+++ b/windows/security/identity-protection/remote-credential-guard.md
@@ -34,13 +34,13 @@ Administrator credentials are highly privileged and must be protected. By using
 
 The following diagram helps you to understand how a standard Remote Desktop session to a server without Windows Defender Remote Credential Guard works:
 
-![RDP connection to a server without Windows Defender Remote Credential Guard.png.](images/rdp-to-a-server-without-windows-defender-remote-credential-guard.png)
+![RDP connection to a server without Windows Defender Remote Credential Guard.png](images/rdp-to-a-server-without-windows-defender-remote-credential-guard.png)
 
 <br />
 
 The following diagram helps you to understand how Windows Defender Remote Credential Guard works, what it helps to protect against, and compares it with the [Restricted Admin mode](https://social.technet.microsoft.com/wiki/contents/articles/32905.how-to-enable-restricted-admin-mode-for-remote-desktop.aspx) option:
 
-![Windows Defender Remote Credential Guard.](images/windows-defender-remote-credential-guard-with-remote-admin-mode.png)
+![Windows Defender Remote Credential Guard](images/windows-defender-remote-credential-guard-with-remote-admin-mode.png)
 
 <br />
 As illustrated, Windows Defender Remote Credential Guard blocks NTLM (allowing only Kerberos), prevents Pass-the-Hash (PtH) attacks, and also prevents use of credentials after disconnection.
@@ -152,7 +152,7 @@ Beginning with Windows 10 version 1703, you can enable Windows Defender Remote C
 
 2. Double-click **Restrict delegation of credentials to remote servers**.
 
-    ![Windows Defender Remote Credential Guard Group Policy.](images/remote-credential-guard-gp.png)
+    ![Windows Defender Remote Credential Guard Group Policy](images/remote-credential-guard-gp.png)
 
 3. Under **Use the following restricted mode**:
 
diff --git a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
index d5c9651f0f..635a9631d6 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
@@ -34,7 +34,7 @@ Smart card support is required to enable many Remote Desktop Services scenarios.
 
 In a Remote Desktop scenario, a user is using a remote server for running services, and the smart card is local to the computer that the user is using. In a smart card sign-in scenario, the smart card service on the remote server redirects to the smart card reader that is connected to the local computer where the user is trying to sign in.
 
-![Smart card service redirects to smart card reader.](images/sc-image101.png)
+![Smart card service redirects to smart card reader](images/sc-image101.png)
 
 **Remote Desktop redirection**
 
diff --git a/windows/security/identity-protection/smart-cards/smart-card-architecture.md b/windows/security/identity-protection/smart-cards/smart-card-architecture.md
index 63cbad9b26..0663f9a479 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-architecture.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-architecture.md
@@ -52,7 +52,7 @@ Interactive sign-in in Windows begins when the user presses CTRL+ALT+DEL. The CT
 
 After receiving the SAS, the UI then generates the sign-in tile from the information received from the registered credential providers. The following graphic shows the architecture for credential providers in the Windows operating system.
 
-![Credential provider architecture.](images/sc-image201.gif)
+![Credential provider architecture](images/sc-image201.gif)
 
 **Figure 1**&nbsp;&nbsp;**Credential provider architecture**
 
@@ -88,7 +88,7 @@ Vendors provide smart cards and smart card readers, and in many cases the vendor
 
 Figure 2 illustrates the relationship between the CryptoAPI, CSPs, the Smart Card Base Cryptographic Service Provider (Base CSP), and smart card minidrivers.
 
-![Base CSP and smart card minidriver architecture.](images/sc-image203.gif)
+![Base CSP and smart card minidriver architecture](images/sc-image203.gif)
 
 **Figure 2**&nbsp;&nbsp;**Base CSP and smart card minidriver architecture**
 
@@ -236,7 +236,7 @@ Applications can call the Base CSP with CRYPT\_DEFAULT\_CONTAINER\_OPTIONAL, set
 
 In some of the following scenarios, the user can be prompted to insert a smart card. If the user context is silent, this operation fails and no UI is displayed. Otherwise, in response to the UI, the user can insert a smart card or click **Cancel**. If the user cancels the operation, the operation fails. The flow chart in Figure 3 shows the selection steps performed by the Windows operating system.
 
-![Smart card selection process.](images/sc-image205.png)
+![Smart card selection process](images/sc-image205.png)
 
 **Figure 3**&nbsp;&nbsp;**Smart card selection behavior**
 
@@ -314,7 +314,7 @@ For other operations, the caller may be able to acquire a "verify" context again
 
 Figure 4 shows the Cryptography architecture that is used by the Windows operating system.
 
-![Cryptography architecture.](images/sc-image206.gif)
+![Cryptography architecture](images/sc-image206.gif)
 
 **Figure 4**&nbsp;&nbsp;**Cryptography architecture**
 
diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md
index dbcf86ee67..ae671b4ace 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md
@@ -38,7 +38,7 @@ The following figure shows the flow of the certificate propagation service. The
 
 **Certificate propagation service**
 
-![Certificate propagation service.](images/sc-image302.gif)
+![Certificate propagation service](images/sc-image302.gif)
 
 1.  A signed-in user inserts a smart card.
 
diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
index a220e7e658..ef209588b9 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
@@ -89,7 +89,7 @@ If you enable the **Allow signature keys valid for Logon** credential provider p
 
 The following diagram illustrates how smart card sign-in works in the supported versions of Windows.
 
-![Smart card sign-in flow.](images/sc-image402.png)
+![Smart card sign-in flow](images/sc-image402.png)
 
 **Smart card sign-in flow**
 
@@ -206,21 +206,21 @@ SSL/TLS can map certificates that do not have SAN, and the mapping is done by us
 
 **Certificate revocation list distribution points**
 
-![Certificate revocation list distribution points.](images/sc-image403.png)
+![Certificate revocation list distribution points](images/sc-image403.png)
 
 **UPN in Subject Alternative Name field**
 
-![UPN in Subject Alternative Name field.](images/sc-image404.png)
+![UPN in Subject Alternative Name field](images/sc-image404.png)
 
 **Subject and Issuer fields**
 
-![Subject and Issuer fields.](images/sc-image405.png)
+![Subject and Issuer fields](images/sc-image405.png)
 
 This account mapping is supported by the KDC in addition to six other mapping methods. The following figure demonstrates a flow of user account mapping logic that is used by the KDC.
 
 **High-level flow of certificate processing for sign-in**
 
-![High-level flow of certificate processing for sign-in.](images/sc-image406.png)
+![High-level flow of certificate processing for sign-in](images/sc-image406.png)
 
 The certificate object is parsed to look for content to perform user account mapping.
 
@@ -236,7 +236,7 @@ The following figure illustrates the process of mapping user accounts for sign-i
 
 **Certificate processing logic**
 
-![Certificate processing logic.](images/sc-image407.png)
+![Certificate processing logic](images/sc-image407.png)
 
 NT\_AUTH policy is best described in the CERT\_CHAIN\_POLICY\_NT\_AUTH parameter section of the CertVerifyCertificateChainPolicy function. For more information, see [CertVerifyCertificateChainPolicy](/windows/win32/api/wincrypt/nf-wincrypt-certverifycertificatechainpolicy).
 
diff --git a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md
index 3f72307e25..fa36cf563f 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md
@@ -26,7 +26,7 @@ The smart card removal policy service is applicable when a user has signed in wi
 
 **Smart card removal policy service**
 
-![Smart card removal policy service.](images/sc-image501.gif)
+![Smart card removal policy service](images/sc-image501.gif)
 
 The numbers in the previous figure represent the following actions:
 
diff --git a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
index 76159c664d..10ffd31a84 100644
--- a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
+++ b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
@@ -34,7 +34,7 @@ In order to better understand how this process happens, let's look at the Window
 
 The following shows how the logon process for an administrator differs from the logon process for a standard user.
 
-![uac windows logon process.](images/uacwindowslogonprocess.gif)
+![uac windows logon process](images/uacwindowslogonprocess.gif)
 
 By default, standard users and administrators access resources and run apps in the security context of standard users. When a user logs on to a computer, the system creates an access token for that user. The access token contains information about the level of access that the user is granted, including specific security identifiers (SIDs) and Windows privileges.
 
@@ -56,7 +56,7 @@ With UAC enabled, Windows 10 prompts for consent or prompts for credentials of
 
 The consent prompt is presented when a user attempts to perform a task that requires a user's administrative access token. The following is an example of the UAC consent prompt.
 
-![uac consent prompt.](images/uacconsentprompt.gif)
+![uac consent prompt](images/uacconsentprompt.gif)
 
 **The credential prompt**
 
@@ -64,7 +64,7 @@ The credential prompt is presented when a standard user attempts to perform a ta
 
 The following is an example of the UAC credential prompt.
 
-![uac credential prompt.](images/uaccredentialprompt.gif)
+![uac credential prompt](images/uaccredentialprompt.gif)
 
 **UAC elevation prompts**
 
@@ -81,7 +81,7 @@ The elevation prompt color-coding is as follows:
 
 Some Control Panel items, such as **Date and Time Properties**, contain a combination of administrator and standard user operations. Standard users can view the clock and change the time zone, but a full administrator access token is required to change the local system time. The following is a screen shot of the **Date and Time Properties** Control Panel item.
 
-![uac shield icon.](images/uacshieldicon.png)
+![uac shield icon](images/uacshieldicon.png)
 
 The shield icon on the **Change date and time** button indicates that the process requires a full administrator access token and will display a UAC elevation prompt.
 
@@ -99,7 +99,7 @@ While malware could present an imitation of the secure desktop, this issue canno
 
 The following diagram details the UAC architecture.
 
-![uac architecture.](images/uacarchitecture.gif)
+![uac architecture](images/uacarchitecture.gif)
 
 To better understand each component, review the table below:
 
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md
index 4468785ff0..badf574468 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md
@@ -24,7 +24,7 @@ This topic for the IT professional discusses the factors to consider when you de
 
 Traditional identity devices, such as physical smart cards, follow a predictable lifecycle in any deployment, as shown in the following diagram.
 
-![Diagram of physical smart card lifecycle.](images/vsc-physical-smart-card-lifecycle.png)
+![Diagram of physical smart card lifecycle](images/vsc-physical-smart-card-lifecycle.png)
 
 Physical devices are created by a dedicated manufacturer and then purchased by the corporation that will ultimately deploy it. The device passes through the personalization stage, where its unique properties are set. In smart cards, these properties are the administrator key, Personal Identification Number (PIN), PIN Unlock Key (PUK), and its physical appearance. To provision the device, it is loaded with the required certificates, such as a sign-in certificate. After you provision the device, it is ready for use. The device must simply be maintained. For example, you must replace cards when they are lost or stolen and reset PINs when users forget them. Finally, you’ll retire devices when they exceed their intended lifetime or when employees leave the company.
 
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md
index 044f7c1fe1..6fb462eb81 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md
@@ -28,7 +28,7 @@ A crucial aspect of TPM virtual smart cards is their ability to securely store a
 
 The following diagram illustrates the secure key hierarchy and the process of accessing the user key.
 
-![Diagram of the process of accessing the user key.](images/vsc-process-of-accessing-user-key.png)
+![Diagram of the process of accessing the user key](images/vsc-process-of-accessing-user-key.png)
 
 The following keys are stored on the hard disk:
 
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md
index c6ad4e0710..6810a79d95 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md
@@ -62,21 +62,21 @@ On your domain server, you need to create a template for the certificate that yo
 
 2. Click **File**, and then click **Add/Remove Snap-in**.
 
-   ![Add or remove snap-in.](images/vsc-02-mmc-add-snap-in.png)
+   ![Add or remove snap-in](images/vsc-02-mmc-add-snap-in.png)
 
 3. In the available snap-ins list, click **Certificate Templates**, and then click **Add**.
 
-   ![Add Certificate Templates snap-in.](images/vsc-03-add-certificate-templates-snap-in.png)
+   ![Add Certificate Templates snap-in](images/vsc-03-add-certificate-templates-snap-in.png)
 
 4. Certificate Templates is now located under **Console Root** in the MMC. Double-click it to view all the available certificate templates.
 
 5. Right-click the **Smartcard Logon** template, and click **Duplicate Template**.
 
-   ![Duplicating the Smartcard Logon template.](images/vsc-04-right-click-smartcard-logon-template.png)
+   ![Duplicating the Smartcard Logon template](images/vsc-04-right-click-smartcard-logon-template.png)
 
 6. On the **Compatibility** tab, under **Certification Authority**, review the selection, and change it if needed.
 
-   ![Compatibility tab, certification authority setting.](images/vsc-05-certificate-template-compatibility.png)
+   ![Compatibility tab, certification authority setting](images/vsc-05-certificate-template-compatibility.png)
 
 7. On the **General** tab:
 
@@ -102,23 +102,23 @@ On your domain server, you need to create a template for the certificate that yo
 
 12. Select **File**, then click **Add/Remove Snap-in** to add the Certification Authority snap-in to your MMC console. When asked which computer you want to manage, select the computer on which the CA is located, probably **Local Computer**.
 
-    ![Add Certification Authority snap-in.](images/vsc-06-add-certification-authority-snap-in.png)
+    ![Add Certification Authority snap-in](images/vsc-06-add-certification-authority-snap-in.png)
 
 13. In the left pane of the MMC, expand **Certification Authority (Local)**, and then expand your CA within the Certification Authority list.
 
 14. Right-click **Certificate Templates**, click **New**, and then click **Certificate Template to Issue**.
 
-    ![Right-click menu for Certificate Templates.](images/vsc-07-right-click-certificate-templates.png)
+    ![Right-click menu for Certificate Templates](images/vsc-07-right-click-certificate-templates.png)
 
 15. From the list, select the new template that you just created (**TPM Virtual Smart Card Logon**), and then click **OK**.
 
     > **Note**&nbsp;&nbsp;It can take some time for your template to replicate to all servers and become available in this list.
 
-    ![Selecting a certificate template.](images/vsc-08-enable-certificate-template.png)
+    ![Selecting a certificate template](images/vsc-08-enable-certificate-template.png)
 
 16. After the template replicates, in the MMC, right-click in the Certification Authority list, click **All Tasks**, and then click **Stop Service**. Then, right-click the name of the CA again, click **All Tasks**, and then click **Start Service**.
 
-    ![Stopping and starting the service.](images/vsc-09-stop-service-start-service.png)
+    ![Stopping and starting the service](images/vsc-09-stop-service-start-service.png)
 
 ## Step 2: Create the TPM virtual smart card
 
@@ -128,7 +128,7 @@ In this step, you will create the virtual smart card on the client computer by u
 
 1.  On a domain-joined computer, open a Command Prompt window with Administrative credentials.
 
-    ![Cmd prompt, Run as administrator.](images/vsc-10-cmd-run-as-administrator.png)
+    ![Cmd prompt, Run as administrator](images/vsc-10-cmd-run-as-administrator.png)
 
 2.  At the command prompt, type the following, and then press ENTER:
 
@@ -150,11 +150,11 @@ The virtual smart card must be provisioned with a sign-in certificate for it to
 
 2.  Right-click **Personal**, click **All Tasks**, and then click **Request New Certificate**.
 
-    ![Request New Certificate.](images/vsc-11-certificates-request-new-certificate.png)
+    ![Request New Certificate](images/vsc-11-certificates-request-new-certificate.png)
 
 3.  Follow the prompts and when offered a list of templates, select the **TPM Virtual Smart Card Logon** check box (or whatever you named the template in Step 1).
 
-    ![Certificate enrollment, select certificate.](images/vsc-12-certificate-enrollment-select-certificate.png)
+    ![Certificate enrollment, select certificate](images/vsc-12-certificate-enrollment-select-certificate.png)
 
 4.  If prompted for a device, select the Microsoft virtual smart card that corresponds to the one you created in the previous section. It displays as **Identity Device (Microsoft Profile)**.
 
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md
index 4d3f59ff0a..789da743aa 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md
@@ -74,7 +74,7 @@ For more information about these Windows APIs, see:
 
 To help users visually distinguish a Trusted Platform Module (TPM)-based virtual smart card from physical smart cards, the virtual smart card has a different icon. The following icon is displayed during sign in, and on other screens that require the user to enter the PIN for a virtual smart card.
 
-![Icon for a virtual smart card.](images/vsc-virtual-smart-card-icon.png)
+![Icon for a virtual smart card](images/vsc-virtual-smart-card-icon.png)
 
 A TPM-based virtual smart card is labeled **Security Device** in the user interface.
 
diff --git a/windows/security/identity-protection/vpn/vpn-authentication.md b/windows/security/identity-protection/vpn/vpn-authentication.md
index 2c0a581e8d..9665848076 100644
--- a/windows/security/identity-protection/vpn/vpn-authentication.md
+++ b/windows/security/identity-protection/vpn/vpn-authentication.md
@@ -51,7 +51,7 @@ See [EAP configuration](/windows/client-management/mdm/eap-configuration) for EA
 
 The following image shows the field for EAP XML in a Microsoft Intune VPN profile. The EAP XML field only appears when you select a built-in connection type (automatic, IKEv2, L2TP, PPTP).
 
-![EAP XML configuration in Intune profile.](images/vpn-eap-xml.png)
+![EAP XML configuration in Intune profile](images/vpn-eap-xml.png)
 
 ## Related topics
 
diff --git a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md
index 44b05da541..2c1405d9e0 100644
--- a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md
+++ b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md
@@ -89,11 +89,11 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/clien
 
 The following image shows associating an app to a VPN connection in a VPN Profile configuration policy using Microsoft Intune.
 
-![Add an app for the VPN connection.](images/vpn-app-trigger.png)
+![Add an app for the VPN connection](images/vpn-app-trigger.png)
 
 After you add an associated app, if you select the **Only these apps can use this VPN connection (per-app VPN)** checkbox, the app becomes available in **Corporate Boundaries**, where you can configure rules for the app. See [Traffic filters](vpn-security-features.md#traffic-filters) for more details. 
 
-![Configure rules for the app.](images/vpn-app-rules.png)
+![Configure rules for the app](images/vpn-app-rules.png)
 
 ## Related topics
 
diff --git a/windows/security/identity-protection/vpn/vpn-conditional-access.md b/windows/security/identity-protection/vpn/vpn-conditional-access.md
index 66baa88e46..393bf3b90b 100644
--- a/windows/security/identity-protection/vpn/vpn-conditional-access.md
+++ b/windows/security/identity-protection/vpn/vpn-conditional-access.md
@@ -87,7 +87,7 @@ Two client-side configuration service providers are leveraged for VPN device com
 The VPN client side connection flow works as follows:
 
 > [!div class="mx-imgBorder"]
-> ![Device compliance workflow when VPN client attempts to connect.](images/vpn-device-compliance.png)
+> ![Device compliance workflow when VPN client attempts to connect](images/vpn-device-compliance.png)
  
 When a VPNv2 Profile is configured with \<DeviceCompliance> \<Enabled>true<\/Enabled> the VPN client uses this connection flow:
 
diff --git a/windows/security/identity-protection/vpn/vpn-connection-type.md b/windows/security/identity-protection/vpn/vpn-connection-type.md
index 465f79924f..e65b9b6d8b 100644
--- a/windows/security/identity-protection/vpn/vpn-connection-type.md
+++ b/windows/security/identity-protection/vpn/vpn-connection-type.md
@@ -23,7 +23,7 @@ Virtual private networks (VPNs) are point-to-point connections across a private
 
 There are many options for VPN clients. In Windows 10, the built-in plug-in and the Universal Windows Platform (UWP) VPN plug-in platform are built on top of the Windows VPN platform. This guide focuses on the Windows VPN platform clients and the features that can be configured. 
 
-![VPN connection types.](images/vpn-connection.png)
+![VPN connection types](images/vpn-connection.png)
 
 ## Built-in VPN client
 
@@ -67,12 +67,12 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/clien
 The following image shows connection options in a VPN Profile configuration policy using Microsoft Intune:
 
 > [!div class="mx-imgBorder"]
-> ![Available connection types.](images/vpn-connection-intune.png)
+> ![Available connection types](images/vpn-connection-intune.png)
      
 In Intune, you can also include custom XML for third-party plug-in profiles:
 
 > [!div class="mx-imgBorder"]
-> ![Custom XML.](images/vpn-custom-xml-intune.png)
+> ![Custom XML](images/vpn-custom-xml-intune.png)
 
 
 ## Related topics
diff --git a/windows/security/identity-protection/vpn/vpn-name-resolution.md b/windows/security/identity-protection/vpn/vpn-name-resolution.md
index 70cec8d554..fcc360257b 100644
--- a/windows/security/identity-protection/vpn/vpn-name-resolution.md
+++ b/windows/security/identity-protection/vpn/vpn-name-resolution.md
@@ -64,7 +64,7 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/clien
 
 The following image shows name resolution options in a VPN Profile configuration policy using Microsoft Intune.
 
-![Add DNS rule.](images/vpn-name-intune.png)
+![Add DNS rule](images/vpn-name-intune.png)
 
 The fields in **Add or edit DNS rule** in the Intune profile correspond to the XML settings shown in the following table.
 
diff --git a/windows/security/identity-protection/vpn/vpn-profile-options.md b/windows/security/identity-protection/vpn/vpn-profile-options.md
index 96eae8c6ac..69940276c8 100644
--- a/windows/security/identity-protection/vpn/vpn-profile-options.md
+++ b/windows/security/identity-protection/vpn/vpn-profile-options.md
@@ -312,7 +312,7 @@ After you configure the settings that you want using ProfileXML, you can apply i
 10. Set Data type to **String (XML file)**.
 11. Upload the profile XML file.
 12. Click **OK**.
-    ![Custom VPN profile.](images/custom-vpn-profile.png)
+    ![Custom VPN profile](images/custom-vpn-profile.png)
 13. Click **OK**, then **Create**.
 14. Assign the profile.
 
diff --git a/windows/security/identity-protection/vpn/vpn-routing.md b/windows/security/identity-protection/vpn/vpn-routing.md
index ea0cb1c3ae..a33e2b0f3f 100644
--- a/windows/security/identity-protection/vpn/vpn-routing.md
+++ b/windows/security/identity-protection/vpn/vpn-routing.md
@@ -53,11 +53,11 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/clien
 
 When you configure a VPN profile in Microsoft Intune, you select a checkbox to enable split tunnel configuration.
 
-![split tunnel.](images/vpn-split.png)
+![split tunnel](images/vpn-split.png)
 
 Next, in **Corporate Boundaries**, you add the routes that should use the VPN connection.   
   
-![add route for split tunnel.](images/vpn-split-route.png)
+![add route for split tunnel](images/vpn-split-route.png)
 
 
 ## Related topics
diff --git a/windows/security/identity-protection/vpn/vpn-security-features.md b/windows/security/identity-protection/vpn/vpn-security-features.md
index c84ab32cb0..bd1a32dde4 100644
--- a/windows/security/identity-protection/vpn/vpn-security-features.md
+++ b/windows/security/identity-protection/vpn/vpn-security-features.md
@@ -59,7 +59,7 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/clien
 
 The following image shows the interface to configure traffic rules in a VPN Profile configuration policy, using Microsoft Intune.
 
-![Add a traffic rule.](images/vpn-traffic-rules.png)
+![Add a traffic rule](images/vpn-traffic-rules.png)
 
 
 ## LockDown VPN
diff --git a/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md b/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md
index 62a4cf6cf0..2c1a02b8db 100644
--- a/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md
+++ b/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md
@@ -31,7 +31,7 @@ This guide explains how credential theft attacks occur and the strategies and co
 - Respond to suspicious activity
 - Recover from a breach
 
-![Security stages.](images/security-stages.png)
+![Security stages](images/security-stages.png)
 
 ## Attacks that steal credentials
 
diff --git a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
index 23b9d93073..fc9b15fdef 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
@@ -89,7 +89,7 @@ On computers with a compatible TPM, operating system drives that are BitLocker-p
 
 In the following Group Policy example, TPM + PIN is required to unlock an operating system drive:
 
-![Pre-boot authentication setting in Group Policy.](images/pre-boot-authentication-group-policy.png)
+![Pre-boot authentication setting in Group Policy](images/pre-boot-authentication-group-policy.png)
 
 Pre-boot authentication with a PIN can mitigate an attack vector for devices that use a bootable eDrive because an exposed eDrive bus can allow an attacker to capture the BitLocker encryption key during startup. 
 Pre-boot authentication with a PIN can also mitigate DMA port attacks during the window of time between when BitLocker unlocks the drive and Windows boots to the point that Windows can set any port-related policies that have been configured. 
@@ -110,7 +110,7 @@ This Kernel DMA Protection is available only for new systems beginning with Wind
 
 You can use the System Information desktop app (MSINFO32) to check if a device has kernel DMA protection enabled: 
 
-![Kernel DMA protection.](images/kernel-dma-protection.png)
+![Kernel DMA protection](images/kernel-dma-protection.png)
 
 If kernel DMA protection *not* enabled, follow these steps to protect Thunderbolt™ 3 enabled ports:
 
diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md
index cd0b6543e6..4864bdf4d4 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md
@@ -34,31 +34,31 @@ This article depicts the BitLocker deployment comparison chart.
 |Supported domain-joined status     |     Microsoft Azure Active Directory (Azure AD) joined, hybrid Azure AD joined    |   Active Directory joined, hybrid Azure AD joined      |     Active Directory joined    |
 |Permissions required to manage policies     |    Endpoint security manager or custom     |   Full administrator or custom      |     Domain Admin or Delegated GPO access    |
 |Cloud or on premises      |     Cloud    |  On premises     |    On premises     |
-|Server components required?      |         |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::    |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |
+|Server components required?      |         |  :::image type="content" source="images/yes-icon.png" alt-text="supported":::    |  :::image type="content" source="images/yes-icon.png" alt-text="supported":::       |
 |Additional agent required?     |     No (device enrollment only)    |   Configuration Manager client      |     MBAM client    |
 |Administrative plane     | Microsoft Endpoint Manager admin center        |    Configuration Manager console     |    Group Policy Management Console and MBAM sites     |
-|Administrative portal installation required     |         |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::    |    :::image type="content" source="images/yes-icon.png" alt-text="supported.":::     |
-|Compliance reporting capabilities     |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::      |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |
-|Force encryption     |    :::image type="content" source="images/yes-icon.png" alt-text="supported.":::   |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::   | :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |
-|Encryption for storage cards (mobile)      |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::     |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::      |         |
-|Allow recovery password      |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::      |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::    |    :::image type="content" source="images/yes-icon.png" alt-text="supported.":::     |
-|Manage startup authentication     |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::      |     :::image type="content" source="images/yes-icon.png" alt-text="supported.":::    |     :::image type="content" source="images/yes-icon.png" alt-text="supported.":::    |
-|Select cipher strength and algorithms for fixed drives      |    :::image type="content" source="images/yes-icon.png" alt-text="supported.":::     | :::image type="content" source="images/yes-icon.png" alt-text="supported.":::      |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::      |
-|Select cipher strength and algorithms for removable drives     |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::      |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |
-|Select cipher strength and algorithms for operating environment drives     |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::      |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::    |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::      |
+|Administrative portal installation required     |         |   :::image type="content" source="images/yes-icon.png" alt-text="supported":::    |    :::image type="content" source="images/yes-icon.png" alt-text="supported":::     |
+|Compliance reporting capabilities     |  :::image type="content" source="images/yes-icon.png" alt-text="supported":::       |   :::image type="content" source="images/yes-icon.png" alt-text="supported":::      |  :::image type="content" source="images/yes-icon.png" alt-text="supported":::       |
+|Force encryption     |    :::image type="content" source="images/yes-icon.png" alt-text="supported":::   |  :::image type="content" source="images/yes-icon.png" alt-text="supported":::   | :::image type="content" source="images/yes-icon.png" alt-text="supported":::       |
+|Encryption for storage cards (mobile)      |   :::image type="content" source="images/yes-icon.png" alt-text="supported":::     |  :::image type="content" source="images/yes-icon.png" alt-text="supported":::      |         |
+|Allow recovery password      |   :::image type="content" source="images/yes-icon.png" alt-text="supported":::      |   :::image type="content" source="images/yes-icon.png" alt-text="supported":::    |    :::image type="content" source="images/yes-icon.png" alt-text="supported":::     |
+|Manage startup authentication     |   :::image type="content" source="images/yes-icon.png" alt-text="supported":::      |     :::image type="content" source="images/yes-icon.png" alt-text="supported":::    |     :::image type="content" source="images/yes-icon.png" alt-text="supported":::    |
+|Select cipher strength and algorithms for fixed drives      |    :::image type="content" source="images/yes-icon.png" alt-text="supported":::     | :::image type="content" source="images/yes-icon.png" alt-text="supported":::      |   :::image type="content" source="images/yes-icon.png" alt-text="supported":::      |
+|Select cipher strength and algorithms for removable drives     |   :::image type="content" source="images/yes-icon.png" alt-text="supported":::      |  :::image type="content" source="images/yes-icon.png" alt-text="supported":::       |  :::image type="content" source="images/yes-icon.png" alt-text="supported":::       |
+|Select cipher strength and algorithms for operating environment drives     |   :::image type="content" source="images/yes-icon.png" alt-text="supported":::      |   :::image type="content" source="images/yes-icon.png" alt-text="supported":::    |   :::image type="content" source="images/yes-icon.png" alt-text="supported":::      |
 |Standard recovery password storage location     |     Azure AD or Active Directory    |     Configuration Manager site database    |    MBAM database     |
 |Store recovery password for operating system and fixed drives to Azure AD or Active Directory     |    Yes (Active Directory and Azure AD)     | Yes (Active Directory only)      |   Yes (Active Directory only)      |
-|Customize preboot message and recovery link     | :::image type="content" source="images/yes-icon.png" alt-text="supported.":::         | :::image type="content" source="images/yes-icon.png" alt-text="supported.":::        |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::      |
-|Allow/deny key file creation     |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::     |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::      |
-|Deny Write permission to unprotected drives     |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |
-|Can be administered outside company network     |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::     |         |
-|Support for organization unique IDs     |         |      :::image type="content" source="images/yes-icon.png" alt-text="supported.":::   |     :::image type="content" source="images/yes-icon.png" alt-text="supported.":::    |
-|Self-service recovery      |    Yes (through Azure AD or Company Portal app)     |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::    |    :::image type="content" source="images/yes-icon.png" alt-text="supported.":::     |
-|Recovery password rotation for fixed and operating environment drives     |   Yes (Windows 10, version 1909 and later)     |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |
-|Wait to complete encryption until recovery information is backed up to Azure AD      |     :::image type="content" source="images/yes-icon.png" alt-text="supported.":::    |       |        |
-|Wait to complete encryption until recovery information is backed up to Active Directory      |         |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::     |    :::image type="content" source="images/yes-icon.png" alt-text="supported.":::     |
-|Allow or deny Data Recovery Agent     |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |
-|Unlock a volume using certificate with custom object identifier     |         |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::    |     :::image type="content" source="images/yes-icon.png" alt-text="supported.":::    |
-|Prevent memory overwrite on restart     |         |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |
-|Configure custom Trusted Platform Module Platform Configuration Register profiles     |         |       | :::image type="content" source="images/yes-icon.png" alt-text="supported.":::        |
-|Manage auto-unlock functionality     |         |    :::image type="content" source="images/yes-icon.png" alt-text="supported.":::     | :::image type="content" source="images/yes-icon.png" alt-text="supported.":::        |
+|Customize preboot message and recovery link     | :::image type="content" source="images/yes-icon.png" alt-text="supported":::         | :::image type="content" source="images/yes-icon.png" alt-text="supported":::        |   :::image type="content" source="images/yes-icon.png" alt-text="supported":::      |
+|Allow/deny key file creation     |  :::image type="content" source="images/yes-icon.png" alt-text="supported":::       |  :::image type="content" source="images/yes-icon.png" alt-text="supported":::     |   :::image type="content" source="images/yes-icon.png" alt-text="supported":::      |
+|Deny Write permission to unprotected drives     |  :::image type="content" source="images/yes-icon.png" alt-text="supported":::       |  :::image type="content" source="images/yes-icon.png" alt-text="supported":::       |  :::image type="content" source="images/yes-icon.png" alt-text="supported":::       |
+|Can be administered outside company network     |  :::image type="content" source="images/yes-icon.png" alt-text="supported":::       |  :::image type="content" source="images/yes-icon.png" alt-text="supported":::     |         |
+|Support for organization unique IDs     |         |      :::image type="content" source="images/yes-icon.png" alt-text="supported":::   |     :::image type="content" source="images/yes-icon.png" alt-text="supported":::    |
+|Self-service recovery      |    Yes (through Azure AD or Company Portal app)     |   :::image type="content" source="images/yes-icon.png" alt-text="supported":::    |    :::image type="content" source="images/yes-icon.png" alt-text="supported":::     |
+|Recovery password rotation for fixed and operating environment drives     |   Yes (Windows 10, version 1909 and later)     |  :::image type="content" source="images/yes-icon.png" alt-text="supported":::       |  :::image type="content" source="images/yes-icon.png" alt-text="supported":::       |
+|Wait to complete encryption until recovery information is backed up to Azure AD      |     :::image type="content" source="images/yes-icon.png" alt-text="supported":::    |       |        |
+|Wait to complete encryption until recovery information is backed up to Active Directory      |         |  :::image type="content" source="images/yes-icon.png" alt-text="supported":::     |    :::image type="content" source="images/yes-icon.png" alt-text="supported":::     |
+|Allow or deny Data Recovery Agent     |  :::image type="content" source="images/yes-icon.png" alt-text="supported":::       |  :::image type="content" source="images/yes-icon.png" alt-text="supported":::       |  :::image type="content" source="images/yes-icon.png" alt-text="supported":::       |
+|Unlock a volume using certificate with custom object identifier     |         |   :::image type="content" source="images/yes-icon.png" alt-text="supported":::    |     :::image type="content" source="images/yes-icon.png" alt-text="supported":::    |
+|Prevent memory overwrite on restart     |         |  :::image type="content" source="images/yes-icon.png" alt-text="supported":::       |  :::image type="content" source="images/yes-icon.png" alt-text="supported":::       |
+|Configure custom Trusted Platform Module Platform Configuration Register profiles     |         |       | :::image type="content" source="images/yes-icon.png" alt-text="supported":::        |
+|Manage auto-unlock functionality     |         |    :::image type="content" source="images/yes-icon.png" alt-text="supported":::     | :::image type="content" source="images/yes-icon.png" alt-text="supported":::        |
diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
index a72324edf4..eaccfb9c9f 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
@@ -298,18 +298,18 @@ This policy can be configured using GPO under **Computer Configuration** > **Adm
 It can also be configured using Intune mobile device management (MDM) in the BitLocker CSP:
 *\<LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage\</LocURI>*
 
-![Custom URL.](./images/bl-intune-custom-url.png)
+![Custom URL](./images/bl-intune-custom-url.png)
 
 Example of customized recovery screen:
 
-![Customized BitLocker Recovery Screen.](./images/bl-password-hint1.png)
+![Customized BitLocker Recovery Screen](./images/bl-password-hint1.png)
 
 
 ### BitLocker recovery key hints
 
 BitLocker metadata has been enhanced in Windows 10, version 1903 to include information about when and where the BitLocker recovery key was backed up. This information is not exposed through the UI or any public API. It is used solely by the BitLocker recovery screen in the form of hints to help a user locate a volume's recovery key. Hints are displayed on the recovery screen and refer to the location where the key has been saved. Hints are displayed on both the modern (blue) and legacy (black) recovery screen. This applies to both the boot manager recovery screen and the WinRE unlock screen.
 
-![Customized BitLocker recovery screen.](./images/bl-password-hint2.png)
+![Customized BitLocker recovery screen](./images/bl-password-hint2.png)
 
 > [!IMPORTANT]
 > We don't recommend printing recovery keys or saving them to a file. Instead, use Active Directory backup or a cloud-based backup. Cloud-based backup includes Azure Active Directory (Azure AD) and Microsoft Account.
@@ -339,7 +339,7 @@ There are rules governing which hint is shown during the recovery (in order of p
 
 **Result:** The hint for the Microsoft Account and the custom URL are displayed.
 
-![Example 1 of Customized BitLocker recovery screen.](./images/rp-example1.png)
+![Example 1 of Customized BitLocker recovery screen](./images/rp-example1.png)
 
 
 #### Example 2 (single recovery key with single backup)
@@ -354,7 +354,7 @@ There are rules governing which hint is shown during the recovery (in order of p
 
 **Result:** Only the custom URL is displayed.
 
-![Example 2 of customized BitLocker recovery screen.](./images/rp-example2.png)
+![Example 2 of customized BitLocker recovery screen](./images/rp-example2.png)
 
 
 #### Example 3 (single recovery key with multiple backups)
@@ -369,7 +369,7 @@ There are rules governing which hint is shown during the recovery (in order of p
 
 **Result:** Only the Microsoft Account hint is displayed.
 
-![Example 3 of customized BitLocker recovery screen.](./images/rp-example3.png)
+![Example 3 of customized BitLocker recovery screen](./images/rp-example3.png)
 
 
 #### Example 4  (multiple recovery passwords)
@@ -399,7 +399,7 @@ There are rules governing which hint is shown during the recovery (in order of p
 
 **Result:** Only the hint for a successfully backed up key is displayed, even if it isn't the most recent key.
 
-![Example 4 of customized BitLocker recovery screen.](./images/rp-example4.png)
+![Example 4 of customized BitLocker recovery screen](./images/rp-example4.png)
 
 
 #### Example 5  (multiple recovery passwords)
@@ -429,7 +429,7 @@ There are rules governing which hint is shown during the recovery (in order of p
 
 **Result:** The hint for the most recent key is displayed.
 
-![Example 5 of customized BitLocker recovery screen.](./images/rp-example5.png)
+![Example 5 of customized BitLocker recovery screen](./images/rp-example5.png)
 
 
 ## <a href="" id="bkmk-usingaddrecovery"></a>Using additional recovery information
diff --git a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
index e8045e225c..c6483a8057 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
@@ -52,7 +52,7 @@ manage-bde -status
 ```
 This command returns the volumes on the target, current encryption status, encryption method, and volume type (operating system or data) for each volume:
 
-![Using manage-bde to check encryption status.](images/manage-bde-status.png)
+![Using manage-bde to check encryption status](images/manage-bde-status.png)
 
 The following example illustrates enabling BitLocker on a computer without a TPM chip. Before beginning the encryption process, you must create the startup key needed for BitLocker and save it to the USB drive. When BitLocker is enabled for the operating system volume, the BitLocker will need to access the USB flash drive to obtain the encryption key (in this example, the drive letter E represents the USB drive). You will be prompted to reboot to complete the encryption process.
 
diff --git a/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md b/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md
index 664fb40db0..2a08e910d0 100644
--- a/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md
+++ b/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md
@@ -58,7 +58,7 @@ You can use Get-WinEvent in an elevated PowerShell window to display filtered in
 
    The output of such a command resembles the following.
 
-   ![Display of events that is produced by using Get-WinEvent and a BitLocker filter.](./images/psget-winevent-1.png)
+   ![Display of events that is produced by using Get-WinEvent and a BitLocker filter](./images/psget-winevent-1.png)
 
 - To export BitLocker-related information:
    ```ps
@@ -77,7 +77,7 @@ You can use Get-WinEvent in an elevated PowerShell window to display filtered in
 
    The output of such a command resembles the following.
 
-   ![Display of events that is produced by using Get-WinEvent and a TPM filter.](./images/psget-winevent-2.png)
+   ![Display of events that is produced by using Get-WinEvent and a TPM filter](./images/psget-winevent-2.png)
 
 > [!NOTE]
 > If you intend to contact Microsoft Support, we recommend that you export the logs listed in this section.
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md
index 6268e09343..d41b2c7bf1 100644
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md
@@ -82,11 +82,11 @@ To verify that this issue has occurred, follow these steps:
 
 1. Copy this output, and use it as part of the [**ConvertFrom-SddlString**](/powershell/module/microsoft.powershell.utility/convertfrom-sddlstring?view=powershell-6) command in the PowerShell window, as follows.
 
-   ![Output of the ConvertFrom-SddlString command, showing NT AUTHORITY\\INTERACTIVE.](./images/ts-bitlocker-usb-sddl.png)
+   ![Output of the ConvertFrom-SddlString command, showing NT AUTHORITY\\INTERACTIVE](./images/ts-bitlocker-usb-sddl.png)
 
    If you see NT AUTHORITY\INTERACTIVE (as highlighted), in the output of this command, this is the cause of the issue. Under typical conditions, the output should resemble the following:
 
-   ![Output of the ConvertFrom-SddlString command, showing NT AUTHORITY\\Authenticated Users.](./images/ts-bitlocker-usb-default-sddl.png)
+   ![Output of the ConvertFrom-SddlString command, showing NT AUTHORITY\\Authenticated Users](./images/ts-bitlocker-usb-default-sddl.png)
 
 > [!NOTE]
 > GPOs that change the security descriptors of services have been known to cause this issue.
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md b/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md
index 1def746b1f..bab9c21e3e 100644
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md
@@ -45,11 +45,11 @@ To install the tool, follow these steps:
 
 1. Accept the default installation path.
 
-   ![Specify Location page of the Windows Hardware Lab Kit installation wizard.](./images/ts-tpm-1.png)
+   ![Specify Location page of the Windows Hardware Lab Kit installation wizard](./images/ts-tpm-1.png)
 
 1. Under **Select the features you want to install**, select **Windows Hardware Lab Kit&mdash;Controller + Studio**.
 
-   ![Select features page of the Windows Hardware Lab Kit installation wizard.](./images/ts-tpm-2.png)
+   ![Select features page of the Windows Hardware Lab Kit installation wizard](./images/ts-tpm-2.png)
 
 1. Finish the installation.
 
@@ -60,7 +60,7 @@ To use TBSLogGenerator, follow these steps:
 
    This folder contains the TBSLogGenerator.exe file.
 
-   ![Properties and location of the TBSLogGenerator.exe file.](./images/ts-tpm-3.png)
+   ![Properties and location of the TBSLogGenerator.exe file](./images/ts-tpm-3.png)
 
 1. Run the following command:
    ```cmd
@@ -78,19 +78,19 @@ To use TBSLogGenerator, follow these steps:
     TBSLogGenerator.exe -LF C:\MeasuredBoot\0000000005-0000000000.log > C:\MeasuredBoot\0000000005-0000000000.txt
     ```
 
-   ![Command Prompt window that shows an example of how to use TBSLogGenerator.](./images/ts-tpm-4.png)
+   ![Command Prompt window that shows an example of how to use TBSLogGenerator](./images/ts-tpm-4.png)
 
    The command produces a text file that uses the specified name. In the case of the example, the file is **0000000005-0000000000.txt**. The file is located in the same folder as the original .log file.
 
-   ![Windows Explorer window that shows the text file that TBSLogGenerator produces.](./images/ts-tpm-5.png)
+   ![Windows Explorer window that shows the text file that TBSLogGenerator produces](./images/ts-tpm-5.png)
 
 The content of this text file resembles the following.
 
-![Contents of the text file, as shown in NotePad.](./images/ts-tpm-6.png)
+![Contents of the text file, as shown in NotePad](./images/ts-tpm-6.png)
 
 To find the PCR information, go to the end of the file.
 
-   ![View of NotePad that shows the PCR information at the end of the text file.](./images/ts-tpm-7.png)
+   ![View of NotePad that shows the PCR information at the end of the text file](./images/ts-tpm-7.png)
 
 ## Use PCPTool to decode Measured Boot logs
 
@@ -114,4 +114,4 @@ where the variables represent the following values:
 
 The content of the XML file resembles the following.
 
-![Command Prompt window that shows an example of how to use PCPTool.](./images/pcptool-output.jpg)
+![Command Prompt window that shows an example of how to use PCPTool](./images/pcptool-output.jpg)
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md
index 611dc64098..60c34a7bb6 100644
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md
@@ -20,7 +20,7 @@ ms.custom: bitlocker
 
 This article helps you troubleshoot issues that you may experience if you use Microsoft Intune policy to manage silent BitLocker encryption on devices. The Intune portal indicates whether BitLocker has failed to encrypt one or more managed devices.
 
-![The BitLocker status indictors on the Intune portal.](./images/4509189-en-1.png)
+![The BitLocker status indictors on the Intune portal](./images/4509189-en-1.png)
 
 To start narrowing down the cause of the problem, review the event logs as described in [Troubleshoot BitLocker](troubleshoot-bitlocker.md). Concentrate on the Management and Operations logs in the **Applications and Services logs\\Microsoft\\Windows\\BitLocker-API** folder. The following sections provide more information about how to resolve the indicated events and error messages:
 
@@ -43,7 +43,7 @@ For information about how to verify that Intune policies are enforcing BitLocker
 
 Event ID 853 can carry different error messages, depending on the context. In this case, the Event ID 853 error message indicates that the device does not appear to have a TPM. The event information resembles the following:
 
-![Details of event ID 853 (TPM is not available, cannot find TPM).](./images/4509190-en-1.png)
+![Details of event ID 853 (TPM is not available, cannot find TPM)](./images/4509190-en-1.png)
 
 ### Cause
 
@@ -64,7 +64,7 @@ For more information, see [Troubleshoot the TPM](../tpm/initialize-and-configure
 
 In this case, you see event ID 853, and the error message in the event indicates that bootable media is available to the device. The event information resembles the following.
 
-![Details of event ID 853 (TPM is not available, bootable media found).](./images/4509191-en-1.png)
+![Details of event ID 853 (TPM is not available, bootable media found)](./images/4509191-en-1.png)
 
 ### Cause
 
@@ -100,7 +100,7 @@ You can resolve this issue by verifying the configuration of the disk partitions
 
 The procedures described in this section depend on the default disk partitions that Windows configures during installation. Windows 10 automatically creates a recovery partition that contains the Winre.wim file. The partition configuration resembles the following.
 
-![Default disk partitions, including the recovery partition.](./images/4509194-en-1.png)
+![Default disk partitions, including the recovery partition](./images/4509194-en-1.png)
 
 To verify the configuration of the disk partitions, open an elevated Command Prompt window, and run the following commands:
 
@@ -108,11 +108,11 @@ To verify the configuration of the disk partitions, open an elevated Command Pro
 diskpart 
 list volume
 ```
-![Output of the list volume command in the Diskpart app.](./images/4509195-en-1.png)
+![Output of the list volume command in the Diskpart app](./images/4509195-en-1.png)
 
 If the status of any of the volumes is not healthy or if the recovery partition is missing, you may have to reinstall Windows. Before you do this, check the configuration of the Windows image that you are using for provisioning. Make sure that the image uses the correct disk configuration. The image configuration should resemble the following (this example is from Microsoft Endpoint Configuration Manager).
 
-![Windows image configuration in Microsoft Endpoint Configuration Manager.](./images/configmgr-imageconfig.jpg)
+![Windows image configuration in Microsoft Endpoint Configuration Manager](./images/configmgr-imageconfig.jpg)
 
 #### Step 2: Verify the status of WinRE
 
@@ -123,7 +123,7 @@ reagentc /info
 ```
 The output of this command resembles the following.
 
-![Output of the reagentc /info command.](./images/4509193-en-1.png)
+![Output of the reagentc /info command](./images/4509193-en-1.png)
 
 If the **Windows RE status** is not **Enabled**, run the following command to enable it:
 
@@ -141,7 +141,7 @@ bcdedit /enum all
 
 The output of this command resembles the following.
 
-![Output of the bcdedit /enum all command.](./images/4509196-en-1.png)
+![Output of the bcdedit /enum all command](./images/4509196-en-1.png)
 
 In the output, locate the **Windows Boot Loader** section that includes the line **identifier={current}**. In that section, locate the **recoverysequence** attribute. The value of this attribute should be a GUID value, not a string of zeros.
 
@@ -163,7 +163,7 @@ To verify the BIOS mode, use the System Information app. To do this, follow thes
 
 1. Select **Start**, and enter **msinfo32** in the **Search** box.
 1. Verify that the **BIOS Mode** setting is **UEFI** and not **Legacy**.  
-   ![System Information app, showing the BIOS Mode setting.](./images/4509198-en-1.png)
+   ![System Information app, showing the BIOS Mode setting](./images/4509198-en-1.png)
 1. If the **BIOS Mode** setting is **Legacy**, you have to switch the BIOS into **UEFI** or **EFI** mode. The steps for doing this are specific to the device.
    > [!NOTE]
    > If the device supports only Legacy mode, you cannot use Intune to manage BitLocker Device Encryption on the device.
@@ -192,11 +192,11 @@ Manage-bde -protectors -get %systemdrive%
 
 In the TPM section of the output of this command, verify that the **PCR Validation Profile** setting includes **7**, as follows.
 
-![Output of the manage-bde command.](./images/4509199-en-1.png)
+![Output of the manage-bde command](./images/4509199-en-1.png)
 
 If **PCR Validation Profile** doesn't include **7** (for example, the values include **0**, **2**, **4**, and **11**, but not **7**), then Secure Boot is not turned on.
 
-![Output of the manage-bde command when PCR 7 is not present.](./images/4509200-en-1.png)
+![Output of the manage-bde command when PCR 7 is not present](./images/4509200-en-1.png)
 
 #### 2. Verify the Secure Boot state
 
@@ -204,9 +204,9 @@ To verify the Secure Boot state, use the System Information app. To do this, fol
 
 1. Select **Start**, and enter **msinfo32** in the **Search** box.
 1. Verify that the **Secure Boot State** setting is **On**, as follows:  
-   ![System Information app, showing a supported Secure Boot State.](./images/4509201-en-1.png)
+   ![System Information app, showing a supported Secure Boot State](./images/4509201-en-1.png)
 1. If the **Secure Boot State** setting is **Unsupported**, you cannot use Silent BitLocker Encryption on this device.  
-   ![System Information app, showing a unsupported Secure Boot State.](./images/4509202-en-1.png)
+   ![System Information app, showing a unsupported Secure Boot State](./images/4509202-en-1.png)
 
 > [!NOTE]
 > You can also use the [Confirm-SecureBootUEFI](/powershell/module/secureboot/confirm-securebootuefi?view=win10-ps) cmdlet to verify the Secure Boot state. To do this, open an elevated PowerShell window and run the following command:
@@ -290,7 +290,7 @@ If your device runs Windows 10 version 1703 or later, supports Modern Standby (a
 
 If your device is HSTI-compliant but does not support Modern Standby, you have to configure an endpoint protection policy to enforce silent BitLocker Drive Encryption. The settings for this policy should resemble the following:
 
-![Intune policy settings.](./images/4509186-en-1.png)
+![Intune policy settings](./images/4509186-en-1.png)
 
 The OMA-URI references for these settings are as follows:
 
@@ -316,7 +316,7 @@ The Intune 1901 release provides settings that you can use to configure automati
 - Support Modern Standby
 - Use Windows 10 version 1803 or later
 
-![Intune policy setting.](./images/4509188-en-1.png)
+![Intune policy setting](./images/4509188-en-1.png)
 
 The OMA-URI references for these settings are as follows:
 
@@ -331,17 +331,17 @@ The OMA-URI references for these settings are as follows:
 
 During regular operations, BitLocker Drive Encryption generates events such as Event ID 796 and Event ID 845.
 
-![Event ID 796, as shown in Event Viewer.](./images/4509203-en-1.png)
+![Event ID 796, as shown in Event Viewer](./images/4509203-en-1.png)
 
-![Event ID 845, as shown in Event Viewer.](./images/4509204-en-1.png)
+![Event ID 845, as shown in Event Viewer](./images/4509204-en-1.png)
 
 You can also determine whether the BitLocker recovery password has been uploaded to Azure AD by checking the device details in the Azure AD Devices section.
 
-![BitLocker recovery information as viewed in Azure AD.](./images/4509205-en-1.png)
+![BitLocker recovery information as viewed in Azure AD](./images/4509205-en-1.png)
 
 On the device, check the Registry Editor to verify the policy settings on the device. Verify the entries under the following subkeys:
 
 - **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\current\\device\\BitLocker**
 - **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\current\\device**  
 
-![Registry subkeys that relate to Intune policy.](./images/4509206-en-1.png)
\ No newline at end of file
+![Registry subkeys that relate to Intune policy](./images/4509206-en-1.png)
\ No newline at end of file
diff --git a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
index 768d8cdd75..31fc1097a4 100644
--- a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
+++ b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
@@ -53,7 +53,7 @@ By default, peripherals with DMA Remapping incompatible drivers will be blocked
 
 ## User experience
 
-![Kernel DMA protection user experience.](images/kernel-dma-protection-user-experience.png)
+![Kernel DMA protection user experience](images/kernel-dma-protection-user-experience.png)
 
 By default, peripherals with DMA remapping compatible device drivers will be automatically enumerated and started. Peripherals with DMA Remapping incompatible drivers will be blocked from starting if the peripheral was plugged in before an authorized user logs in, or while the screen is locked. Once the system is unlocked, the peripheral driver will be started by the OS, and the peripheral will continue to function normally until the system is rebooted, or the peripheral is unplugged. 
 The peripheral will continue to function normally if the user locks the screen or logs out of the system.
@@ -77,7 +77,7 @@ Systems running Windows 10 version 1803 that do support Kernel DMA Protection do
 
 Beginning with Windows 10 version 1809, you can use Security Center to check if Kernel DMA Protection is enabled. Click **Start** > **Settings** > **Update & Security** > **Windows Security** > **Open Windows Security** > **Device security** > **Core isolation details** > **Memory access protection**.
 
-![Kernel DMA protection in Security Center.](bitlocker/images/kernel-dma-protection-security-center.png)
+![Kernel DMA protection in Security Center](bitlocker/images/kernel-dma-protection-security-center.png)
 
 ### Using System information
 
@@ -85,7 +85,7 @@ Beginning with Windows 10 version 1809, you can use Security Center to check if
 
 2. Check the value of **Kernel DMA Protection**.
 
-   ![Kernel DMA protection in System Information.](bitlocker/images/kernel-dma-protection.png)
+   ![Kernel DMA protection in System Information](bitlocker/images/kernel-dma-protection.png)
    
 3. If the current state of **Kernel DMA Protection** is OFF and **Hyper-V - Virtualization Enabled in Firmware** is NO:
 
@@ -113,11 +113,11 @@ No, Kernel DMA Protection only protects against drive-by DMA attacks after the O
 DMA-remapping is supported for specific device drivers, and is not universally supported by all devices and drivers on a platform. To check if a specific driver is opted into DMA-remapping, check the values corresponding to the DMA Remapping Policy property in the Details tab of a device in Device Manager*. A value of 0 or 1 means that the device driver does not support DMA-remapping. A value of 2 means that the device driver supports DMA-remapping. If the property is not available, then the policy is not set by the device driver (i.e. the device driver does not support DMA-remapping).
 Please check the driver instance for the device you are testing. Some drivers may have varying values depending on the location of the device (internal vs. external).
 
-![Kernel DMA protection user experience.](images/device_details_tab_1903.png)
+![Kernel DMA protection user experience](images/device_details_tab_1903.png)
 
 *For Windows 10 versions 1803 and 1809, the property field in Device Manager uses a GUID, as highlighted in the following image. 
 
-![Kernel DMA protection user experience.](images/device-details-tab.png)
+![Kernel DMA protection user experience](images/device-details-tab.png)
 
 ### What should I do if the drivers for my PCI or Thunderbolt™ 3 peripherals do not support DMA-remapping?
 
diff --git a/windows/security/information-protection/secure-the-windows-10-boot-process.md b/windows/security/information-protection/secure-the-windows-10-boot-process.md
index 3d8754473d..721ae1e1e3 100644
--- a/windows/security/information-protection/secure-the-windows-10-boot-process.md
+++ b/windows/security/information-protection/secure-the-windows-10-boot-process.md
@@ -55,7 +55,7 @@ Windows 10 supports four features to help prevent rootkits and bootkits from lo
 Figure 1 shows the Windows 10 startup process.
 
 
-![Windows 10 startup process.](./images/dn168167.boot_process(en-us,MSDN.10).png)
+![Windows 10 startup process](./images/dn168167.boot_process(en-us,MSDN.10).png)
 
 **Figure 1. Secure Boot, Trusted Boot, and Measured Boot block malware at every stage**
 
@@ -115,7 +115,7 @@ Depending on the implementation and configuration, the server can now determine
 Figure 2 illustrates the Measured Boot and remote attestation process.
 
 
-![Measured Boot and remote attestation process.](./images/dn168167.measure_boot(en-us,MSDN.10).png)
+![Measured Boot and remote attestation process](./images/dn168167.measure_boot(en-us,MSDN.10).png)
 
 
 **Figure 2. Measured Boot proves the PC’s health to a remote server**
diff --git a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md
index dd9e12558e..06d8c54066 100644
--- a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md
+++ b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md
@@ -84,7 +84,7 @@ Identity providers have flexibility in how they provision credentials on client
 
 •	**Attestation identity key**. To protect privacy, most TPM scenarios do not directly use an actual endorsement key. Instead, they use attestation identity keys, and an identity certificate authority (CA) uses the endorsement key and its certificate to prove that one or more attestation identity keys actually exist in a real TPM. The identity CA issues attestation identity key certificates. More than one identity CA will generally see the same endorsement key certificate that can uniquely identify the TPM, but any number of attestation identity key certificates can be created to limit the information shared in other scenarios.
 
-![TPM Capabilities.](images/tpm-capabilities.png)
+![TPM Capabilities](images/tpm-capabilities.png)
 
 *Figure 1:  TPM Cryptographic Key Management*
 
@@ -126,7 +126,7 @@ The TPM provides the following way for scenarios to use the measurements recorde
 
 When new security features are added to Windows, Measured Boot adds security-relevant configuration information to the measurements recorded in the TPM. Measured Boot enables remote attestation scenarios that reflect the system firmware and the Windows initialization state.
 
-![Process to Create Evidence of Boot Software and Configuration Using TPM.](images/process-to-create-evidence-of-boot-software-and-configuration-using-tpm.png)
+![Process to Create Evidence of Boot Software and Configuration Using TPM](images/process-to-create-evidence-of-boot-software-and-configuration-using-tpm.png)
 
 *Figure 2:  Process used to create evidence of boot software and configuration using a TPM*
 
diff --git a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
index 5a5e12feb9..4a5ddd2df2 100644
--- a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
+++ b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
@@ -91,7 +91,7 @@ It's possible that you might revoke data from an unenrolled device only to later
 
    To start Robocopy in S mode, open Task Manager. Click **File** > **Run new task**, type the command, and click **Create this task with administrative privileges**.
    
-   ![Robocopy in S mode.](images/robocopy-s-mode.png)
+   ![Robocopy in S mode](images/robocopy-s-mode.png)
 
    If the employee performed a clean installation and there is no user profile, you need to recover the keys from the System Volume folder in each drive. Type: 
     
diff --git a/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
index 909073181d..a605d96688 100644
--- a/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
@@ -34,11 +34,11 @@ Follow these steps to associate your WIP policy with your organization's existin
 
 2. Open the Microsoft Intune mobile application management console, click **Device configuration**, and then click **Create Profile**.
 
-    ![Microsoft Intune, Create a new policy using the portal.](images/wip-azure-vpn-device-policy.png)
+    ![Microsoft Intune, Create a new policy using the portal](images/wip-azure-vpn-device-policy.png)
 
 3.  In the **Create Profile** blade, type a name for your profile, such as *Contoso_VPN_Win10*, into the **Name** box, add an optional description for your policy into the **Description** box, select **Windows 10 and later** from the **Platform** dropdown box, select **Custom** from the **Profile type** dropdown box, and then click **Configure**.
 
-    ![Microsoft Intune, Create a new policy using the Create Profile blade.](images/wip-azure-vpn-configure-policy.png)
+    ![Microsoft Intune, Create a new policy using the Create Profile blade](images/wip-azure-vpn-configure-policy.png)
 
 4. In the **Custom OMA-URI Settings** blade, click **Add**.
 
@@ -54,7 +54,7 @@ Follow these steps to associate your WIP policy with your organization's existin
     
     - **Value.** Type your fully-qualified domain that should be used by the OMA-URI setting. For example, _corp.contoso.com_.
 
-        ![Microsoft Intune, Add your OMA-URI settings.](images/wip-azure-vpn-custom-omauri.png)
+        ![Microsoft Intune, Add your OMA-URI settings](images/wip-azure-vpn-custom-omauri.png)
 
 6. Click **OK** to save your setting info in the **Add Row** blade, and then click **OK** in the **Custom OMA-URI Settings** blade to save the setting with your policy.
 
@@ -73,7 +73,7 @@ After you’ve created your VPN policy, you'll need to deploy it to the same gro
 
     The policy is deployed to the selected users' devices.
 
-    ![Microsoft Intune: Pick your user groups that should get the policy when it's deployed.](images/wip-azure-add-user-groups.png)
+    ![Microsoft Intune: Pick your user groups that should get the policy when it's deployed](images/wip-azure-add-user-groups.png)
 
 >[!NOTE]
 >Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
\ No newline at end of file
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md
index 32511b9cd5..f13e30a044 100644
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md
@@ -36,12 +36,12 @@ After you've installed and set up Configuration Manager for your organization, y
 
 1.  Open the Configuration Manager console, click the **Assets and Compliance** node, expand the **Overview** node, expand the **Compliance Settings** node, and then expand the **Configuration Items** node.
 
-    ![Configuration Manager, Configuration Items screen.](images/wip-configmgr-addpolicy.png)
+    ![Configuration Manager, Configuration Items screen](images/wip-configmgr-addpolicy.png)
 
 2.  Click the **Create Configuration Item** button.<p>
 The **Create Configuration Item Wizard** starts.
 
-    ![Create Configuration Item wizard, define the configuration item and choose the configuration type.](images/wip-configmgr-generalscreen.png)
+    ![Create Configuration Item wizard, define the configuration item and choose the configuration type](images/wip-configmgr-generalscreen.png)
 
 3.  On the **General Information screen**, type a name (required) and an optional description for your policy into the **Name** and **Description** boxes.
 
@@ -55,11 +55,11 @@ The **Create Configuration Item Wizard** starts.
 
 5.  On the **Supported Platforms** screen, click the **Windows 10** box, and then click **Next**.
 
-    ![Create Configuration Item wizard, choose the supported platforms for the policy.](images/wip-configmgr-supportedplat.png)
+    ![Create Configuration Item wizard, choose the supported platforms for the policy](images/wip-configmgr-supportedplat.png)
 
 6.  On the **Device Settings** screen, click **Windows Information Protection**, and then click **Next**.
 
-    ![Create Configuration Item wizard, choose the Windows Information Protection settings.](images/wip-configmgr-devicesettings.png)
+    ![Create Configuration Item wizard, choose the Windows Information Protection settings](images/wip-configmgr-devicesettings.png)
 
 The **Configure Windows Information Protection settings** page appears, where you'll configure your policy for your organization.
 
@@ -81,7 +81,7 @@ For this example, we're going to add Microsoft OneNote, a store app, to the **Ap
 
     The **Add app rule** box appears.
 
-    ![Create Configuration Item wizard, add a universal store app.](images/wip-configmgr-adduniversalapp.png)
+    ![Create Configuration Item wizard, add a universal store app](images/wip-configmgr-adduniversalapp.png)
 
 2.  Add a friendly name for your app into the **Title** box. In this example, it's *Microsoft OneNote*.
 
@@ -141,7 +141,7 @@ For this example, we're going to add Internet Explorer, a desktop app, to the **
 
     The **Add app rule** box appears.
 
-    ![Create Configuration Item wizard, add a classic desktop app.](images/wip-configmgr-adddesktopapp.png)
+    ![Create Configuration Item wizard, add a classic desktop app](images/wip-configmgr-adddesktopapp.png)
 
 2.  Add a friendly name for your app into the **Title** box. In this example, it's *Internet Explorer*.
 
@@ -218,7 +218,7 @@ For this example, we're going to add an AppLocker XML file to the **App Rules**
 
 2.  In the left pane, expand **Application Control Policies**, expand **AppLocker**, and then click **Packaged App Rules**.
 
-    ![Local security snap-in, showing the Packaged app Rules.](images/intune-local-security-snapin.png)
+    ![Local security snap-in, showing the Packaged app Rules](images/intune-local-security-snapin.png)
 
 3.  Right-click in the right-hand pane, and then click **Create New Rule**.
 
@@ -226,33 +226,33 @@ For this example, we're going to add an AppLocker XML file to the **App Rules**
 
 4. On the **Before You Begin** page, click **Next**.
 
-    ![Create a Packaged app Rules wizard and showing the Before You Begin page.](images/intune-applocker-before-begin.png)
+    ![Create a Packaged app Rules wizard and showing the Before You Begin page](images/intune-applocker-before-begin.png)
 
 5. On the **Permissions** page, make sure the **Action** is set to **Allow** and the **User or group** is set to **Everyone**, and then click **Next**.
 
-    ![Create Packaged app Rules wizard, set action to Allow.](images/intune-applocker-permissions.png)
+    ![Create Packaged app Rules wizard, set action to Allow](images/intune-applocker-permissions.png)
 
 6.  On the **Publisher** page, click **Select** from the **Use an installed packaged app as a reference** area.
 
-    ![Create Packaged app Rules wizard, select use an installed packaged app.](images/intune-applocker-publisher.png)
+    ![Create Packaged app Rules wizard, select use an installed packaged app](images/intune-applocker-publisher.png)
 
 7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, we're using Microsoft Photos.
 
-    ![Create Packaged app Rules wizard, select application and click ok.](images/intune-applocker-select-apps.png)
+    ![Create Packaged app Rules wizard, select application and click ok](images/intune-applocker-select-apps.png)
 
 8. On the updated **Publisher** page, click **Create**.
 
-    ![Create Packaged app Rules wizard, showing the Microsoft Photos on the Publisher page.](images/intune-applocker-publisher-with-app.png)
+    ![Create Packaged app Rules wizard, showing the Microsoft Photos on the Publisher page](images/intune-applocker-publisher-with-app.png)
 
 9. Review the Local Security Policy snap-in to make sure your rule is correct.
 
-    ![Local security snap-in, showing the new rule.](images/intune-local-security-snapin-updated.png)
+    ![Local security snap-in, showing the new rule](images/intune-local-security-snapin-updated.png)
 
 10. In the left pane, right-click on **AppLocker**, and then click **Export policy**.
 
     The **Export policy** box opens, letting you export and save your new policy as XML.
 
-    ![Local security snap-in, showing the Export Policy option.](images/intune-local-security-export.png)
+    ![Local security snap-in, showing the Export Policy option](images/intune-local-security-export.png)
 
 11. In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then click **Save**.
 
@@ -286,7 +286,7 @@ For this example, we're going to add an AppLocker XML file to the **App Rules**
 
     The **Add app rule** box appears.
 
-    ![Create Configuration Item wizard, add an AppLocker policy.](images/wip-configmgr-addapplockerfile.png)
+    ![Create Configuration Item wizard, add an AppLocker policy](images/wip-configmgr-addapplockerfile.png)
 
 2.  Add a friendly name for your app into the **Title** box. In this example, it's *Allowed app list*.
 
@@ -353,7 +353,7 @@ You can specify multiple domains owned by your enterprise by separating them wit
 
 - Type the name of your corporate identity into the **Corporate identity** field. For example, `contoso.com` or `contoso.com|newcontoso.com`.
 
-    ![Create Configuration Item wizard, Add the primary Internet domain for your enterprise identity.](images/wip-configmgr-corp-identity.png)
+    ![Create Configuration Item wizard, Add the primary Internet domain for your enterprise identity](images/wip-configmgr-corp-identity.png)
 
 ## Choose where apps can access enterprise data
 After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network.
@@ -372,7 +372,7 @@ There are no default locations included with WIP, you must add each of your netw
 
 2. Type a name for your corporate network element into the **Name** box, and then pick what type of network element it is, from the **Network element** drop-down box. This can include any of the options in the following table.
 
-   ![Add or edit corporate network definition box, Add your enterprise network locations.](images/wip-configmgr-add-network-domain.png)
+   ![Add or edit corporate network definition box, Add your enterprise network locations](images/wip-configmgr-add-network-domain.png)
 
    <table>
        <tr>
@@ -431,7 +431,7 @@ There are no default locations included with WIP, you must add each of your netw
 
 5. In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy.
 
-   ![Create Configuration Item wizard, Add a data recovery agent (DRA) certificate.](images/wip-configmgr-dra.png)
+   ![Create Configuration Item wizard, Add a data recovery agent (DRA) certificate](images/wip-configmgr-dra.png)
 
    After you create and deploy your WIP policy to your employees, Windows will begin to encrypt your corporate data on the employees' local device drive. If somehow the employees' local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data. 
 
@@ -440,7 +440,7 @@ There are no default locations included with WIP, you must add each of your netw
 ## Choose your optional WIP-related settings
 After you've decided where your protected apps can access enterprise data on your network, you'll be asked to decide if you want to add any optional WIP settings.
 
-![Create Configuration Item wizard, Choose any additional, optional settings.](images/wip-configmgr-additionalsettings.png)
+![Create Configuration Item wizard, Choose any additional, optional settings](images/wip-configmgr-additionalsettings.png)
 
 **To set your optional settings**
 1.  Choose to set any or all of the optional settings:
@@ -467,7 +467,7 @@ After you've finished configuring your policy, you can review all of your info o
 **To view the Summary screen**
 - Click the **Summary** button to review your policy choices, and then click **Next** to finish and to save your policy.
 
-    ![Create Configuration Item wizard, Summary screen for all of your policy choices.](images/wip-configmgr-summaryscreen.png)
+    ![Create Configuration Item wizard, Summary screen for all of your policy choices](images/wip-configmgr-summaryscreen.png)
 
     A progress bar appears, showing you progress for your policy. After it's done, click **Close** to return to the **Configuration Items** page.
 
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
index 0442c3778a..17dcaff4f3 100644
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
@@ -50,7 +50,7 @@ Before you can create a WIP policy using Intune, you need to configure an MDM or
 
 3. Click **Restore Default URLs** or enter the settings for MDM or MAM user scope and click **Save**:
 
-   ![Configure MDM or MAM provider.](images/mobility-provider.png)
+   ![Configure MDM or MAM provider](images/mobility-provider.png)
 
 ## Create a WIP policy
 
@@ -58,7 +58,7 @@ Before you can create a WIP policy using Intune, you need to configure an MDM or
 
 2. Open Microsoft Intune and click **Apps** > **App protection policies** > **Create policy**.
 
-   ![Open Client apps.](images/create-app-protection-policy.png)
+   ![Open Client apps](images/create-app-protection-policy.png)
 
 3. In the **App policy** screen, click **Add a policy**, and then fill out the fields:
 
@@ -70,11 +70,11 @@ Before you can create a WIP policy using Intune, you need to configure an MDM or
 
    - **Enrollment state.** Choose **Without enrollment** for MAM or **With enrollment** for MDM.
 
-   ![Add a mobile app policy.](images/add-a-mobile-app-policy.png)
+   ![Add a mobile app policy](images/add-a-mobile-app-policy.png)
 
 4. Click **Protected apps** and then click **Add apps**.
 
-   ![Add protected apps.](images/add-protected-apps.png)
+   ![Add protected apps](images/add-protected-apps.png)
 
    You can add these types of apps:
 
@@ -89,7 +89,7 @@ Before you can create a WIP policy using Intune, you need to configure an MDM or
 
 Select **Recommended apps** and select each app you want to access your enterprise data or select them all, and click **OK**.
 
-![Microsoft Intune management console: Recommended apps.](images/recommended-apps.png)    
+![Microsoft Intune management console: Recommended apps](images/recommended-apps.png)    
 
 ### Add Store apps 
 
@@ -99,7 +99,7 @@ Select **Store apps**, type the app product name and publisher, and click **OK**
 - **Publisher**: `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
 - **Product Name**: `Microsoft.MicrosoftPowerBIForWindows`
 
-![Add Store app.](images/add-a-protected-store-app.png)
+![Add Store app](images/add-a-protected-store-app.png)
 
 To add multiple Store apps, click the ellipsis **…**. 
 
@@ -201,7 +201,7 @@ To add **Desktop apps**, complete the following fields, based on what results yo
 
 To add another Desktop app, click the ellipsis **…**. After you’ve entered the info into the fields, click **OK**.
 
-![Microsoft Intune management console: Adding Desktop app info.](images/wip-azure-add-desktop-apps.png)
+![Microsoft Intune management console: Adding Desktop app info](images/wip-azure-add-desktop-apps.png)
  
 If you’re unsure about what to include for the publisher, you can run this PowerShell command:
 
@@ -242,7 +242,7 @@ For more info about AppLocker, see the [AppLocker](../../threat-protection/windo
     
 2. In the left blade, expand **Application Control Policies**, expand **AppLocker**, and then click **Packaged App Rules**.
 
-    ![Local security snap-in, showing the Packaged app Rules.](images/wip-applocker-secpol-1.png)
+    ![Local security snap-in, showing the Packaged app Rules](images/wip-applocker-secpol-1.png)
 
 3. Right-click in the right-hand blade, and then click **Create New Rule**.
 
@@ -250,7 +250,7 @@ For more info about AppLocker, see the [AppLocker](../../threat-protection/windo
 
 4.  On the **Before You Begin** page, click **Next**.
 
-    ![Screenshot of the Before You Begin tab.](images/wip-applocker-secpol-wizard-1.png)
+    ![Screenshot of the Before You Begin tab](images/wip-applocker-secpol-wizard-1.png)
 
 5.  On the **Permissions** page, make sure the **Action** is set to **Allow** and the **User or group** is set to **Everyone**, and then click **Next**.
 
@@ -262,25 +262,25 @@ For more info about AppLocker, see the [AppLocker](../../threat-protection/windo
 
 7.  In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, we’re using Microsoft Dynamics 365.
 
-    ![Screenshot of the Select applications list.](images/wip-applocker-secpol-wizard-4.png)
+    ![Screenshot of the Select applications list](images/wip-applocker-secpol-wizard-4.png)
 
 8.  On the updated **Publisher** page, click **Create**.
 
-    ![Screenshot of the Publisher tab.](images/wip-applocker-secpol-wizard-5.png)
+    ![Screenshot of the Publisher tab](images/wip-applocker-secpol-wizard-5.png)
 
 9.  Click **No** in the dialog box that appears, asking if you want to create the default rules. You must not create default rules for your WIP policy.
 
-    ![Screenshot of AppLocker warning.](images/wip-applocker-default-rule-warning.png)
+    ![Screenshot of AppLocker warning](images/wip-applocker-default-rule-warning.png)
 
 9.  Review the Local Security Policy snap-in to make sure your rule is correct.
 
-    ![Local security snap-in, showing the new rule.](images/wip-applocker-secpol-create.png)
+    ![Local security snap-in, showing the new rule](images/wip-applocker-secpol-create.png)
 
 10. In the left blade, right-click on **AppLocker**, and then click **Export policy**.
 
     The **Export policy** box opens, letting you export and save your new policy as XML.
 
-    ![Local security snap-in, showing the Export Policy option.](images/wip-applocker-secpol-export.png)
+    ![Local security snap-in, showing the Export Policy option](images/wip-applocker-secpol-export.png)
 
 11. In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then click **Save**.
 
@@ -320,7 +320,7 @@ The executable rule helps to create an AppLocker rule to sign any unsigned apps.
 
 3. Right-click **Executable Rules** > **Create New Rule**.
 
-   ![Local security snap-in, showing the Executable Rules.](images/create-new-path-rule.png)
+   ![Local security snap-in, showing the Executable Rules](images/create-new-path-rule.png)
 
 4. On the **Before You Begin** page, click **Next**.
 
@@ -328,11 +328,11 @@ The executable rule helps to create an AppLocker rule to sign any unsigned apps.
 
 6. On the **Conditions** page, click **Path** and then click **Next**.
 
-    ![Screenshot with Path conditions selected in the Create Executable Rules wizard.](images/path-condition.png)
+    ![Screenshot with Path conditions selected in the Create Executable Rules wizard](images/path-condition.png)
 
 7. Click **Browse Folders...** and select the path for the unsigned apps. For this example, we’re using "C:\Program Files".
 
-    ![Screenshot of the Path field of the Create Executable Rules wizard.](images/select-path.png)
+    ![Screenshot of the Path field of the Create Executable Rules wizard](images/select-path.png)
 
 8. On the **Exceptions** page, add any exceptions and then click **Next**.
 
@@ -351,11 +351,11 @@ The executable rule helps to create an AppLocker rule to sign any unsigned apps.
 
 1. In **Protected apps**, click **Import apps**.
 
-    ![Import protected apps.](images/import-protected-apps.png)
+    ![Import protected apps](images/import-protected-apps.png)
     
     Then import your file.
     
-    ![Microsoft Intune, Importing your AppLocker policy file using Intune.](images/wip-azure-import-apps.png)
+    ![Microsoft Intune, Importing your AppLocker policy file using Intune](images/wip-azure-import-apps.png)
 
 2. Browse to your exported AppLocker policy file, and then click **Open**.
 
@@ -366,7 +366,7 @@ If your app is incompatible with WIP, but still needs to be used with enterprise
 
 1. In **Client apps - App protection policies**, click **Exempt apps**.
     
-    ![Exempt apps.](images/exempt-apps.png)
+    ![Exempt apps](images/exempt-apps.png)
 
 2. In **Exempt apps**, click **Add apps**.
 
@@ -391,7 +391,7 @@ We recommend that you start with **Silent** or **Allow Overrides** while verifyi
 
 1. From the **App protection policy** blade, click the name of your policy, and then click **Required settings**.
 
-    ![Microsoft Intune, Required settings blade showing Windows Information Protection mode.](images/wip-azure-required-settings-protection-mode.png)
+    ![Microsoft Intune, Required settings blade showing Windows Information Protection mode](images/wip-azure-required-settings-protection-mode.png)
 
     |Mode |Description |
     |-----|------------|
@@ -413,11 +413,11 @@ Starting with Windows 10, version 1703, Intune automatically determines your cor
 
 2. If the auto-defined identity isn’t correct, you can change the info in the **Corporate identity** field. 
 
-   ![Microsoft Intune, Set your corporate identity for your organization.](images/wip-azure-required-settings-corp-identity.png)
+   ![Microsoft Intune, Set your corporate identity for your organization](images/wip-azure-required-settings-corp-identity.png)
 
 3. To add domains, such your email domain names, click **Configure Advanced settings** > **Add network boundary** and select **Protected domains**.
 
-   ![Add protected domains.](images/add-protected-domains.png)
+   ![Add protected domains](images/add-protected-domains.png)
 
 ## Choose where apps can access enterprise data
 After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network. Every WIP policy should include your enterprise network locations. 
@@ -426,7 +426,7 @@ There are no default locations included with WIP, you must add each of your netw
 
 To define the network boundaries, click **App policy** > the name of your policy > **Advanced settings** > **Add network boundary**.
 
-![Microsoft Intune, Set where your apps can access enterprise data on your network.](images/wip-azure-advanced-settings-network.png)
+![Microsoft Intune, Set where your apps can access enterprise data on your network](images/wip-azure-advanced-settings-network.png)
 
 Select the type of network boundary to add from the **Boundary type** box. Type a name for your boundary into the **Name** box, add your values to the **Value** box, based on the options covered in the following subsections, and then click **OK**.
 
@@ -558,7 +558,7 @@ Decide if you want Windows to look for additional network settings:
 
 - **Enterprise IP Ranges list is authoritative (do not auto-detect).** Turn on if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you turn this off, Windows will search for additional IP ranges on any domain-joined devices connected to your network.
 
-![Microsoft Intune, Choose if you want Windows to search for additional proxy servers or IP ranges in your enterprise.](images/wip-azure-advanced-settings-network-autodetect.png)
+![Microsoft Intune, Choose if you want Windows to search for additional proxy servers or IP ranges in your enterprise](images/wip-azure-advanced-settings-network-autodetect.png)
 
 ## Upload your Data Recovery Agent (DRA) certificate
 After you create and deploy your WIP policy to your employees, Windows begins to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the Data Recovery Agent (DRA) certificate lets Windows use an included public key to encrypt the local data while you maintain the private key that can unencrypt the data.
@@ -573,12 +573,12 @@ After you create and deploy your WIP policy to your employees, Windows begins to
 
 2.  In the **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy.
 
-    ![Microsoft Intune, Upload your Data Recovery Agent (DRA) certificate.](images/wip-azure-advanced-settings-efsdra.png)
+    ![Microsoft Intune, Upload your Data Recovery Agent (DRA) certificate](images/wip-azure-advanced-settings-efsdra.png)
 
 ## Choose your optional WIP-related settings
 After you've decided where your protected apps can access enterprise data on your network, you can choose optional settings.
 
-![Advanced optional settings.](images/wip-azure-advanced-settings-optional.png)
+![Advanced optional settings](images/wip-azure-advanced-settings-optional.png)
    
 **Revoke encryption keys on unenroll.** Determines whether to revoke a user’s local encryption keys from a device when it’s unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are:
     
@@ -613,7 +613,7 @@ After you've decided where your protected apps can access enterprise data on you
 
 You can restrict which files are protected by WIP when they are downloaded from an SMB share within your enterprise network locations. If this setting is configured, only files with the extensions in the list will be encrypted. If this setting is not specified, the existing auto-encryption behavior is applied. 
 
-![WIP encrypted file extensions.](images/wip-encrypted-file-extensions.png)
+![WIP encrypted file extensions](images/wip-encrypted-file-extensions.png)
 
 ## Related topics
 
diff --git a/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md
index 8d929e1db4..524199cf73 100644
--- a/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md
@@ -34,7 +34,7 @@ After you’ve created your Windows Information Protection (WIP) policy, you'll
 
    The policy is deployed to the selected users' devices.
 
-   ![Microsoft Intune: Pick your user groups that should get the policy when it's deployed.](images/wip-azure-add-user-groups.png)
+   ![Microsoft Intune: Pick your user groups that should get the policy when it's deployed](images/wip-azure-add-user-groups.png)
 
 
 >[!NOTE]
diff --git a/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md b/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md
index dd3fb2529e..b54cc7cbe1 100644
--- a/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md
+++ b/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md
@@ -36,13 +36,13 @@ You need to add the Enterprise Context column to the **Details** tab of the Task
 
     The **Select columns** box appears.
 
-    ![Task Manager, Select column box with Enterprise Context option selected.](images/wip-select-column.png)
+    ![Task Manager, Select column box with Enterprise Context option selected](images/wip-select-column.png)
 
 3. Scroll down and check the **Enterprise Context** option, and then click **OK** to close the box.
 
     The **Enterprise Context** column should now be available in Task Manager.
 
-    ![Task Manager, Enterprise Context column highlighted.](images/wip-taskmgr.png)
+    ![Task Manager, Enterprise Context column highlighted](images/wip-taskmgr.png)
 
 ## Review the Enterprise Context
 The **Enterprise Context** column shows you what each app can do with your enterprise data:
diff --git a/windows/security/information-protection/windows-information-protection/wip-learning.md b/windows/security/information-protection/windows-information-protection/wip-learning.md
index e2f9ce0a1f..1e97616ee8 100644
--- a/windows/security/information-protection/windows-information-protection/wip-learning.md
+++ b/windows/security/information-protection/windows-information-protection/wip-learning.md
@@ -38,11 +38,11 @@ In the **Website learning report**, you can view a summary of the devices that h
 
 1. Click **Intune** > **Client apps** > **App protection status** > **Reports**.
 
-   ![Image showing the UI path to the WIP report.](images/access-wip-learning-report.png) 
+   ![Image showing the UI path to the WIP report](images/access-wip-learning-report.png) 
 
 1. Select either **App learning report for Windows Information Protection** or **Website learning report for Windows Information Protection**. 
 
-   ![Image showing the UI with for app and website learning reports.](images/wip-learning-select-report.png) 
+   ![Image showing the UI with for app and website learning reports](images/wip-learning-select-report.png) 
 
 Once you have the apps and websites showing up in the WIP Learning logging reports, you can decide whether to add them to your app protection policies. 
 
@@ -75,7 +75,7 @@ The information needed for the following steps can be found using Device Health,
 
 4. In the **Recommended apps** drop down menu, choose either **Store apps** or **Desktop apps**, depending on the app you've chosen (for example, an executable (EXE) is a desktop app). 
 
-    ![View of drop down menu for Store or desktop apps.](images/wip-learning-choose-store-or-desktop-app.png)
+    ![View of drop down menu for Store or desktop apps](images/wip-learning-choose-store-or-desktop-app.png)
 
 5. In **NAME** (optional), type the name of the app, and then in **PUBLISHER** (required), paste the publisher information that you copied in step 1 above.
 
@@ -87,7 +87,7 @@ The information needed for the following steps can be found using Device Health,
 
     `O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CA, C=US`
 
-    ![View of Add Apps app info entry boxes.](images/wip-learning-app-info.png)
+    ![View of Add Apps app info entry boxes](images/wip-learning-app-info.png)
 
 6. Type the name of the product in **PRODUCT NAME** (required)  (this will probably be the same as what you typed for **NAME**).
 
diff --git a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
index ea4b252a30..1ede3ef4ed 100644
--- a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
@@ -58,7 +58,7 @@ Enabling in Intune requires using the Code Integrity node in the [AppLocker CSP]
 3. Double-click **Turn on Virtualization Based Security**.
 4. Click **Enabled** and under **Virtualization Based Protection of Code Integrity**, select **Enabled with UEFI lock** to ensure HVCI cannot be disabled remotely or select **Enabled without UEFI lock**.
 
-   ![Enable HVCI using Group Policy.](../images/enable-hvci-gp.png)
+   ![Enable HVCI using Group Policy](../images/enable-hvci-gp.png)
 
 5. Click **Ok** to close the editor.
 
@@ -279,7 +279,7 @@ This field lists the computer name. All valid values for computer name.
 
 Another method to determine the available and enabled Windows Defender Device Guard features is to run msinfo32.exe from an elevated PowerShell session. When you run this program, the Windows Defender Device Guard properties are displayed at the bottom of the **System Summary** section.
 
-![Windows Defender Device Guard properties in the System Summary.](../images/dg-fig11-dgproperties.png)
+![Windows Defender Device Guard properties in the System Summary](../images/dg-fig11-dgproperties.png)
 
 ## Troubleshooting
 
diff --git a/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md b/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md
index def1ec0b93..6e6173e36d 100644
--- a/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md
+++ b/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md
@@ -17,7 +17,7 @@ ms.technology: mde
 ---
 # Coordinated Malware Eradication
 
-![coordinated-malware-eradication.](images/CoordinatedMalware.png)
+![coordinated-malware-eradication](images/CoordinatedMalware.png)
 
 Coordinated Malware Eradication (CME) aims to bring organizations in cybersecurity and in other industries together to change the game against malware. While the cybersecurity industry today is effective at disrupting malware families through individual efforts, those disruptions rarely lead to eradication since malware authors quickly adapt their tactics to survive.
 
diff --git a/windows/security/threat-protection/intelligence/fileless-threats.md b/windows/security/threat-protection/intelligence/fileless-threats.md
index b125773d18..e2029f3c2c 100644
--- a/windows/security/threat-protection/intelligence/fileless-threats.md
+++ b/windows/security/threat-protection/intelligence/fileless-threats.md
@@ -25,7 +25,7 @@ Attacks involve [several stages](https://attack.mitre.org/wiki/ATT&CK_Matrix) fo
 
 For clarity, fileless threats are grouped into different categories.
 
-![Comprehensive diagram of fileless malware.](images/fileless-malware.png)<br>
+![Comprehensive diagram of fileless malware](images/fileless-malware.png)<br>
 *Figure 1. Comprehensive diagram of fileless malware*
 
 Fileless threats can be classified by their entry point, which indicates how fileless malware can arrive on a machine. They can arrive via an exploit, through compromised hardware, or via regular execution of applications and scripts.
@@ -56,7 +56,7 @@ It’s possible to carry out such installation via command line without requirin
 
 Some malware can have a sort of fileless persistence, but not without using files to operate. An example for this scenario is Kovter, which creates a shell open verb handler in the registry for a random file extension. Opening a file with such extension will lead to the execution of a script through the legitimate tool mshta.exe.
 
-![Image of Kovter's registry key.](images/kovter-reg-key.png)<br>
+![Image of Kovter's registry key](images/kovter-reg-key.png)<br>
 *Figure 2. Kovter’s registry key*
 
 When the open verb is invoked, the associated command from the registry is launched, which results in the execution of a small script. This script reads data from a further registry key and executes it, in turn leading to the loading of the final payload. However, to trigger the open verb in the first place, Kovter has to drop a file with the same extension targeted by the verb (in the example above, the extension is .bbf5590fd). It also has to set an autorun key configured to open such file when the machine starts.
diff --git a/windows/security/threat-protection/intelligence/malware-naming.md b/windows/security/threat-protection/intelligence/malware-naming.md
index 3b37bdf391..ef4a133061 100644
--- a/windows/security/threat-protection/intelligence/malware-naming.md
+++ b/windows/security/threat-protection/intelligence/malware-naming.md
@@ -20,7 +20,7 @@ ms.technology: mde
 
 We name the malware and unwanted software that we detect according to the Computer Antivirus Research Organization (CARO) malware naming scheme. The scheme uses the following format:
 
-![coordinated-malware-eradication.](images/NamingMalware1.png)
+![coordinated-malware-eradication](images/NamingMalware1.png)
 
 When our analysts research a particular threat, they'll determine what each of the components of the name will be.
 
diff --git a/windows/security/threat-protection/intelligence/phishing.md b/windows/security/threat-protection/intelligence/phishing.md
index 01c216b8fe..1f997dac95 100644
--- a/windows/security/threat-protection/intelligence/phishing.md
+++ b/windows/security/threat-protection/intelligence/phishing.md
@@ -35,7 +35,7 @@ Here are several telltale signs of a phishing scam:
 
 * The links or URLs provided in emails are **not pointing to the correct location** or are pointing to a third-party site not affiliated with the sender of the email. For example, in the image below the URL provided doesn't match the URL that you'll be taken to.
 
-    ![example of how exploit kits work.](./images/URLhover.png)
+    ![example of how exploit kits work](./images/URLhover.png)
 
 * There's a **request for personal information** such as social security numbers or bank or financial information. Official communications won't generally request personal information from you in the form of an email.
 
diff --git a/windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md b/windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md
index ae7c0e8363..00eafc82ce 100644
--- a/windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md
+++ b/windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md
@@ -33,7 +33,7 @@ This process requires a global or application admin in the tenant.
  2. Select **Grant admin consent for organization**.
  3. If you're able to do so, review the API permissions required for this application, as the following image shows. Provide consent for the tenant.
 
-    ![grant consent image.](images/msi-grant-admin-consent.jpg)
+    ![grant consent image](images/msi-grant-admin-consent.jpg)
 
   4. If the administrator receives an error while attempting to provide consent manually, try either [Option 1](#option-1-approve-enterprise-application-permissions-by-user-request) or [Option 2](#option-2-provide-admin-consent-by-authenticating-the-application-as-an-admin) as possible workarounds.
   
@@ -43,13 +43,13 @@ This process requires a global or application admin in the tenant.
 
 Azure Active Directory admins will need to allow for users to request admin consent to apps. Verify the setting is configured to **Yes** in [Enterprise applications](https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/UserSettings/menuId/).
 
-![Enterprise applications user settings.](images/msi-enterprise-app-user-setting.jpg)
+![Enterprise applications user settings](images/msi-enterprise-app-user-setting.jpg)
 
 More information is available in [Configure Admin consent workflow](/azure/active-directory/manage-apps/configure-admin-consent-workflow).
 
 Once this setting is verified, users can go through the enterprise customer sign-in at [Microsoft security intelligence](https://www.microsoft.com/wdsi/filesubmission), and submit a request for admin consent, including justification.
 
-![Contoso sign in flow.](images/msi-contoso-approval-required.png)
+![Contoso sign in flow](images/msi-contoso-approval-required.png)
 
 Admin will be able to review and approve the application permissions [Azure admin consent requests](https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/AccessRequests/menuId/).
 
@@ -58,7 +58,7 @@ After providing consent, all users in the tenant will be able to use the applica
 ## Option 2 Provide admin consent by authenticating the application as an admin 
 This process requires that global admins go through the Enterprise customer sign-in flow at [Microsoft security intelligence](https://www.microsoft.com/wdsi/filesubmission).
 
-![Consent sign in flow.](images/msi-microsoft-permission-required.jpg)
+![Consent sign in flow](images/msi-microsoft-permission-required.jpg)
 
 Then, admins review the permissions and make sure to select **Consent on behalf of your organization**, and then select **Accept**.
 
@@ -70,20 +70,20 @@ If neither of these options resolve the issue, try the following steps (as an ad
 1. Remove previous configurations for the application. Go to [Enterprise applications](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Properties/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/982e94b2-fea9-4d1f-9fca-318cda92f90b)
 and select **delete**.
 
-   ![Delete app permissions.](images/msi-properties.png)
+   ![Delete app permissions](images/msi-properties.png)
 
 2. Capture TenantID from [Properties](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Properties).
 
 3. Replace {tenant-id} with the specific tenant that needs to grant consent to this application in the URL below. Copy this URL into browser. The rest of the parameters are already completed. 
 ``https://login.microsoftonline.com/{tenant-id}/v2.0/adminconsent?client_id=f0cf43e5-8a9b-451c-b2d5-7285c785684d&state=12345&redirect_uri=https%3a%2f%2fwww.microsoft.com%2fwdsi%2ffilesubmission&scope=openid+profile+email+offline_access``
 
-   ![Permissions needed.](images/msi-microsoft-permission-requested-your-organization.png)
+   ![Permissions needed](images/msi-microsoft-permission-requested-your-organization.png)
 
 4. Review the permissions required by the application, and then select **Accept**. 
 
 5. Confirm the permissions are applied in the [Azure portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Permissions/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/ce60a464-5fca-4819-8423-bcb46796b051).
 
-   ![Review that permissions are applied.](images/msi-permissions.jpg)
+   ![Review that permissions are applied](images/msi-permissions.jpg)
    
 6. Sign in to [Microsoft security intelligence](https://www.microsoft.com/wdsi/filesubmission) as an enterprise user with a non-admin account to see if you have access.
 
diff --git a/windows/security/threat-protection/intelligence/worms-malware.md b/windows/security/threat-protection/intelligence/worms-malware.md
index 2aa32ed8f6..ed4e5aaf84 100644
--- a/windows/security/threat-protection/intelligence/worms-malware.md
+++ b/windows/security/threat-protection/intelligence/worms-malware.md
@@ -39,7 +39,7 @@ Both Bondat and Gamarue have clever ways of obscuring themselves to evade detect
 
 This image shows how a worm can quickly spread through a shared USB drive.
 
-![Worm example.](./images/WormUSB-flight.png) 
+![Worm example](./images/WormUSB-flight.png) 
 
 ### *Figure worm spreading from a shared USB drive*
 
diff --git a/windows/security/threat-protection/mbsa-removal-and-guidance.md b/windows/security/threat-protection/mbsa-removal-and-guidance.md
index 83a6f5e00b..f0c6938382 100644
--- a/windows/security/threat-protection/mbsa-removal-and-guidance.md
+++ b/windows/security/threat-protection/mbsa-removal-and-guidance.md
@@ -29,8 +29,8 @@ For a PowerShell alternative, see [Using WUA to Scan for Updates Offline with Po
  
 For example:
  
-[![VBS script.](images/vbs-example.png)](/windows/desktop/wua_sdk/using-wua-to-scan-for-updates-offline) 
-[![PowerShell script.](images/powershell-example.png)](https://www.powershellgallery.com/packages/Scan-UpdatesOffline/1.0) 
+[![VBS script](images/vbs-example.png)](/windows/desktop/wua_sdk/using-wua-to-scan-for-updates-offline) 
+[![PowerShell script](images/powershell-example.png)](https://www.powershellgallery.com/packages/Scan-UpdatesOffline/1.0) 
   
 The preceding scripts use the [WSUS offline scan file](https://support.microsoft.com/help/927745/detailed-information-for-developers-who-use-the-windows-update-offline) (wsusscn2.cab) to perform a scan and get the same information on missing updates as MBSA supplied. MBSA also relied on the wsusscn2.cab to determine which updates were missing from a given system without connecting to any online service or server. The wsusscn2.cab file is still available and there are currently no plans to remove or replace it.
 The wsusscn2.cab file contains the metadata of only security updates, update rollups and service packs available from Microsoft Update; it does not contain any information on non-security updates, tools or drivers.
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md
index 3b18ab25d3..994ade09de 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md
@@ -45,7 +45,7 @@ Applies to:
 You and your security department can define your corporate boundaries by explicitly adding trusted domains and by customizing the Application Guard experience to meet and enforce your needs on employee devices. Enterprise-managed mode also automatically redirects any browser requests to add non-enterprise domain(s) in the container.
 
 The following diagram shows the flow between the host PC and the isolated container.
-![Flowchart for movement between Microsoft Edge and Application Guard.](images/application-guard-container-v-host.png)
+![Flowchart for movement between Microsoft Edge and Application Guard](images/application-guard-container-v-host.png)
 
 ## Install Application Guard
 
@@ -55,7 +55,7 @@ Application Guard functionality is turned off by default. However, you can quick
 
 1. Open the **Control Panel**, click **Programs,** and then click **Turn Windows features on or off**.
 
-    ![Windows Features, turning on Microsoft Defender Application Guard.](images/turn-windows-features-on-off.png)
+    ![Windows Features, turning on Microsoft Defender Application Guard](images/turn-windows-features-on-off.png)
 
 2. Select the check box next to **Microsoft Defender Application Guard** and then click **OK**.
 
@@ -86,7 +86,7 @@ Application Guard functionality is turned off by default. However, you can quick
 > [!IMPORTANT]
 > Make sure your organization's devices meet [requirements](reqs-md-app-guard.md) and are [enrolled in Intune](/mem/intune/enrollment/device-enrollment).
 
-:::image type="content" source="images/MDAG-EndpointMgr-newprofile.jpg" alt-text="Enroll devices in Intune.":::
+:::image type="content" source="images/MDAG-EndpointMgr-newprofile.jpg" alt-text="Enroll devices in Intune":::
 
 1. Go to [https://endpoint.microsoft.com](https://endpoint.microsoft.com) and sign in.
 
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
index 4ad66674a9..de798293db 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
@@ -29,7 +29,7 @@ For Microsoft Edge, Application Guard helps to isolate enterprise-defined untrus
 For Microsoft Office, Application Guard helps prevents untrusted Word, PowerPoint and Excel files from accessing trusted resources. Application Guard opens untrusted files in an isolated Hyper-V-enabled container. The isolated Hyper-V container is separate from the host operating system. This container isolation means that if the untrusted site or file turns out to be malicious, the host device is protected, and the attacker can't get to your enterprise data. For example, this approach makes the isolated container anonymous, so an attacker can't get to your employee's enterprise credentials.
 
 
-![Hardware isolation diagram.](images/appguard-hardware-isolation.png)
+![Hardware isolation diagram](images/appguard-hardware-isolation.png)
 
 ### What types of devices should use Application Guard?
 
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
index d8ff39f397..74525211f8 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
@@ -33,7 +33,7 @@ You can see how an employee would use standalone mode with Application Guard.
 
 2. Restart the device, start Microsoft Edge, and then select **New Application Guard window** from the menu.
 
-    ![New Application Guard window setting option.](images/appguard-new-window.png)
+    ![New Application Guard window setting option](images/appguard-new-window.png)
 
 3. Wait for Application Guard to set up the isolated environment.
 
@@ -42,7 +42,7 @@ You can see how an employee would use standalone mode with Application Guard.
 
 4. Go to an untrusted, but safe URL (for this example, we used msn.com) and view the new Microsoft Edge window, making sure you see the Application Guard visual cues.
 
-    ![Untrusted website running in Application Guard.](images/appguard-visual-cues.png)
+    ![Untrusted website running in Application Guard](images/appguard-visual-cues.png)
 
 ## Application Guard in Enterprise-managed mode
 
@@ -64,19 +64,19 @@ Before you can use Application Guard in managed mode, you must install Windows 1
 
    c.  For the purposes of this scenario, type `.microsoft.com` into the **Enterprise cloud resources** box.
 
-   ![Group Policy editor with Enterprise cloud resources setting.](images/appguard-gp-network-isolation.png)
+   ![Group Policy editor with Enterprise cloud resources setting](images/appguard-gp-network-isolation.png)
 
    d. Go to the **Administrative Templates\Network\Network Isolation\Domains categorized as both work and personal** setting.
 
    e. For the purposes of this scenario, type `bing.com` into the **Neutral resources** box.
 
-   ![Group Policy editor with Neutral resources setting.](images/appguard-gp-network-isolation-neutral.png)
+   ![Group Policy editor with Neutral resources setting](images/appguard-gp-network-isolation-neutral.png)
 
 4. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Turn on Microsoft Defender Application Guard in Managed Mode** setting.
 
 5. Click **Enabled**, choose Option **1**, and click **OK**.
 
-   ![Group Policy editor with Turn On/Off setting.](images/appguard-gp-turn-on.png)
+   ![Group Policy editor with Turn On/Off setting](images/appguard-gp-turn-on.png)
 
    >[!NOTE]
    >Enabling this setting verifies that all the necessary settings are properly configured on your employee devices, including the network isolation settings set earlier in this scenario.
@@ -85,13 +85,13 @@ Before you can use Application Guard in managed mode, you must install Windows 1
 
     After you submit the URL, Application Guard determines the URL is trusted because it uses the domain you've marked as trusted and shows the site directly on the host PC instead of in Application Guard.
 
-    ![Trusted website running on Microsoft Edge.](images/appguard-turned-on-with-trusted-site.png)
+    ![Trusted website running on Microsoft Edge](images/appguard-turned-on-with-trusted-site.png)
 
 7. In the same Microsoft Edge browser, type any URL that isn't part of your trusted or neutral site lists.
 
    After you submit the URL, Application Guard determines the URL is untrusted and redirects the request to the hardware-isolated environment.
 
-   ![Untrusted website running in Application Guard.](images/appguard-visual-cues.png)
+   ![Untrusted website running in Application Guard](images/appguard-visual-cues.png)
 
 ### Customize Application Guard
 
@@ -118,7 +118,7 @@ You have the option to change each of these settings to work with your enterpris
 
 2. Click **Enabled** and click **OK**.
 
-    ![Group Policy editor clipboard options.](images/appguard-gp-clipboard.png)
+    ![Group Policy editor clipboard options](images/appguard-gp-clipboard.png)
 
 3. Choose how the clipboard works:
 
@@ -144,7 +144,7 @@ You have the option to change each of these settings to work with your enterpris
 
 2. Click **Enabled** and click **OK**.
 
-    ![Group Policy editor Print options.](images/appguard-gp-print.png)
+    ![Group Policy editor Print options](images/appguard-gp-print.png)
 
 3. Based on the list provided in the setting, choose the number that best represents what type of printing should be available to your employees. You can allow any combination of local, network, PDF, and XPS printing.
 
@@ -156,7 +156,7 @@ You have the option to change each of these settings to work with your enterpris
 
 2. Click **Enabled** and click **OK**.
 
-    ![Group Policy editor Data Persistence options.](images/appguard-gp-persistence.png)
+    ![Group Policy editor Data Persistence options](images/appguard-gp-persistence.png)
 
 3. Open Microsoft Edge and browse to an untrusted, but safe URL.
 
@@ -186,7 +186,7 @@ You have the option to change each of these settings to work with your enterpris
 
 2. Click **Enabled** and click **OK**.
 
-    ![Group Policy editor Download options.](images/appguard-gp-download.png)
+    ![Group Policy editor Download options](images/appguard-gp-download.png)
 
 3. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
 
@@ -200,7 +200,7 @@ You have the option to change each of these settings to work with your enterpris
 
 2. Click **Enabled** and click **OK**.
 
-    ![Group Policy editor hardware acceleration options.](images/appguard-gp-vgpu.png)
+    ![Group Policy editor hardware acceleration options](images/appguard-gp-vgpu.png)
 
 3. Once you have enabled this feature, open Microsoft Edge and browse to an untrusted, but safe URL with video, 3D, or other graphics-intensive content. The website opens in an isolated session.
 
@@ -217,7 +217,7 @@ You have the option to change each of these settings to work with your enterpris
 
 2. Click **Enabled**, set **Options** to 2, and click **OK**.
 
-    ![Group Policy editor File trust options.](images/appguard-gp-allow-users-to-trust-files-that-open-in-appguard.png)
+    ![Group Policy editor File trust options](images/appguard-gp-allow-users-to-trust-files-that-open-in-appguard.png)
 
 3. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
 
@@ -231,7 +231,7 @@ You have the option to change each of these settings to work with your enterpris
 
 2. Click **Enabled** and click **OK**.
 
-    ![Group Policy editor Camera and microphone options.](images/appguard-gp-allow-camera-and-mic.png)
+    ![Group Policy editor Camera and microphone options](images/appguard-gp-allow-camera-and-mic.png)
 
 3. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
 
@@ -245,7 +245,7 @@ You have the option to change each of these settings to work with your enterpris
 
 2. Click **Enabled**, copy the thumbprint of each certificate to share, separated by a comma, and click **OK**.
 
-    ![Group Policy editor Root certificate options.](images/appguard-gp-allow-root-certificates.png)
+    ![Group Policy editor Root certificate options](images/appguard-gp-allow-root-certificates.png)
 
 3. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
 
@@ -258,10 +258,10 @@ Once a user has the extension and its companion app installed on their enterpris
 1. Open either Firefox or Chrome — whichever browser you have the extension installed on.
 
 2. Navigate to an enterprise website, i.e. an internal website maintained by your organization. You might see this evaluation page for an instant before the site is fully loaded.
-   ![The evaluation page displayed while the page is being loaded, explaining that the user must wait.](images/app-guard-chrome-extension-evaluation-page.png)
+   ![The evaluation page displayed while the page is being loaded, explaining that the user must wait](images/app-guard-chrome-extension-evaluation-page.png)
 
 3. Navigate to a non-enterprise, external website site, such as [www.bing.com](https://www.bing.com). The site should be redirected to Microsoft Defender Application Guard Edge.
-   ![A non-enterprise website being redirected to an Application Guard container -- the text displayed explains that the page is being opened in Application Guard for Microsoft Edge.](images/app-guard-chrome-extension-launchIng-edge.png)
+   ![A non-enterprise website being redirected to an Application Guard container -- the text displayed explains that the page is being opened in Application Guard for Microsoft Edge](images/app-guard-chrome-extension-launchIng-edge.png)
 
 4. Open a new Application Guard window, by select the Microsoft Defender Application Guard icon, then **New Application Guard Window**
    ![The "New Application Guard Window" option is highlighted in red](images/app-guard-chrome-extension-new-app-guard-page.png)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
index 146b20c787..80486846fb 100644
--- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
@@ -61,7 +61,7 @@ If you believe a warning or block was incorrectly shown for a file or applicatio
 
 When submitting Microsoft Defender SmartScreen products, make sure to select **Microsoft Defender SmartScreen** from the product menu.
 
-![Windows Security, Microsoft Defender SmartScreen controls.](images/Microsoft-defender-smartscreen-submission.png)
+![Windows Security, Microsoft Defender SmartScreen controls](images/Microsoft-defender-smartscreen-submission.png)
 
 ## Viewing Microsoft Defender SmartScreen anti-phishing events
 
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md
index 89c036958f..85c404a314 100644
--- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md
+++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md
@@ -60,7 +60,7 @@ Starting with Windows 10, version 1703, users can use Windows Security to set up
         
      - **Off.** Turns off Microsoft Defender SmartScreen, so a user isn't alerted or stopped from visiting sites or from downloading potentially malicious apps and files.
 
-       ![Windows Security, Microsoft Defender SmartScreen controls.](images/windows-defender-smartscreen-control-2020.png)
+       ![Windows Security, Microsoft Defender SmartScreen controls](images/windows-defender-smartscreen-control-2020.png)
 
 ## How Microsoft Defender SmartScreen works when a user tries to run an app
 Microsoft Defender SmartScreen checks the reputation of any web-based app the first time it's run from the Internet, checking digital signatures and other factors against a Microsoft-maintained service. If an app has no reputation or is known to be malicious, Microsoft Defender SmartScreen can warn the user or block the app from running entirely, depending on how you've configured the feature to run in your organization.
diff --git a/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md b/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md
index c2a1d31b98..c792222c8a 100644
--- a/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md
+++ b/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md
@@ -41,7 +41,7 @@ The following procedure describes how to use Group Policy to override individual
 
 1. Open your Group Policy editor and go to the **Administrative Templates\System\Mitigation Options\Process Mitigation Options** setting.
 
-    ![Group Policy editor: Process Mitigation Options with setting enabled and Show button active.](images/gp-process-mitigation-options.png)
+    ![Group Policy editor: Process Mitigation Options with setting enabled and Show button active](images/gp-process-mitigation-options.png)
 
 2. Click **Enabled**, and then in the **Options** area, click **Show** to open the **Show Contents** box, where you’ll be able to add your apps and the appropriate bit flag values, as shown in the [Setting the bit field](#setting-the-bit-field) and [Example](#example) sections of this topic.
 
@@ -52,12 +52,12 @@ The following procedure describes how to use Group Policy to override individual
     
        **Note**<br>Setting bit flags in positions not specified here to anything other than ? might cause undefined behavior.
 
-     ![Group Policy editor: Process Mitigation Options with Show Contents box and example text.](images/gp-process-mitigation-options-show.png)
+     ![Group Policy editor: Process Mitigation Options with Show Contents box and example text](images/gp-process-mitigation-options-show.png)
 
 ## Setting the bit field
 Here’s a visual representation of the bit flag locations for the various Process Mitigation Options settings:
 
-![Visual representation of the bit flag locations for the Process Mitigation Options settings.](images/gp-process-mitigation-options-bit-flag-image.png)
+![Visual representation of the bit flag locations for the Process Mitigation Options settings](images/gp-process-mitigation-options-bit-flag-image.png)
 
 Where the bit flags are read from right to left and are defined as:
 
diff --git a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
index 0a9058b91d..f98634584d 100644
--- a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
+++ b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
@@ -130,7 +130,7 @@ You can now see which processes have DEP enabled.
 
 <!-- This might be a good place to mention the cmdlet that lets you see the same kind of output. -->
 
-![Processes with DEP enabled in Windows 10.](images/security-fig5-dep.png)
+![Processes with DEP enabled in Windows 10](images/security-fig5-dep.png)
 
 *Figure 2.&nbsp;&nbsp;Processes on which DEP has been enabled in Windows 10*
 
@@ -168,7 +168,7 @@ One of the most common techniques used to gain access to a system is to find a v
 
 Address Space Layout Randomization (ASLR) makes that type of attack much more difficult because it randomizes how and where important data is stored in memory. With ASLR, it is more difficult for malware to find the specific location it needs to attack. Figure 3 illustrates how ASLR works by showing how the locations of different critical Windows components can change in memory between restarts.
 
-![ASLR at work.](images/security-fig4-aslr.png)
+![ASLR at work](images/security-fig4-aslr.png)
 
 **Figure 3.&nbsp;&nbsp;ASLR at work**
 
diff --git a/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md b/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
index e24bb48367..220c774696 100644
--- a/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
+++ b/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
@@ -56,13 +56,13 @@ Because mobile devices are increasingly being used to access corporate informati
 
 Devices that are used to access corporate resources must be trusted. An efficient end-to-end security approach is able to evaluate device health and use the current security state when granting access to a high-value asset.
 
-:::image type="content" alt-text="figure 1." source="images/hva-fig1-endtoend1.png":::
+:::image type="content" alt-text="figure 1" source="images/hva-fig1-endtoend1.png":::
 
 A robust design needs to establish the user’s identity, strengthen the authentication method if needed, and learn behavior like the network location the user regularly connects from. Also, a modern approach must be able to release sensitive content only if user devices are determined to be healthy and secure.
 
 The following figure shows a solution built to assess device health from the cloud. The device authenticates the user through a connection to an identity provider in the cloud. If the managed asset contains highly confidential information, the conditional access engine of the identity provider may elect to verify the security compliance of the mobile device before access is granted. The user’s device is able to prove its health status that can be sent at any time or when mobile device management (MDM) requests it.
 
-:::image type="content" alt-text="figure 2." source="images/hva-fig2-assessfromcloud2.png":::
+:::image type="content" alt-text="figure 2" source="images/hva-fig2-assessfromcloud2.png":::
 
 Windows devices can be protected from low-level rootkits and bootkits by using low-level hardware technologies such as Unified Extensible Firmware Interface (UEFI) Secure Boot.
 
@@ -94,7 +94,7 @@ In Windows 10, there are three pillars of investments:
 
 This section is an overview that describes different parts of the end-to-end security solution that helps protect high-value assets and information from attackers and malware.
 
-:::image type="content" alt-text="figure 3." source="images/hva-fig3-endtoendoverview3.png":::
+:::image type="content" alt-text="figure 3" source="images/hva-fig3-endtoendoverview3.png":::
 
 | Number | Part of the solution | Description |
 | - | - | - |
@@ -115,7 +115,7 @@ This section describes what Windows 10 offers in terms of security defenses and
 The most aggressive forms of malware try to insert themselves into the boot process as early as possible so that they can take control of the operating system early and prevent protection mechanisms and antimalware software from working. This type of malicious code is often called a rootkit or bootkit. The best way to avoid having to deal with low-level malware is to secure the boot process so that the device is protected from the very start.
 Windows 10 supports multiple layers of boot protection. Some of these features are available only if specific types of hardware are installed. For more information, see the [Hardware requirements](#hardware-req) section.
 
-:::image type="content" alt-text="figure 4." source="images/hva-fig4-hardware.png":::
+:::image type="content" alt-text="figure 4" source="images/hva-fig4-hardware.png":::
 
 Windows 10 supports features to help prevent sophisticated low-level malware like rootkits and bootkits from loading during the startup process:
 
@@ -230,7 +230,7 @@ The following Windows 10 services are protected with virtualization-based securi
 
 The schema below is a high-level view of Windows 10 with virtualization-based security.
 
-:::image type="content" alt-text="figure 5." source="images/hva-fig5-virtualbasedsecurity.png":::
+:::image type="content" alt-text="figure 5" source="images/hva-fig5-virtualbasedsecurity.png":::
 
 ### Credential Guard
 
@@ -425,11 +425,11 @@ The antimalware software can search to determine whether the boot sequence conta
 
 Health attestation logs the measurements in various TPM Platform Configuration Registers (PCRs) and TCG logs during the boot process.
 
-:::image type="content" alt-text="figure 6." source="images/hva-fig6-logs.png":::
+:::image type="content" alt-text="figure 6" source="images/hva-fig6-logs.png":::
 
 When starting a device equipped with TPM, a measurement of different components is performed. This includes firmware, UEFI drivers, CPU microcode, and also all the Windows 10 drivers whose type is Boot Start. The raw measurements are stored in the TPM PCR registers while the details of all events (executable path, authority certification, and so on) are available in the TCG log.
 
-:::image type="content" alt-text="figure 7." source="images/hva-fig7-measurement.png":::
+:::image type="content" alt-text="figure 7" source="images/hva-fig7-measurement.png":::
 
 The health attestation process works as follows:
 
@@ -459,7 +459,7 @@ The following process describes how health boot measurements are sent to the hea
 
 4.  The client stores the health encrypted blob in its local store. The device health token contains device health status, a device ID (the Windows AIK), and the boot counter.
 
-:::image type="content" alt-text="figure 8." source="images/hva-fig8a-healthattest8a.png":::
+:::image type="content" alt-text="figure 8" source="images/hva-fig8a-healthattest8a.png":::
 
 ### Device health attestation components
 
@@ -632,7 +632,7 @@ A solution that leverages MDM and the Health Attestation Service consists of thr
 2.  After this is enabled, and every boot thereafter, the device will send health measurements to the Health Attestation Service hosted by Microsoft, and it will receive a health attestation blob in return.
 3.  At any point after this, an MDM server can request the health attestation blob from the device and ask Health Attestation Service to decrypt the content and validate that it’s been attested.
 
-    :::image type="content" alt-text="figure 9." source="images/hva-fig8-evaldevicehealth8.png":::
+    :::image type="content" alt-text="figure 9" source="images/hva-fig8-evaldevicehealth8.png":::
 
 Interaction between a Windows 10-based device, the Health Attestation Service, and MDM can be performed as follows:
 
@@ -671,7 +671,7 @@ The remote device health attestation process uses measured boot data to verify t
 
 The figure below shows how the Health Attestation Service is expected to work with Microsoft’s cloud-based Intune MDM service.
 
-:::image type="content" alt-text="figure 10." source="images/hva-fig9-intune.png":::
+:::image type="content" alt-text="figure 10" source="images/hva-fig9-intune.png":::
 
 An MDM solution can then leverage health state statements and take them to the next level by coupling with client policies that will enable conditional access to be granted based on the device’s ability to prove that it’s malware free, its antimalware system is functional and up to date, the 
 firewall is running, and the devices patch state is compliant.
@@ -705,7 +705,7 @@ If the device is not registered, the user will get a message with instructions o
 
 **Azure AD** authenticates the user and the device, **MDM** manages the compliance and conditional access policies, and the **Health Attestation Service** reports about the health of the device in an attested way.
 
-:::image type="content" alt-text="figure 11." source="images/hva-fig10-conditionalaccesscontrol.png":::
+:::image type="content" alt-text="figure 11" source="images/hva-fig10-conditionalaccesscontrol.png":::
 
 ### <a href="" id="office-365-conditional-access-control-"></a>Office 365 conditional access control
 
@@ -725,7 +725,7 @@ The user will be denied access to services when sign-in credentials are changed,
 
 Depending on the type of email application that employees use to access Exchange online, the path to establish secured access to email can be slightly different. However, the key components: Azure AD, Office 365/Exchange Online, and Intune, are the same. The IT experience and end-user experience also are similar.
 
-:::image type="content" alt-text="figure 12." source="images/hva-fig11-office365.png":::
+:::image type="content" alt-text="figure 12" source="images/hva-fig11-office365.png":::
 
 Clients that attempt to access Office 365 will be evaluated for the following properties:
 
@@ -758,7 +758,7 @@ For on-premises applications there are two options to enable conditional access
 -   For on-premises applications that are published through the Azure AD Application Proxy, you can configure conditional access control policies as you would for cloud applications. For more details, see the [Azure AD Conditional Access preview updated: Now supports On-Premises and Custom LOB apps](https://go.microsoft.com/fwlink/p/?LinkId=691618) blog post.
 -   Additionally, Azure AD Connect will sync device compliance information from Azure AD to on-premises AD. ADFS on Windows Server 2016 will support conditional access control based on a device's compliance state. IT pros will configure conditional access control policies in ADFS that use the device's compliance state reported by a compatible MDM solution to secure on-premises applications.
 
-:::image type="content" alt-text="figure 13." source="images/hva-fig12-conditionalaccess12.png":::
+:::image type="content" alt-text="figure 13" source="images/hva-fig12-conditionalaccess12.png":::
 
 The following process describes how Azure AD conditional access works:
 
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md
index ce251bc758..eb88a41772 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md
@@ -36,7 +36,7 @@ Beginning with Windows 10 version 1607, new functionality was added to Windows 1
 This functionality is controlled by a new **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**.
 The Privacy setting is off by default, which hides the details.
 
-![Privacy setting.](images/privacy-setting-in-sign-in-options.png)
+![Privacy setting](images/privacy-setting-in-sign-in-options.png)
 
 The **Interactive logon: Display user information when the session is locked** Group Policy setting controls the same functionality.
 
diff --git a/windows/security/threat-protection/security-policy-settings/security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/security-policy-settings.md
index 7a58b942a4..426d291c10 100644
--- a/windows/security/threat-protection/security-policy-settings/security-policy-settings.md
+++ b/windows/security/threat-protection/security-policy-settings/security-policy-settings.md
@@ -157,7 +157,7 @@ The following diagram shows Security Settings and related features.
 
 #### Security Settings Policies and Related Features
 
-![components related to security policies.](images/secpol-components.gif)
+![components related to security policies](images/secpol-components.gif)
 
 - **Scesrv.dll**
 
@@ -181,7 +181,7 @@ The Security Settings extension of the Local Group Policy Editor is part of the
 
 **Security Settings Architecture**
 
-![architecture of security policy settings.](images/secpol-architecture.gif)
+![architecture of security policy settings](images/secpol-architecture.gif)
 
 The security settings configuration and analysis tools include a security configuration engine, which provides local computer (non-domain member) and Group Policy−based configuration and analysis of security settings policies. The security configuration engine also supports the creation of security policy files. The primary features of the security configuration engine are scecli.dll and scesrv.dll.
 
@@ -321,7 +321,7 @@ In the context of Group Policy processing, security settings policy is processed
 
    **Multiple GPOs and Merging of Security Policy**
 
-   ![multiple gpos and merging of security policy.](images/secpol-multigpomerge.gif)
+   ![multiple gpos and merging of security policy](images/secpol-multigpomerge.gif)
 
 1. The resultant security policies are stored in secedit.sdb, the security settings database. The security engine gets the security template files and imports them to secedit.sdb.
 1. The security settings policies are applied to devices.
@@ -329,7 +329,7 @@ The following figure illustrates the security settings policy processing.
 
 **Security Settings Policy Processing**
 
-![process and interactions of security policy settings.](images/secpol-processes.gif)
+![process and interactions of security policy settings](images/secpol-processes.gif)
 
 ### Merging of security policies on domain controllers
 
diff --git a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
index a8362c5bda..277bc347d1 100644
--- a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
+++ b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
@@ -380,9 +380,9 @@ This can easily be extended to other Auto-Execution Start Points keys in the reg
 
 Use the following figures to see how you can configure those registry keys.
 
-![default acl for run key.](images/runkey.png)
+![default acl for run key](images/runkey.png)
 
-![default acl for runonce key.](images/runoncekey.png)
+![default acl for runonce key](images/runoncekey.png)
 
 ## <a href="" id="bkmk-appendixc"></a>Appendix C - Event channel settings (enable and channel access) methods
 
@@ -399,7 +399,7 @@ The following GPO snippet performs the following:
 -   Enables the **Microsoft-Windows-DriverFrameworks-UserMode/Operational** event channel.
 -   Sets the maximum file size for **Microsoft-Windows-DriverFrameworks-UserMode/Operational** to 50MB.
 
-![configure event channels.](images/capi-gpo.png)
+![configure event channels](images/capi-gpo.png)
 
 ## <a href="" id="bkmk-appendixd"></a>Appendix D - Minimum GPO for WEF Client configuration
 
@@ -409,7 +409,7 @@ Here are the minimum steps for WEF to operate:
 2.  Start the WinRM service.
 3.  Add the Network Service account to the built-in Event Log Readers security group. This allows reading from secured event channel, such as the security event channel.
 
-![configure the wef client.](images/wef-client-config.png)
+![configure the wef client](images/wef-client-config.png)
 
 ## <a href="" id="bkmk-appendixe"></a>Appendix E – Annotated baseline subscription event query
 
diff --git a/windows/security/threat-protection/windows-10-mobile-security-guide.md b/windows/security/threat-protection/windows-10-mobile-security-guide.md
index 11b4c1a58b..9b1eb730a6 100644
--- a/windows/security/threat-protection/windows-10-mobile-security-guide.md
+++ b/windows/security/threat-protection/windows-10-mobile-security-guide.md
@@ -299,7 +299,7 @@ One of the most common techniques used by attackers to gain access to a system i
 
 Address Space Layout Randomization (ASLR) makes that type of attack much more difficult because it randomizes how and where important data is stored in memory. With ASLR, it is more difficult for malware to find the specific location it needs to attack. The below diagram illustrates how ASLR works, showing how the locations of different critical Windows components can change in memory between restarts.
 
-![figure 3.](images/mobile-security-guide-figure3.png)
+![figure 3](images/mobile-security-guide-figure3.png)
 
 Microsoft has substantively improved the ASLR implementation in Windows 10 Mobile over previous versions, applying it across the entire system rather than only in specific apps. With 64bit system and application processes that can take advantage of a vastly increased memory space, it is even more difficult for malware to predict where Windows 10 Mobile stores vital data. When used on systems that have TPMs, ASLR memory randomization becomes increasingly unique across devices, adding additional degrees of difficulty for repurposing successful exploits to another system.
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md
index 582297f71b..ab40f94622 100644
--- a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md
+++ b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md
@@ -37,7 +37,7 @@ Refer to the below video for an overview and brief demo.
 > [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4mlcp]
 
 ## Policy Authorization Process
-![Policy Authorization.](images/wdac-intune-policy-authorization.png)
+![Policy Authorization](images/wdac-intune-policy-authorization.png)
 The general steps for expanding the S mode base policy on your Intune-managed devices are to generate a supplemental policy, sign that policy, and then upload the signed policy to Intune and assign it to user or device groups. Because you need access to WDAC PowerShell cmdlets to generate your supplemental policy, you should create and manage your policies on a non-S mode device. Once the policy has been uploaded to Intune, we recommend assigning it to a single test S-mode device to verify expected functioning before deploying the policy more broadly.
 
 1. Generate a supplemental policy with WDAC tooling
@@ -89,11 +89,11 @@ The general steps for expanding the S mode base policy on your Intune-managed de
 > When updating your supplemental policy, ensure that the new version number is strictly greater than the previous one. Using the same version number is not allowed by Intune. Refer to [Set-CIPolicyVersion](/powershell/module/configci/set-cipolicyversion?view=win10-ps&preserve-view=true) for information on setting the version number.
 
 ## Standard Process for Deploying Apps through Intune
-![Deploying Apps through Intune.](images/wdac-intune-app-deployment.png)
+![Deploying Apps through Intune](images/wdac-intune-app-deployment.png)
 Refer to [Intune Standalone - Win32 app management](/intune/apps-win32-app-management)  for guidance on the existing procedure of packaging signed catalogs and app deployment.
 
 ## Optional: Process for Deploying Apps using Catalogs
-![Deploying Apps using Catalogs.](images/wdac-intune-app-catalogs.png)
+![Deploying Apps using Catalogs](images/wdac-intune-app-catalogs.png)
 Your supplemental policy can be used to significantly relax the S mode base policy, but there are security trade-offs you must consider in doing so. For example, you can use a signer rule to trust an external signer, but that will authorize all apps signed by that certificate, which may include apps you don't want to allow as well.
 
 Instead of authorizing signers external to your organization, Intune has added new functionality to make it easier to authorize existing applications (without requiring repackaging or access to the source code) through the use of signed catalogs. This works for apps which may be unsigned or even signed apps when you don't want to trust all apps that may share the same signing certificate.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md b/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md
index af49d0b081..f197b8f4b2 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md
@@ -61,7 +61,7 @@ AppLocker can be configured to display the default message but with a custom URL
 
 The following image shows an example of the error message for a blocked app. You can use the **Set a support web link** policy setting to customize the **More information** link.
 
-![applocker blocked application error message.](images/blockedappmsg.gif)
+![applocker blocked application error message](images/blockedappmsg.gif)
 
 For steps to display a custom URL for the message, see [Display a custom URL message when users try to run a blocked app](display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md).
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md
index 9ffaf2b82c..5350f5c843 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md
@@ -44,7 +44,7 @@ Because a computer's effective policy includes rules from each linked GPO, dupli
 
 The following figure demonstrates how AppLocker rule enforcement is applied through linked GPOs.
 
-![applocker rule enforcement inheritance chart.](images/applocker-plan-inheritance.gif)
+![applocker rule enforcement inheritance chart](images/applocker-plan-inheritance.gif)
 
 In the preceding illustration, note that all GPOs linked to Contoso are applied in order as configured. The rules that are not configured are also applied. For example, the result of the Contoso and Human Resources GPOs is 33 rules enforced, as shown in the client HR-Term1. The Human Resources GPO contains 10 non-configured rules. When the rule collection is configured for **Audit only**, no rules are enforced.
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md
index a51539d046..0f909bdf3d 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md
@@ -30,7 +30,7 @@ To successfully deploy AppLocker policies, you need to identify your application
 
 The following diagram shows the main points in the design, planning, and deployment process for AppLocker.
 
-![applocker quick reference guide.](images/applocker-plandeploy-quickreference.gif)
+![applocker quick reference guide](images/applocker-plandeploy-quickreference.gif)
 
 ## Resources to support the deployment process
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md
index 671bd29bf1..bc1218b82c 100644
--- a/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md
@@ -46,7 +46,7 @@ To familiarize yourself with creating WDAC rules from audit events, follow these
 
    **Figure 1. Exceptions to the deployed WDAC policy** <br>
 
-   ![Event showing exception to WDAC policy.](images/dg-fig23-exceptionstocode.png)
+   ![Event showing exception to WDAC policy](images/dg-fig23-exceptionstocode.png)
 
 3. In an elevated PowerShell session, run the following commands to initialize variables used by this procedure. This procedure builds upon the **Lamna_FullyManagedClients_Audit.xml** policy introduced in [Create a WDAC policy for fully managed devices](create-wdac-policy-for-fully-managed-devices.md) and will produce a new policy called **EventsPolicy.xml**.
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md
index 706f2e6d6a..cb94565bff 100644
--- a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md
@@ -45,7 +45,7 @@ To familiarize yourself with creating WDAC rules from audit events, follow these
 2. Review the **CodeIntegrity - Operational** and **AppLocker - MSI and Script** event logs to confirm events, like those shown in Figure 1, are generated related to the application. For information about the types of events you should see, refer to [Understanding Application Control events](event-id-explanations.md).
 
    **Figure 1. Exceptions to the deployed WDAC policy**
-   ![Event showing exception to WDAC policy.](images/dg-fig23-exceptionstocode.png)
+   ![Event showing exception to WDAC policy](images/dg-fig23-exceptionstocode.png)
 
 3. In an elevated PowerShell session, run the following commands to initialize variables used by this procedure. This procedure builds upon the **Lamna_FullyManagedClients_Audit.xml** policy introduced in [Create a WDAC policy for fully managed devices](create-wdac-policy-for-fully-managed-devices.md) and will produce a new policy called **EventsPolicy.xml**.
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md
index 761ea31822..b9ca84a296 100644
--- a/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md
@@ -39,7 +39,7 @@ ECDSA is not supported.
 
 2.  When connected, right-click **Certificate Templates**, and then click **Manage** to open the Certification Templates Console.
 
-    ![CA snap-in showing Certificate Templates.](images/dg-fig27-managecerttemp.png)
+    ![CA snap-in showing Certificate Templates](images/dg-fig27-managecerttemp.png)
 
     Figure 1. Manage the certificate templates
 
@@ -55,7 +55,7 @@ ECDSA is not supported.
 
 8.  In the **Edit Basic Constraints Extension** dialog box, select **Enable this extension**, as shown in Figure 2.
 
-    ![Edit Basic Constraints Extension.](images/dg-fig29-enableconstraints.png)
+    ![Edit Basic Constraints Extension](images/dg-fig29-enableconstraints.png)
 
     Figure 2. Select constraints on the new template
 
@@ -71,7 +71,7 @@ When this certificate template has been created, you must publish it to the CA p
 
 1.  In the Certification Authority MMC snap-in, right-click **Certification Templates**, point to **New**, and then click **Certificate Template to Issue**, as shown in Figure 3.
 
-    ![Select Certificate Template to Issue.](images/dg-fig30-selectnewcert.png)
+    ![Select Certificate Template to Issue](images/dg-fig30-selectnewcert.png)
 
     Figure 3. Select the new certificate template to issue
 
@@ -89,7 +89,7 @@ Now that the template is available to be issued, you must request one from the c
 
 4.  In the **Request Certificate** list, select your newly created code signing certificate, and then select the blue text that requests additional information, as shown in Figure 4.
 
-    ![Request Certificates: more information required.](images/dg-fig31-getmoreinfo.png)
+    ![Request Certificates: more information required](images/dg-fig31-getmoreinfo.png)
 
     Figure 4. Get more information for your code signing certificate
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md
index bdb0bb25f6..52cac752d2 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md
@@ -142,7 +142,7 @@ To sign the existing catalog file, copy each of the following commands into an e
     
 4. Verify the catalog file digital signature. Right-click the catalog file, and then click **Properties**. On the **Digital Signatures** tab, verify that your signing certificate exists with a **sha256** algorithm, as shown in Figure 1.
 
-   ![Digital Signature list in file Properties.](images/dg-fig12-verifysigning.png)
+   ![Digital Signature list in file Properties](images/dg-fig12-verifysigning.png)
 
    Figure 1. Verify that the signing certificate exists
 
@@ -182,7 +182,7 @@ To simplify the management of catalog files, you can use Group Policy preference
    > [!NOTE]
    > You can use any OU name. Also, security group filtering is an option when you consider different ways of combining WDAC policies (or keeping them separate).
 
-   ![Group Policy Management, create a GPO.](images/dg-fig13-createnewgpo.png)
+   ![Group Policy Management, create a GPO](images/dg-fig13-createnewgpo.png)
 
    Figure 2. Create a new GPO
 
@@ -192,7 +192,7 @@ To simplify the management of catalog files, you can use Group Policy preference
 
 5. Within the selected GPO, navigate to Computer Configuration\\Preferences\\Windows Settings\\Files. Right-click **Files**, point to **New**, and then click **File**, as shown in Figure 3.
 
-   ![Group Policy Management Editor, New File.](images/dg-fig14-createnewfile.png)
+   ![Group Policy Management Editor, New File](images/dg-fig14-createnewfile.png)
 
    Figure 3. Create a new file
 
@@ -202,7 +202,7 @@ To simplify the management of catalog files, you can use Group Policy preference
 
 7. To keep versions consistent, in the **New File Properties** dialog box (Figure 4), select **Replace** from the **Action** list so that the newest version is always used.
 
-   ![File Properties, Replace option.](images/dg-fig15-setnewfileprops.png)
+   ![File Properties, Replace option](images/dg-fig15-setnewfileprops.png)
 
    Figure 4. Set the new file properties
 
@@ -235,7 +235,7 @@ As an alternative to Group Policy, you can use Configuration Manager to deploy c
 
 3.  Name the package, set your organization as the manufacturer, and select an appropriate version number.
 
-    ![Create Package and Program Wizard.](images/dg-fig16-specifyinfo.png)
+    ![Create Package and Program Wizard](images/dg-fig16-specifyinfo.png)
 
     Figure 5. Specify information about the new package
 
@@ -257,7 +257,7 @@ As an alternative to Group Policy, you can use Configuration Manager to deploy c
 
     -   From the **Drive mode** list, select **Runs with UNC name**.
 
-    ![Standard Program page of wizard.](images/dg-fig17-specifyinfo.png)
+    ![Standard Program page of wizard](images/dg-fig17-specifyinfo.png)
 
     Figure 6. Specify information about the standard program
 
@@ -285,7 +285,7 @@ After you create the deployment package, deploy it to a collection so that the c
 
     -   Select the **Commit changes at deadline or during a maintenance window (requires restarts)** check box.
 
-    ![Deploy Software Wizard, User Experience page.](images/dg-fig18-specifyux.png)
+    ![Deploy Software Wizard, User Experience page](images/dg-fig18-specifyux.png)
 
     Figure 7. Specify the user experience
 
@@ -310,13 +310,13 @@ When catalog files have been deployed to the computers within your environment,
 
 3.  Name the new policy, and under **Select and then configure the custom settings for client devices**, select the **Software Inventory** check box, as shown in Figure 8.
 
-    ![Create Custom Client Device Settings.](images/dg-fig19-customsettings.png)
+    ![Create Custom Client Device Settings](images/dg-fig19-customsettings.png)
 
     Figure 8. Select custom settings
 
 4.  In the navigation pane, click **Software Inventory**, and then click **Set Types**, as shown in Figure 9.
 
-    ![Software Inventory settings for devices.](images/dg-fig20-setsoftwareinv.png)
+    ![Software Inventory settings for devices](images/dg-fig20-setsoftwareinv.png)
 
     Figure 9. Set the software inventory
 
@@ -329,7 +329,7 @@ When catalog files have been deployed to the computers within your environment,
 
 7.  In the **Path Properties** dialog box, select **Variable or path name**, and then type **C:\\Windows\\System32\\catroot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}** in the box, as shown in Figure 10.
 
-    ![Path Properties, specifying a path.](images/dg-fig21-pathproperties.png)
+    ![Path Properties, specifying a path](images/dg-fig21-pathproperties.png)
 
     Figure 10. Set the path properties
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md
index dea3b62b33..d20e96958f 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md
@@ -43,7 +43,7 @@ To deploy and manage a WDAC policy with Group Policy:
    > [!NOTE]
    > You can use any OU name. Also, security group filtering is an option when you consider different ways of combining WDAC policies (or keeping them separate), as discussed in [Plan for Windows Defender Application Control policy management](plan-windows-defender-application-control-management.md).
 
-   ![Group Policy Management, create a GPO.](images/dg-fig24-creategpo.png)
+   ![Group Policy Management, create a GPO](images/dg-fig24-creategpo.png)
 
 3. Name the new GPO. You can choose any name.
 
@@ -51,7 +51,7 @@ To deploy and manage a WDAC policy with Group Policy:
 
 5. In the selected GPO, navigate to Computer Configuration\\Administrative Templates\\System\\Device Guard. Right-click **Deploy Windows Defender Application Control** and then click **Edit**.
 
-    ![Edit the Group Policy for Windows Defender Application Control.](images/wdac-edit-gp.png)
+    ![Edit the Group Policy for Windows Defender Application Control](images/wdac-edit-gp.png)
 
 6. In the **Deploy Windows Defender Application Control** dialog box, select the **Enabled** option, and then specify the WDAC policy deployment path.
 
@@ -60,7 +60,7 @@ To deploy and manage a WDAC policy with Group Policy:
     > [!NOTE]
     > This policy file does not need to be copied to every computer. You can instead copy the WDAC policies to a file share to which all computer accounts have access. Any policy selected here is converted to SIPolicy.p7b when it is deployed to the individual client computers.
 
-    ![Group Policy called Deploy Windows Defender Application Control.](images/dg-fig26-enablecode.png)
+    ![Group Policy called Deploy Windows Defender Application Control](images/dg-fig26-enablecode.png)
 
     > [!NOTE]
     > You may have noticed that the GPO setting references a .p7b file and this example uses a .bin file for the policy. Regardless of the type of policy you deploy (.bin, .p7b, or .p7), they are all converted to SIPolicy.p7b when dropped on the client computer running Windows 10. Give your WDAC policies friendly names and allow the system to convert the policy names for you to ensure that the policies are easily distinguishable when viewed in a share or any other central repository.
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md
index 29fbbe9431..250600e081 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md
@@ -71,7 +71,7 @@ The steps to use Intune's custom OMA-URI functionality are:
     - **Certificate file**: upload your binary format policy file. You do not need to upload a Base64 file, as Intune will convert the uploaded .bin file to Base64 on your behalf.
 
     > [!div class="mx-imgBorder"]
-    > ![Configure custom WDAC.](images/wdac-intune-custom-oma-uri.png)
+    > ![Configure custom WDAC](images/wdac-intune-custom-oma-uri.png)
 
 > [!NOTE]
 > For the _Policy GUID_ value, do not include the curly brackets.
diff --git a/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md b/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md
index 0c319af7e6..848bfe1e62 100644
--- a/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md
+++ b/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md
@@ -45,7 +45,7 @@ Most WDAC policies will evolve over time and proceed through a set of identifiab
 6. Deploy the enforced mode policy to intended devices. We recommend using staged rollouts for enforced policies to detect and respond to issues before deploying the policy broadly.
 7. Repeat steps 1-6 anytime the desired "circle-of-trust" changes.  
 
-![Recommended WDAC policy deployment process.](images/policyflow.png)
+![Recommended WDAC policy deployment process](images/policyflow.png)
 
 ### Keep WDAC policies in a source control or document management solution
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md
index 4915d3faea..2c5382e43b 100644
--- a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md
@@ -43,7 +43,7 @@ Each of the template policies has a unique set of policy allow list rules that w
 
 More information about the Default Windows Mode and Allow Microsoft Mode policies can be accessed through the [Example WDAC base policies article](example-wdac-base-policies.md). 
 
-![Selecting a base template for the policy.](images/wdac-wizard-template-selection.png)
+![Selecting a base template for the policy](images/wdac-wizard-template-selection.png)
 
 Once the base template is selected, give the policy a name and choose where to save the application control policy on disk.
 
@@ -69,7 +69,7 @@ A description of each policy rule, beginning with the left-most column, is provi
 | **User Mode Code Integrity** | WDAC policies restrict both kernel-mode and user-mode binaries. By default, only kernel-mode binaries are restricted. Enabling this rule option validates user mode executables and scripts. |
 
 > [!div class="mx-imgBorder"]
-> ![Rule options UI for Windows Allowed mode policy.](images/wdac-wizard-rule-options-UI-advanced-collapsed.png)
+> ![Rule options UI for Windows Allowed mode policy](images/wdac-wizard-rule-options-UI-advanced-collapsed.png)
 
 ### Advanced Policy Rules Description
 
@@ -84,7 +84,7 @@ Selecting the **+ Advanced Options** label will show another column of policy ru
 | **Invalidate EAs on Reboot** | When the Intelligent Security Graph option (14) is used, WDAC sets an extended file attribute that indicates that the file was authorized to run. This option will cause WDAC to periodically revalidate the reputation for files that were authorized by the ISG.| 
 | **Require EV Signers** | In addition to being WHQL signed, this rule requires that drivers must have been submitted by a partner that has an Extended Verification (EV) certificate. All Windows 10 and later drivers will meet this requirement. |
 
-![Rule options UI for Windows Allowed mode.](images/wdac-wizard-rule-options-UI.png)
+![Rule options UI for Windows Allowed mode](images/wdac-wizard-rule-options-UI.png)
 
 > [!NOTE]
 > We recommend that you **enable Audit Mode** initially because it allows you to test new WDAC policies before you enforce them. With audit mode, no application is blocked—instead the policy logs an event whenever an application outside the policy is started. For this reason, all templates have Audit Mode enabled by default. 
@@ -105,7 +105,7 @@ The Publisher file rule type uses properties in the code signing certificate cha
 | **File name** | FilePublisher | Most specific. Combination of the file name, publisher, and PCA certificate as well as a minimum version number. Files from the publisher with the specified name and greater or equal to the specified version are affected. |
 
 
-![Custom filepublisher file rule creation.](images/wdac-wizard-custom-publisher-rule.png)
+![Custom filepublisher file rule creation](images/wdac-wizard-custom-publisher-rule.png)
 
 ### Filepath Rules
 
@@ -123,7 +123,7 @@ The Wizard supports the creation of [file name rules](select-types-of-rules-to-c
 | **Internal name** | Specifies the internal name of the binary. |
 
 > [!div class="mx-imgBorder"]
-> ![Custom file attributes rule.](images/wdac-wizard-custom-file-attribute-rule.png)
+> ![Custom file attributes rule](images/wdac-wizard-custom-file-attribute-rule.png)
 
 ### File Hash Rules
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy.md
index 5f96c11702..bca81708e6 100644
--- a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy.md
@@ -33,15 +33,15 @@ Prerequisite information about application control can be accessed through the [
 
 Once the Supplemental Policy type is chosen on the New Policy page, policy name and file dialog fields can be used to name and save the supplemental policy. The next step requires selecting a base policy to expand. To expand a base policy, the base must allow supplemental policies. The WDAC Wizard will verify if the base policy allows supplementals and will show the following confirmation. 
 
-![Base policy allows supplemental policies.](images/wdac-wizard-supplemental-expandable.png)
+![Base policy allows supplemental policies](images/wdac-wizard-supplemental-expandable.png)
 
 If the base policy is not configured for supplemental policies, the Wizard will attempt to convert the policy to one that can be supplemented. Once successful, the Wizard will show a dialog demonstrating that the addition of the Allow Supplemental Policy rule was completed.  
 
-![Wizard confirms modification of base policy.](images/wdac-wizard-confirm-base-policy-modification.png)
+![Wizard confirms modification of base policy](images/wdac-wizard-confirm-base-policy-modification.png)
 
 Policies that cannot be supplemented, for instance, a supplemental policy, will be detected by the Wizard and will show the following error. Only a base policy can be supplemented. More information on supplemental policies can be found on our [Multiple Policies article](deploy-multiple-windows-defender-application-control-policies.md).
 
-![Wizard detects a bad base policy.](images/wdac-wizard-supplemental-not-base.png)
+![Wizard detects a bad base policy](images/wdac-wizard-supplemental-not-base.png)
 
 ## Configuring Policy Rules
 
@@ -60,7 +60,7 @@ There are only three policy rules that can be configured by the supplemental pol
 | **Managed Installer** | Use this option to automatically allow applications installed by a software distribution solution, such as Microsoft Endpoint Configuration Manager, that has been defined as a managed installer. |
 | **Disable Runtime FilePath Rule Protection** | Disable default FilePath rule protection (apps and executables allowed based on file path rules must come from a file path that’s only writable by an administrator) for any FileRule that allows a file based on FilePath. |
 
-![Rule options UI for Windows Allowed mode.](images/wdac-wizard-supplemental-policy-rule-options-UI.png)
+![Rule options UI for Windows Allowed mode](images/wdac-wizard-supplemental-policy-rule-options-UI.png)
 
 ## Creating custom file rules
 
@@ -78,7 +78,7 @@ The Publisher file rule type uses properties in the code signing certificate cha
 | **File name** | FilePublisher | Most specific. Combination of the file name, publisher, and PCA certificate and a minimum version number. Files from the publisher with the specified name and greater or equal to the specified version are affected. |
 
 
-![Custom filepublisher file rule creation.](images/wdac-wizard-custom-publisher-rule.png)
+![Custom filepublisher file rule creation](images/wdac-wizard-custom-publisher-rule.png)
 
 ### Filepath Rules
 
@@ -96,7 +96,7 @@ The Wizard supports the creation of [file name rules](select-types-of-rules-to-c
 | **Internal name** | Specifies the internal name of the binary. |
 
 
-![Custom file attributes rule.](images/wdac-wizard-custom-file-attribute-rule.png)
+![Custom file attributes rule](images/wdac-wizard-custom-file-attribute-rule.png)
 
 ### File Hash Rules
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-editing-policy.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-editing-policy.md
index 09c88d84aa..2b94c7f004 100644
--- a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-editing-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-editing-policy.md
@@ -36,7 +36,7 @@ The WDAC Wizard makes editing and viewing WDAC policies easier than the PowerShe
 
 The `Policy Rules` page will load with the in-edit policy rules configured per the set rules. Selecting the `+ Advanced Options` button will reveal the advanced policy rule options panel. This grouping of rules contains additional policy rule options that are less common to the majority of users. To edit any of the rules, flip the corresponding policy rule state.  For instance, to disable Audit Mode and enable Enforcement Mode in the figure below, the button beside the `Audit Mode` label needs only to be pressed. Once the policy rules are configured, select the Next button to continue the next stage of editing: [Adding File Rules](#adding-file-rules).
 
-![Configuring the policy rules.](images/wdac-wizard-edit-policy-rules.png)
+![Configuring the policy rules](images/wdac-wizard-edit-policy-rules.png)
 
 A description of the policy rule is shown at the bottom of the page when the cursor is placed over the rule title. For a complete list of the policy rules and their capabilities, see the [Windows Defender Application Control policy rules table](select-types-of-rules-to-create.md#windows-defender-application-control-policy-rules).
 
@@ -50,7 +50,7 @@ Selecting the `+ Custom Rules` button will open the Custom Rules panel. For more
 
 The WDAC Wizard makes deleting file rules from an existing policy quick and easy. To remove any type of file rule: publisher rule, path rule, filename rule, or a hash rule, select the rule in the `Policy Signing Rules List` table on the left-hand side of the page. Selecting the rule will highlight the entire row. Once the row is highlighted, select the remove icon underneath the table. The Wizard will prompt for user confirmation before removing the file rule. Once removed, the rule will no longer appear in the policy or the table. 
 
-![Removing file rule from policy during edit.](images/wdac-wizard-edit-remove-file-rule.png)
+![Removing file rule from policy during edit](images/wdac-wizard-edit-remove-file-rule.png)
 
 **Note:** removing a publisher rule will also remove the associated File Attribute rules. For instance, in the xml block below, removing ID_SIGNER_CONTOSO_PUBLISHER would also remove the rules ID_FILEATTRIB_LOB_APP_1 and ID_FILEATTRIB_LOB_APP_2. 
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-merging-policies.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-merging-policies.md
index 66ad01329f..ec6e988048 100644
--- a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-merging-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-merging-policies.md
@@ -30,4 +30,4 @@ Select the policies you wish to merge into one policy using the `+ Add Policy` b
 
 Lastly, select a filepath save location for the final merged policy using the `Browse` button. If a minimum of two policies are selected, and the save location is specified, select the `Next` button to build the policy. 
 
-![Merging WDAC policies into a final WDAC policy.](images/wdac-wizard-merge.png)
+![Merging WDAC policies into a final WDAC policy](images/wdac-wizard-merge.png)
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md
index ed1a7fe460..6da28ad681 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md
@@ -57,4 +57,4 @@ This can only be done in Group Policy.
 >[!NOTE]
 >If you hide all sections then the app will show a restricted interface, as in the following screenshot:
 >  
->![Windows Security app with all sections hidden by Group Policy.](images/wdsc-all-hide.png)
\ No newline at end of file
+>![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png)
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md
index 544e90142e..80d025f7ac 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md
@@ -76,4 +76,4 @@ This can only be done in Group Policy.
 > [!NOTE]
 > If you hide all sections then the app will show a restricted interface, as in the following screenshot:
 >
-> ![Windows Security app with all sections hidden by Group Policy.](images/wdsc-all-hide.png)
\ No newline at end of file
+> ![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png)
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md
index 969d80c8bf..1bfddcc3f2 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md
@@ -32,11 +32,11 @@ ms.technology: mde
 
 You can add information about your organization in a contact card to the Windows Security app. You can include a link to a support site, a phone number for a help desk, and an email address for email-based support.
 
-![The security center custom fly-out.](images/security-center-custom-flyout.png)
+![The security center custom fly-out](images/security-center-custom-flyout.png)
 
 This information will also be shown in some enterprise-specific notifications (including notifications for the [Block at first sight feature](/windows/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus), and [potentially unwanted applications](/windows/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus)).
 
-![A security center notification.](images/security-center-custom-notif.png)
+![A security center notification](images/security-center-custom-notif.png)
 
 Users can select the displayed information to initiate a support request:
 
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md
index 13fce0f2d5..919f2cb7a2 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md
@@ -56,4 +56,4 @@ This can only be done in Group Policy.
 >[!NOTE]
 >If you hide all sections then the app will show a restricted interface, as in the following screenshot:
 >  
->![Windows Security app with all sections hidden by Group Policy.](images/wdsc-all-hide.png)
\ No newline at end of file
+>![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png)
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md
index f4d3053cd9..f0627d2869 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md
@@ -50,7 +50,7 @@ This can only be done in Group Policy.
 >[!NOTE]
 >If you hide all sections then the app will show a restricted interface, as in the following screenshot:
 >  
->![Windows Security app with all sections hidden by Group Policy.](images/wdsc-all-hide.png)
+>![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png)
 
 ## Disable the Clear TPM button
 If you don't want users to be able to click the **Clear TPM** button in the Windows Security app, you can disable it.
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md
index 274c66bd66..c7d0fb4944 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md
@@ -55,4 +55,4 @@ This can only be done in Group Policy.
 >[!NOTE]
 >If you hide all sections then the app will show a restricted interface, as in the following screenshot:
 >  
->![Windows Security app with all sections hidden by Group Policy.](images/wdsc-all-hide.png)
\ No newline at end of file
+>![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png)
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md
index 3a14dc7c26..5cf74d9fdf 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md
@@ -52,5 +52,5 @@ This can only be done in Group Policy.
 >[!NOTE]
 >If you hide all sections then the app will show a restricted interface, as in the following screenshot:
 >  
->![Windows Security app with all sections hidden by Group Policy.](images/wdsc-all-hide.png)
+>![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png)
 
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md
index 87960171d1..762e9c7402 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md
@@ -63,7 +63,7 @@ This can only be done in Group Policy.
 >[!NOTE]
 >If you hide all sections then the app will show a restricted interface, as in the following screenshot:
 >  
->![Windows Security app with all sections hidden by Group Policy.](images/wdsc-all-hide.png)
+>![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png)
 
 ## Hide the Ransomware protection area
 
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md
index 30cc06c3d0..146bdcc78e 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md
@@ -34,7 +34,7 @@ Windows 10 in S mode is streamlined for tighter security and superior performanc
 
 The Windows Security interface is a little different in Windows 10 in S mode. The **Virus & threat protection** area has fewer options, because the built-in security of Windows 10 in S mode prevents viruses and other threats from running on devices in your organization. In addition, devices running Windows 10 in S mode receive security updates automatically.
 
-![Screen shot of the Windows Security app Virus & threat protection area in Windows 10 in S mode.](images/security-center-virus-and-threat-protection-windows-10-in-s-mode.png)
+![Screen shot of the Windows Security app Virus & threat protection area in Windows 10 in S mode](images/security-center-virus-and-threat-protection-windows-10-in-s-mode.png)
 
 For more information about Windows 10 in S mode, including how to switch out of S mode, see [Windows 10 Pro/Enterprise in S mode](/windows/deployment/windows-10-pro-in-s-mode).
 
diff --git a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md
index fe03727f33..17eb0a98fd 100644
--- a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md
+++ b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md
@@ -31,7 +31,7 @@ In Windows 10, version 1709 and later, the app also shows information from third
 
 In Windows 10, version 1803, the app has two new areas, **Account protection** and **Device security**.
 
-![Screenshot of the Windows Security app showing that the device is protected and five icons for each of the features.](images/security-center-home.png)
+![Screenshot of the Windows Security app showing that the device is protected and five icons for each of the features](images/security-center-home.png)
 
 > [!NOTE]
 > The Windows Security app is a client interface on Windows 10, version 1703 and later. It is not the Microsoft Defender Security Center web portal console that is used to review and manage [Microsoft Defender for Endpoint](/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection).
@@ -55,19 +55,19 @@ You can find more information about each section, including options for configur
 > [!NOTE]
 > If you hide all sections then the app will show a restricted interface, as in the following screenshot:
 >
-> ![Windows Security app with all sections hidden by Group Policy.](images/wdsc-all-hide.png)
+> ![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png)
 
 ## Open the Windows Security app
 
 - Click the icon in the notification area on the taskbar.
 
-    ![Screenshot of the icon for the Windows Security app on the Windows task bar.](images/security-center-taskbar.png)
+    ![Screenshot of the icon for the Windows Security app on the Windows task bar](images/security-center-taskbar.png)
 - Search the Start menu for **Windows Security**.
 
-    ![Screenshot of the Start menu showing the results of a search for the Windows Security app, the first option with a large shield symbol is selected.](images/security-center-start-menu.png)
+    ![Screenshot of the Start menu showing the results of a search for the Windows Security app, the first option with a large shield symbol is selected](images/security-center-start-menu.png)
 - Open an area from Windows **Settings**.
 
-    ![Screenshot of Windows Settings showing the different areas available in the Windows Security.](images/settings-windows-defender-security-center-areas.png)
+    ![Screenshot of Windows Settings showing the different areas available in the Windows Security](images/settings-windows-defender-security-center-areas.png)
 
 > [!NOTE]
 > Settings configured with management tools, such as Group Policy, Microsoft Intune, or Microsoft Endpoint Configuration Manager, will generally take precedence over the settings in the Windows Security. See the topics for each of the sections for links to configuring the associated features or products.
diff --git a/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md b/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md
index 848345ef8b..8b55c05b3e 100644
--- a/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md
+++ b/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md
@@ -52,7 +52,7 @@ DRTM lets the system freely boot into untrusted code initially, but shortly afte
 This has the benefit of allowing untrusted early UEFI code to boot the system, but then being able to securely transition into a trusted and measured state.
 
 
-![System Guard Secure Launch.](images/system-guard-secure-launch.png)
+![System Guard Secure Launch](images/system-guard-secure-launch.png)
 
 Secure Launch simplifies management of SRTM measurements because the launch code is now unrelated to a specific hardware configuration. This means the number of valid code measurements is small, and future updates can be deployed more widely and quickly. 
 
@@ -82,7 +82,7 @@ While Windows Defender System Guard provides advanced protection that will help
 As Windows 10 boots, a series of integrity measurements are taken by Windows Defender System Guard using the device’s Trusted Platform Module 2.0 (TPM 2.0). System Guard Secure Launch will not support earlier TPM versions, such as TPM 1.2. This process and data are hardware-isolated away from Windows to help ensure that the measurement data is not subject to the type of tampering that could happen if the platform was compromised. From here, the measurements can be used to determine the integrity of the device’s firmware, hardware configuration state, and Windows boot-related components, just to name a few. 
 
 
-![Boot time integrity.](images/windows-defender-system-guard-boot-time-integrity.png)
+![Boot time integrity](images/windows-defender-system-guard-boot-time-integrity.png)
 
 After the system boots, Windows Defender System Guard signs and seals these measurements using the TPM. Upon request, a management system like Intune or Microsoft Endpoint Configuration Manager can acquire them for remote analysis. If Windows Defender System Guard indicates that the device lacks integrity, the management system can take a series of actions, such as denying the device access to resources.
 
diff --git a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
index 55321967df..14695d80d0 100644
--- a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
+++ b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
@@ -38,13 +38,13 @@ System Guard Secure Launch can be configured for Mobile Device Management (MDM)
 
 2. Click **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard** > **Turn On Virtualization Based Security** > **Secure Launch Configuration**.
 
-    ![Secure Launch Configuration.](images/secure-launch-group-policy.png)
+    ![Secure Launch Configuration](images/secure-launch-group-policy.png)
 
 ### Windows Security Center
 
 Click **Start** > **Settings** > **Update & Security** > **Windows Security** > **Open Windows Security** > **Device security** > **Core isolation** > **Firmware protection**.
 
-  ![Windows Security Center.](images/secure-launch-security-app.png)
+  ![Windows Security Center](images/secure-launch-security-app.png)
   
 ### Registry
 
@@ -58,13 +58,13 @@ Click **Start** > **Settings** > **Update & Security** > **Windows Security** >
 
 5. Double-click **Enabled**, change the value to **1**, and click **OK**.
 
-    ![Secure Launch Registry.](images/secure-launch-registry.png)
+    ![Secure Launch Registry](images/secure-launch-registry.png)
 
 ## How to verify System Guard Secure Launch is configured and running
 
 To verify that Secure Launch is running, use System Information (MSInfo32). Click **Start**, search for **System Information**, and look under **Virtualization-based Security Services Running** and **Virtualization-based Security Services Configured**.
 
-![Verifying Secure Launch is running in the Windows Security Center.](images/secure-launch-msinfo.png)
+![Verifying Secure Launch is running in the Windows Security Center](images/secure-launch-msinfo.png)
 
 > [!NOTE]
 > To enable System Guard Secure launch, the platform must meet all the baseline requirements for [Device Guard](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md), [Credential Guard](../../identity-protection/credential-guard/credential-guard-requirements.md), and [Virtualization Based Security](/windows-hardware/design/device-experiences/oem-vbs).
diff --git a/windows/security/threat-protection/windows-firewall/best-practices-configuring.md b/windows/security/threat-protection/windows-firewall/best-practices-configuring.md
index 5819f886fd..71f0392376 100644
--- a/windows/security/threat-protection/windows-firewall/best-practices-configuring.md
+++ b/windows/security/threat-protection/windows-firewall/best-practices-configuring.md
@@ -38,7 +38,7 @@ type **WF.msc**, and then select **OK**. See also [Open Windows Firewall](./op
 
 When you open the Windows Defender Firewall for the first time, you can see the default settings applicable to the local computer. The Overview panel displays security settings for each type of network to which the device can connect.
 
-![Windows Defender Firewall with Advanced Security first time opening.](images/fw01-profiles.png)
+![Windows Defender Firewall with Advanced Security first time opening](images/fw01-profiles.png)
 
 *Figure 1: Windows Defender Firewall*
 
@@ -55,7 +55,7 @@ View detailed settings for each profile by right-clicking the top-level **Window
 Maintain the default settings in Windows Defender
 Firewall whenever possible. These settings have been designed to secure your device for use in most network scenarios. One key example is the default Block behavior for Inbound connections. 
 
-![A screenshot of a cell phone Description automatically generated.](images/fw03-defaults.png)
+![A screenshot of a cell phone Description automatically generated](images/fw03-defaults.png)
 
 *Figure 2: Default inbound/outbound settings*
 
@@ -70,7 +70,7 @@ In many cases, a next step for administrators will be to customize these profile
 
 This can be accomplished by right-clicking either **Inbound Rules** or **Outbound Rules**, and selecting **New Rule**. The interface for adding a new rule looks like this:
 
-![Rule creation wizard.](images/fw02-createrule.png)
+![Rule creation wizard](images/fw02-createrule.png)
 
 *Figure 3: Rule Creation Wizard*
 
@@ -131,7 +131,7 @@ To determine why some applications are blocked from communicating in the network
 
 Creation of application rules at runtime can also be prohibited by administrators using the Settings app or Group Policy.
 
-![Windows Firewall prompt.](images/fw04-userquery.png)
+![Windows Firewall prompt](images/fw04-userquery.png)
 
 *Figure 4: Dialog box to allow access*
 
@@ -148,7 +148,7 @@ Rule merging settings control how rules from different policy sources can be com
 
 The rule merging settings either allow or prevent local admins from creating their own firewall rules in addition to those obtained from Group Policy.
 
-![Customize settings.](images/fw05-rulemerge.png)
+![Customize settings](images/fw05-rulemerge.png)
 
 *Figure 5: Rule merging setting*
 
@@ -180,11 +180,11 @@ An important firewall feature you can use to mitigate damage during an active at
 Shields up can be achieved by checking **Block all
 incoming connections, including those in the list of allowed apps** setting found in either the Windows Settings app or the legacy file *firewall.cpl*.
 
-![Incoming connections.](images/fw06-block.png)
+![Incoming connections](images/fw06-block.png)
 
 *Figure 6: Windows settings App/Windows Security/Firewall Protection/Network Type*
 
-![Firewall cpl.](images/fw07-legacy.png)
+![Firewall cpl](images/fw07-legacy.png)
 
 *Figure 7: Legacy firewall.cpl*
 
diff --git a/windows/security/threat-protection/windows-firewall/boundary-zone.md b/windows/security/threat-protection/windows-firewall/boundary-zone.md
index 37d7edb647..0e67454be2 100644
--- a/windows/security/threat-protection/windows-firewall/boundary-zone.md
+++ b/windows/security/threat-protection/windows-firewall/boundary-zone.md
@@ -32,7 +32,7 @@ The GPOs you build for the boundary zone include IPsec or connection security ru
 
 Because these boundary zone devices can receive unsolicited inbound communications from untrusted devices that use plaintext, they must be carefully managed and secured in other ways. Mitigating this additional risk is an important part of deciding whether to add a device to the boundary zone. For example, completing a formal business justification process before adding each device to the boundary zone can help ensure that the additional risk is minimized. The following illustration shows a sample process that can help make such a decision.
 
-![design flowchart.](images/wfas-designflowchart1.gif)
+![design flowchart](images/wfas-designflowchart1.gif)
 
 The goal of this process is to determine whether the risk of adding a device to a boundary zone can be mitigated to a level that makes it acceptable to the organization. Ultimately, if the risk cannot be mitigated, membership must be denied.
 
diff --git a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md
index 479b2e67af..bf9a3f7d47 100644
--- a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md
+++ b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md
@@ -28,7 +28,7 @@ ms.technology: mde
 To get started, open Device Configuration in Intune, then create a new profile. 
 Choose Windows 10 as the platform, and Endpoint Protection as the profile type. 
 Select Windows Defender Firewall.
-![Windows Defender Firewall in Intune.](images/windows-firewall-intune.png)
+![Windows Defender Firewall in Intune](images/windows-firewall-intune.png)
 
 >[!IMPORTANT]
 >A single Endpoint Protection profile may contain up to a maximum of 150 firewall rules. If a client device requires more than 150 rules, then multiple profiles must be assigned to it.
diff --git a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md
index 8f27c49ab5..0e7f47576b 100644
--- a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md
+++ b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md
@@ -32,7 +32,7 @@ In addition to the basic protection provided by the firewall rules in the previo
 
 The following illustration shows the traffic protection needed for this design example.
 
-![domain isolation policy design.](images/wfas-design2example1.gif)
+![domain isolation policy design](images/wfas-design2example1.gif)
 
 1.  All devices on the Woodgrove Bank corporate network that are Active Directory domain members must authenticate inbound network traffic as coming from another computer that is a member of the domain. Unless otherwise specified in this section, Woodgrove Bank's devices reject all unsolicited inbound network traffic that is not authenticated. If the basic firewall design is also implemented, even authenticated inbound network traffic is dropped unless it matches an inbound firewall rule.
 
diff --git a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md
index 659827d1c6..6c13157e59 100644
--- a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md
@@ -34,7 +34,7 @@ By using connection security rules based on IPsec, you provide a logical barrier
 
 The design is shown in the following illustration, with the arrows that show the permitted communication paths.
 
-![isolated domain boundary zone.](images/wfasdomainisoboundary.gif)
+![isolated domain boundary zone](images/wfasdomainisoboundary.gif)
 
 Characteristics of this design, as shown in the diagram, include the following:
 
diff --git a/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md b/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md
index 718505a9d7..90d5fd2514 100644
--- a/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md
+++ b/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md
@@ -22,7 +22,7 @@ Debugging packet drops is a continuous issue to Windows customers. In the past,
 
 Typically, when investigating packet drop events, a customer would use the field `Filter Run-Time ID` from Windows Filtering Platform (WFP) audits 5157 or 5152. 
 
-![Event properties.](images/event-properties-5157.png)
+![Event properties](images/event-properties-5157.png)
 
 The filter ID uniquely identifies the filter that caused the packet drop. The filter ID can be searched in the WFP state dump output to trace back to the Firewall rule where the filter originated from. 
 
@@ -73,7 +73,7 @@ To enable a specific audit event, run the corresponding command in an administra
 
 As the audit surfaces `Filter Origin` and `Interface Index`, the network admin can determine the root cause of the network packet drop and the interface it happened on.
 
-![Event audit.](images/event-audit-5157.png)
+![Event audit](images/event-audit-5157.png)
 
 The next sections are divided by `Filter Origin` type, the value is either a rule name or the name of one of the default block filters. If the filter origin is one of the default block filters, skip to the section, **Firewall default block filters**. Otherwise, continue to the section **Firewall rules**.
 
@@ -86,7 +86,7 @@ Get-NetFirewallRule -Name “<Filter Origin>”
 Get-NetFirewallRule -Name " {A549B7CF-0542-4B67-93F9-EEBCDD584377} "
 ```
 
-![Firewall rule.](images/firewallrule.png)
+![Firewall rule](images/firewallrule.png)
 
 After identifying the rule that caused the drop, the network admin can now modify/disable the rule to allow the traffic they want through command prompt or using the Windows Defender UI. The network admin can find the rule in the UI with the rule’s `DisplayName`.
 
@@ -118,7 +118,7 @@ Get-NetIPInterface –InterfaceIndex <Interface Index>
 Get-NetIPInterface –InterfaceIndex 5
 ```
 
-![Quarantine default block filter.](images/quarantine-default-block-filter.png)
+![Quarantine default block filter](images/quarantine-default-block-filter.png)
 
 To learn more about the quarantine feature, see [Quarantine behavior](quarantine.md).
 
@@ -139,7 +139,7 @@ To generate a list of all the query user block rules, you can run the following
 Get-NetFirewallRule | Where {$_.Name -like "*Query User*"}
 ```
 
-![Query user default block filter.](images/query-user-default-block-filters.png)
+![Query user default block filter](images/query-user-default-block-filters.png)
 
 The query user pop-up feature is enabled by default. 
 
diff --git a/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md b/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md
index 5a6acfea96..8c8fb36ee5 100644
--- a/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md
+++ b/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md
@@ -38,7 +38,7 @@ The network administrators want to implement Windows Defender Firewall with Adva
 
 The following illustration shows the traffic protection needs for this design example.
 
-![design example 1.](images/wfas-designexample1.gif)
+![design example 1](images/wfas-designexample1.gif)
 
 1.  The network infrastructure servers that are running services, such as Active Directory, DNS, DHCP, or WINS, can receive unsolicited inbound requests from network clients. The network clients can receive the responses from the infrastructure servers.
 
diff --git a/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md b/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md
index 265019f489..7b95852c3d 100644
--- a/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md
+++ b/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md
@@ -41,7 +41,7 @@ The following are important factors in the implementation of your Windows Defend
 
 The next step in implementing your design is to determine in what order each of the deployment steps must be performed. This guide uses checklists to help you accomplish the various deployment tasks that are required to implement your design plan. As the following diagram shows, checklists and subchecklists are used as necessary to provide the end-to-end procedure for deploying a design.
 
-![wfas implementation.](images/wfas-implement.gif)
+![wfas implementation](images/wfas-implement.gif)
 
 Use the following parent checklists in this section of the guide to become familiar with the deployment tasks for implementing your organization's Windows Defender Firewall with Advanced Security design.
 
diff --git a/windows/security/threat-protection/windows-firewall/quarantine.md b/windows/security/threat-protection/windows-firewall/quarantine.md
index bd087a2124..87bab115a6 100644
--- a/windows/security/threat-protection/windows-firewall/quarantine.md
+++ b/windows/security/threat-protection/windows-firewall/quarantine.md
@@ -196,7 +196,7 @@ Auditpol /set /category:"System" /SubCategory:"Filtering Platform Connection" /s
 
 Sample drop audit with `filterOrigin` as `Quarantine Default`.
 
-![Quarantine default.](images/quarantine-default1.png)
+![Quarantine default](images/quarantine-default1.png)
 
 Once the drop’s filter origin has been identified as the quarantine default inbound block filter, the interface should be further investigated. To find the relevant interface, use the `InterfaceIndex` value from the `netEvent` or event audit in the following PowerShell command to generate more information about the interface:
 
@@ -205,7 +205,7 @@ Get-NetIPInterface –InterfaceIndex <Interface Index>
 Get-NetIPInterface –InterfaceIndex 5
 ```
 
-![Quarantine Interfaceindex.](images/quarantine-interfaceindex1.png)
+![Quarantine Interfaceindex](images/quarantine-interfaceindex1.png)
 
 Using the interface name, event viewer can be searched for any interface related changes. 
 
diff --git a/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md b/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md
index 8fbeb35412..81a548b4ee 100644
--- a/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md
+++ b/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md
@@ -30,7 +30,7 @@ For devices that share sensitive information over the network, Windows Defender
 
 The following illustration shows an encryption zone in an isolated domain. The rules that implement both the isolated domain and the different zones are deployed by using Group Policy and Active Directory.
 
-![encryption zone in an isolated domain.](images/wfas-domainisoencrypt.gif)
+![encryption zone in an isolated domain](images/wfas-domainisoencrypt.gif)
 
 This goal provides the following benefits:
 
diff --git a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md
index 1a7c288575..a50232fe28 100644
--- a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md
+++ b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md
@@ -34,7 +34,7 @@ You can restrict access by specifying either computer or user credentials.
 
 The following illustration shows an isolated server, and examples of devices that can and cannot communicate with it. Devices that are outside the Woodgrove corporate network, or computers that are in the isolated domain but are not members of the required NAG, cannot communicate with the isolated server.
 
-![isolated domain with network access groups.](images/wfas-domainnag.gif)
+![isolated domain with network access groups](images/wfas-domainnag.gif)
 
 This goal, which corresponds to [Server Isolation Policy Design](server-isolation-policy-design.md), provides the following features:
 
diff --git a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md
index 5285e56ad9..d7de7d8963 100644
--- a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md
+++ b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md
@@ -35,7 +35,7 @@ The protection provided by domain isolation can help you comply with regulatory
 
 The following illustration shows an isolated domain, with one of the zones that are optionally part of the design. The rules that implement both the isolated domain and the different zones are deployed by using Group Policy and Active Directory.
 
-![domain isolation.](images/wfas-domainiso.gif)
+![domain isolation](images/wfas-domainiso.gif)
 
 These goals, which correspond to [Domain Isolation Policy Design](domain-isolation-policy-design.md) and [Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md), provide the following benefits:
 
diff --git a/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md b/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md
index 8cb2a35d50..4c6f3f4fb7 100644
--- a/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md
+++ b/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md
@@ -59,7 +59,7 @@ These procedures assume that you already have a public key infrastructure (PKI)
 
 The following Windows PowerShell script establishes a connection security rule that uses IKEv2 for communication between two computers (CLIENT1 and SERVER1) that are joined to the corp.contoso.com domain as shown in Figure 1.
 
-![the contoso corporate network.](images/corpnet.gif)
+![the contoso corporate network](images/corpnet.gif)
 
 **Figure 1** The Contoso corporate network
 
@@ -77,7 +77,7 @@ This script does the following:
 
 -   Creates the IKEv2 connection security rule called **My IKEv2 Rule**.
 
-![powershell logo.](images/powershelllogosmall.gif)**Windows PowerShell commands**
+![powershell logo](images/powershelllogosmall.gif)**Windows PowerShell commands**
 
 Type each cmdlet on a single line, even though they may appear to wrap across several lines because of formatting constraints.
 
@@ -117,7 +117,7 @@ Use a Windows PowerShell script similar to the following to create a local IPsec
 
 >**Important:**  The certificate parameters that you specify for the certificate are case sensitive, so make sure that you type them exactly as specified in the certificate, and place the parameters in the exact order that you see in the following example. Failure to do so will result in connection errors.
 
-![powershell logo.](images/powershelllogosmall.gif)**Windows PowerShell commands**
+![powershell logo](images/powershelllogosmall.gif)**Windows PowerShell commands**
 
 Type each cmdlet on a single line, even though they may appear to wrap across several lines because of formatting constraints.
 
diff --git a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md
index a0070cf114..0e2b6ce11e 100644
--- a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md
+++ b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md
@@ -46,7 +46,7 @@ In addition to the protection provided by the firewall rules and domain isolatio
 
 The following illustration shows the traffic protection needs for this design example.
 
-![isolated server example.](images/wfas-design3example1.gif)
+![isolated server example](images/wfas-design3example1.gif)
 
 1.  Access to the SQL Server devices must be restricted to only those computer or user accounts that have a business requirement to access the data. This includes the service accounts that are used by the WGBank front-end servers, and administrators of the SQL Server devices. In addition, access is only granted when it is sent from an authorized computer. Authorization is determined by membership in a network access group (NAG).
 
diff --git a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md
index 7d44e7c17c..f4d452b4cf 100644
--- a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md
@@ -32,7 +32,7 @@ You can implement a server isolation design without using domain isolation. To d
 
 The design is shown in the following illustration, with arrows that show the permitted communication paths.
 
-![isolated domain with isolated server.](images/wfas-domainisohighsec.gif)
+![isolated domain with isolated server](images/wfas-domainisohighsec.gif)
 
 Characteristics of this design include the following:
 
diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md
index bf70a3a3b7..3e383743a4 100644
--- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md
+++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md
@@ -328,7 +328,7 @@ Windows PowerShell can create powerful, complex IPsec policies like in Netsh and
 
 In Netsh, the authentication and cryptographic sets were specified as a list of comma-separated tokens in a specific format. In Windows PowerShell, rather than using default settings, you first create your desired authentication or cryptographic proposal objects and bundle them into lists in your preferred order. Then, you create one or more IPsec rules that reference these sets. The benefit of this model is that programmatic access to the information in the rules is much easier. See the following sections for clarifying examples.
 
-![object model for creating a single ipsec rule.](images/createipsecrule.gif)
+![object model for creating a single ipsec rule](images/createipsecrule.gif)
 
 ### Create IPsec rules
 
@@ -353,7 +353,7 @@ If you want to create a custom set of quick-mode proposals that includes both AH
 
 You can then use the newly created custom quick-mode policies when you create IPsec rules. The cryptography set object is linked to an IPsec rule object.
 
-![crypto set object.](images/qmcryptoset.gif)
+![crypto set object](images/qmcryptoset.gif)
 
 In this example, we build on the previously created IPsec rule by specifying a custom quick-mode crypto set. The final IPsec rule requires outbound traffic to be authenticated by the specified cryptography method.
 
diff --git a/windows/security/threat-protection/windows-security-baselines.md b/windows/security/threat-protection/windows-security-baselines.md
index 8e719f1364..f18a5180db 100644
--- a/windows/security/threat-protection/windows-security-baselines.md
+++ b/windows/security/threat-protection/windows-security-baselines.md
@@ -61,12 +61,12 @@ You can download the security baselines from the [Microsoft Download Center](htt
 
 The security baselines are included in the [Security Compliance Toolkit (SCT)](security-compliance-toolkit-10.md), which can be downloaded from the Microsoft Download Center. The SCT also includes tools to help admins manage the security baselines. 
 
-[![Security Compliance Toolkit.](images/security-compliance-toolkit-1.png)](security-compliance-toolkit-10.md) 
-[![Get Support.](images/get-support.png)](get-support-for-security-baselines.md) 
+[![Security Compliance Toolkit](images/security-compliance-toolkit-1.png)](security-compliance-toolkit-10.md) 
+[![Get Support](images/get-support.png)](get-support-for-security-baselines.md) 
 
 ## Community
 
-[![Microsoft Security Guidance Blog.](images/community.png)](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bd-p/Security-Baselines) 
+[![Microsoft Security Guidance Blog](images/community.png)](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bd-p/Security-Baselines) 
 
 ## Related Videos
 
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md
index 170918a4fa..cfb7427cbc 100644
--- a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md
+++ b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md
@@ -60,12 +60,12 @@ You can download the security baselines from the [Microsoft Download Center](htt
 
 The security baselines are included in the [Security Compliance Toolkit (SCT)](security-compliance-toolkit-10.md), which can be downloaded from the Microsoft Download Center. The SCT also includes tools to help admins manage the security baselines. 
 
-[![Security Compliance Toolkit.](./../images/security-compliance-toolkit-1.png)](security-compliance-toolkit-10.md) 
-[![Get Support.](./../images/get-support.png)](get-support-for-security-baselines.md) 
+[![Security Compliance Toolkit](./../images/security-compliance-toolkit-1.png)](security-compliance-toolkit-10.md) 
+[![Get Support](./../images/get-support.png)](get-support-for-security-baselines.md) 
 
 ## Community
 
-[![Microsoft Security Guidance Blog.](./../images/community.png)](/archive/blogs/secguide/) 
+[![Microsoft Security Guidance Blog](./../images/community.png)](/archive/blogs/secguide/) 
 
 ## Related Videos
 
diff --git a/windows/whats-new/contribute-to-a-topic.md b/windows/whats-new/contribute-to-a-topic.md
index b99b7a48ad..1387997652 100644
--- a/windows/whats-new/contribute-to-a-topic.md
+++ b/windows/whats-new/contribute-to-a-topic.md
@@ -38,7 +38,7 @@ Across the docs.microsoft.com site, if you see **Edit** in the right-hand corner
 
 1. Go to the article that you want to update, and then click **Edit**.
 
-    ![GitHub Web, showing the Edit link.](images/contribute-link.png)
+    ![GitHub Web, showing the Edit link](images/contribute-link.png)
 
 2. Sign into (or sign up for) a GitHub account.
     
@@ -46,7 +46,7 @@ Across the docs.microsoft.com site, if you see **Edit** in the right-hand corner
 
 3. Click the **Pencil** icon (in the red box) to edit the content.
 
-    ![GitHub Web, showing the Pencil icon in the red box.](images/pencil-icon.png)
+    ![GitHub Web, showing the Pencil icon in the red box](images/pencil-icon.png)
 
 4. Using Markdown language, make your changes to the topic. For info about how to edit content using Markdown, see:
    - **If you're linked to the Microsoft organization in GitHub:** [Windows authoring guide](https://aka.ms/WindowsAuthoring)
@@ -55,11 +55,11 @@ Across the docs.microsoft.com site, if you see **Edit** in the right-hand corner
 
 5. Make your suggested change, and then click **Preview Changes** to make sure it looks correct.
 
-      ![GitHub Web, showing the Preview Changes tab.](images/preview-changes.png)
+      ![GitHub Web, showing the Preview Changes tab](images/preview-changes.png)
 
 6. When you’re done editing the topic, scroll to the bottom of the page, and then click **Propose file change**.
 
-    ![GitHub Web, showing the Propose file change button.](images/propose-file-change.png)
+    ![GitHub Web, showing the Propose file change button](images/propose-file-change.png)
 
     The **Comparing changes** screen shows the changes between your version of the article and the original content.
 
@@ -67,7 +67,7 @@ Across the docs.microsoft.com site, if you see **Edit** in the right-hand corner
 
    If there are no problems, you’ll see the message, **Able to merge**.
 
-   ![GitHub Web, showing the Comparing changes screen.](images/compare-changes.png)
+   ![GitHub Web, showing the Comparing changes screen](images/compare-changes.png)
 
 8. Click **Create pull request**.
 
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
index 256dad7a3a..83e1c6b032 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
@@ -48,7 +48,7 @@ This version of Window 10 includes security improvements for threat protection,
 
 The [Microsoft Defender for Endpoint](/windows/security/threat-protection/index) platform includes the security pillars shown in the following diagram. In this version of Windows, Defender for Endpoint includes powerful analytics, security stack integration, and centralized management for better detection, prevention, investigation, response, and management. 
 
-![Microsoft Defender for Endpoint.](../images/wdatp.png)
+![Microsoft Defender for Endpoint](../images/wdatp.png)
 
 ##### Attack surface reduction 
 
@@ -275,7 +275,7 @@ The WSC service now requires antivirus products to run as a protected process to
 
 WSC now includes the Fluent Design System elements you know and love. You’ll also notice we’ve adjusted the spacing and padding around the app. It will now dynamically size the categories on the main page if more room is needed for extra info. We also updated the title bar so that it will use your accent color if you have enabled that option in **Color Settings**.
 
-![Security at a glance.](../images/defender.png "Windows Security Center")
+![Security at a glance](../images/defender.png "Windows Security Center")
 
 #### Group Policy Security Options
 
@@ -288,7 +288,7 @@ A new security policy setting
 
 We’ve continued to work on the **Current threats** area in  [Virus & threat protection](/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection), which now displays all threats that need action. You can quickly take action on threats from this screen: 
 
-![S mode settings.](../images/virus-and-threat-protection.png "Virus & threat protection settings")
+![S mode settings](../images/virus-and-threat-protection.png "Virus & threat protection settings")
 
 ## Deployment
 
@@ -387,7 +387,7 @@ If you have shared devices deployed in your work place, **Fast sign-in** enables
 
 3. Sign-in to a shared PC with your account. You'll notice the difference!
 
-   ![fast sign-in.](../images/fastsignin.png "fast sign-in")
+   ![fast sign-in](../images/fastsignin.png "fast sign-in")
 
 ### Web sign-in to Windows 10
 
@@ -402,7 +402,7 @@ Until now, Windows logon only supported the use of identities federated to ADFS
 3. On the lock screen, select web sign-in under sign-in options.
 4. Click the “Sign in” button to continue.
 
-![Sign-in option.](../images/websignin.png "web sign-in")
+![Sign-in option](../images/websignin.png "web sign-in")
 
 ## Windows Analytics
 
@@ -470,7 +470,7 @@ The OS uninstall period is a length of time that users are given when they can o
 
 Using the new wizards in Windows Configuration Designer, you can [create provisioning packages to enroll devices in Azure Active Directory](/windows/configuration/provisioning-packages/provisioning-packages#configuration-designer-wizards). Azure AD join in bulk is available in the desktop, mobile, kiosk, and Surface Hub wizards.
 
-![get bulk token action in wizard.](../images/bulk-token.png)
+![get bulk token action in wizard](../images/bulk-token.png)
 
 ### Windows Spotlight
 
@@ -636,7 +636,7 @@ If you have a device that has been updated to Windows 10 Enterprise LTSC 2019, t
 
 We added a dropdown that displays as you type to help complete the next part of the path. You can also press **Ctrl + Backspace** to delete the last word, and **Ctrl + Delete** to delete the next word.
 
-![Reg editor.](../images/regeditor.png "Registry editor dropdown")
+![Reg editor](../images/regeditor.png "Registry editor dropdown")
 
 ## Remote Desktop with Biometrics
 
@@ -650,9 +650,9 @@ To get started, sign into your device using Windows Hello for Business. Bring up
 
 See the following example:
 
-![Enter your credentials.](../images/RDPwBioTime.png "Windows Hello")
-![Provide credentials.](../images/RDPwBio2.png "Windows Hello personal")
-![Microsoft Hyper-V Server 2016.](../images/hyper-v.png "Microsoft Hyper-V Server 2016")
+![Enter your credentials](../images/RDPwBioTime.png "Windows Hello")
+![Provide credentials](../images/RDPwBio2.png "Windows Hello personal")
+![Microsoft Hyper-V Server 2016](../images/hyper-v.png "Microsoft Hyper-V Server 2016")
 
 ## See Also
 
diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md
index 48bf6b509b..b05bba2289 100644
--- a/windows/whats-new/whats-new-windows-10-version-1703.md
+++ b/windows/whats-new/whats-new-windows-10-version-1703.md
@@ -31,11 +31,11 @@ Previously known as *Windows Imaging and Configuration Designer (ICD)*, the tool
 
 Windows Configuration Designer in Windows 10, version 1703, includes several new wizards to make it easier to create provisioning packages.
 
-![wizards for desktop, mobile, kiosk, Surface Hub.](images/wcd-options.png)
+![wizards for desktop, mobile, kiosk, Surface Hub](images/wcd-options.png)
 
 Both the desktop and kiosk wizards include an option to remove pre-installed software, based on the new [CleanPC configuration service provider (CSP)](/windows/client-management/mdm/cleanpc-csp).
 
-![remove pre-installed software option.](images/wcd-cleanpc.png)
+![remove pre-installed software option](images/wcd-cleanpc.png)
 
 [Learn more about Windows Configuration Designer.](/windows/configuration/provisioning-packages/provisioning-packages)
 
@@ -44,7 +44,7 @@ Both the desktop and kiosk wizards include an option to remove pre-installed sof
 
 Using the new wizards in Windows Configuration Designer, you can [create provisioning packages to enroll devices in Azure Active Directory](/windows/configuration/provisioning-packages/provisioning-packages#configuration-designer-wizards). Azure AD join in bulk is available in the desktop, mobile, kiosk, and Surface Hub wizards.
 
-![get bulk token action in wizard.](images/bulk-token.png)
+![get bulk token action in wizard](images/bulk-token.png)
 
 
 ### Windows Spotlight
@@ -279,7 +279,7 @@ Learn about the new Group Policies that were added in Windows 10, version 1703.
 
 The Lockdown Designer app helps you configure and create a lockdown XML file to apply to devices running Windows 10 Mobile, and includes a remote simulation to help you determine the layout for tiles on the Start screen. Using Lockdown Designer is easier than [manually creating a lockdown XML file](/windows/configuration/mobile-devices/lockdown-xml).
 
-![Lockdown Designer app in Store.](images/ldstore.png)
+![Lockdown Designer app in Store](images/ldstore.png)
 
 [Learn more about the Lockdown Designer app.](/windows/configuration/mobile-devices/mobile-lockdown-designer)
 
diff --git a/windows/whats-new/whats-new-windows-10-version-1809.md b/windows/whats-new/whats-new-windows-10-version-1809.md
index 6410248ff6..e73c5af9bc 100644
--- a/windows/whats-new/whats-new-windows-10-version-1809.md
+++ b/windows/whats-new/whats-new-windows-10-version-1809.md
@@ -46,7 +46,7 @@ To learn more about Autopilot self-deploying mode and to see step-by-step instru
 We’ve continued to work on the **Current threats** area in  [Virus & threat protection](/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection), which now displays all threats that need action. You can quickly take action on threats from this screen: 
 
 > [!div class="mx-imgBorder"]
-> ![Virus & threat protection settings.](images/virus-and-threat-protection.png "Virus & threat protection settings")
+> ![Virus & threat protection settings](images/virus-and-threat-protection.png "Virus & threat protection settings")
 
 With controlled folder access you can help prevent ransomware and other destructive malware from changing your personal files. In some cases, apps that you normally use might be blocked from making changes to common folders like **Documents** and **Pictures**. We’ve made it easier for you to add apps that were recently blocked so you can keep using your device without turning off the feature altogether.
 
@@ -109,16 +109,16 @@ To try this:
 See the following example:
 
 > [!div class="mx-imgBorder"]
-> ![Security at a glance.](images/1_AppBrowser.png "app and browser control")
+> ![Security at a glance](images/1_AppBrowser.png "app and browser control")
 
 > [!div class="mx-imgBorder"]
-> ![Isolated browser.](images/2_InstallWDAG.png "isolated browsing")
+> ![Isolated browser](images/2_InstallWDAG.png "isolated browsing")
 
 > [!div class="mx-imgBorder"]
-> ![change WDAG settings.](images/3_ChangeSettings.png "change settings")
+> ![change WDAG settings](images/3_ChangeSettings.png "change settings")
 
 > [!div class="mx-imgBorder"]
-> ![view WDAG settings.](images/4_ViewSettings.jpg "view settings")
+> ![view WDAG settings](images/4_ViewSettings.jpg "view settings")
 
 ### Windows Security Center
 
@@ -130,7 +130,7 @@ The WSC service now requires antivirus products to run as a protected process to
 
 WSC now includes the Fluent Design System elements you know and love. You’ll also notice we’ve adjusted the spacing and padding around the app. It will now dynamically size the categories on the main page if more room is needed for extra info. We also updated the title bar so that it will use your accent color if you have enabled that option in **Color Settings**.
 
-![alt text.](images/defender.png "Windows Security Center")
+![alt text](images/defender.png "Windows Security Center")
 
 ### Windows Defender Firewall now supports Windows Subsystem for Linux (WSL) processes
 
@@ -195,7 +195,7 @@ We introduced a simplified assigned access configuration experience in **Setting
 
 To use this feature, go to **Settings**, search for **assigned access**, and open the **Set up a kiosk** page. 
 
-![set up a kiosk.](images/kiosk-mode.png "set up a kiosk")
+![set up a kiosk](images/kiosk-mode.png "set up a kiosk")
 
 Microsoft Edge kiosk mode running in single-app assigned access has two kiosk types.
 
@@ -203,7 +203,7 @@ Microsoft Edge kiosk mode running in single-app assigned access has two kiosk ty
 
 2. **Public browsing** supports multi-tab browsing and runs InPrivate mode with minimal features available. Users cannot minimize, close, or open new Microsoft Edge windows or customize them using Microsoft Edge Settings. Users can clear browsing data and downloads, and restart Microsoft Edge by clicking **End session**. Administrators can configure Microsoft Edge to restart after a period of inactivity.
 
-![single app assigned access.](images/SingleApp_contosoHotel_inFrame@2x.png "single app assigned access")
+![single app assigned access](images/SingleApp_contosoHotel_inFrame@2x.png "single app assigned access")
 
 Microsoft Edge kiosk mode running in multi-app assigned access has two kiosk types. 
 
@@ -212,11 +212,11 @@ Microsoft Edge kiosk mode running in multi-app assigned access has two kiosk typ
 
 **Public browsing** supports multi-tab browsing and runs InPrivate mode with minimal features available. In this configuration, Microsoft Edge can be one of many apps available. Users can close and open multiple InPrivate mode windows.
 
-![multi-app assigned access.](images/Multi-app_kiosk_inFrame.png "multi-app assigned access")
+![multi-app assigned access](images/Multi-app_kiosk_inFrame.png "multi-app assigned access")
 
 **Normal mode** runs a full version of Microsoft Edge, although some features may not work depending on what apps are configured in assigned access. For example, if the Microsoft Store is not set up, users cannot get books.
 
-![normal mode.](images/Normal_inFrame.png "normal mode")
+![normal mode](images/Normal_inFrame.png "normal mode")
 
 Learn more about [Microsoft Edge kiosk mode](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy).
 
@@ -224,7 +224,7 @@ Learn more about [Microsoft Edge kiosk mode](/microsoft-edge/deploy/microsoft-ed
 
 We added a dropdown that displays as you type to help complete the next part of the path. You can also press **Ctrl + Backspace** to delete the last word, and **Ctrl + Delete** to delete the next word.
 
-![Registry editor dropdown.](images/regeditor.png "Registry editor dropdown")
+![Registry editor dropdown](images/regeditor.png "Registry editor dropdown")
 
 ## Faster sign-in to a Windows 10 shared pc
 
@@ -237,7 +237,7 @@ Do you have shared devices deployed in your work place? **Fast sign-in** enables
 
 3. Sign-in to a shared PC with your account. You'll notice the difference!
 
-    ![fast sign-in.](images/fastsignin.png "fast sign-in")
+    ![fast sign-in](images/fastsignin.png "fast sign-in")
 
 >[!NOTE]
 >This is a private preview feature and therefore not meant or recommended for production purposes.
@@ -259,7 +259,7 @@ Until now, Windows logon only supported the use of identities federated to ADFS
 4. Click the **Sign in** button to continue.
 
    > [!div class="mx-imgBorder"]
-   > ![Web sign-in.](images/websignin.png "web sign-in")
+   > ![Web sign-in](images/websignin.png "web sign-in")
 
 >[!NOTE]
 >This is a private preview feature and therefore not meant or recommended for production purposes.
@@ -271,7 +271,7 @@ Android phone users, you can finally stop emailing yourself photos. With Your Ph
 For iPhone users, **Your Phone** app also helps you to link your phone to your PC. Surf the web on your phone, then send the webpage instantly to your computer to continue what you’re doing–-read, watch, or browse-- with all the benefits of a bigger screen. 
 
 > [!div class="mx-imgBorder"]
-> ![your phone.](images/your-phone.png "your phone")
+> ![your phone](images/your-phone.png "your phone")
 
 The desktop pin takes you directly to the **Your Phone** app for quicker access to your phone’s content. You can also go through the all apps list in Start, or use the Windows key and search for **Your Phone**. 
 
@@ -283,7 +283,7 @@ One of the things we’ve heard from you is that it’s hard to know when you’
 * Video mode increases the screen-to-screen latency to ensure the video on the big screen plays back smoothly
 * Productivity modes strikes a balance between game mode and video mode; the screen-to screen-latency is responsive enough that typing feels natural, while ensuring videos don’t glitch as often.
 
-![wireless projection banner.](images/beaming.png "wireless projection banner")
+![wireless projection banner](images/beaming.png "wireless projection banner")
 
 ## Remote Desktop with Biometrics
 
@@ -293,6 +293,6 @@ To get started, sign into your device using Windows Hello for Business. Bring up
 
 See the following example:
 
-![Enter your credentials.](images/RDPwBioTime.png "Windows Hello")
-![Enter your credentials.](images/RDPwBio2.png "Windows Hello personal")
-![Microsoft Hyper-V Server 2016.](images/hyper-v.png "Microsoft Hyper-V Server 2016")
+![Enter your credentials](images/RDPwBioTime.png "Windows Hello")
+![Enter your credentials](images/RDPwBio2.png "Windows Hello personal")
+![Microsoft Hyper-V Server 2016](images/hyper-v.png "Microsoft Hyper-V Server 2016")
diff --git a/windows/whats-new/whats-new-windows-10-version-1903.md b/windows/whats-new/whats-new-windows-10-version-1903.md
index 74eb1725e2..371bf97c95 100644
--- a/windows/whats-new/whats-new-windows-10-version-1903.md
+++ b/windows/whats-new/whats-new-windows-10-version-1903.md
@@ -125,7 +125,7 @@ The draft release of the [security configuration baseline settings](/archive/blo
 
 This new feature is displayed under the Device Security page with the string “Your device exceeds the requirements for enhanced hardware security” if configured properly:
 
-![System Guard.](images/system-guard.png "SMM Firmware Measurement")
+![System Guard](images/system-guard.png "SMM Firmware Measurement")
 
 ### Identity Protection
 
diff --git a/windows/whats-new/whats-new-windows-10-version-2004.md b/windows/whats-new/whats-new-windows-10-version-2004.md
index 692871b1c3..ac0d4984f2 100644
--- a/windows/whats-new/whats-new-windows-10-version-2004.md
+++ b/windows/whats-new/whats-new-windows-10-version-2004.md
@@ -43,7 +43,7 @@ In this release,  [Windows Defender System Guard](/windows/security/threat-prote
 
 With this improvement, the OS can detect a higher level of SMM compliance, enabling devices to be even more hardened against SMM exploits and vulnerabilities. This feature is forward-looking and currently requires new hardware available soon.
 
- ![System Guard.](images/system-guard2.png)
+ ![System Guard](images/system-guard2.png)
 
 ### Windows Defender Application Guard
 

From de364ca11502abb8d95f93847f7662f557d00144 Mon Sep 17 00:00:00 2001
From: Alekhya Jupudi <v-aljupudi@microsoft.com>
Date: Fri, 27 Aug 2021 12:01:28 +0530
Subject: [PATCH 4/6] Revert "Revert "Merge branch 'master' into
 aljupudi-w11defender-branch01""

This reverts commit e87ef8501d40b3c702f8ea2aea542b91cc179bf2.
---
 CONTRIBUTING.md                               |  10 +-
 ...ct-data-using-enterprise-site-discovery.md |  14 +-
 ...rprise-mode-logging-and-data-collection.md |  18 +-
 ...-on-enterprise-mode-and-use-a-site-list.md |   4 +-
 ...control-and-logging-for-enterprise-mode.md |   4 +-
 ...ct-data-using-enterprise-site-discovery.md |  14 +-
 .../deprecated-document-modes.md              |   2 +-
 ...doc-modes-and-enterprise-mode-site-list.md |   6 +-
 .../out-of-date-activex-control-blocking.md   |   6 +-
 ...-the-default-browser-using-group-policy.md |   2 +-
 ...rprise-mode-logging-and-data-collection.md |  18 +-
 ...s-and-tricks-to-manage-ie-compatibility.md |   4 +-
 ...-on-enterprise-mode-and-use-a-site-list.md |   4 +-
 ...control-and-logging-for-enterprise-mode.md |   4 +-
 .../licensing-version-and-features-ieak11.md  |  52 ++---
 .../educator-tib-get-started.md               |  62 +++---
 education/trial-in-a-box/index.md             |   4 +-
 .../trial-in-a-box/itadmin-tib-get-started.md |  46 ++---
 education/trial-in-a-box/support-options.md   |  12 +-
 education/windows/autopilot-reset.md          |   8 +-
 education/windows/change-to-pro-education.md  |  20 +-
 .../windows/chromebook-migration-guide.md     |   4 +-
 .../configure-windows-for-education.md        |  10 +-
 .../deploy-windows-10-in-a-school-district.md |  16 +-
 .../windows/deploy-windows-10-in-a-school.md  |  14 +-
 .../windows/edu-deployment-recommendations.md |  12 +-
 .../education-scenarios-store-for-business.md |   4 +-
 .../windows/get-minecraft-for-education.md    |   6 +-
 education/windows/index.md                    |  10 +-
 education/windows/school-get-minecraft.md     |  46 ++---
 .../set-up-school-pcs-azure-ad-join.md        |   2 +-
 .../set-up-students-pcs-to-join-domain.md     |   2 +-
 .../windows/set-up-students-pcs-with-apps.md  |  26 +--
 education/windows/set-up-windows-10.md        |   2 +-
 education/windows/take-a-test-multiple-pcs.md |  14 +-
 education/windows/take-a-test-single-pc.md    |   4 +-
 education/windows/take-tests-in-windows-10.md |   2 +-
 education/windows/teacher-get-minecraft.md    |  22 +-
 .../windows/use-set-up-school-pcs-app.md      |   2 +-
 smb/cloud-mode-business-setup.md              |  92 ++++-----
 smb/index.md                                  |   6 +-
 ...quire-apps-microsoft-store-for-business.md |   2 +-
 .../billing-understand-your-invoice-msfb.md   |   6 +-
 ...or-business-education-powershell-module.md |   2 +-
 ...oubleshoot-microsoft-store-for-business.md |  10 +-
 ...-new-microsoft-store-business-education.md |   4 +-
 .../working-with-line-of-business-apps.md     |   2 +-
 ...ation-publishing-and-client-interaction.md |   6 +-
 .../app-v/appv-deployment-checklist.md        |   6 +-
 .../app-v/appv-install-the-sequencer.md       |   2 +-
 .../app-v/appv-planning-checklist.md          |  12 +-
 ...enterprise-background-activity-controls.md |   6 +-
 .../per-user-services-in-windows.md           |  14 +-
 .../svchost-service-refactoring.md            |   8 +-
 .../administrative-tools-in-windows-10.md     |   4 +-
 ...nced-troubleshooting-802-authentication.md |  20 +-
 .../advanced-troubleshooting-boot-problems.md |   2 +-
 ...eshooting-wireless-network-connectivity.md |   4 +-
 ...t-removal-policy-external-storage-media.md |   2 +-
 .../connect-to-remote-aadj-pc.md              |   4 +-
 .../client-management/img-boot-sequence.md    |   2 +-
 .../introduction-page-file.md                 |   6 +-
 ...e-device-installation-with-group-policy.md |  38 ++--
 .../manage-settings-app-with-group-policy.md  |   2 +-
 ...-in-your-organization-modern-management.md |   2 +-
 .../mandatory-user-profile.md                 |  16 +-
 .../mdm/accountmanagement-csp.md              |   2 +-
 ...ure-ad-tenant-and-azure-ad-subscription.md |  32 +--
 .../client-management/mdm/applocker-csp.md    |   6 +-
 .../mdm/appv-deploy-and-config.md             |   2 +-
 ...e-active-directory-integration-with-mdm.md |   6 +-
 ...omatic-mdm-enrollment-in-the-new-portal.md |   4 +-
 .../client-management/mdm/bootstrap-csp.md    |   2 +-
 .../mdm/browserfavorite-csp.md                |   2 +-
 ...ollment-using-windows-provisioning-tool.md |  16 +-
 .../mdm/cellularsettings-csp.md               |   2 +-
 .../mdm/cm-cellularentries-csp.md             |   2 +-
 ...onfiguration-service-provider-reference.md |  60 +++---
 .../mdm/device-update-management.md           |  14 +-
 .../mdm/deviceinstanceservice-csp.md          |   2 +-
 .../client-management/mdm/devicelock-csp.md   |   2 +-
 .../diagnose-mdm-failures-in-windows-10.md    |  20 +-
 .../disconnecting-from-mdm-unenrollment.md    |   2 +-
 .../mdm/eap-configuration.md                  |  22 +-
 .../mdm/enable-admx-backed-policies-in-mdm.md |  12 +-
 ...dded-8-1-handheld-devices-to-windows-10.md |  44 ++--
 ...device-automatically-using-group-policy.md |  44 ++--
 .../mdm/enterprise-app-management.md          |   2 +-
 .../mdm/enterpriseappmanagement-csp.md        |   2 +-
 .../client-management/mdm/filesystem-csp.md   |   2 +-
 .../mdm/healthattestation-csp.md              |   2 +-
 windows/client-management/mdm/hotspot-csp.md  |   2 +-
 ...rver-side-mobile-application-management.md |   2 +-
 ...ent-tool-for-windows-store-for-business.md |   6 +-
 .../mdm/mdm-enrollment-of-windows-devices.md  |  76 +++----
 .../client-management/mdm/messaging-csp.md    |   2 +-
 .../mdm/mobile-device-enrollment.md           |   2 +-
 windows/client-management/mdm/napdef-csp.md   |   4 +-
 ...ew-in-windows-mdm-enrollment-management.md |  10 +-
 .../mdm/passportforwork-csp.md                |   4 +-
 .../policy-configuration-service-provider.md  |   2 +-
 .../mdm/policy-csp-deviceinstallation.md      |   8 +-
 .../mdm/policy-csp-mixedreality.md            |  28 +--
 .../mdm/policy-csp-system.md                  |  15 +-
 .../mdm/push-notification-windows-mdm.md      |  16 +-
 .../client-management/mdm/pxlogical-csp.md    |   4 +-
 ...ree-azure-active-directory-subscription.md |   6 +-
 .../mdm/securitypolicy-csp.md                 |   2 +-
 .../mdm/understanding-admx-backed-policies.md |   4 +-
 .../mdm/unifiedwritefilter-csp.md             |   2 +-
 windows/client-management/mdm/vpn-csp.md      |   2 +-
 .../mdm/w4-application-csp.md                 |   2 +-
 .../mdm/w7-application-csp.md                 |   2 +-
 windows/client-management/mdm/wifi-csp.md     |   2 +-
 .../mdm/windows-mdm-enterprise-settings.md    |   2 +-
 .../windowsadvancedthreatprotection-csp.md    |   2 +-
 .../mdm/wmi-providers-supported-in-windows.md |  60 +++---
 windows/client-management/quick-assist.md     |   2 +-
 .../troubleshoot-inaccessible-boot-device.md  |  16 +-
 .../troubleshoot-stop-errors.md               |   4 +-
 .../troubleshoot-tcpip-connectivity.md        |  16 +-
 .../troubleshoot-tcpip-netmon.md              |   8 +-
 .../troubleshoot-tcpip-port-exhaust.md        |  18 +-
 .../troubleshoot-tcpip-rpc-errors.md          |  10 +-
 .../windows-version-search.md                 |  10 +-
 .../configure-windows-10-taskbar.md           |  16 +-
 .../cortana-at-work/cortana-at-work-crm.md    |   4 +-
 .../cortana-at-work-powerbi.md                |  26 +--
 .../cortana-at-work-voice-commands.md         |   2 +-
 .../customize-and-export-start-layout.md      |   2 +-
 ...-10-start-screens-by-using-group-policy.md |   4 +-
 ...-by-using-provisioning-packages-and-icd.md |   2 +-
 ...ation-user-model-id-of-an-installed-app.md |   2 +-
 windows/configuration/kiosk-methods.md        |  12 +-
 windows/configuration/kiosk-prepare.md        |   4 +-
 windows/configuration/kiosk-shelllauncher.md  |   2 +-
 windows/configuration/kiosk-single-app.md     |  10 +-
 windows/configuration/kiosk-troubleshoot.md   |   2 +-
 .../lock-down-windows-10-applocker.md         |   8 +-
 .../lock-down-windows-10-to-specific-apps.md  |  14 +-
 .../manage-wifi-sense-in-enterprise.md        |   6 +-
 .../mobile-devices/lockdown-xml.md            |  30 +--
 .../mobile-lockdown-designer.md               |  28 +--
 .../provisioning-configure-mobile.md          |   6 +-
 .../mobile-devices/provisioning-nfc.md        |   2 +-
 ...kiosk-for-windows-10-for-mobile-edition.md |  12 +-
 .../mobile-devices/start-layout-xml-mobile.md |   2 +-
 windows/configuration/provisioning-apn.md     |   4 +-
 ...can-use-configuration-service-providers.md |  10 +-
 .../provision-pcs-for-initial-deployment.md   |   6 +-
 ...rovision-pcs-with-apps-and-certificates.md |   8 +-
 .../provision-pcs-with-apps.md                |  10 +-
 .../provisioning-apply-package.md             |  14 +-
 .../provisioning-create-package.md            |  10 +-
 .../provisioning-install-icd.md               |   2 +-
 .../provisioning-multivariant.md              |   2 +-
 .../provisioning-packages.md                  |   2 +-
 .../provisioning-script-to-install-app.md     |   4 +-
 .../set-up-shared-or-guest-pc.md              |   8 +-
 .../start-layout-troubleshoot.md              |  14 +-
 .../configuration/start-secondary-tiles.md    |   8 +-
 .../uev-deploy-uev-for-custom-applications.md |   2 +-
 windows/configuration/ue-v/uev-for-windows.md |   4 +-
 .../ue-v/uev-prepare-for-deployment.md        |  16 +-
 .../uev-upgrade-uev-from-previous-releases.md |   2 +-
 .../configuration/wcd/wcd-admxingestion.md    |   4 +-
 ...ws-10-start-layout-options-and-policies.md |   4 +-
 windows/configuration/windows-spotlight.md    |   8 +-
 windows/deployment/TOC.yml                    |   2 +
 .../deployment/deploy-enterprise-licenses.md  |   6 +-
 windows/deployment/deploy-m365.md             |   4 +-
 windows/deployment/deploy-whats-new.md        |   2 +-
 ...ystem-image-using-configuration-manager.md |   4 +-
 ...-windows-pe-using-configuration-manager.md |  16 +-
 ...e-boot-image-with-configuration-manager.md |  10 +-
 ...ence-with-configuration-manager-and-mdt.md |   4 +-
 ...-windows-10-using-configuration-manager.md |   4 +-
 ...-10-using-pxe-and-configuration-manager.md |  30 +--
 ...0-deployment-with-configuration-manager.md |  12 +-
 ...f-windows-10-with-configuration-manager.md |  22 +-
 ...-windows-10-using-configuration-manager.md |  22 +-
 ...-windows-10-using-configuration-manager.md |  24 +--
 ...to-windows-10-with-configuraton-manager.md |  16 +-
 .../assign-applications-using-roles-in-mdt.md |   6 +-
 ...d-environment-for-windows-10-deployment.md |  10 +-
 .../configure-mdt-settings.md                 |   2 +-
 .../create-a-windows-10-reference-image.md    |  28 +--
 .../deploy-a-windows-10-image-using-mdt.md    |  38 ++--
 ...d-with-the-microsoft-deployment-toolkit.md |   8 +-
 ...prepare-for-windows-deployment-with-mdt.md |  10 +-
 ...sh-a-windows-7-computer-with-windows-10.md |   6 +-
 ...s-7-computer-with-a-windows-10-computer.md |  12 +-
 .../set-up-mdt-for-bitlocker.md               |   6 +-
 ...ows-10-deployment-in-a-test-environment.md |   4 +-
 ...0-with-the-microsoft-deployment-toolkit.md |   8 +-
 .../use-orchestrator-runbooks-with-mdt.md     |  20 +-
 ...stage-windows-10-deployment-information.md |   8 +-
 .../use-web-services-in-mdt.md                |  16 +-
 windows/deployment/index.yml                  |   2 +-
 windows/deployment/mbr-to-gpt.md              |   2 +-
 ...compatibility-administrator-users-guide.md |   2 +-
 ...oyment-considerations-for-windows-to-go.md |  12 +-
 ...rstanding-and-using-compatibility-fixes.md |   4 +-
 .../deployment/planning/using-the-sua-tool.md |   2 +-
 .../planning/using-the-sua-wizard.md          |   2 +-
 .../windows-10-infrastructure-requirements.md |   2 +-
 windows/deployment/s-mode.md                  |   4 +-
 windows/deployment/update/PSFxWhitepaper.md   |   8 +-
 windows/deployment/update/WIP4Biz-intro.md    |   2 +-
 .../deployment/update/check-release-health.md |  12 +-
 .../update/deployment-service-overview.md     |   4 +-
 .../get-started-updates-channels-tools.md     |  12 +-
 .../update/how-windows-update-works.md        |  14 +-
 .../deployment/update/media-dynamic-update.md |   2 +-
 .../olympia/olympia-enrollment-guidelines.md  |  14 +-
 .../deployment/update/plan-define-strategy.md |   4 +-
 windows/deployment/update/safeguard-holds.md  |   2 +-
 ...update-compliance-delivery-optimization.md |   2 +-
 ...update-compliance-feature-update-status.md |   2 +-
 .../update-compliance-need-attention.md       |   2 +-
 ...pdate-compliance-security-update-status.md |   2 +-
 .../update/update-compliance-using.md         |   8 +-
 .../deployment/update/waas-configure-wufb.md  |   2 +-
 .../waas-delivery-optimization-setup.md       |   2 +-
 .../update/waas-delivery-optimization.md      |   2 +-
 ...aas-deployment-rings-windows-10-updates.md |  12 +-
 .../deployment/update/waas-integrate-wufb.md  |   2 +-
 .../update/waas-manage-updates-wsus.md        |  48 ++---
 .../update/waas-manage-updates-wufb.md        |  14 +-
 .../waas-optimize-windows-10-updates.md       |  16 +-
 windows/deployment/update/waas-overview.md    |  14 +-
 windows/deployment/update/waas-restart.md     |  19 +-
 ...s-servicing-channels-windows-10-updates.md |  24 +--
 .../update/waas-servicing-differences.md      |   6 +-
 ...s-servicing-strategy-windows-10-updates.md |  14 +-
 .../deployment/update/waas-wufb-csp-mdm.md    |  18 +-
 .../update/waas-wufb-group-policy.md          |  18 +-
 windows/deployment/update/waas-wufb-intune.md |  20 +-
 .../deployment/update/windows-update-logs.md  |  10 +-
 .../update/windows-update-overview.md         |   2 +-
 .../update/wufb-compliancedeadlines.md        |  12 +-
 .../deployment/update/wufb-manageupdate.md    |   2 +-
 windows/deployment/upgrade/quick-fixes.md     |   8 +-
 windows/deployment/upgrade/setupdiag.md       |  14 +-
 windows/deployment/upgrade/submit-errors.md   |   4 +-
 .../upgrade/troubleshoot-upgrade-errors.md    |  14 +-
 .../upgrade/windows-10-edition-upgrades.md    |  42 ++--
 .../upgrade/windows-error-reporting.md        |   2 +-
 .../usmt/migration-store-types-overview.md    |   2 +-
 .../usmt/usmt-common-migration-scenarios.md   |   4 +-
 ...ctive-directory-based-activation-client.md |  12 +-
 ...ivate-using-key-management-service-vamt.md |  12 +-
 .../activate-windows-10-clients-vamt.md       |   4 +-
 .../add-remove-computers-vamt.md              |   2 +-
 .../configure-client-computers-vamt.md        |   2 +-
 .../volume-activation/install-vamt.md         |   4 +-
 .../volume-activation/introduction-vamt.md    |   4 +-
 .../plan-for-volume-activation-client.md      |   6 +-
 .../scenario-online-activation-vamt.md        |   2 +-
 .../scenario-proxy-activation-vamt.md         |   2 +-
 ...olume-activation-management-tool-client.md |   4 +-
 .../volume-activation/vamt-known-issues.md    |   2 +-
 .../windows-10-deployment-posters.md          |   4 +-
 windows/deployment/windows-10-media.md        |   4 +-
 windows/deployment/windows-10-poc-mdt.md      |   4 +-
 .../windows-10-poc-sc-config-mgr.md           |  18 +-
 windows/deployment/windows-10-poc.md          |  16 +-
 .../windows-10-subscription-activation.md     |  14 +-
 .../demonstrate-deployment-on-vm.md           | 128 ++++++------
 .../windows-deployment-scenarios-and-tools.md |  28 +--
 .../privacy/Microsoft-DiagnosticDataViewer.md |   4 +-
 .../diagnostic-data-viewer-overview.md        |  16 +-
 ...system-components-to-microsoft-services.md | 192 +++++++++---------
 .../active-directory-accounts.md              |  30 +--
 .../access-control/local-accounts.md          |  16 +-
 .../access-control/security-identifiers.md    |   2 +-
 .../access-control/security-principals.md     |   2 +-
 .../identity-protection/configure-s-mime.md   |   8 +-
 .../credential-guard-how-it-works.md          |   2 +-
 .../credential-guard-manage.md                |   4 +-
 .../enterprise-certificate-pinning.md         |  12 +-
 .../feature-multifactor-unlock.md             |   4 +-
 .../hello-adequate-domain-controllers.md      |  10 +-
 .../hello-cert-trust-adfs.md                  |  20 +-
 .../hello-cert-trust-validate-ad-prereq.md    |   2 +-
 .../hello-deployment-rdp-certs.md             |   6 +-
 .../hello-errors-during-pin-creation.md       |   2 +-
 .../hello-feature-pin-reset.md                |   8 +-
 .../hello-feature-remote-desktop.md           |   2 +-
 .../hello-how-it-works-authentication.md      |  10 +-
 .../hello-how-it-works-provisioning.md        |  12 +-
 .../hello-hybrid-aadj-sso-base.md             |  52 ++---
 .../hello-hybrid-aadj-sso-cert.md             |  94 ++++-----
 .../hello-hybrid-cert-trust-devreg.md         |  18 +-
 .../hello-hybrid-cert-whfb-provision.md       |   8 +-
 .../hello-hybrid-key-whfb-provision.md        |   8 +-
 .../hello-key-trust-adfs.md                   |  20 +-
 .../hello-for-business/hello-overview.md      |   2 +-
 .../hello-prepare-people-to-use.md            |   6 +-
 .../passwordless-strategy.md                  |  20 +-
 .../retired/hello-how-it-works.md             |   2 +-
 .../remote-credential-guard.md                |   6 +-
 .../smart-card-and-remote-desktop-services.md |   2 +-
 .../smart-cards/smart-card-architecture.md    |   8 +-
 ...rt-card-certificate-propagation-service.md |   2 +-
 ...ertificate-requirements-and-enumeration.md |  12 +-
 .../smart-card-removal-policy-service.md      |   2 +-
 .../how-user-account-control-works.md         |  10 +-
 ...l-smart-card-deploy-virtual-smart-cards.md |   2 +-
 .../virtual-smart-card-evaluate-security.md   |   2 +-
 .../virtual-smart-card-get-started.md         |  22 +-
 ...tual-smart-card-use-virtual-smart-cards.md |   2 +-
 .../vpn/vpn-authentication.md                 |   2 +-
 .../vpn/vpn-auto-trigger-profile.md           |   4 +-
 .../vpn/vpn-conditional-access.md             |   2 +-
 .../vpn/vpn-connection-type.md                |   6 +-
 .../vpn/vpn-name-resolution.md                |   2 +-
 .../vpn/vpn-profile-options.md                |   2 +-
 .../identity-protection/vpn/vpn-routing.md    |   4 +-
 .../vpn/vpn-security-features.md              |   2 +-
 ...dential-theft-mitigation-guide-abstract.md |   2 +-
 .../bitlocker/bitlocker-countermeasures.md    |   4 +-
 .../bitlocker-deployment-comparison.md        |  48 ++---
 .../bitlocker-recovery-guide-plan.md          |  16 +-
 ...ve-encryption-tools-to-manage-bitlocker.md |   2 +-
 .../bitlocker/troubleshoot-bitlocker.md       |   4 +-
 .../ts-bitlocker-cannot-encrypt-issues.md     |   4 +-
 .../ts-bitlocker-decode-measured-boot-logs.md |  16 +-
 .../bitlocker/ts-bitlocker-intune-issues.md   |  38 ++--
 .../kernel-dma-protection-for-thunderbolt.md  |  10 +-
 .../secure-the-windows-10-boot-process.md     |   4 +-
 .../tpm/how-windows-uses-the-tpm.md           |   4 +-
 ...reate-and-verify-an-efs-dra-certificate.md |   2 +-
 ...e-vpn-and-wip-policy-using-intune-azure.md |   8 +-
 .../create-wip-policy-using-configmgr.md      |  40 ++--
 .../create-wip-policy-using-intune-azure.md   |  56 ++---
 .../deploy-wip-policy-using-intune-azure.md   |   2 +-
 .../wip-app-enterprise-context.md             |   4 +-
 .../wip-learning.md                           |   8 +-
 ...tion-based-protection-of-code-integrity.md |   4 +-
 .../coordinated-malware-eradication.md        |   2 +-
 .../intelligence/fileless-threats.md          |   4 +-
 .../intelligence/malware-naming.md            |   2 +-
 .../intelligence/phishing.md                  |   2 +-
 .../portal-submission-troubleshooting.md      |  14 +-
 .../intelligence/worms-malware.md             |   2 +-
 .../mbsa-removal-and-guidance.md              |   4 +-
 .../install-md-app-guard.md                   |   6 +-
 .../md-app-guard-overview.md                  |   2 +-
 .../test-scenarios-md-app-guard.md            |  34 ++--
 ...microsoft-defender-smartscreen-overview.md |   2 +-
 ...ender-smartscreen-set-individual-device.md |   2 +-
 ...tions-for-app-related-security-policies.md |   6 +-
 ...iew-of-threat-mitigations-in-windows-10.md |   4 +-
 ...-the-health-of-windows-10-based-devices.md |  26 +--
 ...-information-when-the-session-is-locked.md |   2 +-
 .../security-policy-settings.md               |   8 +-
 ...arding-to-assist-in-intrusion-detection.md |   8 +-
 .../windows-10-mobile-security-guide.md       |   2 +-
 .../LOB-win32-apps-on-s.md                    |   6 +-
 .../plan-for-applocker-policy-management.md   |   2 +-
 ...ent-setting-inheritance-in-group-policy.md |   2 +-
 ...the-applocker-policy-deployment-process.md |   2 +-
 ...s-defender-application-control-policies.md |   2 +-
 ...s-defender-application-control-policies.md |   2 +-
 ...or-windows-defender-application-control.md |   8 +-
 ...rt-windows-defender-application-control.md |  20 +-
 ...ion-control-policies-using-group-policy.md |   6 +-
 ...plication-control-policies-using-intune.md |   2 +-
 ...defender-application-control-management.md |   2 +-
 .../wdac-wizard-create-base-policy.md         |  10 +-
 .../wdac-wizard-create-supplemental-policy.md |  12 +-
 .../wdac-wizard-editing-policy.md             |   4 +-
 .../wdac-wizard-merging-policies.md           |   2 +-
 .../wdsc-account-protection.md                |   2 +-
 .../wdsc-app-browser-control.md               |   2 +-
 .../wdsc-customize-contact-information.md     |   4 +-
 .../wdsc-device-performance-health.md         |   2 +-
 .../wdsc-device-security.md                   |   2 +-
 .../wdsc-family-options.md                    |   2 +-
 .../wdsc-firewall-network-protection.md       |   2 +-
 .../wdsc-virus-threat-protection.md           |   2 +-
 .../wdsc-windows-10-in-s-mode.md              |   2 +-
 .../windows-defender-security-center.md       |  10 +-
 ...sed-root-of-trust-helps-protect-windows.md |   4 +-
 ...-guard-secure-launch-and-smm-protection.md |   8 +-
 .../best-practices-configuring.md             |  14 +-
 .../windows-firewall/boundary-zone.md         |   2 +-
 ...create-windows-firewall-rules-in-intune.md |   2 +-
 .../domain-isolation-policy-design-example.md |   2 +-
 .../domain-isolation-policy-design.md         |   2 +-
 .../filter-origin-documentation.md            |  10 +-
 .../firewall-policy-design-example.md         |   2 +-
 ...wall-with-advanced-security-design-plan.md |   2 +-
 .../windows-firewall/quarantine.md            |   4 +-
 ...n-accessing-sensitive-network-resources.md |   2 +-
 ...cess-to-only-specified-users-or-devices.md |   2 +-
 ...restrict-access-to-only-trusted-devices.md |   2 +-
 ...to-end-ipsec-connections-by-using-ikev2.md |   6 +-
 .../server-isolation-policy-design-example.md |   2 +-
 .../server-isolation-policy-design.md         |   2 +-
 ...-administration-with-windows-powershell.md |   4 +-
 .../windows-security-baselines.md             |   6 +-
 .../windows-security-baselines.md             |   6 +-
 windows/whats-new/contribute-to-a-topic.md    |  10 +-
 .../ltsc/whats-new-windows-10-2019.md         |  20 +-
 .../whats-new-windows-10-version-1703.md      |   8 +-
 .../whats-new-windows-10-version-1809.md      |  36 ++--
 .../whats-new-windows-10-version-1903.md      |   2 +-
 .../whats-new-windows-10-version-2004.md      |   2 +-
 410 files changed, 2137 insertions(+), 2121 deletions(-)

diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 75cb7255c8..ef3a69ff52 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -20,7 +20,7 @@ We've tried to make editing an existing, public file as simple as possible.
 
 1. Go to the page on docs.microsoft.com that you want to update, and then click **Edit**.
 
-    ![GitHub Web, showing the Edit link](images/contribute-link.png)
+    ![GitHub Web, showing the Edit link.](images/contribute-link.png)
 
 2. Log into (or sign up for) a GitHub account.
     
@@ -28,7 +28,7 @@ We've tried to make editing an existing, public file as simple as possible.
 
 3. Click the **Pencil** icon (in the red box) to edit the content.
 
-    ![GitHub Web, showing the Pencil icon in the red box](images/pencil-icon.png)
+    ![GitHub Web, showing the Pencil icon in the red box.](images/pencil-icon.png)
 
 4. Using Markdown language, make your changes to the topic. For info about how to edit content using Markdown, see:
     - **If you're linked to the Microsoft organization in GitHub:** [Windows authoring guide](https://aka.ms/WindowsAuthoring)
@@ -37,11 +37,11 @@ We've tried to make editing an existing, public file as simple as possible.
 
 5. Make your suggested change, and then click **Preview Changes** to make sure it looks correct.
 
-    ![GitHub Web, showing the Preview Changes tab](images/preview-changes.png)
+    ![GitHub Web, showing the Preview Changes tab.](images/preview-changes.png)
 
 6. When you’re done editing the topic, scroll to the bottom of the page, and then click **Propose file change** to create a fork in your personal GitHub account.
 
-    ![GitHub Web, showing the Propose file change button](images/propose-file-change.png)
+    ![GitHub Web, showing the Propose file change button.](images/propose-file-change.png)
 
     The **Comparing changes** screen appears to see what the changes are between your fork and the original content.
 
@@ -49,7 +49,7 @@ We've tried to make editing an existing, public file as simple as possible.
 
     If there are no problems, you’ll see the message, **Able to merge**.
     
-    ![GitHub Web, showing the Comparing changes screen](images/compare-changes.png)
+    ![GitHub Web, showing the Comparing changes screen.](images/compare-changes.png)
 
 8. Click **Create pull request**.
 
diff --git a/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md b/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md
index 4fc4fb1ecc..d4f9600d8b 100644
--- a/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md
+++ b/browsers/enterprise-mode/collect-data-using-enterprise-site-discovery.md
@@ -34,11 +34,11 @@ Before you start, you need to make sure you have the following:
 
     1.  Go to the [Microsoft Security Bulletin](https://go.microsoft.com/fwlink/p/?LinkID=718223) page, and change the filter to **Windows Internet Explorer 11**.
 
-        ![microsoft security bulletin techcenter](images/securitybulletin-filter.png)
+        ![microsoft security bulletin techcenter.](images/securitybulletin-filter.png)
 
     2.  Click the title of the latest cumulative security update, and then scroll down to the **Affected software** table.
 
-        ![affected software section](images/affectedsoftware.png)
+        ![affected software section.](images/affectedsoftware.png)
 
     3.  Click the link that represents both your operating system version and Internet Explorer 11, and then follow the instructions in the **How to get this update** section.
 
@@ -280,13 +280,13 @@ You can collect your hardware inventory using the MOF Editor, while you’re con
 
 1.  From the Configuration Manager, click **Administration**, click **Client Settings**, double-click **Default Client Settings**, click **Hardware Inventory**, and then click **Set Classes**.
 
-    ![Configuration Manager, showing the hardware inventory settings for client computers](images/configmgrhardwareinventory.png)
+    ![Configuration Manager, showing the hardware inventory settings for client computers.](images/configmgrhardwareinventory.png)
 
 2.  Click **Add**, click **Connect**, and connect to a computer that has completed the setup process and has already existing classes.
 
 3.  Change the **WMI Namespace** to `root\cimv2\IETelemetry`, and click **Connect**.
 
-    ![Configuration Manager, with the Connect to Windows Management Instrumentation (WMI) box](images/ie11-inventory-addclassconnectscreen.png)
+    ![Configuration Manager, with the Connect to Windows Management Instrumentation (WMI) box.](images/ie11-inventory-addclassconnectscreen.png)
 
 4.  Select the check boxes next to the following classes, and then click **OK**:
 
@@ -393,12 +393,12 @@ The sample reports, **SCCM Report Sample – ActiveX.rdl** and **SCCM Report Sam
 ### SCCM Report Sample – ActiveX.rdl
 Gives you a list of all of the ActiveX-related sites visited by the client computer.
 
-![ActiveX.rdl report, lists all ActiveX-related sites visited by the client computer](images/configmgractivexreport.png)
+![ActiveX.rdl report, lists all ActiveX-related sites visited by the client computer.](images/configmgractivexreport.png)
 
 ### SCCM Report Sample – Site Discovery.rdl
 Gives you a list of all of the sites visited by the client computer.
 
-![Site Discovery.rdl report, lists all websites visited by the client computer](images/ie-site-discovery-sample-report.png)
+![Site Discovery.rdl report, lists all websites visited by the client computer.](images/ie-site-discovery-sample-report.png)
 
 ## View the collected XML data
 After the XML files are created, you can use your own solutions to extract and parse the data. The data will look like:
@@ -436,7 +436,7 @@ You can import this XML data into the correct version of the Enterprise Mode Sit
 
 1.  Open the Enterprise Mode Site List Manager, click **File**, and then click **Bulk add from file**.
 
-    ![Enterprise Mode Site List Manager with Bulk add from file option](images/bulkadd-emiesitelistmgr.png)
+    ![Enterprise Mode Site List Manager with Bulk add from file option.](images/bulkadd-emiesitelistmgr.png)
 
 2.  Go to your XML file to add the included sites to the tool, and then click **Open**.<br>Each site is validated and if successful, added to the global site list when you click **OK** to close the menu. If a site doesn’t pass validation, you can try to fix the issues or pick the site and click **Add to list** to ignore the validation problem. For more information about fixing validation problems, see [Fix validation problems using the Enterprise Mode Site List Manager](fix-validation-problems-using-the-enterprise-mode-site-list-manager.md).
 
diff --git a/browsers/enterprise-mode/set-up-enterprise-mode-logging-and-data-collection.md b/browsers/enterprise-mode/set-up-enterprise-mode-logging-and-data-collection.md
index 47322f0c03..923d4dfe04 100644
--- a/browsers/enterprise-mode/set-up-enterprise-mode-logging-and-data-collection.md
+++ b/browsers/enterprise-mode/set-up-enterprise-mode-logging-and-data-collection.md
@@ -27,11 +27,11 @@ ms.date: 07/27/2017
 
 Using Group Policy, you can turn on Enterprise Mode for Internet Explorer and then you can turn on local user control using the **Let users turn on and use Enterprise Mode from the Tools menu** setting, located in the `Administrative Templates\Windows Components\Internet Explorer` category path. After you turn this setting on, your users can turn on Enterprise Mode locally, from the IE **Tools** menu.
 
-![enterprise mode option on the tools menu](images/ie-emie-toolsmenu.png)
+![enterprise mode option on the tools menu.](images/ie-emie-toolsmenu.png)
 
 The **Let users turn on and use Enterprise Mode from the Tools menu** setting also lets you decide where to send the user reports (as a URL). We recommend creating a custom HTTP port 81 to let your incoming user information go to a dedicated site. A dedicated site is important so you can quickly pick out the Enterprise Mode traffic from your other website traffic.
 
-![group policy to turn on enterprise mode](images/ie-emie-grouppolicy.png)
+![group policy to turn on enterprise mode.](images/ie-emie-grouppolicy.png)
 
 Getting these reports lets you find out about sites that aren’t working right, so you can add them to your Enterprise Mode site list, without having to locate them all yourself. For more information about creating and using a site list, see the [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) or the [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md) topic, based on your operating system.
 
@@ -47,11 +47,11 @@ This lets you create an ASP form that accepts the incoming POST messages.
 
 3.  Open the Internet Information Services (IIS) Manager, click **Bindings**, highlight **Port 81**, click **Edit**, and then change the website information to point to Port 81 so it matches your custom-created port.
 
-    ![IIS Manager, editing website bindings](images/ie-emie-editbindings.png)
+    ![IIS Manager, editing website bindings.](images/ie-emie-editbindings.png)
 
 4.  Open the **Logging** feature, pick **W3C** for the format, and click **Select Fields** to open the **W3C Logging Fields** box.
 
-    ![IIS Manager, setting logging options](images/ie-emie-logging.png)
+    ![IIS Manager, setting logging options.](images/ie-emie-logging.png)
 
 5.  Change the WC3 logging fields to include only the **Date**, **Client IP**, **User Name**, and **URI Query** standard fields, and then click **OK**.<p>
 Using only these fields keeps the log file simple, giving you the date, client IP address, and the website URI information for any site changed by your users.
@@ -72,7 +72,7 @@ This code logs your POST fields to your IIS log file, where you can review all o
 ### IIS log file information
 This is what your log files will look like after you set everything up and at least one of your users has turned on Enterprise Mode locally from the **Tools** menu. You can see the URL of the problematic website and client IP address of the user that turned on Enterprise Mode.
 
-![Enterprise Mode log file](images/ie-emie-logfile.png)
+![Enterprise Mode log file.](images/ie-emie-logfile.png)
 
 
 ## Using the GitHub sample to collect your data
@@ -99,14 +99,14 @@ The required packages are automatically downloaded and included in the solution.
 
 1.  Right-click on the name, PhoneHomeSample, and click **Publish**.
 
-    ![Visual Studio, Publish menu](images/ie-emie-publishsolution.png)
+    ![Visual Studio, Publish menu.](images/ie-emie-publishsolution.png)
 
 2.  In the **Publish Web** wizard, pick the publishing target and options that work for your organization.
 
    **Important**<br>
    Make sure you have a database associated with your publishing target. Otherwise, your reports won’t be collected and you’ll have problems deploying the website. 
 
-    ![Visual Studio, Publish Web wizard](images/ie-emie-publishweb.png)
+    ![Visual Studio, Publish Web wizard.](images/ie-emie-publishweb.png)
 
    After you finish the publishing process, you need to test to make sure the app deployed successfully.
 
@@ -131,7 +131,7 @@ The required packages are automatically downloaded and included in the solution.
 -   Go to `https://<deploy_URL>/List` to see the report results.<p>
 If you’re already on the webpage, you’ll need to refresh the page to see the results.
 
-    ![Enterprise Mode Result report with details](images/ie-emie-reportwdetails.png)
+    ![Enterprise Mode Result report with details.](images/ie-emie-reportwdetails.png)
 
 
 ### Troubleshooting publishing errors
@@ -141,7 +141,7 @@ If you have errors while you’re publishing your project, you should try to upd
 
 1.  From the **Tools** menu of Microsoft Visual Studio, click **NuGet Package Manager**, and click **Manage NuGet Packages for Solution**.
 
-    ![Nuget Package Manager for package updates](images/ie-emie-packageupdate.png)
+    ![Nuget Package Manager for package updates.](images/ie-emie-packageupdate.png)
 
 2.  Click **Updates** on the left side of the tool, and click the **Update All** button.<p>
 You may need to do some additional package cleanup to remove older package versions.
diff --git a/browsers/enterprise-mode/turn-on-enterprise-mode-and-use-a-site-list.md b/browsers/enterprise-mode/turn-on-enterprise-mode-and-use-a-site-list.md
index 4651adf5cf..4573423115 100644
--- a/browsers/enterprise-mode/turn-on-enterprise-mode-and-use-a-site-list.md
+++ b/browsers/enterprise-mode/turn-on-enterprise-mode-and-use-a-site-list.md
@@ -9,7 +9,7 @@ centralized control, you can create one global list of websites that render usin
 1.  Open your Group Policy editor and go to the **Administrative Templates\\Windows Components\\Microsoft Edge\\Configure the Enterprise Mode     Site List** setting.<p>Turning this setting on also requires you to create and store a site list.
 
 <!-- 
-    ![Local Group Policy Editor for using a site list](../edge/images/config-enterprise-site-list.png)
+    ![Local Group Policy Editor for using a site list.](../edge/images/config-enterprise-site-list.png)
 -->
 
 2.  Click **Enabled**, and then in the **Options** area, type the location to your site list.
@@ -24,7 +24,7 @@ All of your managed devices must have access to this location if you want them t
 
 2.  Edit the `SiteList` registry key to point to where you want to keep your Enterprise Mode site list file.<p>For example:
     <!--
-    ![Enterprise mode with site list in the registry](../edge/images/enterprise-mode-value-data.png) -->
+    ![Enterprise mode with site list in the registry.](../edge/images/enterprise-mode-value-data.png) -->
 
     -   **HTTPS location:** `"SiteList"="https://localhost:8080/sites.xml"`
 
diff --git a/browsers/enterprise-mode/turn-on-local-control-and-logging-for-enterprise-mode.md b/browsers/enterprise-mode/turn-on-local-control-and-logging-for-enterprise-mode.md
index b34f9be63f..c8ef3d030c 100644
--- a/browsers/enterprise-mode/turn-on-local-control-and-logging-for-enterprise-mode.md
+++ b/browsers/enterprise-mode/turn-on-local-control-and-logging-for-enterprise-mode.md
@@ -33,7 +33,7 @@ Besides turning on this feature, you also have the option to provide a URL for E
 
 1.  Open your Group Policy editor and go to the **Administrative Templates\\Windows Components\\Internet Explorer\\Let users turn on and use Enterprise Mode from the Tools menu** setting.
 
-    ![group policy editor with emie setting](images/ie-emie-editpolicy.png)
+    ![group policy editor with emie setting.](images/ie-emie-editpolicy.png)
 
 2.  Click **Enabled**, and then in the **Options** area, type the location for where to receive reports about when your employees use this functionality to turn Enterprise Mode on or off from the **Tools** menu.
 
@@ -45,7 +45,7 @@ Besides turning on this feature, you also have the option to provide a URL for E
 
 3.  Right-click the **Enable** key, click **Modify**, and then type a **Value data** to point to a server that you can listen to for updates.
 
-    ![edit registry string for data collection location](images/ie-emie-editregistrystring.png)
+    ![edit registry string for data collection location.](images/ie-emie-editregistrystring.png)
 
 Your **Value data** location can be any of the following types:
 
diff --git a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
index 1acd936993..65fbb8eaaf 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/collect-data-using-enterprise-site-discovery.md
@@ -38,11 +38,11 @@ Before you start, you need to make sure you have the following:
 
     1.  Go to the [Microsoft Security Bulletin](/security-updates/) page, and change the filter to **Windows Internet Explorer 11**.
 
-        ![microsoft security bulletin techcenter](images/securitybulletin-filter.png)
+        ![microsoft security bulletin techcenter.](images/securitybulletin-filter.png)
 
     2.  Click the title of the latest cumulative security update, and then scroll down to the **Affected software** table.
 
-        ![affected software section](images/affectedsoftware.png)
+        ![affected software section.](images/affectedsoftware.png)
 
     3.  Click the link that represents both your operating system version and Internet Explorer 11, and then follow the instructions in the **How to get this update** section.
 
@@ -284,13 +284,13 @@ You can collect your hardware inventory using the MOF Editor, while you’re con
 
 1.  From the Configuration Manager, click **Administration**, click **Client Settings**, double-click **Default Client Settings**, click **Hardware Inventory**, and then click **Set Classes**.
 
-    ![Configuration Manager, showing the hardware inventory settings for client computers](images/configmgrhardwareinventory.png)
+    ![Configuration Manager, showing the hardware inventory settings for client computers.](images/configmgrhardwareinventory.png)
 
 2.  Click **Add**, click **Connect**, and connect to a computer that has completed the setup process and has already existing classes.
 
 3.  Change the **WMI Namespace** to `root\cimv2\IETelemetry`, and click **Connect**.
 
-    ![Configuration Manager, with the Connect to Windows Management Instrumentation (WMI) box](images/ie11-inventory-addclassconnectscreen.png)
+    ![Configuration Manager, with the Connect to Windows Management Instrumentation (WMI) box.](images/ie11-inventory-addclassconnectscreen.png)
 
 4.  Select the check boxes next to the following classes, and then click **OK**:
 
@@ -397,12 +397,12 @@ The sample reports, **SCCM Report Sample – ActiveX.rdl** and **SCCM Report Sam
 ### SCCM Report Sample – ActiveX.rdl
 Gives you a list of all of the ActiveX-related sites visited by the client computer.
 
-![ActiveX.rdl report, lists all ActiveX-related sites visited by the client computer](images/configmgractivexreport.png)
+![ActiveX.rdl report, lists all ActiveX-related sites visited by the client computer.](images/configmgractivexreport.png)
 
 ### SCCM Report Sample – Site Discovery.rdl
 Gives you a list of all of the sites visited by the client computer.
 
-![Site Discovery.rdl report, lists all websites visited by the client computer](images/ie-site-discovery-sample-report.png)
+![Site Discovery.rdl report, lists all websites visited by the client computer.](images/ie-site-discovery-sample-report.png)
 
 ## View the collected XML data
 After the XML files are created, you can use your own solutions to extract and parse the data. The data will look like:
@@ -440,7 +440,7 @@ You can import this XML data into the correct version of the Enterprise Mode Sit
 
 1.  Open the Enterprise Mode Site List Manager, click **File**, and then click **Bulk add from file**.
 
-    ![Enterprise Mode Site List Manager with Bulk add from file option](images/bulkadd-emiesitelistmgr.png)
+    ![Enterprise Mode Site List Manager with Bulk add from file option.](images/bulkadd-emiesitelistmgr.png)
 
 2.  Go to your XML file to add the included sites to the tool, and then click **Open**.<br>Each site is validated and if successful, added to the global site list when you click **OK** to close the menu. If a site doesn’t pass validation, you can try to fix the issues or pick the site and click **Add to list** to ignore the validation problem. For more information about fixing validation problems, see [Fix validation problems using the Enterprise Mode Site List Manager](fix-validation-problems-using-the-enterprise-mode-site-list-manager.md).
 
diff --git a/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md b/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md
index e8d1ec3d7d..5cfa201d18 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/deprecated-document-modes.md
@@ -48,7 +48,7 @@ The compatibility improvements made in IE11 lets older websites just work in the
 ## Document mode selection flowchart
 This flowchart shows how IE11 works when document modes are used.
 
-![Flowchart detailing how document modes are chosen in IE11](images/docmode-decisions-sm.png)<br>
+![Flowchart detailing how document modes are chosen in IE11.](images/docmode-decisions-sm.png)<br>
 [Click this link to enlarge image](img-ie11-docmode-lg.md)
 
 ## Known Issues with Internet Explorer 8 document mode in Enterprise Mode
diff --git a/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md
index 333686dc07..9ec7ddf862 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/fix-compat-issues-with-doc-modes-and-enterprise-mode-site-list.md
@@ -45,7 +45,7 @@ To see if this fix might help you, run through this process one step at a time,
 
 1.  Go to a site having compatibility problems, press **F12** to open the **F12 Developer Tools**, and go to the **Emulation** tool.
 
-    ![Emulation tool showing document mode selection](images/docmode-f12.png)
+    ![Emulation tool showing document mode selection.](images/docmode-f12.png)
 
 2.  Starting with the **11 (Default)** option, test your broken scenario.<br>
 If that doesn’t work, continue down to the next lowest document mode, stopping as soon as you find a document mode that fixes your problems. For more information about the Emulation tool, see [Emulate browsers, screen sizes, and GPS locations](/previous-versions/windows/internet-explorer/ie-developer/samples/dn255001(v=vs.85)).
@@ -62,7 +62,7 @@ There are two versions of the Enterprise Mode site list schema and the Enterpris
 
 1.  Open the Enterprise Mode Site List Manager, and click **Add**.
 
-    ![Enterprise Mode Site List Manager, showing the available modes](images/emie-listmgr.png)
+    ![Enterprise Mode Site List Manager, showing the available modes.](images/emie-listmgr.png)
 
 2.  Add the **URL** and pick the document mode from the **Launch in** box. This should be the same document mode you found fixed your problems while testing the site.<br>
 Similar to Enterprise Mode, you can specify a document mode for a particular web path—such as contoso.com/ERP—or at a domain level. In the above, the entire contoso.com domain loads in Enterprise Mode, while microsoft.com is forced to load into IE8 Document Mode and bing.com loads in IE11.
@@ -74,7 +74,7 @@ For more information about Enterprise Mode, see [What is Enterprise Mode?](what-
 ### Review your Enterprise Mode site list
 Take a look at your Enterprise Mode site list and make sure everything is the way you want it. The next step will be to turn the list on and start to use it in your company. The Enterprise Mode Site List Manager will look something like:
 
-![Enterprise Mode Site List Manager, showing the different modes](images/emie-sitelistmgr.png)
+![Enterprise Mode Site List Manager, showing the different modes.](images/emie-sitelistmgr.png)
 
 And the underlying XML code will look something like:
 
diff --git a/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md b/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md
index 75283c1f64..4eed39657f 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/out-of-date-activex-control-blocking.md
@@ -62,15 +62,15 @@ When IE blocks an outdated ActiveX control, you’ll see a notification bar simi
 
 **Internet Explorer 9 through Internet Explorer 11**
 
-![Warning about outdated activex controls (ie9+)](images/outdatedcontrolwarning.png)
+![Warning about outdated activex controls (ie9+).](images/outdatedcontrolwarning.png)
 
 **Windows Internet Explorer 8**
 
-![Warning about outdated activex controls (ie8)](images/ieoutdatedcontrolwarning.png)
+![Warning about outdated activex controls (ie8).](images/ieoutdatedcontrolwarning.png)
 
 Out-of-date ActiveX control blocking also gives you a security warning that tells you if a webpage tries to launch specific outdated apps, outside of IE:
 
-![Warning about outdated activex controls outside ie](images/ieoutdatedcontroloutsideofie.png)
+![Warning about outdated activex controls outside ie.](images/ieoutdatedcontroloutsideofie.png)
 
 
 ## How do I fix an outdated ActiveX control or app?
diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md b/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md
index 6edccdda73..9424e5e32f 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/set-the-default-browser-using-group-policy.md
@@ -27,7 +27,7 @@ You can use the Group Policy setting, **Set a default associations configuration
 1.  Open your Group Policy editor and go to the **Computer Configuration\Administrative Templates\\Windows Components\\File Explorer\\Set a default associations configuration file** setting.<p>
 Turning this setting on also requires you to create and store a default associations configuration file, locally or on a network share. For more information about creating this file, see [Export or Import Default Application Associations]( https://go.microsoft.com/fwlink/p/?LinkId=618268).
 
-    ![set default associations group policy setting](images/setdefaultbrowsergp.png)
+    ![set default associations group policy setting.](images/setdefaultbrowsergp.png)
 
 2.  Click **Enabled**, and then in the **Options** area, type the location to your default associations configuration file.<p>
 If this setting is turned on and your employee's device is domain-joined, this file is processed and default associations are applied at logon. If this setting isn't configured or is turned off, or if your employee's device isn't domain-joined, no default associations are applied at logon.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md
index dd26f8e369..b42426f1d7 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/set-up-enterprise-mode-logging-and-data-collection.md
@@ -31,11 +31,11 @@ ms.date: 07/27/2017
 
 Using Group Policy, you can turn on Enterprise Mode for Internet Explorer and then you can turn on local user control using the **Let users turn on and use Enterprise Mode from the Tools menu** setting, located in the `Administrative Templates\Windows Components\Internet Explorer` category path. After you turn this setting on, your users can turn on Enterprise Mode locally, from the IE **Tools** menu.
 
-![enterprise mode option on the tools menu](images/ie-emie-toolsmenu.png)
+![enterprise mode option on the tools menu.](images/ie-emie-toolsmenu.png)
 
 The **Let users turn on and use Enterprise Mode from the Tools menu** setting also lets you decide where to send the user reports (as a URL). We recommend creating a custom HTTP port 81 to let your incoming user information go to a dedicated site. A dedicated site is important so you can quickly pick out the Enterprise Mode traffic from your other website traffic.
 
-![group policy to turn on enterprise mode](images/ie-emie-grouppolicy.png)
+![group policy to turn on enterprise mode.](images/ie-emie-grouppolicy.png)
 
 Getting these reports lets you find out about sites that aren’t working right, so you can add them to your Enterprise Mode site list, without having to locate them all yourself. For more information about creating and using a site list, see the [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.2)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-2-schema-and-enterprise-mode-tool.md) or the [Add multiple sites to the Enterprise Mode site list using a file and the Enterprise Mode Site List Manager (schema v.1)](add-multiple-sites-to-enterprise-mode-site-list-using-the-version-1-schema-and-enterprise-mode-tool.md) topic, based on your operating system.
 
@@ -51,11 +51,11 @@ When you turn logging on, you need a valid URL that points to a server that can
 
 3. Open the Internet Information Services (IIS) Manager, click **Bindings**, highlight **Port 81**, click **Edit**, and then change the website information to point to Port 81 so it matches your custom-created port.
 
-   ![IIS Manager, editing website bindings](images/ie-emie-editbindings.png)
+   ![IIS Manager, editing website bindings.](images/ie-emie-editbindings.png)
 
 4. Open the **Logging** feature, pick **W3C** for the format, and click **Select Fields** to open the **W3C Logging Fields** box.
 
-   ![IIS Manager, setting logging options](images/ie-emie-logging.png)
+   ![IIS Manager, setting logging options.](images/ie-emie-logging.png)
 
 5. Change the WC3 logging fields to include only the **Date**, **Client IP**, **User Name**, and **URI Query** standard fields, and then click **OK**.<p>
    Using only these fields keeps the log file simple, giving you the date, client IP address, and the website URI information for any site changed by your users.
@@ -76,7 +76,7 @@ When you turn logging on, you need a valid URL that points to a server that can
 ### IIS log file information
 This is what your log files will look like after you set everything up and at least one of your users has turned on Enterprise Mode locally from the **Tools** menu. You can see the URL of the problematic website and client IP address of the user that turned on Enterprise Mode.
 
-![Enterprise Mode log file](images/ie-emie-logfile.png)
+![Enterprise Mode log file.](images/ie-emie-logfile.png)
 
 
 ## Using the GitHub sample to collect your data
@@ -103,14 +103,14 @@ For logging, you’re going to need a valid URL that points to a server that can
 
 5. Right-click on the name, PhoneHomeSample, and click **Publish**.
 
-   ![Visual Studio, Publish menu](images/ie-emie-publishsolution.png)
+   ![Visual Studio, Publish menu.](images/ie-emie-publishsolution.png)
 
 6. In the **Publish Web** wizard, pick the publishing target and options that work for your organization.
 
    **Important**<br>
    Make sure you have a database associated with your publishing target. Otherwise, your reports won’t be collected and you’ll have problems deploying the website. 
 
-   ![Visual Studio, Publish Web wizard](images/ie-emie-publishweb.png)
+   ![Visual Studio, Publish Web wizard.](images/ie-emie-publishweb.png)
 
    After you finish the publishing process, you need to test to make sure the app deployed successfully.
 
@@ -135,7 +135,7 @@ For logging, you’re going to need a valid URL that points to a server that can
 -   Go to `https://<deploy_URL>/List` to see the report results.<p>
 If you’re already on the webpage, you’ll need to refresh the page to see the results.
 
-    ![Enterprise Mode Result report with details](images/ie-emie-reportwdetails.png)
+    ![Enterprise Mode Result report with details.](images/ie-emie-reportwdetails.png)
 
 
 ### Troubleshooting publishing errors
@@ -145,7 +145,7 @@ If you have errors while you’re publishing your project, you should try to upd
 
 1.  From the **Tools** menu of Microsoft Visual Studio, click **NuGet Package Manager**, and click **Manage NuGet Packages for Solution**.
 
-    ![Nuget Package Manager for package updates](images/ie-emie-packageupdate.png)
+    ![Nuget Package Manager for package updates.](images/ie-emie-packageupdate.png)
 
 2.  Click **Updates** on the left side of the tool, and click the **Update All** button.<p>
 You may need to do some additional package cleanup to remove older package versions.
diff --git a/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md b/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md
index 14bd40e745..ec77071c73 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/tips-and-tricks-to-manage-ie-compatibility.md
@@ -28,7 +28,7 @@ Jump to:
 
 [Enterprise Mode for Internet Explorer 11](enterprise-mode-overview-for-ie11.md) can be very effective in providing backward compatibility for older web apps. The Enterprise Mode Site List includes the ability to put any web app in any document mode, include IE8 and IE7 Enterprise Modes, without changing a single line of code on the website.
 
-![Internet Explorer Enterprise Modes and document modes](images/img-enterprise-mode-site-list-xml.jpg)
+![Internet Explorer Enterprise Modes and document modes.](images/img-enterprise-mode-site-list-xml.jpg)
 
 Sites in the \<docMode\> section can be rendered in any document mode, as shown in blue above. Some sites designed for older versions of Internet Explorer may require better backward compatibility, and these can leverage the \<emie\> section of the Enterprise Mode Site List. IE8 Enterprise Mode provides higher-fidelity emulation for Internet Explorer 8 by using, among other improvements, the original Internet Explorer 8 user agent string. IE7 Enterprise Mode further improves emulation by adding Compatibility View.  
   
@@ -84,7 +84,7 @@ To see if the site works in the Internet Explorer 5, Internet Explorer 7, Intern
 
 -   Open the site in Internet Explorer 11, load the F12 tools by pressing the **F12** key or by selecting **F12 Developer Tools** from the **Tools** menu, and select the **Emulation** tab.  
 
-    ![F12 Developer Tools Emulation tab](images/img-f12-developer-tools-emulation.jpg)
+    ![F12 Developer Tools Emulation tab.](images/img-f12-developer-tools-emulation.jpg)
 
 -   Run the site in each document mode until you find the mode in which the site works.
  
diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md b/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md
index 8c84054dc3..1b32fa64ad 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/turn-on-enterprise-mode-and-use-a-site-list.md
@@ -39,7 +39,7 @@ Before you can use a site list with Enterprise Mode, you need to turn the functi
 1. Open your Group Policy editor and go to the `Administrative Templates\Windows Components\Internet Explorer\Use the Enterprise Mode IE website list` setting.<p>
    Turning this setting on also requires you to create and store a site list. For more information about creating your site list, see the [Use the Enterprise Mode Site List Manager](use-the-enterprise-mode-site-list-manager.md) topics.
 
-   ![local group policy editor for using a site list](images/ie-emie-grouppolicysitelist.png)
+   ![local group policy editor for using a site list.](images/ie-emie-grouppolicysitelist.png)
 
 2. Click **Enabled**, and then in the **Options** area, type the location to your site list.
 
@@ -51,7 +51,7 @@ Before you can use a site list with Enterprise Mode, you need to turn the functi
 
 4. Edit the `SiteList` registry key to point to where you want to keep your Enterprise Mode site list file. For example:
 
-   ![enterprise mode with site list in the registry](images/ie-emie-registrysitelist.png)
+   ![enterprise mode with site list in the registry.](images/ie-emie-registrysitelist.png)
 
    -   **HTTPS location**: `"SiteList"="https://localhost:8080/sites.xml"`
 
diff --git a/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md b/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md
index b4db0fb7a4..897b27ceed 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/turn-on-local-control-and-logging-for-enterprise-mode.md
@@ -37,7 +37,7 @@ Besides turning on this feature, you also have the option to provide a URL for E
 
 1. Open your Group Policy editor and go to the **Administrative Templates\\Windows Components\\Internet Explorer\\Let users turn on and use Enterprise Mode from the Tools menu** setting.
 
-   ![group policy editor with emie setting](images/ie-emie-editpolicy.png)
+   ![group policy editor with emie setting.](images/ie-emie-editpolicy.png)
 
 2. Click **Enabled**, and then in the **Options** area, type the location for where to receive reports about when your employees use this functionality to turn Enterprise Mode on or off from the **Tools** menu.
 
@@ -49,7 +49,7 @@ Besides turning on this feature, you also have the option to provide a URL for E
 
 5. Right-click the **Enable** key, click **Modify**, and then type a **Value data** to point to a server that you can listen to for updates.
 
-   ![edit registry string for data collection location](images/ie-emie-editregistrystring.png)
+   ![edit registry string for data collection location.](images/ie-emie-editregistrystring.png)
 
 Your **Value data** location can be any of the following types:
 
diff --git a/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md b/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md
index fd6904f4a8..54ae269373 100644
--- a/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md
+++ b/browsers/internet-explorer/ie11-ieak/licensing-version-and-features-ieak11.md
@@ -33,32 +33,32 @@ During installation, you must pick a version of IEAK 11, either **External** or
 
 |                  Feature                  |                                     Internal                                     |                                       External                                       |
 |-------------------------------------------|:--------------------------------------------------------------------------------:|:------------------------------------------------------------------------------------:|
-|              Welcome screen               | ![Available](/microsoft-edge/deploy/images/148767.png) |   ![Available](/microsoft-edge/deploy/images/148767.png)   |
-|              File locations               | ![Available](/microsoft-edge/deploy/images/148767.png) |   ![Available](/microsoft-edge/deploy/images/148767.png)   |
-|            Platform selection             | ![Available](/microsoft-edge/deploy/images/148767.png) |   ![Available](/microsoft-edge/deploy/images/148767.png)   |
-|            Language selection             | ![Available](/microsoft-edge/deploy/images/148767.png) |   ![Available](/microsoft-edge/deploy/images/148767.png)   |
-|          Package type selection           | ![Available](/microsoft-edge/deploy/images/148767.png) |   ![Available](/microsoft-edge/deploy/images/148767.png)   |
-|             Feature selection             | ![Available](/microsoft-edge/deploy/images/148767.png) |   ![Available](/microsoft-edge/deploy/images/148767.png)   |
-|  Automatic Version Synchronization (AVS)  | ![Available](/microsoft-edge/deploy/images/148767.png) |   ![Available](/microsoft-edge/deploy/images/148767.png)   |
-|             Custom components             | ![Available](/microsoft-edge/deploy/images/148767.png) |   ![Available](/microsoft-edge/deploy/images/148767.png)   |
-|             Internal install              | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Not available](/microsoft-edge/deploy/images/148766.png) |
-|              User experience              | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Not available](/microsoft-edge/deploy/images/148766.png) |
-|          Browser user interface           | ![Available](/microsoft-edge/deploy/images/148767.png) |   ![Available](/microsoft-edge/deploy/images/148767.png)   |
-|             Search providers              | ![Available](/microsoft-edge/deploy/images/148767.png) |   ![Available](/microsoft-edge/deploy/images/148767.png)   |
-|  Important URLs – Home page and support   | ![Available](/microsoft-edge/deploy/images/148767.png) |   ![Available](/microsoft-edge/deploy/images/148767.png)   |
-|               Accelerators                | ![Available](/microsoft-edge/deploy/images/148767.png) |   ![Available](/microsoft-edge/deploy/images/148767.png)   |
-|    Favorites, Favorites bar, and feeds    | ![Available](/microsoft-edge/deploy/images/148767.png) |   ![Available](/microsoft-edge/deploy/images/148767.png)   |
-|             Browsing options              | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Not available](/microsoft-edge/deploy/images/148766.png) |
-| First Run wizard and Welcome page options | ![Available](/microsoft-edge/deploy/images/148767.png) |   ![Available](/microsoft-edge/deploy/images/148767.png)   |
-|            Connection manager             | ![Available](/microsoft-edge/deploy/images/148767.png) |   ![Available](/microsoft-edge/deploy/images/148767.png)   |
-|            Connection settings            | ![Available](/microsoft-edge/deploy/images/148767.png) |   ![Available](/microsoft-edge/deploy/images/148767.png)   |
-|          Automatic configuration          | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Not available](/microsoft-edge/deploy/images/148766.png) |
-|              Proxy settings               | ![Available](/microsoft-edge/deploy/images/148767.png) |   ![Available](/microsoft-edge/deploy/images/148767.png)   |
-|       Security and privacy settings       | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Not available](/microsoft-edge/deploy/images/148766.png) |
-|          Add a root certificate           | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Not available](/microsoft-edge/deploy/images/148766.png) |
-|                 Programs                  | ![Available](/microsoft-edge/deploy/images/148767.png) |   ![Available](/microsoft-edge/deploy/images/148767.png)   |
-|            Additional settings            | ![Available](/microsoft-edge/deploy/images/148767.png) | ![Not available](/microsoft-edge/deploy/images/148766.png) |
-|              Wizard complete              | ![Available](/microsoft-edge/deploy/images/148767.png) |   ![Available](/microsoft-edge/deploy/images/148767.png)   |
+|              Welcome screen               | ![Available.](/microsoft-edge/deploy/images/148767.png) |   ![Available](/microsoft-edge/deploy/images/148767.png)   |
+|              File locations               | ![Available.](/microsoft-edge/deploy/images/148767.png) |   ![Available](/microsoft-edge/deploy/images/148767.png)   |
+|            Platform selection             | ![Available.](/microsoft-edge/deploy/images/148767.png) |   ![Available](/microsoft-edge/deploy/images/148767.png)   |
+|            Language selection             | ![Available.](/microsoft-edge/deploy/images/148767.png) |   ![Available](/microsoft-edge/deploy/images/148767.png)   |
+|          Package type selection           | ![Available.](/microsoft-edge/deploy/images/148767.png) |   ![Available](/microsoft-edge/deploy/images/148767.png)   |
+|             Feature selection             | ![Available.](/microsoft-edge/deploy/images/148767.png) |   ![Available](/microsoft-edge/deploy/images/148767.png)   |
+|  Automatic Version Synchronization (AVS)  | ![Available.](/microsoft-edge/deploy/images/148767.png) |   ![Available](/microsoft-edge/deploy/images/148767.png)   |
+|             Custom components             | ![Available.](/microsoft-edge/deploy/images/148767.png) |   ![Available](/microsoft-edge/deploy/images/148767.png)   |
+|             Internal install              | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Not available](/microsoft-edge/deploy/images/148766.png) |
+|              User experience              | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Not available](/microsoft-edge/deploy/images/148766.png) |
+|          Browser user interface           | ![Available.](/microsoft-edge/deploy/images/148767.png) |   ![Available](/microsoft-edge/deploy/images/148767.png)   |
+|             Search providers              | ![Available.](/microsoft-edge/deploy/images/148767.png) |   ![Available](/microsoft-edge/deploy/images/148767.png)   |
+|  Important URLs – Home page and support   | ![Available.](/microsoft-edge/deploy/images/148767.png) |   ![Available](/microsoft-edge/deploy/images/148767.png)   |
+|               Accelerators                | ![Available.](/microsoft-edge/deploy/images/148767.png) |   ![Available](/microsoft-edge/deploy/images/148767.png)   |
+|    Favorites, Favorites bar, and feeds    | ![Available.](/microsoft-edge/deploy/images/148767.png) |   ![Available](/microsoft-edge/deploy/images/148767.png)   |
+|             Browsing options              | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Not available](/microsoft-edge/deploy/images/148766.png) |
+| First Run wizard and Welcome page options | ![Available.](/microsoft-edge/deploy/images/148767.png) |   ![Available](/microsoft-edge/deploy/images/148767.png)   |
+|            Connection manager             | ![Available.](/microsoft-edge/deploy/images/148767.png) |   ![Available](/microsoft-edge/deploy/images/148767.png)   |
+|            Connection settings            | ![Available.](/microsoft-edge/deploy/images/148767.png) |   ![Available](/microsoft-edge/deploy/images/148767.png)   |
+|          Automatic configuration          | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Not available](/microsoft-edge/deploy/images/148766.png) |
+|              Proxy settings               | ![Available.](/microsoft-edge/deploy/images/148767.png) |   ![Available](/microsoft-edge/deploy/images/148767.png)   |
+|       Security and privacy settings       | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Not available](/microsoft-edge/deploy/images/148766.png) |
+|          Add a root certificate           | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Not available](/microsoft-edge/deploy/images/148766.png) |
+|                 Programs                  | ![Available.](/microsoft-edge/deploy/images/148767.png) |   ![Available](/microsoft-edge/deploy/images/148767.png)   |
+|            Additional settings            | ![Available.](/microsoft-edge/deploy/images/148767.png) | ![Not available](/microsoft-edge/deploy/images/148766.png) |
+|              Wizard complete              | ![Available.](/microsoft-edge/deploy/images/148767.png) |   ![Available](/microsoft-edge/deploy/images/148767.png)   |
 
 ---
 
diff --git a/education/trial-in-a-box/educator-tib-get-started.md b/education/trial-in-a-box/educator-tib-get-started.md
index d0251e80ba..bbf1be6015 100644
--- a/education/trial-in-a-box/educator-tib-get-started.md
+++ b/education/trial-in-a-box/educator-tib-get-started.md
@@ -24,13 +24,13 @@ manager: dansimp
 
 | Tool | Description |
 | :---: |:--- |
-| [![Connect the device to Wi-Fi](images/edu-TIB-setp-1-v3.png)](#edu-task1) | [Log in](#edu-task1) to **Device A** with your Teacher credentials and connect to the school network. |
-| [![Try Learning Tools Immersive Reader](images/edu-TIB-setp-2-v3.png)](#edu-task2) | **Interested in significantly improving your students' reading speed and comprehension?<sup>[1](#footnote1)</sup>** </br>Try the [Learning Tools Immersive Reader](#edu-task2) to see how kids can learn to read faster, using text read aloud, and highlighting words for syntax. |
-| [![Launch Microsoft Teams](images/edu-TIB-setp-3-v3.png)](#edu-task3) | **Looking to foster collaboration, communication, and critical thinking in the classroom?** </br>Launch [Microsoft Teams](#edu-task3) and learn how to set up digital classroom discussions, respond to student questions, and organize class content. |
-| [![Open OneNote](images/edu-TIB-setp-4-v3.png)](#edu-task4) | **Trying to expand classroom creativity and interaction between students?** </br>Open [OneNote](#edu-task4) and create an example group project for your class. |
-| [![Try Photos app](images/edu-tib-setp-5-v4.png)](#edu-task5) | **Curious about telling stories through video?** </br>Try the [Photos app](#edu-task5) to make your own example video. |
-| [![Play with Minecraft: Education Edition](images/edu-tib-setp-6-v4.png)](#edu-task6) | **Want to teach kids to further collaborate and problem solve?** </br>Play with [Minecraft: Education Edition](#edu-task6) to see how it can be used as a collaborative and versatile platform across subjects to encourage 21st century skills. |
-| [![Do Math with Windows Ink](images/edu-tib-setp-7-v1.png)](#edu-task7) | **Want to provide a personal math tutor for your students?** </br>Use [Windows Ink and the Math Assistant feature](#edu-task7) in OneNote to give students step-by-step instructions and interactive 2D graphs for math problems. |
+| [![Connect the device to Wi-Fi.](images/edu-TIB-setp-1-v3.png)](#edu-task1) | [Log in](#edu-task1) to **Device A** with your Teacher credentials and connect to the school network. |
+| [![Try Learning Tools Immersive Reader.](images/edu-TIB-setp-2-v3.png)](#edu-task2) | **Interested in significantly improving your students' reading speed and comprehension?<sup>[1](#footnote1)</sup>** </br>Try the [Learning Tools Immersive Reader](#edu-task2) to see how kids can learn to read faster, using text read aloud, and highlighting words for syntax. |
+| [![Launch Microsoft Teams.](images/edu-TIB-setp-3-v3.png)](#edu-task3) | **Looking to foster collaboration, communication, and critical thinking in the classroom?** </br>Launch [Microsoft Teams](#edu-task3) and learn how to set up digital classroom discussions, respond to student questions, and organize class content. |
+| [![Open OneNote.](images/edu-TIB-setp-4-v3.png)](#edu-task4) | **Trying to expand classroom creativity and interaction between students?** </br>Open [OneNote](#edu-task4) and create an example group project for your class. |
+| [![Try Photos app.](images/edu-tib-setp-5-v4.png)](#edu-task5) | **Curious about telling stories through video?** </br>Try the [Photos app](#edu-task5) to make your own example video. |
+| [![Play with Minecraft: Education Edition.](images/edu-tib-setp-6-v4.png)](#edu-task6) | **Want to teach kids to further collaborate and problem solve?** </br>Play with [Minecraft: Education Edition](#edu-task6) to see how it can be used as a collaborative and versatile platform across subjects to encourage 21st century skills. |
+| [![Do Math with Windows Ink.](images/edu-tib-setp-7-v1.png)](#edu-task7) | **Want to provide a personal math tutor for your students?** </br>Use [Windows Ink and the Math Assistant feature](#edu-task7) in OneNote to give students step-by-step instructions and interactive 2D graphs for math problems. |
 
 
 </br>
@@ -41,7 +41,7 @@ manager: dansimp
 </br>
 
 
-![Log in to Device A and connect to the school network](images/edu-TIB-setp-1-jump.png)
+![Log in to Device A and connect to the school network.](images/edu-TIB-setp-1-jump.png)
 ## <a name="edu-task1"></a>1. Log in and connect to the school network
 To try out the educator tasks, start by logging in as a teacher.
 
@@ -55,7 +55,7 @@ To try out the educator tasks, start by logging in as a teacher.
 </br>
 </br>
 
-![Improve student reading speed and comprehension](images/edu-TIB-setp-2-jump.png)
+![Improve student reading speed and comprehension.](images/edu-TIB-setp-2-jump.png)
 ## <a name="edu-task2"></a>2. Significantly improve student reading speed and comprehension
 
 > [!VIDEO https://www.youtube.com/embed/GCzSAslq_2Y]
@@ -78,7 +78,7 @@ Learning Tools and the Immersive Reader can be used in the Microsoft Edge browse
 
 4. Select the **Immersive Reader** button.
 
-   ![Word's Immersive Reader](images/word_online_immersive_reader.png)
+   ![Word's Immersive Reader.](images/word_online_immersive_reader.png)
 
 5. Press the **Play** button to hear text read aloud.
 
@@ -86,14 +86,14 @@ Learning Tools and the Immersive Reader can be used in the Microsoft Edge browse
 
    | Text to Speech | Text Preferences | Grammar Options | Line Focus |
    | :------------: | :--------------: | :-------------: | :--------: |
-   | ![Word Text to Speech](images/wordonline_tts.png) | ![Word Text Preferences](images/wordonline_text_preferences.png) | ![Word Grammar Options](images/wordonline_grammar_options.png) | ![Word Line Focus](images/wordonline_line_focus.png) |
+   | ![Word Text to Speech.](images/wordonline_tts.png) | ![Word Text Preferences](images/wordonline_text_preferences.png) | ![Word Grammar Options](images/wordonline_grammar_options.png) | ![Word Line Focus](images/wordonline_line_focus.png) |
 
 </br>
 </br>
 
 
 
-![Spark communication, critical thinking, and creativity with Microsoft Teams](images/edu-TIB-setp-3-jump.png)
+![Spark communication, critical thinking, and creativity with Microsoft Teams.](images/edu-TIB-setp-3-jump.png)
 ## <a name="edu-task3"></a>3. Spark communication, critical thinking, and creativity in the classroom
 
 > [!VIDEO https://www.youtube.com/embed/riQr4Dqb8B8]
@@ -114,7 +114,7 @@ Take a guided tour of Microsoft Teams and test drive this digital hub.
 </br>
 </br>
 
-![Expand classroom collaboration and interaction with OneNote](images/edu-TIB-setp-4-jump.png)
+![Expand classroom collaboration and interaction with OneNote.](images/edu-TIB-setp-4-jump.png)
 ## <a name="edu-task4"></a>4. Expand classroom collaboration and interaction between students
 
 > [!VIDEO https://www.youtube.com/embed/dzDSWMb_fIE]
@@ -135,16 +135,16 @@ When you're not using the pen, just use the magnet to stick it to the left side
 3. Follow the instructions for the project. Look for the **Try this!** callouts to experiment with these engaging activities.
    - Discover the power of digital ink by selecting the Draw tab. Choose your pen and get scribbling.
 
-     ![OneNote Draw tab](images/onenote_draw.png)
+     ![OneNote Draw tab.](images/onenote_draw.png)
 
    - Type anywhere on the page! Just click your cursor where you want to place text.
    - Use the checkmark in the **Home** tab to keep track of completed tasks.
 
-     ![OneNote To Do Tag](images/onenote_checkmark.png)
+     ![OneNote To Do Tag.](images/onenote_checkmark.png)
 
    - To find information without leaving OneNote, use the Researcher tool found under the Insert tab.
 
-     ![OneNote Researcher](images/onenote_researcher.png)
+     ![OneNote Researcher.](images/onenote_researcher.png)
 
 </br>
 </br>
@@ -178,7 +178,7 @@ Use video to create a project summary.
 
 8. Drag the videos to the Storyboard, one by one. Your project should look roughly like this:
 
-   ![Photos app layout showing videos added in previous steps](images/photo_app_1.png)
+   ![Photos app layout showing videos added in previous steps.](images/photo_app_1.png)
 
 9. Select the first card in the Storyboard (the video of the project materials) and select **Text**, type a title in, a text style, a layout, and select **Done**.
 
@@ -191,7 +191,7 @@ Use video to create a project summary.
     4. Play back your effect.
     5. Select **Done** when you have it where you want it.
 
-    ![Lighting bolt effect being added to a video clip](images/photo_app_2.png)
+    ![Lighting bolt effect being added to a video clip.](images/photo_app_2.png)
 
 12. Select **Music** and select a track from the **Recommended** music collection.
     1. The music will update automatically to match the length of your video project, even as you make changes.
@@ -208,7 +208,7 @@ Check out this use case video of the Photos team partnering with the Bureau Of F
 </br>
 </br>
 
-![Further collaborate and problem solve with Minecraft: Education Edition](images/edu-TIB-setp-5-jump.png)
+![Further collaborate and problem solve with Minecraft: Education Edition.](images/edu-TIB-setp-5-jump.png)
 ## <a name="edu-task6"></a>6. Get kids to further collaborate and problem solve
 
 > [!VIDEO https://www.youtube.com/embed/QI_bRNUugog]
@@ -226,7 +226,7 @@ Today, we'll explore a Minecraft world through the eyes of a student.
 
 3. Scroll down to the **Details** section and select **Download World**.
 
-   ![Select the download world link](images/mcee_downloadworld.png)
+   ![Select the download world link.](images/mcee_downloadworld.png)
 
 4. When prompted, save the world.
 
@@ -250,7 +250,7 @@ Today, we'll explore a Minecraft world through the eyes of a student.
 
     To try more advanced movements or building within Minecraft, use the Minecraft Controls Diagram.
 
-    ![Minecraft mouse and keyboard controls](images/mcee_keyboard_mouse_controls.png)
+    ![Minecraft mouse and keyboard controls.](images/mcee_keyboard_mouse_controls.png)
 
 12. Access and adapt over 300 lesson plans, spanning all grades and subjects, to meet your needs. Enjoy exploring new worlds and happy crafting.
 
@@ -260,13 +260,13 @@ Today, we'll explore a Minecraft world through the eyes of a student.
     2. Click **Class Resources**.
     3. Click **Find a Lesson**.
 
-    ![Access and adapt over 300 Minecraft lesson plans](images/minecraft_lesson_plans.png)
+    ![Access and adapt over 300 Minecraft lesson plans.](images/minecraft_lesson_plans.png)
 
 </br>
 </br>
 </br>
 
-![Help students understand new math concepts with the Math Assistant in OneNote](images/Inking.png)
+![Help students understand new math concepts with the Math Assistant in OneNote.](images/Inking.png)
 ## <a name="edu-task7"></a>7. Use Windows Ink to provide a personal math tutor for your students
 
 The **Math Assistant** and **Ink Replay** features available in the OneNote app give your students step-by-step instructions on how to solve their math problems and help them visualize math functions on an interactive 2D graph.
@@ -275,15 +275,15 @@ The **Math Assistant** and **Ink Replay** features available in the OneNote app
 To get started:
 1. Open the OneNote app for Windows 10 (not OneNote 2016).
 
-   ![OneNote icon](images/OneNote_logo.png)
+   ![OneNote icon.](images/OneNote_logo.png)
 
 2. In the top left corner, click on the **<** arrow to access your notebooks and pages.
 
-   ![OneNote back arrow navigation button](images/left_arrow.png)
+   ![OneNote back arrow navigation button.](images/left_arrow.png)
 
 3. Click **Add Page** to launch a blank work space.
 
-   ![Select add page button](images/plus-page.png)
+   ![Select add page button.](images/plus-page.png)
 
 4. Make sure your pen is paired to the device. To pair, see <a href="https://support.microsoft.com/help/12383" target="_blank">Connect to Bluetooth devices</a>.
 
@@ -292,26 +292,26 @@ To solve the equation 3x+4=7, follow these instructions:
 
 2. If you wrote the equation using digital ink, use the **Lasso tool** to circle the equation. If you typed the equation, highlight it using your mouse.
 
-   ![Lasso button](images/lasso.png)
+   ![Lasso button.](images/lasso.png)
 
 3. On the **Draw** tab, click the **Math** button.
 
-   ![Math button](images/math-button.png)
+   ![Math button.](images/math-button.png)
 
 4. From the drop-down menu in the **Math** pane, select the option to **Solve for x**. You can now see the final solution of the equation.
 
-   ![Solve for x menu](images/solve-for-x.png)
+   ![Solve for x menu.](images/solve-for-x.png)
 
 5. From the second drop-down below, choose **Steps for Solving Linear Formula**, which shows you the step-by-step solution of this equation.
 
 6. On the **View** tab, click the **Replay** button. Use your mouse to select the written equation and watch your text in replay. Replay is great for students to review how the teacher solved the equation and for teachers to review how students approached a problem.
 
-   ![Replay button](images/replay.png)
+   ![Replay button.](images/replay.png)
 
 To graph the equation 3x+4=7, follow these instructions:
 1. From the drop-down menu in the **Math** pane, select the option to **Graph Both Sides in 2D**. You can play with the interactive graph of your equation - use a single finger to move the graph position or two fingers to change the **zoom** level.
 
-   ![Graph both sides in 2D](images/graph-for-x.png)
+   ![Graph both sides in 2D.](images/graph-for-x.png)
 
 2. Click the **Insert on Page** button below the graph to add a screenshot of the graph to your page.
    </br>
diff --git a/education/trial-in-a-box/index.md b/education/trial-in-a-box/index.md
index f21a0ddcf4..5f1c865bce 100644
--- a/education/trial-in-a-box/index.md
+++ b/education/trial-in-a-box/index.md
@@ -16,7 +16,7 @@ ms.date: 12/11/2017
 
 # Microsoft Education Trial in a Box
 
-![Microsoft Education Trial in a Box - Unlock Limitless Learning](images/Unlock-Limitless-Learning.png)
+![Microsoft Education Trial in a Box - Unlock Limitless Learning.](images/Unlock-Limitless-Learning.png)
 
 </br>
 
@@ -28,7 +28,7 @@ Welcome to Microsoft Education Trial in a Box. We built this trial to make it ea
 
 </br>
 
-| [![Get started for Educators](images/teacher_rotated_resized.png)](educator-tib-get-started.md) | [![Get started for IT Admins](images/itadmin_rotated_resized.png)](itadmin-tib-get-started.md) |
+| [![Get started for Educators.](images/teacher_rotated_resized.png)](educator-tib-get-started.md) | [![Get started for IT Admins](images/itadmin_rotated_resized.png)](itadmin-tib-get-started.md) |
 | :---: | :---: | 
 | <span style="font-size: 1.5em">**Educator**</span></br>Enhance students of all abilities by unleashing their creativity, collaboration, and improving problem-solving skills. </br>[Get started](educator-tib-get-started.md) | <span style="font-size: 1.5em">**IT Admin**</span></br>Quickly implement and deploy a full cloud infrastructure that's secure and easy to manage. </br> [Get started](itadmin-tib-get-started.md) |
 
diff --git a/education/trial-in-a-box/itadmin-tib-get-started.md b/education/trial-in-a-box/itadmin-tib-get-started.md
index be9a131941..d0ba6a05b3 100644
--- a/education/trial-in-a-box/itadmin-tib-get-started.md
+++ b/education/trial-in-a-box/itadmin-tib-get-started.md
@@ -24,11 +24,11 @@ manager: dansimp
 
 |&nbsp;  |&nbsp;  |
 | :---: |:--- |
-| [![Log in to Device A](images/admin-TIB-setp-1-v3.png)](#it-task1) | [Log in](#it-task1) to **Device A** with your IT Admin credentials and connect to your school's network. |
-| [![Configure Device B with Set up School PCs](images/admin-TIB-setp-2-v3.png)](#it-task2) | [Configure Device B](#it-task2) with the Set up School PCs app. |
-| [![Configure Intune for Education](images/admin-TIB-setp-3-v3.png)](#it-task3) | [Express configure Intune for Education](#it-task3) to manage devices, users, and policies. |
-| [![Find and deploy apps](images/admin-TIB-setp-4-v3.png)](#it-task4) | [Find apps from the Microsoft Store for Education](#it-task4) and deploy them to manage devices in your tenant. |
-| [![Create custom folders](images/admin-TIB-setp-5-v3.png)](#it-task5) | [Create custom folders](#it-task5) that will appear on each managed device's **Start** menu. |
+| [![Log in to Device A.](images/admin-TIB-setp-1-v3.png)](#it-task1) | [Log in](#it-task1) to **Device A** with your IT Admin credentials and connect to your school's network. |
+| [![Configure Device B with Set up School PCs.](images/admin-TIB-setp-2-v3.png)](#it-task2) | [Configure Device B](#it-task2) with the Set up School PCs app. |
+| [![Configure Intune for Education.](images/admin-TIB-setp-3-v3.png)](#it-task3) | [Express configure Intune for Education](#it-task3) to manage devices, users, and policies. |
+| [![Find and deploy apps.](images/admin-TIB-setp-4-v3.png)](#it-task4) | [Find apps from the Microsoft Store for Education](#it-task4) and deploy them to manage devices in your tenant. |
+| [![Create custom folders.](images/admin-TIB-setp-5-v3.png)](#it-task5) | [Create custom folders](#it-task5) that will appear on each managed device's **Start** menu. |
 
 
 </br>
@@ -42,7 +42,7 @@ If you run into any problems while following the steps in this guide, or you hav
 
 </br>
 
-![Log in to Device A](images/admin-TIB-setp-1-jump.png) 
+![Log in to Device A.](images/admin-TIB-setp-1-jump.png) 
 ## <a name="it-task1"></a>1. Log in to Device A with your IT Admin credentials and connect to the school network
 To try out the IT admin tasks, start by logging in as an IT admin.
 
@@ -56,7 +56,7 @@ To try out the IT admin tasks, start by logging in as an IT admin.
 
 </br>
 
-![Configure Device B with Set up School PCs](images/admin-TIB-setp-2-jump.png) 
+![Configure Device B with Set up School PCs.](images/admin-TIB-setp-2-jump.png) 
 ## <a name="it-task2"></a>2. Configure Device B with Set up School PCs
 Now you're ready to learn how to configure a brand new device. You will start on **Device A** by downloading and running the Set up School PCs app. Then, you will configure **Device B**.
 
@@ -66,11 +66,11 @@ If you've previously used Set up School PCs to provision student devices, you ca
 
 1. From the **Start** menu, find and then click **Microsoft Store** to launch the Store.
 
-    ![Microsoft Store from the Start menu](images/start_microsoft_store.png)
+    ![Microsoft Store from the Start menu.](images/start_microsoft_store.png)
 
 2. Search for the **Set up School PCs** app.
 
-    ![Set up School PCs on Microsoft Store](images/microsoft_store_suspc_install.png)
+    ![Set up School PCs on Microsoft Store.](images/microsoft_store_suspc_install.png)
 
 3. Click **Install**.
 
@@ -78,7 +78,7 @@ If you've previously used Set up School PCs to provision student devices, you ca
 
 1. On **Device A**, launch the Set up School PCs app.
 
-    ![Launch the Set up School PCs app](images/suspc_start.png)
+    ![Launch the Set up School PCs app.](images/suspc_start.png)
 
 2. Click **Get started**.
 3. Select **Sign-in**.
@@ -95,7 +95,7 @@ If you've previously used Set up School PCs to provision student devices, you ca
 
     We recommend checking the highlighted settings below:
 
-    ![Configure student PC settings](images/suspc_configure_pcsettings_selected.png)
+    ![Configure student PC settings.](images/suspc_configure_pcsettings_selected.png)
 
    - **Remove apps pre-installed by the device manufacturer** - If you select this option, this will reset the machine and the provisioning process will take longer (about 30 minutes).
    - **Allow local storage (not recommended for shared devices)** lets students save files to the **Desktop** and **Documents** folder on the student PC.
@@ -108,7 +108,7 @@ If you've previously used Set up School PCs to provision student devices, you ca
 
 7. **Set up the Take a Test app** configures the device for taking quizzes and high-stakes assessments by some providers like Smarter Balanced. Windows will lock down the student PC so that students can't access anything else while taking the test.
 
-    ![Configure the Take a Test app](images/suspc_takeatest.png)
+    ![Configure the Take a Test app.](images/suspc_takeatest.png)
 
    1. Specify if you want to create a Take a Test button on the students' sign-in screens.
    2. Select **Advanced settings** to allow keyboard text suggestions to appear and to allow teachers to monitor online tests. 
@@ -120,7 +120,7 @@ If you've previously used Set up School PCs to provision student devices, you ca
 
 8. **Add recommended apps** lets you choose from a set of recommended Microsoft Store apps to provision. 
 
-    ![Recommended apps in Set up School PCs package configuration](images/suspc_configure_recommendedapps_v2.png)
+    ![Recommended apps in Set up School PCs package configuration.](images/suspc_configure_recommendedapps_v2.png)
 
     The recommended apps include the following:
     * **Office 365 for Windows 10 S (Education Preview)** - Optional. This works well for the Trial in a Box PCs running Windows 10 S. However, if you try to install this app on other editions of Windows 10, setup will fail. Also note that if you select **Office 365 for Windows 10 S (Education Preview)**, it will take about 30-45 minutes longer for Set up School PCs to create the provisioning package as the app downloads Office 365 for Windows 10 S (Education Preview) from the Microsoft Store.
@@ -131,7 +131,7 @@ If you've previously used Set up School PCs to provision student devices, you ca
 
     To change any of the settings, select the page or section (such as **Sign-in** or **Settings**) to go back to that page and make your changes.
 
-    ![Select the section or page name to make a change](images/suspc_review_summary.png)
+    ![Select the section or page name to make a change.](images/suspc_review_summary.png)
 
 10. Accept the summary and then insert a USB drive in **Device A**. Use the USB drive that came in the Trial in a Box accessories box to save the provisioning package.
 11. Select the drive and then **Save** to create the provisioning package. 
@@ -153,7 +153,7 @@ A provisioning package is a method for applying settings to Windows 10 without n
 
 1. Start with **Device B** turned off or with the PC on the first-run setup screen. In Windows 10 S Fall Creators Update, the first-run setup screen says **Let's start with region. Is this right?**. 
 
-    ![The first screen to set up a new PC in Windows 10 Fall Creators Update](images/win10_oobe_firstscreen.png)
+    ![The first screen to set up a new PC in Windows 10 Fall Creators Update.](images/win10_oobe_firstscreen.png)
 
     If you go past the region selection screen, select **Ctrl + Shift + F3** which will prompt the "System Preparation Tool." Select **Okay** in the tool to return to the region selection screen. If this doesn't work, reset the PC by going to **Settings > Update & Security > Recovery > Reset this PC.**
 
@@ -166,20 +166,20 @@ You can complete the rest of the IT admin tasks using **Device A**.
 
 </br>
 
-![Express configure Intune for Education](images/admin-TIB-setp-3-jump.png) 
+![Express configure Intune for Education.](images/admin-TIB-setp-3-jump.png) 
 ## <a name="it-task3"></a>3. Express configure Intune for Education to manage devices, users, and policies
 Intune for Education provides an **Express configuration** option so you can get going right away. We'll use that option here.
 
 1. Log into the <a href="https://intuneeducation.portal.azure.com/" target="_blank">Intune for Education console</a>. 
 2. On the Intune for Education dashboard, click **Launch Express Configuration** or select the **Express configuration**.
 
-    ![Intune for Education dashboard](images/i4e_dashboard_expressconfig.png)
+    ![Intune for Education dashboard.](images/i4e_dashboard_expressconfig.png)
 
 3. In the **Welcome to Intune for Education** screen, click **Get started** and follow the prompts until you get to the **Choose group** screen.
 4. In the **Choose group** screen, select **All Users** so that all apps and settings that we select during express setup will apply to this group. 
 5. In the **Choose apps** screen, you will see a selection of desktop (Win32) apps, Web apps, and Microsoft Store apps. 
 
-    ![Choose apps you want to provision to the group](images/i4e_expressconfig_chooseapps.png)
+    ![Choose apps you want to provision to the group.](images/i4e_expressconfig_chooseapps.png)
 
 6. Add or remove apps by clicking on them. A blue checkmark means the app is added and will be installed for all members of the group selected in step 5.
 
@@ -197,7 +197,7 @@ Intune for Education provides an **Express configuration** option so you can get
 
 </br>
 
-![Find apps from the Microsoft Store for Education](images/admin-TIB-setp-4-jump.png) 
+![Find apps from the Microsoft Store for Education.](images/admin-TIB-setp-4-jump.png) 
 ## <a name="it-task4"></a>4. Find apps from the Microsoft Store for Education and deploy them to managed devices in your tenant
 The Microsoft Store for Education is where you can shop for more apps for your school.
 
@@ -205,7 +205,7 @@ The Microsoft Store for Education is where you can shop for more apps for your s
 2. In the **Store apps** section, select **+ New app** to go to the <a href="https://educationstore.microsoft.com" target="_blank">Microsoft Store for Education</a>.
 3. Select **Sign in** and start shopping for apps for your school.
 
-    ![Microsoft Store for Education site](images/msfe_portal.png)
+    ![Microsoft Store for Education site.](images/msfe_portal.png)
 
 4. Check some of the categories for suggested apps or search the Store for a free educational or reference app. Find ones that you haven't already installed during express configuration for Intune for Education. For example, these apps are free:
     - Duolingo - Learn Languages for Free
@@ -222,7 +222,7 @@ The Microsoft Store for Education is where you can shop for more apps for your s
 
     The apps will show up in your inventory along with the apps that Microsoft automatically provisioned for your education tenant.
 
-    ![List of apps bought for the school](images/msfe_boughtapps.png)
+    ![List of apps bought for the school.](images/msfe_boughtapps.png)
 
     In the **Private store** column of the **Products & services** page, the status for some apps will indicate that it's "In private store" while others will say "Adding to private store" or "Not applicable". Learn more about this in <a href="/microsoft-store/distribute-apps-from-your-private-store" target="_blank">Distribute apps using your private store</a>.
 
@@ -231,7 +231,7 @@ The Microsoft Store for Education is where you can shop for more apps for your s
 
 </br>
 
-![Create custom folders that appear on managed devices](images/admin-TIB-setp-5-jump.png) 
+![Create custom folders that appear on managed devices.](images/admin-TIB-setp-5-jump.png) 
 ## <a name="it-task5"></a>5. Create custom folders that will appear on each managed device's Start menu
 Update settings for all devices in your tenant by adding the **Documents** and **Downloads** folders to all devices managed in Intune for Education.
 
@@ -239,7 +239,7 @@ Update settings for all devices in your tenant by adding the **Documents** and *
 2. Select **Group > All Devices > Settings** and expand **Windows interface settings**.
 3. In **Choose folders that appear in the Start menu**, select **Documents** and **Downloads**.
 
-    ![Choose folders that appear in the Start menu](images/screenshot-bug.png)
+    ![Choose folders that appear in the Start menu.](images/screenshot-bug.png)
 
 4. **Save** your changes.
 
diff --git a/education/trial-in-a-box/support-options.md b/education/trial-in-a-box/support-options.md
index 9cb32351de..627a78c9ef 100644
--- a/education/trial-in-a-box/support-options.md
+++ b/education/trial-in-a-box/support-options.md
@@ -38,7 +38,7 @@ For more information about checking for updates, and how to optionally turn on a
    > [!NOTE]
    > For the alternate email address, make sure you use a different address from your Office 365 email address.
 
-   ![Complete your contact details](images/o365_adminaccountinfo.png)
+   ![Complete your contact details.](images/o365_adminaccountinfo.png)
 
 4. Click **Save**.
 
@@ -46,17 +46,17 @@ For more information about checking for updates, and how to optionally turn on a
 
 1. Click the **Need help?** button in the lower right-hand corner of the Office 365 console.
 
-   ![Select Need help to get support](images/o365_needhelp.png)
+   ![Select Need help to get support.](images/o365_needhelp.png)
 
    You will see a sidebar window open up on the right-hand side of the screen.
 
-   ![Option to have a support representative call you](images/o365_needhelp_callingoption.png)
+   ![Option to have a support representative call you.](images/o365_needhelp_callingoption.png)
 
    If you chose to have a support representative call you, a new support ticket will be opened and you can track these in **Support tickets**.
 
-   ![Track your support tickets](images/o365_needhelp_supporttickets.png)
+   ![Track your support tickets.](images/o365_needhelp_supporttickets.png)
 
-2. Click the **question button** ![Question button](images/o365_needhelp_questionbutton.png) in the top navigation of the sidebar window.
+2. Click the **question button** ![Question button.](images/o365_needhelp_questionbutton.png) in the top navigation of the sidebar window.
 3. In the field below **Need help?**, enter a description of your help request.
 4. Click the **Get help button**.
 5. In the **Let us call you** section, enter a phone number where you can be reached.
@@ -69,7 +69,7 @@ Forget your password? Follow these steps to recover it.
 1. Go to <a href="https://portal.office.com/" target="_blank">https://portal.office.com</a>
 2. Select **Can't access your account** and follow the prompts to get back into your account.
 
-   ![Recover your account](images/officeportal_cantaccessaccount.png)
+   ![Recover your account.](images/officeportal_cantaccessaccount.png)
 
 
 
diff --git a/education/windows/autopilot-reset.md b/education/windows/autopilot-reset.md
index 00b99a4c75..c0ac95e03e 100644
--- a/education/windows/autopilot-reset.md
+++ b/education/windows/autopilot-reset.md
@@ -61,7 +61,7 @@ You can set the policy using one of these methods:
 
   - When using [Set up School PCs](use-set-up-school-pcs-app.md), in the **Configure student PC settings** screen, select **Enable Windows 10 Autopilot Reset** among the list of settings for the student PC as shown in the following example:
 
-    ![Configure student PC settings in Set up School PCs](images/suspc_configure_pc2.jpg)
+    ![Configure student PC settings in Set up School PCs.](images/suspc_configure_pc2.jpg)
     
 ## Trigger Autopilot Reset
 Autopilot Reset is a two-step process: trigger it and then authenticate. Once you've done these two steps, you can let the process execute and once it's done, the device is again ready for use. 
@@ -70,7 +70,7 @@ Autopilot Reset is a two-step process: trigger it and then authenticate. Once yo
 
 1. From the Windows device lock screen, enter the keystroke: **CTRL + Windows key + R**. 
 
-   ![Enter CTRL+Windows key+R on the Windows lockscreen](images/autopilot-reset-lockscreen.png)
+   ![Enter CTRL+Windows key+R on the Windows lockscreen.](images/autopilot-reset-lockscreen.png)
 
    This will open up a custom login screen for Autopilot Reset. The screen serves two purposes:
 
@@ -78,7 +78,7 @@ Autopilot Reset is a two-step process: trigger it and then authenticate. Once yo
 
    2. Notify the user in case a provisioning package, created using Windows Configuration Designer or Set up School PCs, will be used as part of the process.
 
-      ![Custom login screen for Autopilot Reset](images/autopilot-reset-customlogin.png)
+      ![Custom login screen for Autopilot Reset.](images/autopilot-reset-customlogin.png)
 
 2. Sign in with the admin account credentials. If you created a provisioning package, plug in the USB drive and trigger Autopilot Reset.
 
@@ -97,7 +97,7 @@ Autopilot Reset is a two-step process: trigger it and then authenticate. Once yo
 
    - Is returned to a known good managed state, connected to Azure AD and MDM.
 
-     ![Notification that provisioning is complete](images/autopilot-reset-provisioningcomplete.png)
+     ![Notification that provisioning is complete.](images/autopilot-reset-provisioningcomplete.png)
 
      Once provisioning is complete, the device is again ready for use.
 
diff --git a/education/windows/change-to-pro-education.md b/education/windows/change-to-pro-education.md
index b104042dbc..ea30225b3e 100644
--- a/education/windows/change-to-pro-education.md
+++ b/education/windows/change-to-pro-education.md
@@ -65,7 +65,7 @@ See [change using Microsoft Store for Education](#change-using-microsoft-store-f
    
         **Figure 1** - Enter the details for the Windows edition change
 
-        ![Enter the details for the Windows edition change](images/i4e_editionupgrade.png)
+        ![Enter the details for the Windows edition change.](images/i4e_editionupgrade.png)
 
 3. The change will automatically be applied to the group you selected.
 
@@ -78,7 +78,7 @@ You can use Windows Configuration Designer to create a provisioning package that
 
     **Figure 2** - Enter the license key 
 
-    ![Enter the license key to change to Windows 10 Pro Education](images/wcd_productkey.png)
+    ![Enter the license key to change to Windows 10 Pro Education.](images/wcd_productkey.png)
 
 3. Complete the rest of the process for creating a provisioning package and then apply the package to the devices you want to change to Windows 10 Pro Education.
 
@@ -123,7 +123,7 @@ Once you enable the setting to change to Windows 10 Pro Education, the change wi
 
     **Figure 3** - Check the box to confirm
 
-    ![Check the box to confirm](images/msfe_manage_benefits_checktoconfirm.png)
+    ![Check the box to confirm.](images/msfe_manage_benefits_checktoconfirm.png)
 
 5. Click **Change all my devices**. 
 
@@ -169,13 +169,13 @@ If the Windows device is running Windows 10, version 1703, follow these steps.
 
     **Figure 4** - Select how you'd like to set up the device
 
-    ![Select how you'd like to set up the device](images/1_howtosetup.png)
+    ![Select how you'd like to set up the device.](images/1_howtosetup.png)
 
 2. On the **Sign in with Microsoft** page, enter the username and password to use with Office 365 or other services from Microsoft, and then click **Next**.
 
     **Figure 5** - Enter the account details
 
-    ![Enter the account details you use with Office 365 or other Microsoft services](images/2_signinwithms.png)
+    ![Enter the account details you use with Office 365 or other Microsoft services.](images/2_signinwithms.png)
 
 3. Go through the rest of Windows device setup. Once you're done, the device will be Azure AD joined to your school's subscription.
 
@@ -188,21 +188,21 @@ If the Windows device is running Windows 10, version 1703, follow these steps.
 
     **Figure 6** - Go to **Access work or school** in Settings
 
-    ![Go to Access work or school in Settings](images/settings_workorschool_1.png)
+    ![Go to Access work or school in Settings.](images/settings_workorschool_1.png)
 
 2. In **Access work or school**, click **Connect**.
 3. In the **Set up a work or school account** window, click the **Join this device to Azure Active Directory** option at the bottom.
 
     **Figure 7** - Select the option to join the device to Azure Active Directory
 
-    ![Select the option to join the device to Azure Active Directory](images/settings_setupworkorschoolaccount_2.png)
+    ![Select the option to join the device to Azure Active Directory.](images/settings_setupworkorschoolaccount_2.png)
 
 4. On the **Let's get you signed in** window, enter the Azure AD credentials (username and password) and sign in. This will join the device to the school's Azure AD.
 5. To verify that the device was successfully joined to Azure AD, go back to **Settings > Accounts > Access work or school**. You should now see a connection under the **Connect to work or school** section that indicates the device is connected to Azure AD.
 
     **Figure 8** - Verify the device connected to Azure AD
 
-    ![Verify the device is connected to Azure AD](images/settings_connectedtoazuread_3.png)
+    ![Verify the device is connected to Azure AD.](images/settings_connectedtoazuread_3.png)
 
 
 #### Step 2: Sign in using Azure AD account
@@ -286,7 +286,7 @@ Once the automatic change to Windows 10 Pro Education is turned off, the change
 
     **Figure 12** - Revert to Windows 10 Pro
 
-    ![Revert to Windows 10 Pro](images/msfe_manage_reverttowin10pro.png)
+    ![Revert to Windows 10 Pro.](images/msfe_manage_reverttowin10pro.png)
 
 4. You will be asked if you're sure that you want to turn off automatic changes to Windows 10 Pro Education. Click **Yes**.
 5. Click **Close** in the **Success** page.
@@ -304,7 +304,7 @@ You need to synchronize these identities so that users will have a *single ident
 
 **Figure 13** - On-premises AD DS integrated with Azure AD
 
-![Illustration of Azure Active Directory Connect](images/windows-ad-connect.png)
+![Illustration of Azure Active Directory Connect.](images/windows-ad-connect.png)
 
 For more information about integrating on-premises AD DS domains with Azure AD, see these resources:
 -   [Integrating your on-premises identities with Azure Active Directory](/azure/active-directory/hybrid/whatis-hybrid-identity)
diff --git a/education/windows/chromebook-migration-guide.md b/education/windows/chromebook-migration-guide.md
index 59da859362..d927aef072 100644
--- a/education/windows/chromebook-migration-guide.md
+++ b/education/windows/chromebook-migration-guide.md
@@ -118,7 +118,7 @@ At the end of this section, you should have a list of Chromebook user and device
 
 You use the Google Admin Console (as shown in Figure 1) to manage user and device settings. These settings are applied to all the Chromebook devices in your institution that are enrolled in the Google Admin Console. Review the user and device settings in the Google Admin Console and determine which settings are appropriate for your Windows devices.
 
-![figure 1](images/chromebook-fig1-googleadmin.png)
+![figure 1.](images/chromebook-fig1-googleadmin.png)
 
 Figure 1. Google Admin Console
 
@@ -221,7 +221,7 @@ Table 3. Settings in the Security node in the Google Admin Console
 
 In addition to the settings configured in the Google Admin Console, users may have locally configured their devices based on their own personal preferences (as shown in Figure 2). Table 4 lists the Chromebook user and device settings that you can locally configure. Review the settings and determine which settings you will migrate to Windows. Some of the settings listed in Table 4 can only be seen when you click the **Show advanced settings** link (as shown in Figure 2).
 
-![figure 2](images/fig2-locallyconfig.png)
+![figure 2.](images/fig2-locallyconfig.png)
 
 Figure 2. Locally-configured settings on Chromebook
 
diff --git a/education/windows/configure-windows-for-education.md b/education/windows/configure-windows-for-education.md
index f662b8ac78..27b3806af5 100644
--- a/education/windows/configure-windows-for-education.md
+++ b/education/windows/configure-windows-for-education.md
@@ -94,19 +94,19 @@ Use one of these methods to set this policy.
     - Data type:  Integer
     - Value:  0
 
-      ![Create an OMA URI for AllowCortana](images/allowcortana_omauri.png)
+      ![Create an OMA URI for AllowCortana.](images/allowcortana_omauri.png)
 
 ### Group Policy
 Set **Computer Configuration > Administrative Templates > Windows Components > Search > AllowCortana** to **Disabled**.
 
-![Set AllowCortana to disabled through Group Policy](images/allowcortana_gp.png)
+![Set AllowCortana to disabled through Group Policy.](images/allowcortana_gp.png)
 
 ### Provisioning tools
 - [Set up School PCs](use-set-up-school-pcs-app.md) always sets this policy in provisioning packages it creates.
 - [Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-create-package) 
     - Under **Runtime settings**, click the **Policies** settings group, set **Experience > Cortana** to **No**.
 
-        ![Set AllowCortana to No in Windows Configuration Designer](images/allowcortana_wcd.png)
+        ![Set AllowCortana to No in Windows Configuration Designer.](images/allowcortana_wcd.png)
 
 ## SetEduPolicies
 **SetEduPolicies** is a policy that applies a set of configuration behaviors to Windows. It is a policy node in the [SharedPC configuration service provider](/windows/client-management/mdm/sharedpc-csp).
@@ -123,7 +123,7 @@ Use one of these methods to set this policy.
     - Data type:  Boolean
     - Value:  true
 
-      ![Create an OMA URI for SetEduPolices](images/setedupolicies_omauri.png)
+      ![Create an OMA URI for SetEduPolices.](images/setedupolicies_omauri.png)
 
 ### Group Policy
 **SetEduPolicies** is not natively supported in Group Policy. Instead, use the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) to set the policy in [MDM SharedPC](/windows/win32/dmwmibridgeprov/mdm-sharedpc). 
@@ -147,7 +147,7 @@ For example:
 - [Windows Configuration Designer](/windows/configuration/provisioning-packages/provisioning-create-package) 
     - Under **Runtime settings**, click the **SharedPC** settings group, set **PolicyCustomization > SetEduPolicies** to **True**.
 
-        ![Set SetEduPolicies to True in Windows Configuration Designer](images/setedupolicies_wcd.png)
+        ![Set SetEduPolicies to True in Windows Configuration Designer.](images/setedupolicies_wcd.png)
 
 ## Ad-free search with Bing
 Provide an ad-free experience that is a safer, more private search option for K–12 education institutions in the United States. 
diff --git a/education/windows/deploy-windows-10-in-a-school-district.md b/education/windows/deploy-windows-10-in-a-school-district.md
index 5ca4cb7ea0..9dcdd7ca81 100644
--- a/education/windows/deploy-windows-10-in-a-school-district.md
+++ b/education/windows/deploy-windows-10-in-a-school-district.md
@@ -34,21 +34,21 @@ Proper preparation is essential for a successful district deployment. To avoid c
 As part of preparing for your district deployment, you need to plan your district configuration — the focus of this guide. Figure 1 illustrates a typical finished district configuration that you can use as a model (the blueprint in our builder analogy) for the finished state.
 
 > [!div class="mx-imgBorder"]
-> ![Typical district configuration for this guide](images/edu-districtdeploy-fig1.png "Typical district configuration for this guide")
+> ![Typical district configuration for this guide.](images/edu-districtdeploy-fig1.png "Typical district configuration for this guide")
 
 *Figure 1. Typical district configuration for this guide*
 
 A *district* consists of multiple schools, typically at different physical locations. Figure 2 illustrates a typical school configuration within the district that this guide uses.
 
 > [!div class="mx-imgBorder"]
-> ![Typical school configuration for this guide](images/edu-districtdeploy-fig2.png "Typical school configuration for this guide")
+> ![Typical school configuration for this guide.](images/edu-districtdeploy-fig2.png "Typical school configuration for this guide")
 
 *Figure 2. Typical school configuration for this guide*
 
 Finally, each school consists of multiple classrooms. Figure 3 shows the classroom configuration this guide uses.
 
 > [!div class="mx-imgBorder"]
-> ![Typical classroom configuration in a school](images/edu-districtdeploy-fig3.png "Typical classroom configuration in a school")
+> ![Typical classroom configuration in a school.](images/edu-districtdeploy-fig3.png "Typical classroom configuration in a school")
 
 *Figure 3. Typical classroom configuration in a school*
 
@@ -181,7 +181,7 @@ The high-level process for deploying and configuring devices within individual c
 9. On the admin device, manage the Windows 10 devices and apps, the Office 365 subscription, and the AD DS–Azure AD integration.
 
 > [!div class="mx-imgBorder"]
-> ![How district configuration works](images/edu-districtdeploy-fig4.png "How district configuration works")
+> ![How district configuration works.](images/edu-districtdeploy-fig4.png "How district configuration works")
 
 *Figure 4. How district configuration works*
 
@@ -768,7 +768,7 @@ In this method, you have an on-premises AD DS domain. As shown in Figure 5, the
 > Azure AD Connect also supports synchronization from any Lightweight Directory Access Protocol version 3 (LDAPv3)–compliant directory by using the information provided in [Generic LDAP Connector for FIM 2010 R2 Technical Reference](/previous-versions/mim/dn510997(v=ws.10)).
 
 > [!div class="mx-imgBorder"]
-> ![Automatic synchronization between AD DS and Azure AD](images/edu-districtdeploy-fig5.png "Automatic synchronization between AD DS and Azure AD")
+> ![Automatic synchronization between AD DS and Azure AD.](images/edu-districtdeploy-fig5.png "Automatic synchronization between AD DS and Azure AD")
 
 *Figure 5. Automatic synchronization between AD DS and Azure AD*
 
@@ -779,7 +779,7 @@ For more information about how to perform this step, see the [Integrate on-premi
 In this method, you have no on-premises AD DS domain. As shown in Figure 6, you manually prepare a .csv file with the student information from your source, and then manually import the information directly into Azure AD. The .csv file must be in the format that Office 365 specifies.
 
 > [!div class="mx-imgBorder"]
-> ![Bulk import into Azure AD from other sources](images/edu-districtdeploy-fig6.png "Bulk import into Azure AD from other sources")
+> ![Bulk import into Azure AD from other sources.](images/edu-districtdeploy-fig6.png "Bulk import into Azure AD from other sources")
 
 *Figure 6. Bulk import into Azure AD from other sources*
 
@@ -812,14 +812,14 @@ You can deploy the Azure AD Connect tool:
 - **On premises.** As shown in Figure 7, Azure AD Connect runs on premises, which has the advantage of not requiring a VPN connection to Azure. It does, however, require a virtual machine (VM) or physical server.
 
   > [!div class="mx-imgBorder"]
-  > ![Azure AD Connect on premises](images/edu-districtdeploy-fig7.png "Azure AD Connect on premises")
+  > ![Azure AD Connect on premises.](images/edu-districtdeploy-fig7.png "Azure AD Connect on premises")
 
   *Figure 7. Azure AD Connect on premises*
 
 - **In Azure.** As shown in Figure 8, Azure AD Connect runs on a VM in Azure AD, which has the advantages of being faster to provision (than a physical, on-premises server), offers better site availability, and helps reduce the number of on-premises servers. The disadvantage is that you need to deploy a VPN gateway on premises.
 
   > [!div class="mx-imgBorder"]
-  > ![Azure AD Connect in Azure](images/edu-districtdeploy-fig8.png "Azure AD Connect in Azure")
+  > ![Azure AD Connect in Azure.](images/edu-districtdeploy-fig8.png "Azure AD Connect in Azure")
 
   *Figure 8. Azure AD Connect in Azure*
 
diff --git a/education/windows/deploy-windows-10-in-a-school.md b/education/windows/deploy-windows-10-in-a-school.md
index 3b464f9fa6..318b892188 100644
--- a/education/windows/deploy-windows-10-in-a-school.md
+++ b/education/windows/deploy-windows-10-in-a-school.md
@@ -30,13 +30,13 @@ Proper preparation is essential for a successful school deployment. To avoid com
 
 As part of preparing for your school deployment, you need to plan your configuration—the focus of this guide. Figure 1 illustrates a typical finished school configuration that you can use as a model (the blueprint in our builder analogy) for the finished state.
 
-![fig 1](images/deploy-win-10-school-figure1.png)
+![fig 1.](images/deploy-win-10-school-figure1.png)
 
 *Figure 1. Typical school configuration for this guide*
 
 Figure 2 shows the classroom configuration this guide uses.
 
-![fig 2](images/deploy-win-10-school-figure2.png)
+![fig 2.](images/deploy-win-10-school-figure2.png)
 
 *Figure 2. Typical classroom configuration in a school*
 
@@ -112,7 +112,7 @@ The high-level process for deploying and configuring devices within individual c
 6. On the student and faculty devices, deploy Windows 10 to new or existing devices, or upgrade eligible devices to Windows 10.
 7. On the admin device, manage the Windows 10 devices and apps, the Office 365 subscription, and the AD DS and Azure AD integration.
 
-![fig 3](images/deploy-win-10-school-figure3.png)
+![fig 3.](images/deploy-win-10-school-figure3.png)
 
 *Figure 3. How school configuration works*
 
@@ -346,7 +346,7 @@ In this method, you have an on-premises AD DS domain. As shown in Figure 4, the
 
 **Note**&nbsp;&nbsp;Azure AD Connect also supports synchronization from any Lightweight Directory Access Protocol version 3 (LDAPv3)–compliant directory by using the information provided in [Generic LDAP Connector for FIM 2010 R2 Technical Reference](/previous-versions/mim/dn510997(v=ws.10)?f=255&MSPPError=-2147217396).
 
-![fig 4](images/deploy-win-10-school-figure4.png)
+![fig 4.](images/deploy-win-10-school-figure4.png)
 
 *Figure 4. Automatic synchronization between AD DS and Azure AD*
 
@@ -356,7 +356,7 @@ For more information about how to perform this step, see the [Integrate on-premi
 
 In this method, you have no on-premises AD DS domain. As shown in Figure 5, you manually prepare a .csv file with the student information from your source, and then manually import the information directly into Azure AD. The .csv file must be in the format that Office 365 specifies.
 
-![fig 5](images/deploy-win-10-school-figure5.png)
+![fig 5.](images/deploy-win-10-school-figure5.png)
 
 *Figure 5. Bulk import into Azure AD from other sources*
 
@@ -383,13 +383,13 @@ You can deploy the Azure AD Connect tool by using one of the following methods:
 
 - **On premises.** As shown in Figure 6, Azure AD Connect runs on premises, which has the advantage of not requiring a virtual private network (VPN) connection to Azure. It does, however, require a virtual machine (VM) or physical server.
 
-  ![fig 6](images/deploy-win-10-school-figure6.png)
+  ![fig 6.](images/deploy-win-10-school-figure6.png)
 
   *Figure 6. Azure AD Connect on premises*
 
 - **In Azure**. As shown in Figure 7, Azure AD Connect runs on a VM in Azure AD, which has the advantages of being faster to provision (than a physical, on-premises server), offers better site availability, and helps reduce the number of on-premises servers. The disadvantage is that you need to deploy a VPN gateway on premises.
 
-  ![fig 7](images/deploy-win-10-school-figure7.png)
+  ![fig 7.](images/deploy-win-10-school-figure7.png)
 
   *Figure 7. Azure AD Connect in Azure*
 
diff --git a/education/windows/edu-deployment-recommendations.md b/education/windows/edu-deployment-recommendations.md
index eaa2f7c35b..03a761c858 100644
--- a/education/windows/edu-deployment-recommendations.md
+++ b/education/windows/edu-deployment-recommendations.md
@@ -55,11 +55,11 @@ To turn off access to contacts for all apps on individual Windows devices:
 
 1. On the computer, go to **Settings** and select **Privacy**.
 
-   ![Privacy settings](images/win10_settings_privacy.png)
+   ![Privacy settings.](images/win10_settings_privacy.png)
 
 2. Under the list of **Privacy** areas, select **Contacts**.
 
-   ![Contacts privacy settings](images/win10_settings_privacy_contacts.png)
+   ![Contacts privacy settings.](images/win10_settings_privacy_contacts.png)
 
 3. Turn off **Let apps access my contacts**.
 
@@ -73,7 +73,7 @@ For IT-managed Windows devices, you can use a Group Policy to turn off the setti
 
 If you want to allow only certain apps to have access to contacts, you can use the switch for each app to specify which ones you want on or off.
 
-![Choose apps with access to contacts](images/win10_settings_privacy_contacts_apps.png)
+![Choose apps with access to contacts.](images/win10_settings_privacy_contacts_apps.png)
 
 The list of apps on the Windows-based device may vary from the above example. The list depends on what apps you have installed and which of these apps access contacts.
 
@@ -83,7 +83,7 @@ To allow only certain apps to have access to contacts, you can:
 
 * Apply the Group Policy: **Computer Configuration** > **Administrative Templates** > **Windows Components** > **App Privacy** > **Let Windows apps access contacts** and then specify the default for each app by adding the app's Package Family Name under the default behavior you want to enforce.
 
-  ![App privacy Group Policy](images/gp_letwinappsaccesscontacts.png)
+  ![App privacy Group Policy.](images/gp_letwinappsaccesscontacts.png)
 
 
 ## Skype and Xbox settings
@@ -109,7 +109,7 @@ Skype uses the user’s contact details to deliver important information about t
 
 To manage and edit your profile in the Skype UWP app, follow these steps:
 
-1. In the Skype UWP app, select the user profile icon ![Skype profile icon](images/skype_uwp_userprofile_icon.png)  to go to the user’s profile page.
+1. In the Skype UWP app, select the user profile icon ![Skype profile icon.](images/skype_uwp_userprofile_icon.png)  to go to the user’s profile page.
 
 2. In the account page, select **Manage account** for the Skype account that you want to change. This will take you to the online Skype portal.
 
@@ -127,7 +127,7 @@ To manage and edit your profile in the Skype UWP app, follow these steps:
 
 6. To change the profile picture, go to the Skype app and click on the current profile picture or avatar. The **Manage Profile Picture** window pops up.
 
-   ![Skype profile icon](images/skype_uwp_manageprofilepic.png)
+   ![Skype profile icon.](images/skype_uwp_manageprofilepic.png)
 
    * To take a new picture, click the camera icon in the pop up window. To upload a new picture, click the three dots (**...**).
 
diff --git a/education/windows/education-scenarios-store-for-business.md b/education/windows/education-scenarios-store-for-business.md
index 586d6ea6b8..f4ea0cf4ef 100644
--- a/education/windows/education-scenarios-store-for-business.md
+++ b/education/windows/education-scenarios-store-for-business.md
@@ -39,7 +39,7 @@ Admins can control whether or not teachers are automatically assigned the **Basi
 2. Click **Manage**, and then click **Settings**. 
 3. On **Shop**, select or clear **Make everyone a Basic Purchaser**.
 
-![manage settings to control Basic Purchaser role assignment](images/sfe-make-everyone-bp.png)
+![manage settings to control Basic Purchaser role assignment.](images/sfe-make-everyone-bp.png)
 
 > [!NOTE]
 > **Make everyone a Basic Purchaser** is on by default. 
@@ -52,7 +52,7 @@ When **Make everyone a Basic Purchaser** is turned off, admins can manually assi
 2. Click **Manage**, and then choose **Permissions**.
 3. On **Roles**, click **Assign roles**, type and select a name, choose the role you want to assign, and then click **Save**.
 
-    ![Permission page for Microsoft Store for Business](images/sfe-roles.png)
+    ![Permission page for Microsoft Store for Business.](images/sfe-roles.png)
 
 **Blocked Basic Purchasers**
 
diff --git a/education/windows/get-minecraft-for-education.md b/education/windows/get-minecraft-for-education.md
index 78f1759c45..a89e29de02 100644
--- a/education/windows/get-minecraft-for-education.md
+++ b/education/windows/get-minecraft-for-education.md
@@ -29,7 +29,7 @@ ms.topic: conceptual
 
 Teachers and IT administrators can now get early access to **Minecraft: Education Edition** and add it their Microsoft Store for Business for distribution. 
 
-<!-- ![education.minecraft.net](images/minecraft.png) -->
+<!-- ![education.minecraft.net.](images/minecraft.png) -->
 
 ## Prerequisites
  
@@ -39,11 +39,11 @@ Teachers and IT administrators can now get early access to **Minecraft: Educatio
   - Office 365 Education, which includes online versions of Office apps plus 1 TB online storage. [Sign up your school for Office 365 Education.](https://products.office.com/academic/office-365-education-plan)
   - If your school has an Office 365 Education subscription, it includes a free Azure AD subscription. [Register your free Azure AD subscription.](/windows/client-management/mdm/register-your-free-azure-active-directory-subscription)
 
-<!-- ![teacher](images/teacher.png) --> 
+<!-- ![teacher.](images/teacher.png) --> 
 
 [Learn how teachers can get and distribute **Minecraft: Education Edition**](teacher-get-minecraft.md)
 
   
-<!-- ![IT administrator](images/school.png) -->
+<!-- ![IT administrator.](images/school.png) -->
 
 [Learn how IT administrators can get and distribute **Minecraft: Education Edition**](school-get-minecraft.md), and how to manage permissions for Minecraft.
\ No newline at end of file
diff --git a/education/windows/index.md b/education/windows/index.md
index 81e3f97634..cf961bfe83 100644
--- a/education/windows/index.md
+++ b/education/windows/index.md
@@ -14,15 +14,15 @@ ms.date: 10/13/2017
 
 # Windows 10 for Education
 
-![Windows 10 Education and Windows 10 Pro Education](images/windows-10-for-education-banner.png)
+![Windows 10 Education and Windows 10 Pro Education.](images/windows-10-for-education-banner.png)
 
-## ![Learn more about Windows](images/education.png) Learn
+## ![Learn more about Windows.](images/education.png) Learn
 
 <p><b><a href="windows-editions-for-education-customers.md" data-raw-source="[Windows 10 editions for education customers](windows-editions-for-education-customers.md)">Windows 10 editions for education customers</a></b><br />Windows 10, version 1607 introduces two editions designed for the unique needs of K-12 institutions: Windows 10 Pro Education and Windows 10 Education. These editions provide education-specific default settings for the evolving landscape in K-12 education IT environments.</p>
 <p><b><a href="https://www.microsoft.com/WindowsForBusiness/Compare" data-raw-source="[Compare each Windows edition](https://www.microsoft.com/WindowsForBusiness/Compare)">Compare each Windows edition</a></b><br />Find out more about the features and functionality we support in each edition of Windows.</p>
 <p><b><a href="https://www.microsoft.com/education/buy-license/overview-of-how-to-buy/default.aspx?tabshow=schools" data-raw-source="[Get Windows 10 Education or Windows 10 Pro Education](https://www.microsoft.com/education/buy-license/overview-of-how-to-buy/default.aspx?tabshow=schools)">Get Windows 10 Education or Windows 10 Pro Education</a></b><br />When you&#39;ve made your decision, find out how to buy Windows for your school.</p>
 
-## ![Plan for Windows 10 in your school](images/clipboard.png) Plan
+## ![Plan for Windows 10 in your school.](images/clipboard.png) Plan
 
 <p><b><a href="configure-windows-for-education.md" data-raw-source="[Windows 10 configuration recommendations for education customers](configure-windows-for-education.md)">Windows 10 configuration recommendations for education customers</a></b><br />Provides guidance on ways to customize the OS diagnostic data, consumer experiences, Cortana, search, as well as some of the preinstalled apps, so that Windows is ready for your school.</p>
 <p><b><a href="edu-deployment-recommendations.md" data-raw-source="[Deployment recommendations for school IT administrators](edu-deployment-recommendations.md)">Deployment recommendations for school IT administrators</a></b><br />Learn how to customize the OS privacy settings, Skype, and Xbox for Windows-based devices used in schools so that you can choose what information is shared with Microsoft.</p>
@@ -30,14 +30,14 @@ ms.date: 10/13/2017
 <div class="side-by-side-content-right"><p><b><a href="take-tests-in-windows-10.md" data-raw-source="[Take tests in Windows 10](take-tests-in-windows-10.md)">Take tests in Windows 10</a></b><br />Take a Test is a new app that lets you create the right environment for taking tests. Learn how to use and get it set up.</p>
 <p><b><a href="chromebook-migration-guide.md" data-raw-source="[Chromebook migration guide](chromebook-migration-guide.md)">Chromebook migration guide</a></b><br />Find out how you can migrate a Chromebook-based learning environment to a Windows 10-based learning environment.</p>
 
-## ![Deploy Windows 10 for Education](images/PCicon.png) Deploy
+## ![Deploy Windows 10 for Education.](images/PCicon.png) Deploy
 
 <p><b><a href="set-up-windows-10.md" data-raw-source="[Set up Windows devices for education](set-up-windows-10.md)">Set up Windows devices for education</a></b><br />Depending on your school&#39;s device management needs, you can use the Set up School PCs app or the Windows Configuration Designer tool to quickly set up student PCs.</p>
 <p><b><a href="deploy-windows-10-in-a-school.md" data-raw-source="[Deploy Windows 10 in a school](deploy-windows-10-in-a-school.md)">Deploy Windows 10 in a school</a></b><br />Get step-by-step guidance to help you deploy Windows 10 in a school environment.</p>
 <p><b><a href="deploy-windows-10-in-a-school-district.md" data-raw-source="[Deploy Windows 10 in a school district](deploy-windows-10-in-a-school-district.md)">Deploy Windows 10 in a school district</a></b><br />Get step-by-step guidance on how to deploy Windows 10 to PCs and devices across a school district.</p>
 <p><b><a href="test-windows10s-for-edu.md" data-raw-source="[Test Windows 10 S on existing Windows 10 education devices](test-windows10s-for-edu.md)">Test Windows 10 S on existing Windows 10 education devices</a></b><br />Test Windows 10 S on a variety of Windows 10 devices (except Windows 10 Home) in your school and share your feedback with us.</p>
 
-## ![Switch to Windows 10 for Education](images/windows.png) Switch
+## ![Switch to Windows 10 for Education.](images/windows.png) Switch
 
 <p><b><a href="change-to-pro-education.md" data-raw-source="[Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S](change-to-pro-education.md)">Switch to Windows 10 Pro Education from Windows 10 Pro or Windows 10 S</a></b><br />If you have an education tenant and use Windows 10 Pro or Windows 10 S in your schools, find out how you can opt-in to a free switch to Windows 10 Pro Education.</p>
 
diff --git a/education/windows/school-get-minecraft.md b/education/windows/school-get-minecraft.md
index e3900603b6..a728b75a41 100644
--- a/education/windows/school-get-minecraft.md
+++ b/education/windows/school-get-minecraft.md
@@ -50,15 +50,15 @@ If you’ve been approved and are part of the Enrollment for Education Solutions
 
 1. Go to [https://education.minecraft.net/](https://education.minecraft.net/) and select **GET STARTED**.
 
-    <!-- ![Click Get the app](images/it-get-app.png) --> 
+    <!-- ![Click Get the app.](images/it-get-app.png) --> 
 
 2. Enter your email address, and select Educator, Administrator, or Student. </br> If your email address isn't associated to an Azure AD or Office 365 Education tenant, you'll be asked to create one.
 
-    <!-- ![Enter school email address](images/enter-email.png) -->
+    <!-- ![Enter school email address.](images/enter-email.png) -->
     
 3. Select **Get the app**. This will take you to the Microsoft Store for Education to download the app. You will also receive an email with instructions and a link to the Store.
 
-    <!-- ![You can get the app now](images/get-the-app.png) -->
+    <!-- ![You can get the app now.](images/get-the-app.png) -->
 
 4. Sign in to Microsoft Store for Education with your email address.
 
@@ -66,7 +66,7 @@ If you’ve been approved and are part of the Enrollment for Education Solutions
 
 6. **Minecraft: Education Edition** opens in the Microsoft Store for Education. Select **Get the app**. This places **Minecraft: Education Edition** in your Store inventory.
 
-    <!-- ![Get Minecraft app in Store](images/minecraft-get-the-app.png) -->
+    <!-- ![Get Minecraft app in Store.](images/minecraft-get-the-app.png) -->
 
 Now that the app is in your Microsoft Store for Education inventory, you can choose how to distribute Minecraft. For more information on distribution options, see [Distribute Minecraft](#distribute-minecraft).
 
@@ -113,11 +113,11 @@ After you've finished the purchase, you can find your invoice by checking **Mine
 2. Click **Minecraft: Education Edition** in the list of apps. 
 3. On **Minecraft: Education Edition**, click **View Bills**.
 
-    ![Minecraft: Education Edition app details page with view bills link highlighted](images/mcee-view-bills.png) 
+    ![Minecraft: Education Edition app details page with view bills link highlighted.](images/mcee-view-bills.png) 
 
 4. On **Invoice Bills**, click the invoice number to view and download your invoice. It downloads as a .pdf.
 
-   ![Minecraft: Education Edition app details page with view bills link highlighted](images/mcee-invoice-bills.png)
+   ![Minecraft: Education Edition app details page with view bills link highlighted.](images/mcee-invoice-bills.png)
 
 The **Payment Instructions** section on the first page of the invoice has information on invoice amount, due date, and how to pay with electronic funds transfer, or with a check. 
 
@@ -133,11 +133,11 @@ Admins can also add Minecraft: Education Edition to the private store. This allo
 <!---
 Here's the page you'll see for Minecraft: Education Edition licenses purchased directly through the Microsoft Store for Business. 
 
-![App distribution options - individual copies](images/mc-install-for-me-teacher.png)
+![App distribution options - individual copies.](images/mc-install-for-me-teacher.png)
 
 Here's the page you'll see for Minecraft: Education Edition licenses purchased through volume licensing.
 
-![App distribution options - individual copies](images/wsfb-minecraft-vl.png)
+![App distribution options - individual copies.](images/wsfb-minecraft-vl.png)
 --->
 
 ### Configure automatic subscription assignment
@@ -168,7 +168,7 @@ You can install the app on your PC. This gives you a chance to test the app and
 1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com). 
 2. Click **Manage**, and then click **Install**.
 
-    <!-- ![Minecraft Education Edition product page](images/mc-install-for-me-teacher.png) -->
+    <!-- ![Minecraft Education Edition product page.](images/mc-install-for-me-teacher.png) -->
 
 3. Click **Install**.  
 
@@ -180,33 +180,33 @@ Enter email addresses for your students, and each student will get an email with
 1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com). 
 2. Click **Manage**.
 
-    ![Minecraft Education Edition product page](images/mc-install-for-me-teacher.png)
+    ![Minecraft Education Edition product page.](images/mc-install-for-me-teacher.png)
 3. Click **Invite people**.
  
 4. Type the name, or email address of the student or group you want to assign the app to, and then click **Assign**. 
 
     You can only assign the app to students with work or school accounts. If you don't find the student, you might need to add a work or school account for the student.    
    
-    ![Assign to people showing student name](images/minecraft-assign-to-people-name.png)
+    ![Assign to people showing student name.](images/minecraft-assign-to-people-name.png)
 
 **To finish Minecraft install (for students)**
 
 1. Students will receive an email with a link that will install the app on their PC.</br>
 
-    ![Email with Get the app link](images/minecraft-student-install-email.png)
+    ![Email with Get the app link.](images/minecraft-student-install-email.png)
 
 2. Click **Get the app** to start the app install in Microsoft Store app. 
 3. In Microsoft Store app, click **Install**. 
 
-    ![Microsoft Store app with Minecraft page](images/minecraft-in-windows-store-app.png)
+    ![Microsoft Store app with Minecraft page.](images/minecraft-in-windows-store-app.png)
 
     After installing the app, students can find Minecraft: Education Edition in Microsoft Store app under **My Library**. Microsoft Store app is preinstalled with Windows 10.
 
-    ![Microsoft Store app showing access to My Library](images/minecraft-private-store.png) 
+    ![Microsoft Store app showing access to My Library.](images/minecraft-private-store.png) 
 
     When students click **My Library** they'll find apps assigned to them.
 
-    ![My Library for example student](images/minecraft-my-library.png) 
+    ![My Library for example student.](images/minecraft-my-library.png) 
 
 ### Download for others
 Download for others allows teachers or IT admins to download an app that they can install on PCs. This will install Minecraft: Education Edition on the PC, and allows anyone with a Windows account to use the app on that PC. This option is best for students, and for shared computers. Choose this option when:
@@ -225,11 +225,11 @@ Minecraft: Education Edition will not install if there are updates pending for o
 1. Start Microsoft Store app on the PC (click **Start**, and type **Store**).
 2. Click the account button, and then click **Downloads and updates**.
 
-      ![Microsoft Store app showing access to My Library](images/minecraft-private-store.png)
+      ![Microsoft Store app showing access to My Library.](images/minecraft-private-store.png)
       
 3. Click **Check for updates**, and install all available updates. 
 
-      ![Microsoft Store app showing access to My Library](images/mc-check-for-updates.png)
+      ![Microsoft Store app showing access to My Library.](images/mc-check-for-updates.png)
       
 4. Restart the computer before installing Minecraft: Education Edition.  
 
@@ -238,7 +238,7 @@ You'll download a .zip file, extract the files, and then use one of the files to
 
 1. **Download Minecraft Education Edition.zip**. From the **Minecraft: Education Edition** page, click **Download for others** tab, and then click **Download**.
 
-    ![Microsoft Store app showing access to My Library](images/mc-dnld-others-teacher.png)
+    ![Microsoft Store app showing access to My Library.](images/mc-dnld-others-teacher.png)
  
 2. **Extract files**. Find the .zip file that you downloaded and extract the files. This is usually your **Downloads** folder, unless you chose to save the .zip file to a different location. Right-click the file and choose **Extract all**.
 3. **Save to USB drive**. After you've extracted the files, save the Minecraft: Education Edition folder to a USB drive, or to a network location that you can access from each PC.  
@@ -257,7 +257,7 @@ However, tenant admins can control whether or not teachers automatically sign up
 To prevent educators from automatically signing up for Microsoft Store for Business
 1.  In Microsoft Store for Business, click **Settings**, and then click **Permissions**. 
 
-    ![Permission page for Microsoft Store for Business](images/minecraft-admin-permissions.png)
+    ![Permission page for Microsoft Store for Business.](images/minecraft-admin-permissions.png)
 
 2. Click **Allow educators in my organization to sign up for the Microsoft Store for Business.**
 
@@ -269,7 +269,7 @@ Minecraft: Education Edition adds a new role for teachers: **Basic Purchaser**.
 - Acquire and manage the app
 - Info on Support page (including links to documentation and access to support through customer service)
 
-    ![assign roles to manage Minecraft permissions](images/minecraft-perms.png)
+    ![assign roles to manage Minecraft permissions.](images/minecraft-perms.png)
 
 **To assign Basic Purchaser role**
 
@@ -280,15 +280,15 @@ Minecraft: Education Edition adds a new role for teachers: **Basic Purchaser**.
 
 2. Click **Settings**, and then choose **Permissions**.
 
-    ![Permission page for Microsoft Store for Business](images/minecraft-admin-permissions.png)
+    ![Permission page for Microsoft Store for Business.](images/minecraft-admin-permissions.png)
 
 3. Click **Add people**, type a name, select the correct person, choose the role you want to assign, and click **Save**.
 
-    ![Permission page for Microsoft Store for Business](images/minecraft-assign-roles.png)
+    ![Permission page for Microsoft Store for Business.](images/minecraft-assign-roles.png)
     
     Microsoft Store for Business updates the list of people and permissions. 
     
-    ![Permission page for Microsoft Store for Business](images/minecraft-assign-roles-2.png)
+    ![Permission page for Microsoft Store for Business.](images/minecraft-assign-roles-2.png)
 
 -->
 
diff --git a/education/windows/set-up-school-pcs-azure-ad-join.md b/education/windows/set-up-school-pcs-azure-ad-join.md
index 6d62b6bb55..02198518ca 100644
--- a/education/windows/set-up-school-pcs-azure-ad-join.md
+++ b/education/windows/set-up-school-pcs-azure-ad-join.md
@@ -48,7 +48,7 @@ Active Directory** \> **Devices** \> **Device settings**.
 for Azure AD by selecting **All** or **Selected**. If you choose the latter
 option, select the teachers and IT staff to allow them to connect to Azure AD.  
 
-![Select the users you want to let join devices to Azure AD](images/suspc-enable-shared-pc-1807.png)  
+![Select the users you want to let join devices to Azure AD.](images/suspc-enable-shared-pc-1807.png)  
 
 You can also create an account that holds the exclusive rights to join devices. When a student PC needs to be set up, provide the account credentials to the appropriate teachers or staff.
 
diff --git a/education/windows/set-up-students-pcs-to-join-domain.md b/education/windows/set-up-students-pcs-to-join-domain.md
index 22d45b09fc..328b2f80a1 100644
--- a/education/windows/set-up-students-pcs-to-join-domain.md
+++ b/education/windows/set-up-students-pcs-to-join-domain.md
@@ -43,7 +43,7 @@ Follow the steps in [Provision PCs with common settings for initial deployment (
 
       **Figure 7** - Add the account to use for test-taking
 
-      ![Add the account to use for test-taking](images/wcd_settings_assignedaccess.png)
+      ![Add the account to use for test-taking.](images/wcd_settings_assignedaccess.png)
 
       The account can be in one of the following formats:
       - username
diff --git a/education/windows/set-up-students-pcs-with-apps.md b/education/windows/set-up-students-pcs-with-apps.md
index 7d803777e5..f0bb65fa78 100644
--- a/education/windows/set-up-students-pcs-with-apps.md
+++ b/education/windows/set-up-students-pcs-with-apps.md
@@ -35,7 +35,7 @@ You can apply a provisioning package on a USB drive to off-the-shelf devices dur
 2. 
 2. On the **Finish** page, select **Switch to advanced editor**.
 
-  ![Switch to advanced editor](images/icd-school-adv-edit.png)
+  ![Switch to advanced editor.](images/icd-school-adv-edit.png)
 
 **Next steps**
 - [Add a desktop app to your package](#add-a-desktop-app-to-your-package)
@@ -52,7 +52,7 @@ Use the Windows Imaging and Configuration Designer (ICD) tool included in the Wi
 
 2. Click **Advanced provisioning**.
 
-  ![ICD start options](images/icdstart-option.png)  
+  ![ICD start options.](images/icdstart-option.png)  
   
 3. Name your project and click **Next**.
 
@@ -89,17 +89,17 @@ Universal apps that you can distribute in the provisioning package can be line-o
 
 2. For **DeviceContextApp**, specify the **PackageFamilyName** for the app. In Microsoft Store for Business, the package family name is listed in the **Package details** section of the download page.
 
-    ![details for offline app package](images/uwp-family.png)
+    ![details for offline app package.](images/uwp-family.png)
 
 3. For **ApplicationFile**, click **Browse** to find and select the target app (either an \*.appx or \*.appxbundle).
 
 4. For **DependencyAppxFiles**, click **Browse** to find and add any dependencies for the app. In Microsoft Store for Business, any dependencies for the app are listed in the **Required frameworks** section of the download page. 
 
-    ![required frameworks for offline app package](images/uwp-dependencies.png)
+    ![required frameworks for offline app package.](images/uwp-dependencies.png)
 
 5. For **DeviceContextAppLicense**, enter the **LicenseProductID**. In Microsoft Store for Business, you generate the license for the app on the app's download page.
 
-    ![generate license for offline app](images/uwp-license.png)
+    ![generate license for offline app.](images/uwp-license.png)
 
 [Learn more about distributing offline apps from the Microsoft Store for Business.](/microsoft-store/distribute-offline-apps)
 
@@ -168,7 +168,7 @@ If your build is successful, the name of the provisioning package, output direct
 **During initial setup, from a USB drive**
 1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**.
 
-    ![The first screen to set up a new PC](images/oobe.jpg)
+    ![The first screen to set up a new PC.](images/oobe.jpg)
 
 2. Insert the USB drive. Windows Setup will recognize the drive and ask if you want to set up the device. Select **Set up**.
 
@@ -176,11 +176,11 @@ If your build is successful, the name of the provisioning package, output direct
 
 3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**.
 
-    ![Provision this device](images/prov.jpg)
+    ![Provision this device.](images/prov.jpg)
     
 4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**.
 
-    ![Choose a package](images/choose-package.png)
+    ![Choose a package.](images/choose-package.png)
 
 5. Select **Yes, add it**.
 
@@ -188,11 +188,11 @@ If your build is successful, the name of the provisioning package, output direct
     
 6. Read and accept the Microsoft Software License Terms.  
 
-    ![Sign in](images/license-terms.png)
+    ![Sign in.](images/license-terms.png)
     
 7. Select **Use Express settings**.
 
-    ![Get going fast](images/express-settings.png)
+    ![Get going fast.](images/express-settings.png)
 
 8. If the PC doesn't use a volume license, you'll see the **Who owns this PC?** screen. Select **My work or school owns it** and tap **Next**.
 
@@ -200,18 +200,18 @@ If your build is successful, the name of the provisioning package, output direct
 
 9. On the **Choose how you'll connect** screen, select **Join Azure AD** or **Join a domain** and tap **Next**.
 
-    ![Connect to Azure AD](images/connect-aad.png)
+    ![Connect to Azure AD.](images/connect-aad.png)
 
 10. Sign in with  your domain, Azure AD,  or Office 365 account and password. When you see the progress ring, you can remove the USB drive.
 
-    ![Sign in](images/sign-in-prov.png)
+    ![Sign in.](images/sign-in-prov.png)
 
     
 **After setup, from a USB drive, network folder, or SharePoint site**
 
 On a desktop computer, navigate to **Settings** &gt; **Accounts** &gt; **Work access** &gt; **Add or remove a management package** &gt; **Add a package**, and select the package to install. 
 
-![add a package option](images/package.png)
+![add a package option.](images/package.png)
 
 -->
 
diff --git a/education/windows/set-up-windows-10.md b/education/windows/set-up-windows-10.md
index b401df97ef..e1acdf9f1d 100644
--- a/education/windows/set-up-windows-10.md
+++ b/education/windows/set-up-windows-10.md
@@ -27,7 +27,7 @@ Choose the tool that is appropriate for how your students will sign in (Active D
 
 You can use the following diagram to compare the tools.
 
-![Which tool to use to set up Windows 10](images/suspc_wcd_featureslist.png)
+![Which tool to use to set up Windows 10.](images/suspc_wcd_featureslist.png)
 
 
 ## In this section
diff --git a/education/windows/take-a-test-multiple-pcs.md b/education/windows/take-a-test-multiple-pcs.md
index 3044c770e5..10e2d2f7e0 100644
--- a/education/windows/take-a-test-multiple-pcs.md
+++ b/education/windows/take-a-test-multiple-pcs.md
@@ -39,7 +39,7 @@ If you set up Take a Test, this adds a **Take a Test** button on the student PC'
 
 **Figure 1** - Configure Take a Test in the Set up School PCs app
 
-![Configure Take a Test in the Set up School PCs app](images/suspc_choosesettings_setuptakeatest.png)
+![Configure Take a Test in the Set up School PCs app.](images/suspc_choosesettings_setuptakeatest.png)
 
 ### Set up a test account in Intune for Education
 You can set up a test-taking account in Intune for Education. To do this, follow these steps:
@@ -49,7 +49,7 @@ You can set up a test-taking account in Intune for Education. To do this, follow
 
     **Figure 2** - Add a test profile in Intune for Education
 
-    ![Add a test profile in Intune for Education](images/i4e_takeatestprofile_addnewprofile.png)
+    ![Add a test profile in Intune for Education.](images/i4e_takeatestprofile_addnewprofile.png)
 
 3. In the new profile page:
    1. Enter a name for the profile.
@@ -60,7 +60,7 @@ You can set up a test-taking account in Intune for Education. To do this, follow
 
       **Figure 3** - Add information about the test profile
 
-      ![Add information about the test profile](images/i4e_takeatestprofile_newtestaccount.png)
+      ![Add information about the test profile.](images/i4e_takeatestprofile_newtestaccount.png)
 
       After you save the test profile, you will see a summary of the settings that you configured for Take a Test. Next, you'll need to assign the test profile to a group that will be using the test account.
     
@@ -68,13 +68,13 @@ You can set up a test-taking account in Intune for Education. To do this, follow
 
    **Figure 4** - Assign the test account to a group
 
-   ![Assign the test account to a group](images/i4e_takeatestprofile_accountsummary.png)
+   ![Assign the test account to a group.](images/i4e_takeatestprofile_accountsummary.png)
 
 5. In the **Groups** page, click **Change group assignments**.
 
     **Figure 5** - Change group assignments
 
-    ![Change group assignments](images/i4e_takeatestprofile_groups_changegroupassignments.png)
+    ![Change group assignments.](images/i4e_takeatestprofile_groups_changegroupassignments.png)
 
 6. In the **Change group assignments** page:
    1. Select a group from the right column and click **Add Members** to select the group and assign the test-taking account to that group. You can select more than one group. 
@@ -82,7 +82,7 @@ You can set up a test-taking account in Intune for Education. To do this, follow
 
       **Figure 6** - Select the group(s) that will use the test account
 
-      ![Select the groups that will use the test account](images/i4e_takeatestprofile_groupassignment_selected.png)
+      ![Select the groups that will use the test account.](images/i4e_takeatestprofile_groupassignment_selected.png)
 
 And that's it! When the students from the selected group sign in to the student PCs using the Take a Test user name that you selected, the PC will be locked down and Take a Test will open the assessment URL and students can start taking tests.
 
@@ -136,7 +136,7 @@ To set up a test account through Windows Configuration Designer, follow these st
 
       **Figure 7** - Add the account to use for test-taking
 
-      ![Add the account to use for test-taking](images/wcd_settings_assignedaccess.png)
+      ![Add the account to use for test-taking.](images/wcd_settings_assignedaccess.png)
 
       The account can be in one of the following formats:
       - username
diff --git a/education/windows/take-a-test-single-pc.md b/education/windows/take-a-test-single-pc.md
index 1286a5aec8..9d26301975 100644
--- a/education/windows/take-a-test-single-pc.md
+++ b/education/windows/take-a-test-single-pc.md
@@ -30,13 +30,13 @@ To configure the assessment URL and a dedicated testing account on a single PC,
 
    **Figure 1** - Use the Settings app to set up a test-taking account
 
-   ![Use the Settings app to set up a test-taking account](images/tat_settingsapp_workorschoolaccess_setuptestaccount.png)
+   ![Use the Settings app to set up a test-taking account.](images/tat_settingsapp_workorschoolaccess_setuptestaccount.png)
 
 4. In the **Set up an account for taking tests** window, choose an existing account to use as the dedicated testing account.
 
    **Figure 2** - Choose the test-taking account
 
-   ![Choose the test-taking account](images/tat_settingsapp_setuptesttakingaccount_1703.png) 
+   ![Choose the test-taking account.](images/tat_settingsapp_setuptesttakingaccount_1703.png) 
 
     > [!NOTE]  
     > If you don't have an account on the device, you can create a new account. To do this, go to **Settings > Accounts > Other people > Add someone else to this PC > I don’t have this person’s sign-in information > Add a user without a Microsoft account**.
diff --git a/education/windows/take-tests-in-windows-10.md b/education/windows/take-tests-in-windows-10.md
index 7e016c22c0..f9ba6a9479 100644
--- a/education/windows/take-tests-in-windows-10.md
+++ b/education/windows/take-tests-in-windows-10.md
@@ -32,7 +32,7 @@ Many schools use online testing for formative and summative assessments. It's cr
 
 ## How to use Take a Test
 
-![Set up and user flow for the Take a Test app](images/take_a_test_flow_dark.png)
+![Set up and user flow for the Take a Test app.](images/take_a_test_flow_dark.png)
 
 There are several ways to configure devices for assessments, depending on your use case:
 
diff --git a/education/windows/teacher-get-minecraft.md b/education/windows/teacher-get-minecraft.md
index 136499ee4c..6f0d1d4341 100644
--- a/education/windows/teacher-get-minecraft.md
+++ b/education/windows/teacher-get-minecraft.md
@@ -65,7 +65,7 @@ After Minecraft: Education Edition licenses have been purchased, either directly
 - You can assign the app to others.  
 - You can download the app to distribute. 
 
-<!-- ![App distribution options](images/mc-install-for-me-teacher.png) -->
+<!-- ![App distribution options.](images/mc-install-for-me-teacher.png) -->
 
 ### Install for me
 You can install the app on your PC. This gives you a chance to work with the app before using it with your students.   
@@ -73,7 +73,7 @@ You can install the app on your PC. This gives you a chance to work with the app
 1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com). 
 2. Click **Manage**, and then click **Install**.
 
-    <!-- ![Minecraft Education Edition product page](images/mc-install-for-me-teacher.png) -->
+    <!-- ![Minecraft Education Edition product page.](images/mc-install-for-me-teacher.png) -->
 
 3. Click **Install**. 
 
@@ -84,13 +84,13 @@ Enter email addresses for your students, and each student will get an email with
 1. Sign in to [Microsoft Store for Education](https://educationstore.microsoft.com). 
 2. Click **Manage**.
 
-    <!-- ![Minecraft Education Edition product page](images/mc-install-for-me-teacher.png) -->
+    <!-- ![Minecraft Education Edition product page.](images/mc-install-for-me-teacher.png) -->
 
 3. Click **Invite people**.
     
 4. Type the name, or email address of the student or group you want to assign the app to, and then click **Assign**.
 
-   ![Assign to people showing student name](images/minecraft-assign-to-people-name.png)
+   ![Assign to people showing student name.](images/minecraft-assign-to-people-name.png)
    
    You can assign the app to students with work or school accounts. </br>
    If you don't find the student, you can still assign the app to them if self-service sign up is supported for your domain. Students will receive an email with a link to Microsoft 365 admin center where they can create an account, and then install **Minecraft: Education Edition**. Questions about self-service sign up? Check with your admin. 
@@ -100,20 +100,20 @@ Enter email addresses for your students, and each student will get an email with
 
 Students will receive an email with a link that will install the app on their PC.
 
-![Email with Get the app link](images/minecraft-student-install-email.png)
+![Email with Get the app link.](images/minecraft-student-install-email.png)
 
 1. Click **Get the app** to start the app install in Microsoft Store app. 
 2. In Microsoft Store app, click **Install**. 
 
-     ![Microsoft Store app with Minecraft page](images/minecraft-in-windows-store-app.png)
+     ![Microsoft Store app with Minecraft page.](images/minecraft-in-windows-store-app.png)
 
       After installing the app, students can find Minecraft: Education Edition in Microsoft Store app under **My Library**.
 
-    ![Microsoft Store app showing access to My Library](images/minecraft-private-store.png) 
+    ![Microsoft Store app showing access to My Library.](images/minecraft-private-store.png) 
 
       When students click **My Library** they'll find apps assigned to them.
 
-    ![My Library for example student](images/minecraft-my-library.png)  
+    ![My Library for example student.](images/minecraft-my-library.png)  
 
 ### Download for others
 Download for others allows teachers or IT admins to download a packages that they can install on student PCs. This will install Minecraft: Education Edition on the PC, and allows anyone with a Windows account to use the app on that PC. This option is best for students, and for shared computers. Choose this option when:
@@ -132,11 +132,11 @@ Minecraft: Education Edition will not install if there are updates pending for o
 1. Start Microsoft Store app on the PC (click **Start**, and type **Store**).
 2. Click the account button, and then click **Downloads and updates**.
 
-      ![Microsoft Store app showing access to My Library](images/minecraft-private-store.png)
+      ![Microsoft Store app showing access to My Library.](images/minecraft-private-store.png)
       
 3. Click **Check for updates**, and install all available updates. 
 
-      ![Microsoft Store app showing access to My Library](images/mc-check-for-updates.png)
+      ![Microsoft Store app showing access to My Library.](images/mc-check-for-updates.png)
       
 4. Restart the computer before installing Minecraft: Education Edition. 
    
@@ -145,7 +145,7 @@ You'll download a .zip file, extract the files, and then use one of the files to
 
 1. **Download Minecraft Education Edition.zip**. From the **Minecraft: Education Edition** page, click **Download for others** tab, and then click **Download**.
 
-    ![Microsoft Store app showing access to My Library](images/mc-dnld-others-teacher.png)
+    ![Microsoft Store app showing access to My Library.](images/mc-dnld-others-teacher.png)
  
 2. **Extract files**. Find the .zip file that you downloaded and extract the files. This is usually your **Downloads** folder, unless you chose to save the .zip file to a different location. Right-click the file and choose **Extract all**.
 3. **Save to USB drive**. After you've extracted the files, save the Minecraft: Education Edition folder to a USB drive, or to a network location that you can access from each PC.  
diff --git a/education/windows/use-set-up-school-pcs-app.md b/education/windows/use-set-up-school-pcs-app.md
index 3f31119391..ca36e12e5a 100644
--- a/education/windows/use-set-up-school-pcs-app.md
+++ b/education/windows/use-set-up-school-pcs-app.md
@@ -103,7 +103,7 @@ We strongly recommend that you avoid changing preset policies. Changes can slow
 
 The **Set up School PCs** app guides you through the configuration choices for the student PCs.  To begin, open the app on your PC and click **Get started**.   
     
-   ![Launch the Set up School PCs app](images/suspc_getstarted_050817.png)  
+   ![Launch the Set up School PCs app.](images/suspc_getstarted_050817.png)  
 
 ### Package name  
 Type a unique name to help distinguish your school's provisioning packages. The name appears:  
diff --git a/smb/cloud-mode-business-setup.md b/smb/cloud-mode-business-setup.md
index 4294d7199e..3b6a109ef3 100644
--- a/smb/cloud-mode-business-setup.md
+++ b/smb/cloud-mode-business-setup.md
@@ -18,7 +18,7 @@ ms.topic: conceptual
 
 # Get started: Deploy and manage a full cloud IT solution for your business
 
-![Learn how to set up a full cloud infrastructure for your business](images/business-cloud-mode.png)
+![Learn how to set up a full cloud infrastructure for your business.](images/business-cloud-mode.png)
 
 **Applies to:**
 
@@ -61,7 +61,7 @@ If this is the first time you're setting this up, and you'd like to see how it's
 
    **Figure 1** - Try or buy Office 365
 
-   ![Office 365 for business sign up](images/office365_tryorbuy_now.png)
+   ![Office 365 for business sign up.](images/office365_tryorbuy_now.png)
 
 2. Fill out the sign up form and provide information about you and your company.
 3. Create a user ID and password to use to sign into your account.
@@ -76,7 +76,7 @@ If this is the first time you're setting this up, and you'd like to see how it's
 
    **Figure 2** - Microsoft 365 admin center
 
-   ![Microsoft 365 admin center](images/office365_portal.png)
+   ![Microsoft 365 admin center.](images/office365_portal.png)
 
 
 6. Select the **Admin** tile to go to the admin center.
@@ -86,7 +86,7 @@ If this is the first time you're setting this up, and you'd like to see how it's
   
    **Figure 3** - Admin center
 
-   ![Microsoft 365 admin center](images/office365_admin_portal.png)
+   ![Microsoft 365 admin center.](images/office365_admin_portal.png)
 
 
 8. Go back to the <a href="https://portal.office.com/adminportal/home#/homepage" target="_blank">admin center</a> to add or buy a domain.
@@ -94,14 +94,14 @@ If this is the first time you're setting this up, and you'd like to see how it's
 
       **Figure 4** - Option to add or buy a domain
 
-      ![Add or buy a domain in admin center](images/office365_buy_domain.png)
+      ![Add or buy a domain in admin center.](images/office365_buy_domain.png)
     
 
    2. In the **Home > Domains** page, you will see the Microsoft-provided domain, such as *fabrikamdesign.onmicrosoft.com*.
 
       **Figure 5** - Microsoft-provided domain
 
-      ![Microsoft-provided domain](images/office365_ms_provided_domain.png)
+      ![Microsoft-provided domain.](images/office365_ms_provided_domain.png)
 
       - If you already have a domain, select **+ Add domain** to add your existing domain. If you select this option, you'll be required to verify that you own the domain. Follow the steps in the wizard to verify your domain.
       - If you don't already own a domain, select **+ Buy domain**. If you're using a trial plan, you'll be required to upgrade your trial plan in order to buy a domain. Choose the subscription plan to use for your business and provide the details to complete your order.
@@ -110,7 +110,7 @@ If this is the first time you're setting this up, and you'd like to see how it's
 
       **Figure 6** - Domains
 
-      ![Verify your domains in the admin center](images/office365_additional_domain.png)
+      ![Verify your domains in the admin center.](images/office365_additional_domain.png)
 
 ### 1.2 Add users and assign product licenses
 Once you've set up Office and added your domain, it's time to add users so they have access to Office 365. People in your organization need an account before they can sign in and access Office 365. The easiest way to add users is to add them one at a time in the Microsoft 365 admin center.
@@ -123,7 +123,7 @@ When adding users, you can also assign admin privileges to certain users in your
 
    **Figure 7** - Add users
 
-   ![Add Office 365 users](images/office365_users.png)
+   ![Add Office 365 users.](images/office365_users.png)
 
 2. In the **Home > Active users** page, add users individually or in bulk.
    - To add users one at a time, select **+ Add a user**.
@@ -132,7 +132,7 @@ When adding users, you can also assign admin privileges to certain users in your
 
      **Figure 8** - Add an individual user
 
-     ![Add an individual user](images/office365_add_individual_user.png)
+     ![Add an individual user.](images/office365_add_individual_user.png)
 
    - To add multiple users at once, select **More** and then choose **+ Import multiple users**. If you select this option, you'll need to create and upload a CSV file containing the list of users.
 
@@ -140,13 +140,13 @@ When adding users, you can also assign admin privileges to certain users in your
 
      **Figure 9** - Import multiple users
 
-     ![Import multiple users](images/office365_import_multiple_users.png)
+     ![Import multiple users.](images/office365_import_multiple_users.png)
 
 3. Verify that all the users you added appear in the list of **Active users**. The **Status** should indicate the product licenses that were assigned to them.
 
    **Figure 10** - List of active users
 
-   ![Verify users and assigned product licenses](images/o365_active_users.png)
+   ![Verify users and assigned product licenses.](images/o365_active_users.png)
 
 ### 1.3 Add Microsoft Intune
 Microsoft Intune provides mobile device management, app management, and PC management capabilities from the cloud. Using Intune, organizations can provide their employees with access to apps, data, and corporate resources from anywhere on almost any device while helping to keep corporate information secure. To learn more, see <a href="/intune/understand-explore/introduction-to-microsoft-intune" target="_blank">What is Intune?</a>
@@ -160,14 +160,14 @@ Microsoft Intune provides mobile device management, app management, and PC manag
 
    **Figure 11** - Assign Intune licenses
 
-   ![Assign Microsoft Intune licenses to users](images/o365_assign_intune_license.png)
+   ![Assign Microsoft Intune licenses to users.](images/o365_assign_intune_license.png)
 
 5. In the admin center, confirm that **Intune** shows up in the list under **Admin centers**. If it doesn't, sign out and then sign back in and then check again.
 6. Select **Intune**. This will take you to the Intune management portal.
 
    **Figure 12** - Microsoft Intune management portal
 
-   ![Microsoft Intune management portal](images/intune_portal_home.png)
+   ![Microsoft Intune management portal.](images/intune_portal_home.png)
 
 Intune should now be added to your tenant. We'll come back to Intune later when we [Configure Microsoft Store for Business for app distribution](#17-configure-microsoft-store-for-business-for-app-distribution).
 
@@ -185,21 +185,21 @@ Microsoft Azure is an open and flexible cloud platform that enables you to quick
 
    **Figure 13** - Access to Azure AD is not available
 
-   ![Access to Azure AD not available](images/azure_ad_access_not_available.png)
+   ![Access to Azure AD not available.](images/azure_ad_access_not_available.png)
 
 3. From the error message, select the country/region for your business. This should match with the location you specified when you signed up for Office 365.
 4. Click **Azure subscription**. This will take you to a free trial sign up screen.
 
    **Figure 14** - Sign up for Microsoft Azure
 
-   ![Sign up for Microsoft Azure](images/azure_ad_sign_up_screen.png)
+   ![Sign up for Microsoft Azure.](images/azure_ad_sign_up_screen.png)
 
 5. In the **Free trial sign up** screen, fill in the required information and then click **Sign up**.
 6. After you sign up, you should see the message that your subscription is ready. Click **Start managing my service**.
 
    **Figure 15** - Start managing your Azure subscription
 
-   ![Start managing your Azure subscription](images/azure_ad_successful_signup.png)
+   ![Start managing your Azure subscription.](images/azure_ad_successful_signup.png)
 
    This will take you to the <a href="https://portal.azure.com" target="_blank">Microsoft Azure portal</a>.
 
@@ -216,26 +216,26 @@ To add Azure AD group(s), we will use the <a href="https://manage.windowsazure.c
 
    **Figure 16** - Azure first sign-in screen
 
-   ![Select Azure AD](images/azure_portal_classic_configure_directory.png)
+   ![Select Azure AD.](images/azure_portal_classic_configure_directory.png)
 
 2. Select the directory (such as Fabrikam Design) to go to the directory's home page.
 
    **Figure 17** - Directory home page
 
-   ![Directory home page](images/azure_portal_classic_directory_ready.png)
+   ![Directory home page.](images/azure_portal_classic_directory_ready.png)
 
 3. From the menu options on top, select **Groups**.
 
    **Figure 18** - Azure AD groups
 
-   ![Add groups in Azure AD](images/azure_portal_classic_groups.png)
+   ![Add groups in Azure AD.](images/azure_portal_classic_groups.png)
 
 4. Select **Add a group** (from the top) or **Add group** at the bottom.
 5. In the **Add Group** window, add a name, group type, and description for the group and click the checkmark to save your changes. The new group will appear on the groups list.
 
    **Figure 19** - Newly added group in Azure AD
 
-   ![Verify the new group appears on the list](images/azure_portal_classic_all_users_group.png)
+   ![Verify the new group appears on the list.](images/azure_portal_classic_all_users_group.png)
 
 6. In the **Groups** tab, select the arrow next to the group (such as **All users**), add members to the group, and then save your changes.
 
@@ -243,7 +243,7 @@ To add Azure AD group(s), we will use the <a href="https://manage.windowsazure.c
 
    **Figure 20** - Members in the new group
 
-   ![Members added to the new group](images/azure_portal_classic_members_added.png)
+   ![Members added to the new group.](images/azure_portal_classic_members_added.png)
 
 7. Repeat steps 2-6 to add other groups. You can add groups based on their roles in your company, based on the apps that each group can use, and so on.
 
@@ -263,14 +263,14 @@ You can read <a href="https://blogs.technet.microsoft.com/enterprisemobility/201
 
    **Figure 21** - List of applications for your company
 
-   ![List of applications for your company](images/azure_portal_classic_applications.png)
+   ![List of applications for your company.](images/azure_portal_classic_applications.png)
 
 2. Select **Microsoft Intune** to configure the application.
 3. In the Microsoft Intune configuration page, click **Configure** to start automatic MDM enrollment configuration with Intune.
 
    **Figure 22** - Configure Microsoft Intune in Azure
 
-   ![Configure Microsoft Intune in Azure](images/azure_portal_classic_configure_intune_app.png)
+   ![Configure Microsoft Intune in Azure.](images/azure_portal_classic_configure_intune_app.png)
 
 4. In the Microsoft Intune configuration page:
    - In the **Properties** section, you should see a list of URLs for MDM discovery, MDM terms of use, and MDM compliance.
@@ -289,7 +289,7 @@ You can read <a href="https://blogs.technet.microsoft.com/enterprisemobility/201
 
    **Figure 23** - Configure Microsoft Intune
 
-   ![Configure automatic MDM enrollment with Intune](images/azure_portal_classic_configure_intune_mdm_enrollment.png)
+   ![Configure automatic MDM enrollment with Intune.](images/azure_portal_classic_configure_intune_mdm_enrollment.png)
 
 ### 1.7 Configure Microsoft Store for Business for app distribution
 Next, you'll need to configure Microsoft Store for Business to distribute apps with a management tool such as Intune.
@@ -303,7 +303,7 @@ In this part of the walkthrough, we'll be working on the <a href="https://manage
 
    **Figure 24** - Mobile device management
 
-   ![Set up mobile device management in Intune](images/intune_admin_mdm_configure.png)
+   ![Set up mobile device management in Intune.](images/intune_admin_mdm_configure.png)
 
 3. Sign into <a href="https://businessstore.microsoft.com/en-us/Store/Apps" target="_blank">Microsoft Store for Business</a> using the same tenant account that you used to sign into Intune.
 4. Accept the EULA.
@@ -312,20 +312,20 @@ In this part of the walkthrough, we'll be working on the <a href="https://manage
 
    **Figure 25** - Activate Intune as the Store management tool
 
-   ![Activate Intune from the Store portal](images/wsfb_management_tools_activate.png)
+   ![Activate Intune from the Store portal.](images/wsfb_management_tools_activate.png)
 
 7. Go back to the <a href="https://manage.microsoft.com/" target="_blank">Intune management portal</a>, select **Admin > Mobile Device Management**, expand **Windows**, and then choose **Store for Business**.
 8. In the **Microsoft Store for Business** page, select **Configure Sync** to sync your Store for Business volume-purchased apps with Intune.
 
    **Figure 26** - Configure Store for Business sync in Intune
 
-   ![Configure Store for Business sync in Intune](images/intune_admin_mdm_store_sync.png)
+   ![Configure Store for Business sync in Intune.](images/intune_admin_mdm_store_sync.png)
 
 9. In the **Configure Microsoft Store for Business app sync** dialog box, check **Enable Microsoft Store for Business sync**. In the **Language** dropdown list, choose the language in which you want apps from the Store to be displayed in the Intune console and then click **OK**.
 
    **Figure 27** - Enable Microsoft Store for Business sync in Intune
 
-   ![Enable Store for Business sync in Intune](images/intune_configure_store_app_sync_dialog.png)
+   ![Enable Store for Business sync in Intune.](images/intune_configure_store_app_sync_dialog.png)
 
    The **Microsoft Store for Business** page will refresh and it will show the details from the sync.
 
@@ -348,7 +348,7 @@ In the following example, we'll show you how to buy apps through the Microsoft S
 
    **Figure 28** - Shop for Store apps
 
-   ![Shop for Store apps](images/wsfb_shop_microsoft_apps.png)
+   ![Shop for Store apps.](images/wsfb_shop_microsoft_apps.png)
 
 2. Click to select an app, such as **Reader**. This opens the app page.
 3. In the app's Store page, click **Get the app**. You should see a dialog that confirms your order. Click **Close**. This will refresh the app's Store page.
@@ -358,7 +358,7 @@ In the following example, we'll show you how to buy apps through the Microsoft S
 
    **Figure 29** - App inventory shows the purchased apps
 
-   ![Confirm that your inventory shows purchased apps](images/wsfb_manage_inventory_newapps.png)
+   ![Confirm that your inventory shows purchased apps.](images/wsfb_manage_inventory_newapps.png)
 
    > [!NOTE]
    > Sync happens automatically, but it may take up to 24 hours for your organization's private store and 12 hours for Intune to sync all your purchased apps. You can force a sync to make this process happen faster. For more info, see [To sync recently purchased apps](#forceappsync).
@@ -372,7 +372,7 @@ If you need to sync your most recently purchased apps and have it appear in your
 
    **Figure 30** - Force a sync in Intune
 
-   ![Force a sync in Intune](images/intune_admin_mdm_forcesync.png)
+   ![Force a sync in Intune.](images/intune_admin_mdm_forcesync.png)
 
 **To view purchased apps**
 - In the <a href="https://manage.microsoft.com/" target="_blank">Intune management portal</a>, select **Apps > Apps** and then choose **Volume-Purchased Apps** to see the list of available apps. Verify that the apps you purchased were imported correctly.
@@ -393,7 +393,7 @@ To set up new Windows devices, go through the Windows initial device setup or fi
 
    **Figure 31** - First screen in Windows device setup
 
-   ![First screen in Windows device setup](images/win10_hithere.png)
+   ![First screen in Windows device setup.](images/win10_hithere.png)
 
    > [!NOTE]  
    > During setup, if you don't have a Wi-Fi network configured, make sure you connect the device to the Internet through a wired/Ethernet connection.
@@ -403,13 +403,13 @@ To set up new Windows devices, go through the Windows initial device setup or fi
 
    **Figure 32** - Choose how you'll connect your Windows device
 
-   ![Choose how you'll connect the Windows device](images/win10_choosehowtoconnect.png)
+   ![Choose how you'll connect the Windows device.](images/win10_choosehowtoconnect.png)
 
 4. In the **Let's get you signed in** screen, sign in using one of the user accounts you added in section [1.2 Add users and assign product licenses](#12-add-users-and-assign-product-licenses). We suggest signing in as one of the global administrators. Later, sign in on another device using one of the non-admin accounts.
 
    **Figure 33** - Sign in using one of the accounts you added
 
-   ![Sign in using one of the accounts you added](images/win10_signin_admin_account.png)
+   ![Sign in using one of the accounts you added.](images/win10_signin_admin_account.png)
 
 5. If this is the first time you're signing in, you will be asked to update your password. Update the password and continue with sign-in and setup.
 
@@ -430,7 +430,7 @@ In the <a href="https://manage.microsoft.com/" target="_blank">Intune management
 
    **Figure 34** - Check the PC name on your device
 
-   ![Check the PC name on your device](images/win10_settings_pcname.png)
+   ![Check the PC name on your device.](images/win10_settings_pcname.png)
   
 2. Log in to the <a href="https://manage.microsoft.com/" target="_blank">Intune management portal</a>.
 3. Select **Groups** and then go to **Devices**.
@@ -441,7 +441,7 @@ In the <a href="https://manage.microsoft.com/" target="_blank">Intune management
 
    **Figure 35** - Check that the device appears in Intune
 
-   ![Check that the device appears in Intune](images/intune_groups_devices_list.png)
+   ![Check that the device appears in Intune.](images/intune_groups_devices_list.png)
 
 ## 3. Manage device settings and features
 You can use Microsoft Intune admin settings and policies to manage features on your organization's mobile devices and computers. For more info, see [Manage settings and features on your devices with Microsoft Intune policies](/intune/deploy-use/manage-settings-and-features-on-your-devices-with-microsoft-intune-policies).
@@ -460,7 +460,7 @@ In some cases, if an app is missing from the device, you need to reconfigure the
 
    **Figure 36** - Reconfigure an app's deployment setting in Intune
 
-   ![Reconfigure app deployment settings in Intune](images/intune_apps_deploymentaction.png)
+   ![Reconfigure app deployment settings in Intune.](images/intune_apps_deploymentaction.png)
 
 6. Click **Finish**.
 7. Repeat steps 2-6 for other apps that you want to deploy to the device(s) as soon as possible.
@@ -470,7 +470,7 @@ In some cases, if an app is missing from the device, you need to reconfigure the
 
      **Figure 37** - Confirm that additional apps were deployed to the device
 
-     ![Confirm that additional apps were deployed to the device](images/win10_deploy_apps_immediately.png)
+     ![Confirm that additional apps were deployed to the device.](images/win10_deploy_apps_immediately.png)
 
 ### 3.2 Configure other settings in Intune
 
@@ -486,7 +486,7 @@ In some cases, if an app is missing from the device, you need to reconfigure the
 
    **Figure 38** - Add a configuration policy
 
-   ![Add a configuration policy](images/intune_policy_disablecamera.png)
+   ![Add a configuration policy.](images/intune_policy_disablecamera.png)
 
 7. Click **Save Policy**. A confirmation window will pop up.
 8. On the **Deploy Policy** confirmation window, select **Yes** to deploy the policy now.
@@ -495,7 +495,7 @@ In some cases, if an app is missing from the device, you need to reconfigure the
 
     **Figure 39** - The new policy should appear in the **Policies** list.
 
-    ![New policy appears on the list](images/intune_policies_newpolicy_deployed.png)
+    ![New policy appears on the list.](images/intune_policies_newpolicy_deployed.png)
 
 **To turn off Windows Hello and PINs during device setup**
 1. In the <a href="https://manage.microsoft.com/" target="_blank">Intune management portal</a>, select **Admin**.
@@ -504,7 +504,7 @@ In some cases, if an app is missing from the device, you need to reconfigure the
 
    **Figure 40** - Policy to disable Windows Hello for Business
 
-   ![Disable Windows Hello for Business](images/intune_policy_disable_windowshello.png)
+   ![Disable Windows Hello for Business.](images/intune_policy_disable_windowshello.png)
 
 4. Click **Save**.
 
@@ -531,32 +531,32 @@ For other devices, such as those personally-owned by employees who need to conne
 
    **Figure 41** - Add an Azure AD account to the device
 
-   ![Add an Azure AD account to the device](images/win10_add_new_user_join_aad.png)
+   ![Add an Azure AD account to the device.](images/win10_add_new_user_join_aad.png)
 
 4. In the **Let's get you signed in** window, enter the work credentials for the account and then click **Sign in** to authenticate the user.
 
    **Figure 42** - Enter the account details
 
-   ![Enter the account details](images/win10_add_new_user_account_aadwork.png)
+   ![Enter the account details.](images/win10_add_new_user_account_aadwork.png)
 
 5. You will be asked to update the password so enter a new password.
 6. Verify the details to make sure you're connecting to the right organization and then click **Join**.
 
    **Figure 43** - Make sure this is your organization
 
-   ![Make sure this is your organization](images/win10_confirm_organization_details.png)
+   ![Make sure this is your organization.](images/win10_confirm_organization_details.png)
 
 7. You will see a confirmation window that says the device is now connected to your organization. Click **Done**.
 
    **Figure 44** - Confirmation that the device is now connected
 
-   ![Confirmation that the device is now connected](images/win10_confirm_device_connected_to_org.png)
+   ![Confirmation that the device is now connected.](images/win10_confirm_device_connected_to_org.png)
 
 8. The **Connect to work or school** window will refresh and will now include an entry that shows you're connected to your organization's Azure AD. This means the device is now registered in Azure AD and enrolled in MDM and the account should have access to the organization's resources.
 
    **Figure 45** - Device is now enrolled in Azure AD
 
-   ![Device is enrolled in Azure AD](images/win10_device_enrolled_in_aad.png)
+   ![Device is enrolled in Azure AD.](images/win10_device_enrolled_in_aad.png)
 
 9. You can confirm that the new device and user are showing up as Intune-managed by going to the <a href="https://manage.microsoft.com/" target="_blank">Intune management portal</a> and following the steps in [2.3 Verify the device is Azure AD joined](#23-verify-the-device-is-azure-ad-joined). It may take several minutes before the new device shows up so check again later.
 
diff --git a/smb/index.md b/smb/index.md
index cc4c596a1c..a6ae7f1200 100644
--- a/smb/index.md
+++ b/smb/index.md
@@ -17,16 +17,16 @@ audience: itpro
 
 # Windows 10 for SMB
 
-![Windows 10 for SMB](images/smb_portal_banner.png)
+![Windows 10 for SMB.](images/smb_portal_banner.png)
 
-## ![Learn more about Windows and other resources for SMBs](images/learn.png) Learn
+## ![Learn more about Windows and other resources for SMBs.](images/learn.png) Learn
 
 <p><b><a href="https://business.microsoft.com/en-us/products/windows" target="_blank">Windows 10 for business</a></b><br />Learn how Windows 10 and Windows devices can help your business.</p>
 <p><b><a href="https://blogs.business.microsoft.com/" target="_blank">SMB blog</a></b><br />Read about the latest stories, technology insights, and business strategies for SMBs.</p>
 <p><b><a href="https://business.microsoft.com/en-us/products" target="_blank">How to buy</a></b><br />Go here when you&#39;re ready to buy or want to learn more about Microsoft products you can use to help transform your business.</p>
 
 
-## ![Deploy a Microsoft solution for your business](images/deploy.png) Deploy
+## ![Deploy a Microsoft solution for your business.](images/deploy.png) Deploy
 
 <p><b><a href="cloud-mode-business-setup.md" data-raw-source="[Get started: Deploy and manage a full cloud IT solution for your business](cloud-mode-business-setup.md)">Get started: Deploy and manage a full cloud IT solution for your business</a></b><br />Find out how easy it is to deploy and manage a full cloud IT solution for your small to midsize business using Microsoft cloud services and tools.</p>
 
diff --git a/store-for-business/acquire-apps-microsoft-store-for-business.md b/store-for-business/acquire-apps-microsoft-store-for-business.md
index 73c2ce1f3d..882b7e57ba 100644
--- a/store-for-business/acquire-apps-microsoft-store-for-business.md
+++ b/store-for-business/acquire-apps-microsoft-store-for-business.md
@@ -55,7 +55,7 @@ There are a couple of things we need to know when you pay for apps. You can add
 2. Select **Manage**, and then select **Settings**. 
 3. On **Shop**, , under **Shopping behavior**, turn on or turn off **Allow users to shop**.
 
-![manage settings to control Basic Purchaser role assignment](images/sfb-allow-shop-setting.png)
+![manage settings to control Basic Purchaser role assignment.](images/sfb-allow-shop-setting.png)
 
 ## Allow app requests
 
diff --git a/store-for-business/billing-understand-your-invoice-msfb.md b/store-for-business/billing-understand-your-invoice-msfb.md
index 26bb2598f8..bee1e82435 100644
--- a/store-for-business/billing-understand-your-invoice-msfb.md
+++ b/store-for-business/billing-understand-your-invoice-msfb.md
@@ -51,7 +51,7 @@ invoice and descriptions for each term.
 
 The **Invoice Summary** is on the top of the first page and shows information about your billing profile and how you pay.
 
-![Invoice summary section](images/invoicesummary.png)
+![Invoice summary section.](images/invoicesummary.png)
 
 
 | Term | Description |
@@ -68,7 +68,7 @@ The **Invoice Summary** is on the top of the first page and shows information ab
 The **Billing Summary**  shows the charges against the billing profile since the previous billing period, any credits that were applied, tax, and the total amount due.
 
 
-![Billing summary section](images/billingsummary.png)
+![Billing summary section.](images/billingsummary.png)
 
 | Term | Description |
 | --- | --- |
@@ -91,7 +91,7 @@ The total amount due for each service family is calculated by subtracting Azure
 
 `Total = Charges/Credits - Azure Credit + Tax`
 
-![Details by invoice section](images/invoicesectiondetails.png)
+![Details by invoice section.](images/invoicesectiondetails.png)
 
 | Term |Description |
 | --- | --- |
diff --git a/store-for-business/microsoft-store-for-business-education-powershell-module.md b/store-for-business/microsoft-store-for-business-education-powershell-module.md
index bb29be21a9..3bdd7d61bc 100644
--- a/store-for-business/microsoft-store-for-business-education-powershell-module.md
+++ b/store-for-business/microsoft-store-for-business-education-powershell-module.md
@@ -91,7 +91,7 @@ Get-MSStoreInventory
 >1. Sign in to [Microsoft Store for Business](https://go.microsoft.com/fwlink/p/?LinkId=691845) or [Microsoft Store for Education](https://businessstore.microsoft.com/).
 >2. Click **Manage** and then choose **Apps & software**.
 >3. Click the line-of-business app. The URL of the page will contain the product ID and SKU as part of the URL. For example:
->![Url after apps/ is product id and next is SKU](images/lob-sku.png)
+>![Url after apps/ is product id and next is SKU.](images/lob-sku.png)
 
 ## View people assigned to a product
 Most items in **Products and Services** in **Microsoft Store for Business and Education** need to be assigned to people in your org. You can view the people in your org assigned to a specific product by using these commands:
diff --git a/store-for-business/troubleshoot-microsoft-store-for-business.md b/store-for-business/troubleshoot-microsoft-store-for-business.md
index 784e422a8a..0a66d2a739 100644
--- a/store-for-business/troubleshoot-microsoft-store-for-business.md
+++ b/store-for-business/troubleshoot-microsoft-store-for-business.md
@@ -36,23 +36,23 @@ The private store for your organization is a page in Microsoft Store app that co
 
 1.  Click the people icon in Microsoft Store app, and click **Sign in**.
 
-    ![Sign in to Store app with a different account](images/wsfb-wsappsignin.png)
+    ![Sign in to Store app with a different account.](images/wsfb-wsappsignin.png)
 
 2.  Click **Add account**, and then click **Work or school account**.
 
-    ![Choose an account to use](images/wsfb-wsappaddacct.png)
+    ![Choose an account to use.](images/wsfb-wsappaddacct.png)
 
 3.  Type the email account and password, and click **Sign in**.
 
-    ![Sign in for work or school account](images/wsfb-wsappworkacct.png)
+    ![Sign in for work or school account.](images/wsfb-wsappworkacct.png)
 
 4.  You should see the private store for your organization. In our example, the page is named **Contoso publishing**.
 
-    ![Private store with name highlighted](images/wsfb-wsappprivatestore.png)
+    ![Private store with name highlighted.](images/wsfb-wsappprivatestore.png)
 
     Click the private store to see apps in your private store.
 
-    ![Private store for Contoso publishing](images/wsfb-privatestoreapps.png)
+    ![Private store for Contoso publishing.](images/wsfb-privatestoreapps.png)
 
 ## Troubleshooting Microsoft Store for Business integration with Microsoft Endpoint Configuration Manager
 
diff --git a/store-for-business/whats-new-microsoft-store-business-education.md b/store-for-business/whats-new-microsoft-store-business-education.md
index 66f34fdabe..4b0cd1e47d 100644
--- a/store-for-business/whats-new-microsoft-store-business-education.md
+++ b/store-for-business/whats-new-microsoft-store-business-education.md
@@ -26,7 +26,7 @@ Microsoft Store for Business and Education regularly releases new and improved f
 
 :::row:::
    :::column span="1":::
-   ![Security groups](images/security-groups-icon.png)
+   ![Security groups.](images/security-groups-icon.png)
    :::column-end:::
    :::column span="1":::
    **Use security groups with Private store apps**<br /><br /> On the details page for apps in your private store, you can set **Private store availability**. This allows you to choose which security groups can see an app in the private store. <br /><br />[Get more info](./app-inventory-management-microsoft-store-for-business.md#private-store-availability)<br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education
@@ -38,7 +38,7 @@ Microsoft Store for Business and Education regularly releases new and improved f
 We’ve been working on bug fixes and performance improvements to provide you a better experience. Stay tuned for new features!
 |  |  |
 |-----------------------|---------------------------------|
-| ![Private store performance icon](images/perf-improvement-icon.png) |**Performance improvements in private store**<br /><br /> We've made it significantly faster for you to update the private store. Many changes to the private store are available immediately after you make them. <br /><br />[Get more info](./manage-private-store-settings.md#private-store-performance)<br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
+| ![Private store performance icon.](images/perf-improvement-icon.png) |**Performance improvements in private store**<br /><br /> We've made it significantly faster for you to update the private store. Many changes to the private store are available immediately after you make them. <br /><br />[Get more info](./manage-private-store-settings.md#private-store-performance)<br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
 | <iframe width="288" height="232" src="https://www.youtube-nocookie.com/embed/IpLIZU_j7Z0" frameborder="0" allowfullscreen></iframe>| **Manage Windows device deployment with Windows Autopilot Deployment** <br /><br /> In Microsoft Store for Business, you can manage devices for your organization and apply an Autopilot deployment profile to your devices. When people in your organization run the out-of-box experience on the device, the profile configures Windows, based on the Autopilot deployment profile you applied to the device.<br /><br />[Get more info](add-profile-to-devices.md)<br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education  |
 | ![Microsoft Store for Business Settings page, Distribute tab showing app requests setting.](images/msfb-wn-1709-app-request.png) |**Request an app**<br /><br />People in your organization can request additional licenses for apps in your private store, and then Admins or Purchasers can make the purchases. <br /><br />[Get more info](./acquire-apps-microsoft-store-for-business.md#request-apps)<br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
 ||  ![Image showing Add a Collection.](images/msfb-add-collection.png) |**Private store collections**<br /><br> You can groups of apps in your private store with **Collections**. This can help you organize apps and help people find apps for their job or classroom. <br /><br />[Get more info](https://review.docs.microsoft.com/microsoft-store/manage-private-store-settings?branch=msfb-14856406#add-a-collection)<br /><br />**Applies to**:<br /> Microsoft Store for Business <br /> Microsoft Store for Education |
diff --git a/store-for-business/working-with-line-of-business-apps.md b/store-for-business/working-with-line-of-business-apps.md
index 2150c9e7c3..8efc8effad 100644
--- a/store-for-business/working-with-line-of-business-apps.md
+++ b/store-for-business/working-with-line-of-business-apps.md
@@ -46,7 +46,7 @@ You'll need to set up:
 -   LOB publishers need to have an app in Microsoft Store, or have an app ready to submit to the Store.
 
 The process and timing look like this:
-![Process showing LOB workflow in Microsoft Store for Business. Includes workflow for MSFB admin, LOB publisher, and Developer](images/lob-workflow.png)
+![Process showing LOB workflow in Microsoft Store for Business. Includes workflow for MSFB admin, LOB publisher, and Developer.](images/lob-workflow.png)
 
 ## <a href="" id="add-lob-publisher"></a>Add an LOB publisher (Admin)
 Admins need to invite developer or ISVs to become an LOB publisher.
diff --git a/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md b/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md
index b0bdee5283..130ad633ee 100644
--- a/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md
+++ b/windows/application-management/app-v/appv-application-publishing-and-client-interaction.md
@@ -423,7 +423,7 @@ The process then configures the client for package or connection group additions
 
 This completes an App-V package add for the publishing refresh process. The next step is publishing the package to a specific target (machine or user).
 
-![Package add file and registry data](images/packageaddfileandregistrydata.png)
+![Package add file and registry data.](images/packageaddfileandregistrydata.png)
 
 **Package add file and registry data**
 
@@ -454,7 +454,7 @@ During the Publishing Refresh operation, the specific publishing operation, **Pu
 
 Publishing an App-V Package that is part of a Connection Group is very similar to the above process. For connection groups, the path that stores the specific catalog information includes PackageGroups as a child of the Catalog Directory. Review the Machine and User Catalog information in the preceding sections for details.
 
-![package add file and registry data - global](images/packageaddfileandregistrydata-global.png)
+![package add file and registry data - global.](images/packageaddfileandregistrydata-global.png)
 
 **Package add file and registry data—global**
 
@@ -481,7 +481,7 @@ After the Publishing Refresh process, the user launches and then relaunches an A
 
 7. The Application launches. For any missing files in the package store (sparse files), App-V will stream fault the files on an as-needed basis.
 
-    ![package add file and registry data - stream](images/packageaddfileandregistrydata-stream.png)
+    ![package add file and registry data - stream.](images/packageaddfileandregistrydata-stream.png)
 
     **Package add file and registry data—stream**
 
diff --git a/windows/application-management/app-v/appv-deployment-checklist.md b/windows/application-management/app-v/appv-deployment-checklist.md
index 501a6eae9f..4183212c31 100644
--- a/windows/application-management/app-v/appv-deployment-checklist.md
+++ b/windows/application-management/app-v/appv-deployment-checklist.md
@@ -20,9 +20,9 @@ This checklist outlines the recommended steps and items to consider when deployi
 
 |Status|Task|References|Notes|
 |---|---|---|---|
-|![Checklist box](../app-v/images/checklistbox.gif)|Prepare the computing environment for App-V deployment during your planning phase.|[App-V planning checklist](appv-planning-checklist.md)||
-|![Checklist box](../app-v/images/checklistbox.gif)|Review App-V's supported configurations.|[App-V supported configurations](appv-supported-configurations.md)||
-|![Checklist box](../app-v/images/checklistbox.gif)|Run App-V Setup to deploy the required App-V features for your environment.|[How to install the sequencer](appv-install-the-sequencer.md)<br>[Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md)<br>[How to deploy the App-V server](appv-deploy-the-appv-server.md)||
+|![Checklist box.](../app-v/images/checklistbox.gif)|Prepare the computing environment for App-V deployment during your planning phase.|[App-V planning checklist](appv-planning-checklist.md)||
+|![Checklist box.](../app-v/images/checklistbox.gif)|Review App-V's supported configurations.|[App-V supported configurations](appv-supported-configurations.md)||
+|![Checklist box.](../app-v/images/checklistbox.gif)|Run App-V Setup to deploy the required App-V features for your environment.|[How to install the sequencer](appv-install-the-sequencer.md)<br>[Enable the App-V desktop client](appv-enable-the-app-v-desktop-client.md)<br>[How to deploy the App-V server](appv-deploy-the-appv-server.md)||
 
 >[!NOTE]
 >Keep track of server names and associated URLs you create during installation. You'll need this information throughout the installation process.
diff --git a/windows/application-management/app-v/appv-install-the-sequencer.md b/windows/application-management/app-v/appv-install-the-sequencer.md
index e8785b3d7f..9bde5d0531 100644
--- a/windows/application-management/app-v/appv-install-the-sequencer.md
+++ b/windows/application-management/app-v/appv-install-the-sequencer.md
@@ -28,7 +28,7 @@ The App-V Sequencer is included in the Windows 10 Assessment and Deployment Kit
 1. Go to [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit).
 2. Select the **Get Windows ADK for Windows 10** button on the page to start the ADK installer. Make sure that **Microsoft Application Virtualization (App-V) Sequencer** is selected during the installation.
 
-    ![Selecting APP-V features in ADK](images/app-v-in-adk.png)
+    ![Selecting APP-V features in ADK.](images/app-v-in-adk.png)
 3. To open the Sequencer, go to the **Start** menu and select **Microsoft Application Virtualization (App-V) Sequencer**.
 
 See [Creating and managing virtual applications](appv-creating-and-managing-virtualized-applications.md) and the [Application Virtualization Sequencing Guide](https://download.microsoft.com/download/F/7/8/F784A197-73BE-48FF-83DA-4102C05A6D44/App-V%205.0%20Sequencing%20Guide.docx) for information about creating virtual applications with the Sequencer.
diff --git a/windows/application-management/app-v/appv-planning-checklist.md b/windows/application-management/app-v/appv-planning-checklist.md
index e838f04c45..50887ca724 100644
--- a/windows/application-management/app-v/appv-planning-checklist.md
+++ b/windows/application-management/app-v/appv-planning-checklist.md
@@ -23,12 +23,12 @@ This checklist can be used to help you plan for preparing your organization for
 
 |Status|Task|References|Notes|
 |---|---|---|---|
-|![Checklist box](../app-v/images/checklistbox.gif)|Review the getting started information about App-V to gain a basic understanding of the product before beginning deployment planning.|[Getting started with App-V](appv-getting-started.md)||
-|![Checklist box](../app-v/images/checklistbox.gif)|Plan for App-V deployment prerequisites and prepare your computing environment.|[App-V prerequisites](appv-prerequisites.md)||
-|![Checklist box](../app-v/images/checklistbox.gif)|If you plan to use the App-V management server, plan for the required roles.|[Planning for the App-V server deployment](appv-planning-for-appv-server-deployment.md)||
-|![Checklist box](../app-v/images/checklistbox.gif)|Plan for the App-V sequencer and client to create and run virtualized applications.|[Planning for the App-V Sequencer and client deployment](appv-planning-for-sequencer-and-client-deployment.md)||
-|![Checklist box](../app-v/images/checklistbox.gif)|If applicable, review the options and steps for migrating from a previous version of App-V.|[Migrating to App-V from a previous version](appv-migrating-to-appv-from-a-previous-version.md)||
-|![Checklist box](../app-v/images/checklistbox.gif)|Decide whether to configure App-V clients in Shared Content Store mode.|[Deploying the App-V Sequencer and configuring the client](appv-deploying-the-appv-sequencer-and-client.md)||
+|![Checklist box.](../app-v/images/checklistbox.gif)|Review the getting started information about App-V to gain a basic understanding of the product before beginning deployment planning.|[Getting started with App-V](appv-getting-started.md)||
+|![Checklist box.](../app-v/images/checklistbox.gif)|Plan for App-V deployment prerequisites and prepare your computing environment.|[App-V prerequisites](appv-prerequisites.md)||
+|![Checklist box.](../app-v/images/checklistbox.gif)|If you plan to use the App-V management server, plan for the required roles.|[Planning for the App-V server deployment](appv-planning-for-appv-server-deployment.md)||
+|![Checklist box.](../app-v/images/checklistbox.gif)|Plan for the App-V sequencer and client to create and run virtualized applications.|[Planning for the App-V Sequencer and client deployment](appv-planning-for-sequencer-and-client-deployment.md)||
+|![Checklist box.](../app-v/images/checklistbox.gif)|If applicable, review the options and steps for migrating from a previous version of App-V.|[Migrating to App-V from a previous version](appv-migrating-to-appv-from-a-previous-version.md)||
+|![Checklist box.](../app-v/images/checklistbox.gif)|Decide whether to configure App-V clients in Shared Content Store mode.|[Deploying the App-V Sequencer and configuring the client](appv-deploying-the-appv-sequencer-and-client.md)||
 
 
 
diff --git a/windows/application-management/enterprise-background-activity-controls.md b/windows/application-management/enterprise-background-activity-controls.md
index d123957cd1..0a72c19e87 100644
--- a/windows/application-management/enterprise-background-activity-controls.md
+++ b/windows/application-management/enterprise-background-activity-controls.md
@@ -23,15 +23,15 @@ Enterprise users want the same ability to enable or limit background activity. I
 
 Users have the ability to control background activity for their device through two interfaces in the **Settings** app: the **Background apps** page and the **Battery usage by app** page. The **Background apps** page has a master switch to turn background activity on or off for all apps, and provides individual switches to control each app's ability to run in the background. 
 
-![Background apps settings page](images/backgroundapps-setting.png)
+![Background apps settings page.](images/backgroundapps-setting.png)
 
 The **Battery usage by app** page allows fine-grained tuning of background activity. Users have the ability to set background activity to by **Managed By Windows**, as well as turning it on or off for each app. Only devices with a battery have this page available in the **Settings** app. Here is the set of available controls on desktop: 
 
-![Battery usage by app on desktop](images/battery-usage-by-app-desktop.png)
+![Battery usage by app on desktop.](images/battery-usage-by-app-desktop.png)
 
 Here is the set of available controls for mobile devices: 
 
-![Battery usage by app on mobile](images/battery-usage-by-app-mobile.png)
+![Battery usage by app on mobile.](images/battery-usage-by-app-mobile.png)
 
 Although the user interface differs across editions of the operating system, the policy and developer interface is consistent across Windows 10. For more information about these controls, see [Optimize background activity](/windows/uwp/debug-test-perf/optimize-background-activity).
 
diff --git a/windows/application-management/per-user-services-in-windows.md b/windows/application-management/per-user-services-in-windows.md
index 0cda2dc8c9..4483687ba8 100644
--- a/windows/application-management/per-user-services-in-windows.md
+++ b/windows/application-management/per-user-services-in-windows.md
@@ -102,19 +102,19 @@ If a per-user service can't be disabled using a the security template, you can d
 
 5. Right-click **Registry** > **New** > **Registry Item**.
 
-   ![Group Policy preferences disabling per-user services](media/gpp-per-user-services.png) 
+   ![Group Policy preferences disabling per-user services.](media/gpp-per-user-services.png) 
    
 6. Make sure that  HKEY_Local_Machine is selected for Hive and then click ... (the ellipses) next to Key Path.
 
-   ![Choose HKLM](media/gpp-hklm.png)  
+   ![Choose HKLM.](media/gpp-hklm.png)  
     
 7. Browse to **System\CurrentControlSet\Services\PimIndexMaintenanceSvc**. In the list of values, highlight **Start** and click **Select**.
 
-   ![Select Start](media/gpp-svc-start.png)   
+   ![Select Start.](media/gpp-svc-start.png)   
    
 8. Change **Value data** from **00000003** to **00000004** and click **OK**. Note setting the Value data to **4** = **Disabled**. 
 
-   ![Startup Type is Disabled](media/gpp-svc-disabled.png)   
+   ![Startup Type is Disabled.](media/gpp-svc-disabled.png)   
    
 9. To add the other services that cannot be managed with a Group Policy templates, edit the policy and repeat steps 5-8.  
 
@@ -140,14 +140,14 @@ REG.EXE ADD HKLM\System\CurrentControlSet\Services\WpnUserService /v Start /t RE
 
 If you cannot use Group Policy preferences to manage the per-user services, you can edit the registry with regedit.exe. To disable the template services, change the Startup Type for each service to 4 (disabled):
 
-![Using Regedit to change servive Starup Type](media/regedit-change-service-startup-type.png) 
+![Using Regedit to change servive Starup Type.](media/regedit-change-service-startup-type.png) 
 
 > [!CAUTION]
 > We recommend that you do not directly edit the registry unless there is no other alternative. Modifications to the registry are not validated by the Registry Editor or by the Windows operating system before they are applied. As a result, incorrect values can be stored, and this can result in unrecoverable errors in the system. When possible, instead of editing the registry directly, use Group Policy or other Windows tools such as the Microsoft Management Console (MMC) to accomplish tasks. If you must edit the registry, use extreme caution. 
 
 Beginning with Windows 10, version 1709 and Windows Server, version 1709, you can prevent the per-user service from being created by setting **UserServiceFlags** to 0 under the same service configuration in the registry:
 
-![Create per-user services in disabled state](media/user-service-flag.png)
+![Create per-user services in disabled state.](media/user-service-flag.png)
 
 ### Manage template services by modifying the Windows image
 
@@ -186,4 +186,4 @@ For example, you might see the following per-user services listed in the Service
 
 You can query the service configuration from the command line. The **Type** value indicates whether the service is a user-service template or user-service instance.
 
-![Use sc.exe to view service type](media/cmd-type.png)
\ No newline at end of file
+![Use sc.exe to view service type.](media/cmd-type.png)
\ No newline at end of file
diff --git a/windows/application-management/svchost-service-refactoring.md b/windows/application-management/svchost-service-refactoring.md
index 4130fde7e5..8482a3497c 100644
--- a/windows/application-management/svchost-service-refactoring.md
+++ b/windows/application-management/svchost-service-refactoring.md
@@ -48,11 +48,11 @@ Refactoring also makes it easier to view running processes in Task Manager. You
 
 For example, here are the running processes displayed in Task Manager in Windows 10 version 1607:
 
-![Running processes in Task Manager, version 1607](media/svchost-grouped-processes.png) 
+![Running processes in Task Manager, version 1607.](media/svchost-grouped-processes.png) 
   
 Compare that to the same view of running processes in Windows 10 version 1703:
 
-![Running processes in Task Manager, version 1703](media/svchost-separated-processes.png)
+![Running processes in Task Manager, version 1703.](media/svchost-separated-processes.png)
   
  
 
@@ -66,7 +66,7 @@ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services.
 The default value of **1** prevents the service from being split.
 
 For example, this is the registry key configuration for BFE:
-![Example of a service that cannot be separated](media/svchost-separation-disabled.png)
+![Example of a service that cannot be separated.](media/svchost-separation-disabled.png)
 
 ## Memory footprint
 
@@ -77,7 +77,7 @@ Consider the following:
 
 |Grouped Services (< 3.5GB) | Split Services (3.5GB+)
 |--------------------------------------- | ------------------------------------------ | 
-|![Memory utilization for grouped services](media/svchost-grouped-utilization.png)   |![Memory utilization for separated services](media/svchost-separated-utilization.png)       |
+|![Memory utilization for grouped services.](media/svchost-grouped-utilization.png)   |![Memory utilization for separated services](media/svchost-separated-utilization.png)       |
 
 > [!NOTE]
 > The above represents the peak observed values.
diff --git a/windows/client-management/administrative-tools-in-windows-10.md b/windows/client-management/administrative-tools-in-windows-10.md
index 260944a53c..6da0fdfdb9 100644
--- a/windows/client-management/administrative-tools-in-windows-10.md
+++ b/windows/client-management/administrative-tools-in-windows-10.md
@@ -23,11 +23,11 @@ ms.topic: article
 
 Administrative Tools is a folder in Control Panel that contains tools for system administrators and advanced users. 
 
-![Screenshot of Control Panel](images/admin-tools.png)
+![Screenshot of Control Panel.](images/admin-tools.png)
 
 The tools in the folder might vary depending on which edition of Windows you are using. 
 
-![Screenshot of folder of admin tools](images/admin-tools-folder.png)
+![Screenshot of folder of admin tools.](images/admin-tools-folder.png)
 
 These tools were included in previous versions of Windows. The associated documentation for each tool should help you use these tools in Windows 10. The following list provides links to documentation for each tool. The tools are located within the folder C:\Windows\System32\ or its subfolders.
 
diff --git a/windows/client-management/advanced-troubleshooting-802-authentication.md b/windows/client-management/advanced-troubleshooting-802-authentication.md
index ac96c101cf..c2a8ea0c57 100644
--- a/windows/client-management/advanced-troubleshooting-802-authentication.md
+++ b/windows/client-management/advanced-troubleshooting-802-authentication.md
@@ -41,53 +41,53 @@ Check Windows Security Event log on the NPS Server for NPS events that correspon
  
 In the event message, scroll to the very bottom, and then check the [Reason Code](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd197570(v%3dws.10)) field and the text that's associated with it.
  
-   ![example of an audit failure](images/auditfailure.png)
+   ![example of an audit failure.](images/auditfailure.png)
    *Example: event ID 6273 (Audit Failure)*<br><br>
 ‎
-   ![example of an audit success](images/auditsuccess.png)
+   ![example of an audit success.](images/auditsuccess.png)
    *Example: event ID 6272 (Audit Success)*<br>
 
 ‎The WLAN AutoConfig operational log lists information and error events based on conditions detected by or reported to the WLAN AutoConfig service. The operational log contains information about the wireless network adapter, the properties of the wireless connection profile, the specified network authentication, and, in the event of connectivity problems, the reason for the failure. For wired network access, the Wired AutoConfig operational log is an equivalent one.
 
 On the client side, go to **Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\WLAN-AutoConfig/Operational** for wireless issues. For wired network access issues, go to  **..\Wired-AutoConfig/Operational**. See the following example:
 
-![event viewer screenshot showing wired-autoconfig and WLAN autoconfig](images/eventviewer.png)
+![event viewer screenshot showing wired-autoconfig and WLAN autoconfig.](images/eventviewer.png)
  
 Most 802.1X authentication issues are because of problems with the certificate that's used for client or server authentication. Examples include invalid certificate, expiration, chain verification failure, and revocation check failure. 
 
 First, validate the type of EAP method that's used:
  
-![eap authentication type comparison](images/comparisontable.png)
+![eap authentication type comparison.](images/comparisontable.png)
 
 If a certificate is used for its authentication method, check whether the certificate is valid. For the server (NPS) side, you can confirm what certificate is being used from the EAP property menu. In **NPS snap-in**, go to **Policies** > **Network Policies**. Select and hold (or right-click) the policy, and then select **Properties**. In the pop-up window, go to the **Constraints** tab, and then select the **Authentication Methods** section.
 
-![Constraints tab of the secure wireless connections properties](images/eappropertymenu.png)
+![Constraints tab of the secure wireless connections properties.](images/eappropertymenu.png)
  
 The CAPI2 event log is useful for troubleshooting certificate-related issues.
 By default, this log isn't enabled. To enable this log, expand **Event Viewer (Local)\Applications and Services Logs\Microsoft\Windows\CAPI2**, select and hold (or right-click) **Operational**, and then select **Enable Log**.
 
-![screenshot of event viewer](images/capi.png)
+![screenshot of event viewer.](images/capi.png)
  
 For information about how to analyze CAPI2 event logs, see
 [Troubleshooting PKI Problems on Windows Vista](/previous-versions/windows/it-pro/windows-vista/cc749296%28v=ws.10%29).
 
 When troubleshooting complex 802.1X authentication issues, it's important to understand the 802.1X authentication process. Here's an example of wireless connection process with 802.1X authentication:
 
-![authenticator flow chart](images/authenticator_flow_chart.png)
+![authenticator flow chart.](images/authenticator_flow_chart.png)
  
 If you [collect a network packet capture](troubleshoot-tcpip-netmon.md) on both the client and the server (NPS) side, you can see a flow like the one below. Type **EAPOL** in the Display Filter for a client-side capture, and **EAP** for an NPS-side capture. See the following examples:
 
-![client-side packet capture data](images/clientsidepacket_cap_data.png)
+![client-side packet capture data.](images/clientsidepacket_cap_data.png)
 *Client-side packet capture data*<br><br>
 
-![NPS-side packet capture data](images/NPS_sidepacket_capture_data.png) 
+![NPS-side packet capture data.](images/NPS_sidepacket_capture_data.png) 
 *NPS-side packet capture data*<br>
 ‎
 
 > [!NOTE]
 > If you have a wireless trace, you can also [view ETL files with network monitor](/windows/desktop/ndf/using-network-monitor-to-view-etl-files) and apply the **ONEX_MicrosoftWindowsOneX** and **WLAN_MicrosoftWindowsWLANAutoConfig** Network Monitor filters. If you need to load the required [parser](/archive/blogs/netmon/parser-profiles-in-network-monitor-3-4), see the instructions under the **Help** menu in Network Monitor. Here's an example:
 
-![ETL parse](images/etl.png) 
+![ETL parse.](images/etl.png) 
 
 ## Audit policy
 
diff --git a/windows/client-management/advanced-troubleshooting-boot-problems.md b/windows/client-management/advanced-troubleshooting-boot-problems.md
index 646585085e..d039c10c17 100644
--- a/windows/client-management/advanced-troubleshooting-boot-problems.md
+++ b/windows/client-management/advanced-troubleshooting-boot-problems.md
@@ -50,7 +50,7 @@ The kernel passes control to the session manager process (Smss.exe) which initia
 
 Here is a summary of the boot sequence, what will be seen on the display, and typical boot problems at that point in the sequence. Before starting troubleshooting, you have to understand the outline of the boot process and display status to ensure that the issue is properly identified at the beginning of the engagement.
 
-![thumbnail of boot sequence flowchart](images/boot-sequence-thumb.png)<br>
+![thumbnail of boot sequence flowchart.](images/boot-sequence-thumb.png)<br>
 [Click to enlarge](img-boot-sequence.md)<br>
 
 
diff --git a/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md b/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md
index ce4154396e..57d2cc10a8 100644
--- a/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md
+++ b/windows/client-management/advanced-troubleshooting-wireless-network-connectivity.md
@@ -152,7 +152,7 @@ The important components of the MSM include:
 - Security Manager (SecMgr) - handles all pre and post-connection security operations.
 - Authentication Engine (AuthMgr) – Manages 802.1x auth requests
 
-    ![MSM details](images/msmdetails.png)
+    ![MSM details.](images/msmdetails.png)
 
 Each of these components has their own individual state machines which follow specific transitions.
 Enable the **FSM transition, SecMgr Transition,** and **AuthMgr Transition** filters in TextAnalysisTool for more detail.
@@ -327,4 +327,4 @@ Copy and paste all the lines below and save them into a text file named "wifi.ta
 
 In the following example, the **View** settings are configured to **Show Only Filtered Lines**.
 
-![TAT filter example](images/tat.png)
\ No newline at end of file
+![TAT filter example.](images/tat.png)
\ No newline at end of file
diff --git a/windows/client-management/change-default-removal-policy-external-storage-media.md b/windows/client-management/change-default-removal-policy-external-storage-media.md
index 69fa51d4e4..d59710d70b 100644
--- a/windows/client-management/change-default-removal-policy-external-storage-media.md
+++ b/windows/client-management/change-default-removal-policy-external-storage-media.md
@@ -54,4 +54,4 @@ To change the policy for an external storage device:
   
 7. Select the policy that you want to use.
   
-   ![Policy options for disk management](./images/change-def-rem-policy-2.png)
+   ![Policy options for disk management.](./images/change-def-rem-policy-2.png)
diff --git a/windows/client-management/connect-to-remote-aadj-pc.md b/windows/client-management/connect-to-remote-aadj-pc.md
index 275869bf99..4d8f35673e 100644
--- a/windows/client-management/connect-to-remote-aadj-pc.md
+++ b/windows/client-management/connect-to-remote-aadj-pc.md
@@ -24,7 +24,7 @@ ms.topic: article
 
 From its release, Windows 10 has supported remote connections to PCs joined to Active Directory. Starting in Windows 10, version 1607, you can also connect to a remote PC that is [joined to Azure Active Directory (Azure AD)](/azure/active-directory/devices/concept-azure-ad-join). Starting in Windows 10, version 1809, you can [use biometrics to authenticate to a remote desktop session](/windows/whats-new/whats-new-windows-10-version-1809#remote-desktop-with-biometrics).
 
-![Remote Desktop Connection client](images/rdp.png)
+![Remote Desktop Connection client.](images/rdp.png)
 
 ## Set up
 
@@ -40,7 +40,7 @@ Ensure [Remote Credential Guard](/windows/access-protection/remote-credential-gu
   
   2. Enable **Allow remote connections to this computer** and select **Allow connections only from computers running Remote Desktop with Network Level Authentication**.
 
-     ![Allow remote connections to this computer](images/allow-rdp.png)
+     ![Allow remote connections to this computer.](images/allow-rdp.png)
 
   3. If the user who joined the PC to Azure AD is the only one who is going to connect remotely, no additional configuration is needed. To allow additional users or groups to connect to the PC, you must allow remote connections for the specified users or groups. Users can be added either manually or through MDM policies:
      
diff --git a/windows/client-management/img-boot-sequence.md b/windows/client-management/img-boot-sequence.md
index b1077e5be6..6ce343dade 100644
--- a/windows/client-management/img-boot-sequence.md
+++ b/windows/client-management/img-boot-sequence.md
@@ -14,4 +14,4 @@ ms.prod: w10
 
 Return to: [Advanced troubleshooting for Windows boot problems](advanced-troubleshooting-boot-problems.md)<br>
 
-![Full-sized boot sequence flowchart](images/boot-sequence.png)
+![Full-sized boot sequence flowchart.](images/boot-sequence.png)
diff --git a/windows/client-management/introduction-page-file.md b/windows/client-management/introduction-page-file.md
index 376916c1d3..9354d9c8c9 100644
--- a/windows/client-management/introduction-page-file.md
+++ b/windows/client-management/introduction-page-file.md
@@ -56,13 +56,13 @@ Page files extend how much "committed memory" (also known as "virtual memory") i
 
 The system commit memory limit is the sum of physical memory and all page files combined. It represents the maximum system-committed memory (also known as the "system commit charge") that the system can support.
 
-![Task manager](images/task-manager.png)
+![Task manager.](images/task-manager.png)
  
 The system commit charge is the total committed or "promised" memory of all committed virtual memory in the system. If the system commit charge reaches the system commit limit, the system and processes might not get committed memory. This condition can cause freezing, crashing, and other malfunctions. Therefore, make sure that you set the system commit limit high enough to support the system commit charge during peak usage.
 
-![Out of memory](images/out-of-memory.png)
+![Out of memory.](images/out-of-memory.png)
 
-![Task Manager](images/task-manager-commit.png)
+![Task Manager.](images/task-manager-commit.png)
 
 The system committed charge and system committed limit can be measured on the **Performance** tab in Task Manager or by using the "\Memory\Committed Bytes" and "\Memory\Commit Limit" performance counters. The \Memory\% Committed Bytes In Use counter is a ratio of \Memory\Committed Bytes to \Memory\Commit Limit values.
 
diff --git a/windows/client-management/manage-device-installation-with-group-policy.md b/windows/client-management/manage-device-installation-with-group-policy.md
index 263dd24430..db00986ab0 100644
--- a/windows/client-management/manage-device-installation-with-group-policy.md
+++ b/windows/client-management/manage-device-installation-with-group-policy.md
@@ -212,7 +212,7 @@ This policy setting will change the evaluation order in which Allow and Prevent
 
 Some of these policies take precedence over other policies. The flowchart shown below illustrates how Windows processes them to determine whether a user can install a device or not, as shown in Figure below.
  			
-![Device Installation policies flow chart](images/device-installation-flowchart.png)<br/>_Device Installation policies flow chart_
+![Device Installation policies flow chart.](images/device-installation-flowchart.png)<br/>_Device Installation policies flow chart_
 
 
 
@@ -261,17 +261,17 @@ To find device identification strings using Device Manager
 
 4. Find the “Printers” section and find the target printer
  
-    ![Selecting the printer in Device Manager](images/device-installation-dm-printer-by-device.png)<br/>_Selecting the printer in Device Manager_
+    ![Selecting the printer in Device Manager.](images/device-installation-dm-printer-by-device.png)<br/>_Selecting the printer in Device Manager_
 
 5. Double-click the printer and move to the ‘Details’ tab.
 
-    ![‘Details’ tab](images/device-installation-dm-printer-details-screen.png)<br/>_Open the ‘Details’ tab to look for the device identifiers_
+    ![‘Details’ tab.](images/device-installation-dm-printer-details-screen.png)<br/>_Open the ‘Details’ tab to look for the device identifiers_
 
 6. From the ‘Value’ window, copy the most detailed Hardware ID – we will use this in the policies.
 
-    ![HWID](images/device-installation-dm-printer-hardware-ids.png)
+    ![HWID.](images/device-installation-dm-printer-hardware-ids.png)
 
-    ![Compatible ID](images/device-installation-dm-printer-compatible-ids.png)<br/>_HWID and Compatible ID_
+    ![Compatible ID.](images/device-installation-dm-printer-compatible-ids.png)<br/>_HWID and Compatible ID_
 
     > [!TIP]
     > You can also determine your device identification strings by using the PnPUtil command-line utility. For more information, see [PnPUtil - Windows drivers](/windows-hardware/drivers/devtest/pnputil) in Microsoft Docs.
@@ -360,7 +360,7 @@ Creating the policy to prevent all printers from being installed:
 
 6. Enter the printer class GUID you found above with the curly braces (this is important! Otherwise, it won’t work): {4d36e979-e325-11ce-bfc1-08002be10318}
 
-    ![List of prevent Class GUIDs](images/device-installation-gpo-prevent-class-list.png)<br/>_List of prevent Class GUIDs_
+    ![List of prevent Class GUIDs.](images/device-installation-gpo-prevent-class-list.png)<br/>_List of prevent Class GUIDs_
 
 7. Click ‘OK’.
 
@@ -399,7 +399,7 @@ Getting the right device identifier to prevent it from being installed:
 
 1. Get your printer’s Hardware ID – in this example we will use the identifier we found previously
 
-    ![Printer Hardware ID identifier](images/device-installation-dm-printer-hardware-ids.png)<br/>_Printer Hardware ID_
+    ![Printer Hardware ID identifier.](images/device-installation-dm-printer-hardware-ids.png)<br/>_Printer Hardware ID_
 
 2. Write down the device ID (in this case Hardware ID) – WSDPRINT\CanonMX920_seriesC1A0; Take the more specific identifier to make sure you block a specific printer and not a family of printers
 
@@ -417,7 +417,7 @@ Creating the policy to prevent a single printer from being installed:
 
 5. Enter the printer device ID you found above – WSDPRINT\CanonMX920_seriesC1A0
 
-    ![Prevent Device ID list](images/device-installation-gpo-prevent-device-id-list-printer.png)<br/>_Prevent Device ID list_
+    ![Prevent Device ID list.](images/device-installation-gpo-prevent-device-id-list-printer.png)<br/>_Prevent Device ID list_
 
 6. Click ‘OK’.
 
@@ -477,7 +477,7 @@ First create a ‘Prevent Class’ policy and then create ‘Allow Device’ one
 
 6. Enter the printer class GUID you found above with the curly braces (this is important! Otherwise, it won’t work): {4d36e979-e325-11ce-bfc1-08002be10318}
 
-    ![List of prevent Class GUIDs](images/device-installation-gpo-prevent-class-list.png)<br/>_List of prevent Class GUIDs_
+    ![List of prevent Class GUIDs.](images/device-installation-gpo-prevent-class-list.png)<br/>_List of prevent Class GUIDs_
 
 7. Click ‘OK’.
 
@@ -489,7 +489,7 @@ First create a ‘Prevent Class’ policy and then create ‘Allow Device’ one
 
     ![Image of Local Group Policy Editor that shows the policies under "Device Installation Restrictions" and the policy named in this step.](images/device-installation-apply-layered_policy-1.png)
 
-    ![Image that shows the current settings of the policy named in this step, "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria."](images/device-installation-apply-layered-policy-2.png)<br/>_Apply layered order of evaluation policy_
+    ![Image that shows the current settings of the policy named in this step, "Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria.".](images/device-installation-apply-layered-policy-2.png)<br/>_Apply layered order of evaluation policy_
 
 9. Now Open **Allow installation of devices that match any of these device IDs** policy and select the ‘Enable’ radio button.
 
@@ -497,7 +497,7 @@ First create a ‘Prevent Class’ policy and then create ‘Allow Device’ one
 
 11. Enter the printer device ID you found above: WSDPRINT\CanonMX920_seriesC1A0.
 
-    ![Allow Printer Hardware ID](images/device-installation-gpo-allow-device-id-list-printer.png)<br/>_Allow Printer Hardware ID_
+    ![Allow Printer Hardware ID.](images/device-installation-gpo-allow-device-id-list-printer.png)<br/>_Allow Printer Hardware ID_
 
 12. Click ‘OK’.
 
@@ -532,22 +532,22 @@ Getting the right device identifier to prevent it from being installed and its l
 
 3. Find the USB thumb-drive and select it.
  
-    ![Selecting the usb thumb-drive in Device Manager](images/device-installation-dm-usb-by-device.png)<br/>_Selecting the usb thumb-drive in Device Manager_
+    ![Selecting the usb thumb-drive in Device Manager.](images/device-installation-dm-usb-by-device.png)<br/>_Selecting the usb thumb-drive in Device Manager_
 
 4. Change View (in the top menu) to ‘Devices by connections’. This view represents the way devices are installed in the PnP tree.
 
-    ![Changing view in Device Manager to see the PnP connection tree](images/device-installation-dm-usb-by-connection.png)<br/>_Changing view in Device Manager to see the PnP connection tree_
+    ![Changing view in Device Manager to see the PnP connection tree.](images/device-installation-dm-usb-by-connection.png)<br/>_Changing view in Device Manager to see the PnP connection tree_
 
     > [!NOTE]
     > When blocking\Preventing a device that sits higher in the PnP tree, all the devices that sit under it will be blocked. For example: Preventing a “Generic USB Hub” from being installed, all the devices that lay below a “Generic USB Hub” will be blocked.
  
-    ![Blocking nested devices from the root](images/device-installation-dm-usb-by-connection-blocked.png)<br/>_When blocking one device, all the devices that are nested below it will be blocked as well_
+    ![Blocking nested devices from the root.](images/device-installation-dm-usb-by-connection-blocked.png)<br/>_When blocking one device, all the devices that are nested below it will be blocked as well_
 
 5. Double-click the USB thumb-drive and move to the ‘Details’ tab.
 
 6. From the ‘Value’ window, copy the most detailed Hardware ID—we will use this in the policies. In this case Device ID = USBSTOR\DiskGeneric_Flash_Disk______8.07
  
-    ![USB device hardware IDs](images/device-installation-dm-usb-hwid.png)<br/>_USB device hardware IDs_
+    ![USB device hardware IDs.](images/device-installation-dm-usb-hwid.png)<br/>_USB device hardware IDs_
 
 Creating the policy to prevent a single USB thumb-drive from being installed:
 
@@ -563,7 +563,7 @@ Creating the policy to prevent a single USB thumb-drive from being installed:
 
 5. Enter the USB thumb-drive device ID you found above – USBSTOR\DiskGeneric_Flash_Disk______8.07
  
-    ![Prevent Device IDs list](images/device-installation-gpo-prevent-device-id-list-usb.png)<br/>_Prevent Device IDs list_
+    ![Prevent Device IDs list.](images/device-installation-gpo-prevent-device-id-list-usb.png)<br/>_Prevent Device IDs list_
 
 6. Click ‘OK’.
 
@@ -620,7 +620,7 @@ As mentioned in scenario #4, it is not enough to enable only a single hardware I
 - “USB Root Hub (USB 3.0)” -> USB\ROOT_HUB30
 - “Generic USB Hub” -> USB\USB20_HUB
  
-![USB devices nested in the PnP tree](images/device-installation-dm-usb-by-connection-layering.png)<br/>_USB devices nested under each other in the PnP tree_
+![USB devices nested in the PnP tree.](images/device-installation-dm-usb-by-connection-layering.png)<br/>_USB devices nested under each other in the PnP tree_
 
 These devices are internal devices on the machine that define the USB port connection to the outside world. Enabling them should not enable any external/peripheral device from being installed on the machine.
 
@@ -663,7 +663,7 @@ First create a ‘Prevent Class’ policy and then create ‘Allow Device’ one
 
 9. Open the **Apply layered order of evaluation for Allow and Prevent device installation policies across all device match criteria** policy and enable it – this policy will enable you to override the wide coverage of the ‘Prevent’ policy with a specific device.
 
-    ![Apply layered order of evaluation policy](images/device-installation-apply-layered_policy-1.png)<br/>_Apply layered order of evaluation policy_
+    ![Apply layered order of evaluation policy.](images/device-installation-apply-layered_policy-1.png)<br/>_Apply layered order of evaluation policy_
 
 10. Now Open **Allow installation of devices that match any of these device IDs** policy and select the ‘Enable’ radio button.
 
@@ -671,7 +671,7 @@ First create a ‘Prevent Class’ policy and then create ‘Allow Device’ one
 
 12. Enter the full list of USB device IDs you found above including the specific USB Thumb-drive you would like to authorize for installation – USBSTOR\DiskGeneric_Flash_Disk______8.07
 
-    ![Image of an example list of devices that have been configured for the policy "Allow installation of devices that match any of these Device IDs."](images/device-installation-gpo-allow-device-id-list-usb.png)<br/>_Allowed USB Device IDs list_
+    ![Image of an example list of devices that have been configured for the policy "Allow installation of devices that match any of these Device IDs.".](images/device-installation-gpo-allow-device-id-list-usb.png)<br/>_Allowed USB Device IDs list_
 
 13. Click ‘OK’.
 
diff --git a/windows/client-management/manage-settings-app-with-group-policy.md b/windows/client-management/manage-settings-app-with-group-policy.md
index a177277d07..f64ee0de0c 100644
--- a/windows/client-management/manage-settings-app-with-group-policy.md
+++ b/windows/client-management/manage-settings-app-with-group-policy.md
@@ -35,7 +35,7 @@ Policy paths:
 
 **User Configuration** > **Administrative Templates** > **Control Panel** > **Settings Page Visibility**.
 
-![Settings page visibility policy](images/settings-page-visibility-gp.png)
+![Settings page visibility policy.](images/settings-page-visibility-gp.png)
 
 ## Configuring the Group Policy
 
diff --git a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
index 22ba2d74a8..0e9dd8a789 100644
--- a/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
+++ b/windows/client-management/manage-windows-10-in-your-organization-modern-management.md
@@ -92,7 +92,7 @@ For more information about how Windows 10 and Azure AD optimize access to work r
 
 As you review the roles in your organization, you can use the following generalized decision tree to begin to identify users or devices that require domain join. Consider switching the remaining users to Azure AD.
 
-![Decision tree for device authentication options](images/windows-10-management-cyod-byod-flow.png)
+![Decision tree for device authentication options.](images/windows-10-management-cyod-byod-flow.png)
 
 ## Settings and Configuration
 
diff --git a/windows/client-management/mandatory-user-profile.md b/windows/client-management/mandatory-user-profile.md
index b5b30659d6..7b77f47742 100644
--- a/windows/client-management/mandatory-user-profile.md
+++ b/windows/client-management/mandatory-user-profile.md
@@ -75,7 +75,7 @@ First, you create a default user profile with the customizations that you want,
    > [!TIP]
    > If you receive an error message that says "Sysprep was not able to validate your Windows installation", open %WINDIR%\\System32\\Sysprep\\Panther\\setupact.log and look for an entry like the following:
    >
-   > ![Microsoft Bing Translator package error](images/sysprep-error.png)
+   > ![Microsoft Bing Translator package error.](images/sysprep-error.png)
    >
    > Use the [Remove-AppxProvisionedPackage](/powershell/module/dism/remove-appxprovisionedpackage?view=win10-ps&preserve-view=true) and [Remove-AppxPackage -AllUsers](/powershell/module/appx/remove-appxpackage?view=win10-ps&preserve-view=true) cmdlet in Windows PowerShell to uninstall the app that is listed in the log.
 
@@ -86,11 +86,11 @@ First, you create a default user profile with the customizations that you want,
 1. In **User Profiles**, click **Default Profile**, and then click **Copy To**.
 
 
-   ![Example of User Profiles UI](images/copy-to.png)
+   ![Example of User Profiles UI.](images/copy-to.png)
 
 1. In **Copy To**, under **Permitted to use**, click **Change**.
 
-   ![Example of Copy To UI](images/copy-to-change.png)
+   ![Example of Copy To UI.](images/copy-to-change.png)
 
 1. In **Select User or Group**, in the **Enter the object name to select** field, type `everyone`, click **Check Names**, and then click **OK**.
 
@@ -98,11 +98,11 @@ First, you create a default user profile with the customizations that you want,
 
    - If the device is joined to the domain and you are signed in with an account that has permissions to write to a shared folder on the network, you can enter the shared folder path.
 
-   ![Example of Copy profile to](images/copy-to-path.png)
+   ![Example of Copy profile to.](images/copy-to-path.png)
 
    - If the device is not joined to the domain, you can save the profile locally and then copy it to the shared folder location.
 
-   ![Example of Copy To UI with UNC path](images/copy-to-path.png)
+   ![Example of Copy To UI with UNC path.](images/copy-to-path.png)
 
 1. Click **OK** to copy the default user profile.
 
@@ -139,9 +139,9 @@ When a user is configured with a mandatory profile, Windows 10 starts as though
 
 | Group Policy setting | Windows 10 | Windows Server 2016 | Windows 8.1 | Windows Server 2012 |
 | --- | --- | --- | --- | --- |
-| Computer Configuration > Administrative Templates > System > Logon > **Show first sign-in animation** = Disabled | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) |
-| Computer Configuration > Administrative Templates > Windows Components > Search > **Allow Cortana** = Disabled | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) | ![not supported](images/crossmark.png)  | ![not supported](images/crossmark.png)  |
-| Computer Configuration > Administrative Templates > Windows Components > Cloud Content > **Turn off Microsoft consumer experience** = Enabled | ![supported](images/checkmark.png) | ![not supported](images/crossmark.png) | ![not supported](images/crossmark.png) | ![not supported](images/crossmark.png) |
+| Computer Configuration > Administrative Templates > System > Logon > **Show first sign-in animation** = Disabled | ![supported.](images/checkmark.png) | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) | ![supported](images/checkmark.png) |
+| Computer Configuration > Administrative Templates > Windows Components > Search > **Allow Cortana** = Disabled | ![supported.](images/checkmark.png) | ![supported](images/checkmark.png) | ![not supported](images/crossmark.png)  | ![not supported](images/crossmark.png)  |
+| Computer Configuration > Administrative Templates > Windows Components > Cloud Content > **Turn off Microsoft consumer experience** = Enabled | ![supported.](images/checkmark.png) | ![not supported](images/crossmark.png) | ![not supported](images/crossmark.png) | ![not supported](images/crossmark.png) |
 
 > [!NOTE]
 > The Group Policy settings above can be applied in Windows 10 Professional edition.
diff --git a/windows/client-management/mdm/accountmanagement-csp.md b/windows/client-management/mdm/accountmanagement-csp.md
index 930343209f..42722f7bd7 100644
--- a/windows/client-management/mdm/accountmanagement-csp.md
+++ b/windows/client-management/mdm/accountmanagement-csp.md
@@ -22,7 +22,7 @@ AccountManagement CSP is used to configure setting in the Account Manager servic
 
 The following diagram shows the AccountManagement configuration service provider in tree format.
 
-![accountmanagement csp](images/provisioning-csp-accountmanagement.png)
+![accountmanagement csp.](images/provisioning-csp-accountmanagement.png)
 
 <a href="" id="accountmanagement"></a>**./Vendor/MSFT/AccountManagement**  
 Root node for the AccountManagement configuration service provider.
diff --git a/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md b/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md
index 34f60116f4..64394a6989 100644
--- a/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md
+++ b/windows/client-management/mdm/add-an-azure-ad-tenant-and-azure-ad-subscription.md
@@ -21,45 +21,45 @@ Here's a step-by-step guide to adding an Azure Active Directory tenant, adding a
 
 1. Sign up for Azure AD tenant from [this website](https://account.windowsazure.com/organization) by creating an administrator account for your organization.
 
-   ![sign up for azure ad tenant](images/azure-ad-add-tenant1.png)
+   ![sign up for azure ad tenant.](images/azure-ad-add-tenant1.png)
 
 2. Enter the information for your organization. Select **check availability** to verify that domain name that you selected is available.
 
-   ![sign up for azure ad](images/azure-ad-add-tenant2.png)
+   ![sign up for azure ad.](images/azure-ad-add-tenant2.png)
 
 3. Complete the login and country information. Enter a valid phone number, then select **Send text message** or **Call me**.
 
-   ![create azure account](images/azure-ad-add-tenant3.png)
+   ![create azure account.](images/azure-ad-add-tenant3.png)
 
 4. Enter the code that you receive and then select **Verify code**. After the code is verified and the continue button turns green, select **continue**.
 
-   ![add aad tenant](images/azure-ad-add-tenant3-b.png)
+   ![add aad tenant.](images/azure-ad-add-tenant3-b.png)
 
 5. After you finish creating your Azure account, you can add an Azure AD subscription.
 
    If you don't have a paid subscription to any Microsoft service, you can purchase an Azure AD premium subscription. Go to the Office 356 portal at https://portal.office.com/, and then sign in using the admin account that you created in Step 4 (for example, user1@contosoltd.onmicrosoftcom).
 
-   ![login to office 365](images/azure-ad-add-tenant4.png)
+   ![login to office 365.](images/azure-ad-add-tenant4.png)
 
 6. Select **Install software**.
 
-   ![login to office 365](images/azure-ad-add-tenant5.png)
+   ![login to office 365.](images/azure-ad-add-tenant5.png)
 
 7. In the Microsoft 365 admin center, select **Purchase Services** from the left navigation.
 
-   ![purchase service option in admin center menu](images/azure-ad-add-tenant6.png)
+   ![purchase service option in admin center menu.](images/azure-ad-add-tenant6.png)
 
 8. On the **Purchase services** page, scroll down until you see **Azure Active Directory Premium**, then select to purchase.
 
-   ![azure active directory option in purchase services page](images/azure-ad-add-tenant7.png)
+   ![azure active directory option in purchase services page.](images/azure-ad-add-tenant7.png)
 
 9. Continue with your purchase.
 
-   ![azure active directory premium payment page](images/azure-ad-add-tenant8.png)
+   ![azure active directory premium payment page.](images/azure-ad-add-tenant8.png)
 
 10. After the purchase is completed, you can log in to your Office 365 Admin Portal and you will see the **Azure AD** option from the Admin drop-down menu along with other services (SharePoint, Exchange, etc....).
 
-    ![admin center left navigation menu](images/azure-ad-add-tenant9.png)
+    ![admin center left navigation menu.](images/azure-ad-add-tenant9.png)
 
     When you choose Azure AD, it will take you to the Azure AD portal where you can manage your Azure AD applications.
 
@@ -69,27 +69,27 @@ If you have paid subscriptions to Office 365, Microsoft Dynamics CRM Online, Ent
 
 1.  Sign in to the Microsoft 365 admin center at <https://portal.office.com> using your organization's account.
 
-    ![register azuread](images/azure-ad-add-tenant10.png)
+    ![register azuread.](images/azure-ad-add-tenant10.png)
 
 2.  On the **Home** page, select on the Admin tools icon.
 
-    ![register azuread](images/azure-ad-add-tenant11.png)
+    ![register azuread.](images/azure-ad-add-tenant11.png)
 
 3.  On the **Admin center** page, hover your mouse over the Admin tools icon on the left and then click **Azure AD**. This will take you to the Azure Active Directory sign-up page and brings up your existing Office 365 organization account information.
 
-    ![register azuread](images/azure-ad-add-tenant12.png)
+    ![register azuread.](images/azure-ad-add-tenant12.png)
 
 4.  On the **Sign up** page, make sure to enter a valid phone number and then click **Sign up**.
 
-    ![register azuread](images/azure-ad-add-tenant13.png)
+    ![register azuread.](images/azure-ad-add-tenant13.png)
 
 5.  It may take a few minutes to process the request.
 
-    ![register azuread](images/azure-ad-add-tenant14.png)
+    ![register azuread.](images/azure-ad-add-tenant14.png)
 
 6.  You will see a welcome page when the process completes.
 
-    ![register azuread](images/azure-ad-add-tenant15.png)
+    ![register azuread.](images/azure-ad-add-tenant15.png)
 
  
 
diff --git a/windows/client-management/mdm/applocker-csp.md b/windows/client-management/mdm/applocker-csp.md
index 3df830bda7..5669fcf0f8 100644
--- a/windows/client-management/mdm/applocker-csp.md
+++ b/windows/client-management/mdm/applocker-csp.md
@@ -263,16 +263,16 @@ Supported operations are Get, Add, Delete, and Replace.
 
     The **Device Portal** page opens on your browser.
 
-    ![device portal screenshot](images/applocker-screenshot1.png)
+    ![device portal screenshot.](images/applocker-screenshot1.png)
 
 8.  On the desktop **Device Portal** page, click **Apps** to open the **App Manager**.
 9.  On the **App Manager** page under **Running apps**, you will see the **Publisher** and **PackageFullName** of apps.
 
-    ![device portal app manager](images/applocker-screenshot3.png)
+    ![device portal app manager.](images/applocker-screenshot3.png)
 
 10. If you do not see the app that you want, look under **Installed apps**. Using the drop- down menu, click on the application and you get the Version, Publisher, and PackageFullName displayed.
 
-    ![app manager](images/applocker-screenshot2.png)
+    ![app manager.](images/applocker-screenshot2.png)
 
 The following table shows the mapping of information to the AppLocker publisher rule field.
 
diff --git a/windows/client-management/mdm/appv-deploy-and-config.md b/windows/client-management/mdm/appv-deploy-and-config.md
index 157bf6f4d0..4c8f6eaecd 100644
--- a/windows/client-management/mdm/appv-deploy-and-config.md
+++ b/windows/client-management/mdm/appv-deploy-and-config.md
@@ -23,7 +23,7 @@ manager: dansimp
 
 [EnterpriseAppVManagement CSP reference](./enterpriseappvmanagement-csp.md)
 
-![enterpriseappvmanagement csp](images/provisioning-csp-enterpriseappvmanagement.png)
+![enterpriseappvmanagement csp.](images/provisioning-csp-enterpriseappvmanagement.png)
 
 <p>(./User/Vendor/MSFT/EnterpriseAppVManagement) contains the following sub-nodes.</p>
 
diff --git a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md
index 82a11f3eb6..97f22aae88 100644
--- a/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md
+++ b/windows/client-management/mdm/azure-active-directory-integration-with-mdm.md
@@ -90,7 +90,7 @@ After the users accepts the Terms of Use, the device is registered in Azure AD a
 
 The following diagram illustrates the high-level flow involved in the actual enrollment process. The device is first registered with Azure AD. This process assigns a unique device identifier to the device and presents the device with the ability to authenticate itself with Azure AD (device authentication). Subsequently, the device is enrolled for management with the MDM. This is done by calling the enrollment endpoint and requesting enrollment for the user and device. At this point, the user has been authenticated and device has been registered and authenticated with Azure AD. This information is made available to the MDM in the form of claims within an access token presented at the enrollment endpoint.
 
-![azure ad enrollment flow](images/azure-ad-enrollment-flow.png)
+![azure ad enrollment flow.](images/azure-ad-enrollment-flow.png)
 
 The MDM is expected to use this information about the device (Device ID) when reporting device compliance back to Azure AD using the [Azure AD Graph API](/azure/active-directory/develop/active-directory-graph-api). A sample for reporting device compliance is provided later in this topic.
 
@@ -173,7 +173,7 @@ IT administrators use the Azure AD app gallery to add an MDM for their organizat
 
 The following image illustrates how MDM applications will show up in the Azure app gallery in a category dedicated to MDM software.
 
-![azure ad add an app for mdm](images/azure-ad-app-gallery.png)
+![azure ad add an app for mdm.](images/azure-ad-app-gallery.png)
 
 ### Add cloud-based MDM to the app gallery
 
@@ -732,7 +732,7 @@ Response:
 
 When a user is enrolled into MDM through Azure Active Directory Join and then disconnects the enrollment, there is no warning that the user will lose Windows Information Protection (WIP) data. The disconnection message does not indicate the loss of WIP data.
 
-![aadj unenrollment](images/azure-ad-unenrollment.png)
+![aadj unenrollment.](images/azure-ad-unenrollment.png)
 
 ## Error codes
 
diff --git a/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md b/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
index 21499425a9..ce25592491 100644
--- a/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
+++ b/windows/client-management/mdm/azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md
@@ -20,10 +20,10 @@ manager: dansimp
 2. Select **Mobility (MDM and MAM)**, and find the Microsoft Intune app.
 3. Select **Microsoft Intune** and configure the blade. 
 
-![How to get to the Blade](images/azure-mdm-intune.png) 
+![How to get to the Blade.](images/azure-mdm-intune.png) 
 
 Configure the blade                                                                      
 
-![Configure the Blade](images/azure-intune-configure-scope.png) 
+![Configure the Blade.](images/azure-intune-configure-scope.png) 
 
 You can specify settings to allow all users to enroll a device and make it Intune ready, or choose to allow some users (and then add a group of users). 
diff --git a/windows/client-management/mdm/bootstrap-csp.md b/windows/client-management/mdm/bootstrap-csp.md
index 0bb9326924..e07354fa81 100644
--- a/windows/client-management/mdm/bootstrap-csp.md
+++ b/windows/client-management/mdm/bootstrap-csp.md
@@ -27,7 +27,7 @@ The BOOTSTRAP configuration service provider sets the Trusted Provisioning Serve
 
 The following image shows the BOOTSTRAP configuration service provider in tree format as used by Open Mobile Alliance (OMA) Client Provisioning. The OMA Device Management protocol is not supported with this configuration service provider.
 
-![bootstrap csp (cp)](images/provisioning-csp-bootstrap-cp.png)
+![bootstrap csp (cp).](images/provisioning-csp-bootstrap-cp.png)
 
 <a href="" id="context-allow"></a>**CONTEXT-ALLOW**  
 Optional. Specifies a context for the TPS. Only one context is supported, so this parameter is ignored and "0" is assumed for its value.
diff --git a/windows/client-management/mdm/browserfavorite-csp.md b/windows/client-management/mdm/browserfavorite-csp.md
index 46ee3a5e98..15a939f7eb 100644
--- a/windows/client-management/mdm/browserfavorite-csp.md
+++ b/windows/client-management/mdm/browserfavorite-csp.md
@@ -30,7 +30,7 @@ This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID
 
 The following diagram shows the BrowserFavorite configuration service provider in tree format as used by Open Mobile Alliance Device (OMA) Client Provisioning. The OMA Device Management protocol is not supported with this configuration service provider.
 
-![browserfavorite csp (cp)](images/provisioning-csp-browserfavorite-cp.png)
+![browserfavorite csp (cp).](images/provisioning-csp-browserfavorite-cp.png)
 
 <a href="" id="favorite-name-------------"></a>***favorite name***   
 Required. Specifies the user-friendly name of the favorite URL that is displayed in the Favorites list of Internet Explorer.
diff --git a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md
index 4fabdbc971..d1db6d514e 100644
--- a/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md
+++ b/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool.md
@@ -57,7 +57,7 @@ Using the WCD, create a provisioning package using the enrollment information re
 1. Open the WCD tool.
 2. Click **Advanced Provisioning**.
 
-   ![icd start page](images/bulk-enrollment7.png)
+   ![icd start page.](images/bulk-enrollment7.png)
 3. Enter a project name and click **Next**.
 4. Select **All Windows editions**, since Provisioning CSP is common to all Windows editions, then click **Next**.
 5. Skip **Import a provisioning package (optional)** and click **Finish**.
@@ -74,20 +74,20 @@ Using the WCD, create a provisioning package using the enrollment information re
    For detailed descriptions of these settings, see [Provisioning CSP](provisioning-csp.md).
    Here is the screenshot of the WCD at this point.
    
-    ![bulk enrollment screenshot](images/bulk-enrollment.png)
+    ![bulk enrollment screenshot.](images/bulk-enrollment.png)
 9. Configure the other settings, such as the Wi-Fi connections so that the device can join a network before joining MDM (e.g., **Runtime settings** &gt; **ConnectivityProfiles** &gt; **WLANSetting**).
 10. When you are done adding all the settings, on the **File** menu, click **Save**.
 11. On the main menu click **Export** &gt; **Provisioning package**.
 
-    ![icd menu for export](images/bulk-enrollment2.png)
+    ![icd menu for export.](images/bulk-enrollment2.png)
 12. Enter the values for your package and specify the package output location.
 
-    ![enter package information](images/bulk-enrollment3.png)
-    ![enter additional information for package information](images/bulk-enrollment4.png)
-    ![specify file location](images/bulk-enrollment6.png)
+    ![enter package information.](images/bulk-enrollment3.png)
+    ![enter additional information for package information.](images/bulk-enrollment4.png)
+    ![specify file location.](images/bulk-enrollment6.png)
 13. Click **Build**.
 
-    ![icb build window](images/bulk-enrollment5.png)
+    ![icb build window.](images/bulk-enrollment5.png)
 14. Apply the package to some test devices and verify that they work. For more information, see [Apply a provisioning package](#apply-a-provisioning-package).
 15. Apply the package to your devices.
 
@@ -108,7 +108,7 @@ Using the WCD, create a provisioning package using the enrollment information re
    5.  Set **ExportCertificate** to False.
    6.  For **KeyLocation**, select **Software only**.
 
-   ![icd certificates section](images/bulk-enrollment8.png)
+   ![icd certificates section.](images/bulk-enrollment8.png)
 7. Specify the workplace settings.
    1. Got to **Workplace** &gt; **Enrollments**.
    2. Enter the **UPN** for the enrollment and then click **Add**.
diff --git a/windows/client-management/mdm/cellularsettings-csp.md b/windows/client-management/mdm/cellularsettings-csp.md
index 64372f26a8..ab4cb97c8f 100644
--- a/windows/client-management/mdm/cellularsettings-csp.md
+++ b/windows/client-management/mdm/cellularsettings-csp.md
@@ -21,7 +21,7 @@ The CellularSettings configuration service provider is used to configure cellula
 
 The following image shows the CellularSettings CSP in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP). The OMA DM protocol is not supported with this configuration service provider.
 
-![provisioning for cellular settings](images/provisioning-csp-cellularsettings.png)
+![provisioning for cellular settings.](images/provisioning-csp-cellularsettings.png)
 
 <a href="" id="dataroam"></a>**DataRoam**  
 <p style="margin-left: 20px"> Optional. Integer. Specifies the default roaming value. Valid values are:</p>
diff --git a/windows/client-management/mdm/cm-cellularentries-csp.md b/windows/client-management/mdm/cm-cellularentries-csp.md
index 5063181c3f..1d42413872 100644
--- a/windows/client-management/mdm/cm-cellularentries-csp.md
+++ b/windows/client-management/mdm/cm-cellularentries-csp.md
@@ -20,7 +20,7 @@ This configuration service provider requires the ID\_CAP\_NETWORKING\_ADMIN capa
 
 The following diagram shows the CM\_CellularEntries configuration service provider management object in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP). The OMA DM protocol is not supported with this configuration service provider.
 
-![cm\-cellularentries csp](images/provisioning-csp-cm-cellularentries.png)
+![cm\-cellularentries csp.](images/provisioning-csp-cm-cellularentries.png)
 
 <a href="" id="entryname"></a>***entryname***  
 <p style="margin-left: 20px">Defines the name of the connection.</p>
diff --git a/windows/client-management/mdm/configuration-service-provider-reference.md b/windows/client-management/mdm/configuration-service-provider-reference.md
index cce8060fe3..d4793c91e6 100644
--- a/windows/client-management/mdm/configuration-service-provider-reference.md
+++ b/windows/client-management/mdm/configuration-service-provider-reference.md
@@ -2555,36 +2555,36 @@ The following list shows the CSPs supported in HoloLens devices:
 
 | Configuration service provider        | HoloLens (1st gen) Development Edition      | HoloLens (1st gen) Commercial Suite | HoloLens 2 |
 |------|--------|--------|--------|
-| [AccountManagement CSP](accountmanagement-csp.md)   | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) <sup>4</sup>       | ![check mark](images/checkmark.png)
-| [Accounts CSP](accounts-csp.md)    | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) |
-| [ApplicationControl CSP](applicationcontrol-csp.md) | ![cross mark](images/crossmark.png) | ![cross mark](images/crossmark.png) |  ![check mark](images/checkmark.png) |
-| [AppLocker CSP](applocker-csp.md)      | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png)       | ![cross mark](images/crossmark.png) |
-| [AssignedAccess CSP](assignedaccess-csp.md)      | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) <sup>4</sup>       | ![check mark](images/checkmark.png) |
-| [CertificateStore CSP](certificatestore-csp.md)    | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png)| ![check mark](images/checkmark.png) |
-| [ClientCertificateInstall CSP](clientcertificateinstall-csp.md)  | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png)       | ![check mark](images/checkmark.png) |
-| [DevDetail CSP](devdetail-csp.md)   | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png)       | ![check mark](images/checkmark.png) |
-| [DeveloperSetup CSP](developersetup-csp.md)   | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) <sup>2</sup>   (runtime provisioning via provisioning packages only; no MDM support)| ![check mark](images/checkmark.png) |
-| [DeviceManageability CSP](devicemanageability-csp.md) | ![cross mark](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) |
-| [DeviceStatus CSP](devicestatus-csp.md)  | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png)  | ![check mark](images/checkmark.png) |
-| [DevInfo CSP](devinfo-csp.md)  | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png)       | ![check mark](images/checkmark.png) |
-| [DiagnosticLog CSP](diagnosticlog-csp.md)  | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png)       | ![check mark](images/checkmark.png) |
-| [DMAcc CSP](dmacc-csp.md)      | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png)       | ![check mark](images/checkmark.png) |
-| [DMClient CSP](dmclient-csp.md)    | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png)       | ![check mark](images/checkmark.png) |
-| [EnrollmentStatusTracking CSP](enrollmentstatustracking-csp.md) | ![cross mark](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) <sup>10</sup>  |
-| [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png)       | ![check mark](images/checkmark.png) |
-| [NetworkProxy CSP](networkproxy-csp.md) | ![cross mark](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) |
-| [NetworkQoSPolicy CSP](networkqospolicy-csp.md)  | ![cross mark](images/crossmark.png) | ![cross mark](images/crossmark.png)       | ![check mark](images/checkmark.png) <sup>8</sup>|
-| [NodeCache CSP](nodecache-csp.md)  | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png)       | ![check mark](images/checkmark.png) |
-[PassportForWork CSP](passportforwork-csp.md) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) |
-| [Policy CSP](policy-configuration-service-provider.md)    | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png)       | ![check mark](images/checkmark.png) |
-| [RemoteFind CSP](remotefind-csp.md)    | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) <sup>4</sup>       | ![check mark](images/checkmark.png) |
-| [RemoteWipe CSP](remotewipe-csp.md) (**doWipe** and **doWipePersistProvisionedData** nodes only)  | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) <sup>4</sup>       | ![check mark](images/checkmark.png) |
-| [RootCATrustedCertificates CSP](rootcacertificates-csp.md)   | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png)       | ![check mark](images/checkmark.png) |
-| [TenantLockdown CSP](tenantlockdown-csp.md) | ![cross mark](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) <sup>10</sup>  |
-| [Update CSP](update-csp.md)     | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png)       | ![check mark](images/checkmark.png) |
-| [VPNv2 CSP](vpnv2-csp.md)    | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png)       | ![check mark](images/checkmark.png) |
-| [WiFi CSP](wifi-csp.md)     | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png)       | ![check mark](images/checkmark.png) |
-| [WindowsLicensing CSP](windowslicensing-csp.md)   | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png)       | ![cross mark](images/crossmark.png) |
+| [AccountManagement CSP](accountmanagement-csp.md)   | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) <sup>4</sup>       | ![check mark](images/checkmark.png)
+| [Accounts CSP](accounts-csp.md)    | ![check mark.](images/checkmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) |
+| [ApplicationControl CSP](applicationcontrol-csp.md) | ![cross mark.](images/crossmark.png) | ![cross mark](images/crossmark.png) |  ![check mark](images/checkmark.png) |
+| [AppLocker CSP](applocker-csp.md)      | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png)       | ![cross mark](images/crossmark.png) |
+| [AssignedAccess CSP](assignedaccess-csp.md)      | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) <sup>4</sup>       | ![check mark](images/checkmark.png) |
+| [CertificateStore CSP](certificatestore-csp.md)    | ![check mark.](images/checkmark.png) | ![check mark](images/checkmark.png)| ![check mark](images/checkmark.png) |
+| [ClientCertificateInstall CSP](clientcertificateinstall-csp.md)  | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png)       | ![check mark](images/checkmark.png) |
+| [DevDetail CSP](devdetail-csp.md)   | ![check mark.](images/checkmark.png) | ![check mark](images/checkmark.png)       | ![check mark](images/checkmark.png) |
+| [DeveloperSetup CSP](developersetup-csp.md)   | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) <sup>2</sup>   (runtime provisioning via provisioning packages only; no MDM support)| ![check mark](images/checkmark.png) |
+| [DeviceManageability CSP](devicemanageability-csp.md) | ![cross mark.](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) |
+| [DeviceStatus CSP](devicestatus-csp.md)  | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png)  | ![check mark](images/checkmark.png) |
+| [DevInfo CSP](devinfo-csp.md)  | ![check mark.](images/checkmark.png) | ![check mark](images/checkmark.png)       | ![check mark](images/checkmark.png) |
+| [DiagnosticLog CSP](diagnosticlog-csp.md)  | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png)       | ![check mark](images/checkmark.png) |
+| [DMAcc CSP](dmacc-csp.md)      | ![check mark.](images/checkmark.png) | ![check mark](images/checkmark.png)       | ![check mark](images/checkmark.png) |
+| [DMClient CSP](dmclient-csp.md)    | ![check mark.](images/checkmark.png) | ![check mark](images/checkmark.png)       | ![check mark](images/checkmark.png) |
+| [EnrollmentStatusTracking CSP](enrollmentstatustracking-csp.md) | ![cross mark.](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) <sup>10</sup>  |
+| [EnterpriseModernAppManagement CSP](enterprisemodernappmanagement-csp.md) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png)       | ![check mark](images/checkmark.png) |
+| [NetworkProxy CSP](networkproxy-csp.md) | ![cross mark.](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) |
+| [NetworkQoSPolicy CSP](networkqospolicy-csp.md)  | ![cross mark.](images/crossmark.png) | ![cross mark](images/crossmark.png)       | ![check mark](images/checkmark.png) <sup>8</sup>|
+| [NodeCache CSP](nodecache-csp.md)  | ![check mark.](images/checkmark.png) | ![check mark](images/checkmark.png)       | ![check mark](images/checkmark.png) |
+[PassportForWork CSP](passportforwork-csp.md) | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) | ![check mark](images/checkmark.png) |
+| [Policy CSP](policy-configuration-service-provider.md)    | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png)       | ![check mark](images/checkmark.png) |
+| [RemoteFind CSP](remotefind-csp.md)    | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) <sup>4</sup>       | ![check mark](images/checkmark.png) |
+| [RemoteWipe CSP](remotewipe-csp.md) (**doWipe** and **doWipePersistProvisionedData** nodes only)  | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png) <sup>4</sup>       | ![check mark](images/checkmark.png) |
+| [RootCATrustedCertificates CSP](rootcacertificates-csp.md)   | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png)       | ![check mark](images/checkmark.png) |
+| [TenantLockdown CSP](tenantlockdown-csp.md) | ![cross mark.](images/crossmark.png) | ![cross mark](images/crossmark.png) | ![check mark](images/checkmark.png) <sup>10</sup>  |
+| [Update CSP](update-csp.md)     | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png)       | ![check mark](images/checkmark.png) |
+| [VPNv2 CSP](vpnv2-csp.md)    | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png)       | ![check mark](images/checkmark.png) |
+| [WiFi CSP](wifi-csp.md)     | ![cross mark.](images/crossmark.png) | ![check mark](images/checkmark.png)       | ![check mark](images/checkmark.png) |
+| [WindowsLicensing CSP](windowslicensing-csp.md)   | ![check mark.](images/checkmark.png) | ![check mark](images/checkmark.png)       | ![cross mark](images/crossmark.png) |
 
  
 ## <a href="" id="surfacehubcspsupport"></a>CSPs supported in Microsoft Surface Hub
diff --git a/windows/client-management/mdm/device-update-management.md b/windows/client-management/mdm/device-update-management.md
index 8e886f3661..cc589f1f13 100644
--- a/windows/client-management/mdm/device-update-management.md
+++ b/windows/client-management/mdm/device-update-management.md
@@ -42,7 +42,7 @@ For more information about the CSPs, see [Update CSP](update-csp.md) and the upd
 
 The following diagram provides a conceptual overview of how this works:
 
-![mobile device update management](images/mdm-update-sync.png)
+![mobile device update management.](images/mdm-update-sync.png)
 
 The diagram can be roughly divided into three areas:
 
@@ -56,7 +56,7 @@ The Microsoft Update Catalog is huge and contains many updates that are not need
 
 This section describes how this is done. The following diagram shows the server-server sync protocol process.
 
-![mdm server-server sync](images/deviceupdateprocess2.png)
+![mdm server-server sync.](images/deviceupdateprocess2.png)
 
 MSDN provides much information about the Server-Server sync protocol. In particular:
 
@@ -140,7 +140,7 @@ The enterprise IT can configure auto-update polices via OMA DM using the [Policy
 
 The following diagram shows the Update policies in a tree format.
 
-![update policies](images/update-policies.png)
+![update policies.](images/update-policies.png)
 
 <a href="" id="update-activehoursend"></a>**Update/ActiveHoursEnd**
 > [!NOTE]
@@ -676,7 +676,7 @@ Example
 
 The enterprise IT can configure the set of approved updates and get compliance status via OMA DM using the [Update CSP](update-csp.md). The following diagram shows the Update CSP in tree format..
 
-![provisioning csp update](images/provisioning-csp-update.png)
+![provisioning csp update.](images/provisioning-csp-update.png)
 
 <a href="" id="update"></a>**Update**
 The root node.
@@ -889,9 +889,9 @@ Here is the list of older policies that are still supported for backward compati
 
 The following screenshots of the administrator console show the list of update titles, approval status, and additional metadata fields.
 
-![mdm update management screenshot](images/deviceupdatescreenshot1.png)
+![mdm update management screenshot.](images/deviceupdatescreenshot1.png)
 
-![mdm update management metadata screenshot](images/deviceupdatescreenshot2.png)
+![mdm update management metadata screenshot.](images/deviceupdatescreenshot2.png)
 
 
 ## <a href="" id="syncmlexample"></a>SyncML example
@@ -945,5 +945,5 @@ Set auto update to notify and defer.
 
 The following diagram and screenshots show the process flow of the device update process using Windows Server Update Services and Microsoft Update Catalog.
 
-![mdm device update management screenshot3](images/deviceupdatescreenshot3.png)![mdm device update management screenshot4](images/deviceupdatescreenshot4.png)![mdm device update management screenshot5](images/deviceupdatescreenshot5.png)![mdm device update management screenshot6](images/deviceupdatescreenshot6.png)![mdm device update management screenshot7](images/deviceupdatescreenshot7.png)![mdm device update management screenshot8](images/deviceupdatescreenshot8.png)![mdm device update management screenshot9](images/deviceupdatescreenshot9.png)
+![mdm device update management screenshot3.](images/deviceupdatescreenshot3.png)![mdm device update management screenshot4](images/deviceupdatescreenshot4.png)![mdm device update management screenshot5](images/deviceupdatescreenshot5.png)![mdm device update management screenshot6](images/deviceupdatescreenshot6.png)![mdm device update management screenshot7](images/deviceupdatescreenshot7.png)![mdm device update management screenshot8](images/deviceupdatescreenshot8.png)![mdm device update management screenshot9](images/deviceupdatescreenshot9.png)
 
diff --git a/windows/client-management/mdm/deviceinstanceservice-csp.md b/windows/client-management/mdm/deviceinstanceservice-csp.md
index f24564545c..0db22bf159 100644
--- a/windows/client-management/mdm/deviceinstanceservice-csp.md
+++ b/windows/client-management/mdm/deviceinstanceservice-csp.md
@@ -26,7 +26,7 @@ The DeviceInstance CSP is only supported in Windows 10 Mobile.
 
 The following diagram shows the DeviceInstanceService configuration service provider in tree format.
 
-![provisioning\-csp\-deviceinstanceservice](images/provisioning-csp-deviceinstanceservice.png)
+![provisioning\-csp\-deviceinstanceservice.](images/provisioning-csp-deviceinstanceservice.png)
 
 <a href="" id="roaming"></a>**Roaming**  
 A boolean value that specifies the roaming status of the device. In dual SIM mode when the device supports two different phone numbers, querying SIM 1 explicitly with ./Vendor/MSFT/DeviceInstanceService/Identify1/Roaming is functionally equivalent to using ./Vendor/MSFT/DeviceInstanceService/Roaming.
diff --git a/windows/client-management/mdm/devicelock-csp.md b/windows/client-management/mdm/devicelock-csp.md
index cef65071ec..9933e58a23 100644
--- a/windows/client-management/mdm/devicelock-csp.md
+++ b/windows/client-management/mdm/devicelock-csp.md
@@ -32,7 +32,7 @@ The DevicePasswordEnabled setting must be set to 0 (device password is enabled)
 
 The following image shows the DeviceLock configuration service provider in tree format.
 
-![devicelock csp](images/provisioning-csp-devicelock.png)
+![devicelock csp.](images/provisioning-csp-devicelock.png)
 
 <a href="" id="provider"></a>**Provider**  
 Required. An interior node to group all policy providers. Scope is permanent. Supported operation is Get.
diff --git a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md
index 6043b61d8c..92ed52968c 100644
--- a/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md
+++ b/windows/client-management/mdm/diagnose-mdm-failures-in-windows-10.md
@@ -20,13 +20,13 @@ To help diagnose enrollment or device management issues in Windows 10 devices m
 
 1. On your managed device go to **Settings** > **Accounts** > **Access work or school**.
 1. Click your work or school account, then click **Info.**  
-   ![Access work or school page in Settings](images/diagnose-mdm-failures15.png)
+   ![Access work or school page in Settings.](images/diagnose-mdm-failures15.png)
 
 1. At the bottom of the **Settings** page, click **Create report**.  
-   ![Access work or school page and then Create report](images/diagnose-mdm-failures16.png)
+   ![Access work or school page and then Create report.](images/diagnose-mdm-failures16.png)
 1. A window opens that shows the path to the log files. Click **Export**.
 
-   ![Access work or school log files](images/diagnose-mdm-failures17.png)
+   ![Access work or school log files.](images/diagnose-mdm-failures17.png)
 
 1. In File Explorer, navigate to c:\Users\Public\Documents\MDMDiagnostics to see the report.
 
@@ -59,7 +59,7 @@ Starting with the Windows 10, version 1511, MDM logs are captured in the Event
 
 Here's a screenshot:
 
-![mdm event viewer](images/diagnose-mdm-failures1.png)
+![mdm event viewer.](images/diagnose-mdm-failures1.png)
 
 In this location, the **Admin** channel logs events by default. However, if you need more details logs you can enable **Debug** logs by choosing **Show Analytic and Debug** logs option in **View** menu in Event Viewer.
 
@@ -238,26 +238,26 @@ For best results, ensure that the PC or VM on which you are viewing logs matches
 1.  Open eventvwr.msc.
 2.  Right-click on **Event Viewer(Local)** and select **Open Saved Log**.
 
-    ![event viewer screenshot](images/diagnose-mdm-failures9.png)
+    ![event viewer screenshot.](images/diagnose-mdm-failures9.png)
 
 3.  Navigate to the etl file that you got from the device and then open the file.
 4.  Click **Yes** when prompted to save it to the new log format.
 
-    ![event viewer prompt](images/diagnose-mdm-failures10.png)
+    ![event viewer prompt.](images/diagnose-mdm-failures10.png)
 
-    ![diagnose mdm failures](images/diagnose-mdm-failures11.png)
+    ![diagnose mdm failures.](images/diagnose-mdm-failures11.png)
 
 5.  The new view contains traces from the channel. Click on **Filter Current Log** from the **Actions** menu.
 
-    ![event viewer actions](images/diagnose-mdm-failures12.png)
+    ![event viewer actions.](images/diagnose-mdm-failures12.png)
 
 6.  Add a filter to Event sources by selecting **DeviceManagement-EnterpriseDiagnostics-Provider** and click **OK**.
 
-    ![event filter for Device Management](images/diagnose-mdm-failures13.png)
+    ![event filter for Device Management.](images/diagnose-mdm-failures13.png)
 
 7.  Now you are ready to start reviewing the logs.
 
-    ![event viewer review logs](images/diagnose-mdm-failures14.png)
+    ![event viewer review logs.](images/diagnose-mdm-failures14.png)
 
 ## Collect device state data
 
diff --git a/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md b/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md
index 35fe6568b0..5f48d033a0 100644
--- a/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md
+++ b/windows/client-management/mdm/disconnecting-from-mdm-unenrollment.md
@@ -137,7 +137,7 @@ You can only use the Work Access page to unenroll under the following conditions
 
 When a user is enrolled into MDM through Azure Active Directory Join and then disconnects the enrollment, there is no warning that the user will lose Windows Information Protection (WIP) data. The disconnection message does not indicate the loss of WIP data.
 
-![aadj unenerollment](images/azure-ad-unenrollment.png)
+![aadj unenerollment.](images/azure-ad-unenrollment.png)
 
 When a device is enrolled into MDM through Azure Active Directory Join and then remotely unenrolled, the device may get into a state where it must be re-imaged. When devices are remotely unenrolled from MDM, the AAD association is also removed. This safeguard is in place to avoid leaving the corporated devices in unmanaged state.
 
diff --git a/windows/client-management/mdm/eap-configuration.md b/windows/client-management/mdm/eap-configuration.md
index 43882781ec..2ef69ad6c3 100644
--- a/windows/client-management/mdm/eap-configuration.md
+++ b/windows/client-management/mdm/eap-configuration.md
@@ -24,35 +24,35 @@ To get the EAP configuration from your desktop using the rasphone tool that is s
 
 1.  Run rasphone.exe.
 
-    ![vpnv2 rasphone](images/vpnv2-csp-rasphone.png)
+    ![vpnv2 rasphone.](images/vpnv2-csp-rasphone.png)
 
 1.  If you don't currently have a VPN connection and you see the following message, select **OK**.
 
-    ![vpnv2 csp network connections](images/vpnv2-csp-networkconnections.png)
+    ![vpnv2 csp network connections.](images/vpnv2-csp-networkconnections.png)
 
 1.  In the wizard, select **Workplace network**.
 
-    ![vpnv2 csp set up connection](images/vpnv2-csp-setupnewconnection.png)
+    ![vpnv2 csp set up connection.](images/vpnv2-csp-setupnewconnection.png)
 
 1.  Enter an Internet address and connection name. These can be fake since it does not impact the authentication parameters.
 
-    ![vpnv2 csp set up connection 2](images/vpnv2-csp-setupnewconnection2.png)
+    ![vpnv2 csp set up connection 2.](images/vpnv2-csp-setupnewconnection2.png)
 
 1.  Create a fake VPN connection. In the UI shown here, select **Properties**.
 
-    ![vpnv2 csp choose nw connection](images/vpnv2-csp-choosenetworkconnection.png)
+    ![vpnv2 csp choose nw connection.](images/vpnv2-csp-choosenetworkconnection.png)
 
 1.  In the **Test Properties** dialog, select the **Security** tab.
 
-    ![vpnv2 csp test props](images/vpnv2-csp-testproperties.png)
+    ![vpnv2 csp test props.](images/vpnv2-csp-testproperties.png)
 
 1.  On the **Security** tab, select **Use Extensible Authentication Protocol (EAP)**.
 
-    ![vpnv2 csp test props2](images/vpnv2-csp-testproperties2.png)
+    ![vpnv2 csp test props2.](images/vpnv2-csp-testproperties2.png)
 
 1.  From the drop-down menu, select the EAP method that you want to configure, and then select **Properties** to configure as needed.
 
-    ![vpnv2 csp test props3](images/vpnv2-csp-testproperties3.png)![vpnv2 csp test props4](images/vpnv2-csp-testproperties4.png)
+    ![vpnv2 csp test props3.](images/vpnv2-csp-testproperties3.png)![vpnv2 csp test props4](images/vpnv2-csp-testproperties4.png)
 
 1.  Switch over to PowerShell and use the following cmdlets to retrieve the EAP configuration XML.
 
@@ -267,7 +267,7 @@ Alternatively, you can use the following procedure to create an EAP configuratio
 1.  Follow steps 1 through 7 in the EAP configuration article.
 1.  In the **Microsoft VPN SelfHost Properties** dialog box, select **Microsoft: Smart Card or other Certificate** from the drop-down menu (this selects EAP TLS).
 
-    ![vpn self host properties window](images/certfiltering1.png)
+    ![vpn self host properties window.](images/certfiltering1.png)
 
     > [!NOTE]
     > For PEAP or TTLS, select the appropriate method and continue following this procedure.
@@ -277,11 +277,11 @@ Alternatively, you can use the following procedure to create an EAP configuratio
 1.  Select the **Properties** button underneath the drop-down menu.
 1.  On the **Smart Card or other Certificate Properties** menu, select the **Advanced** button.
 
-    ![smart card or other certificate properties window](images/certfiltering2.png)
+    ![smart card or other certificate properties window.](images/certfiltering2.png)
 
 1.  On the **Configure Certificate Selection** menu, adjust the filters as needed.
 
-    ![configure certificate window](images/certfiltering3.png)
+    ![configure certificate window.](images/certfiltering3.png)
 
 1.  Select **OK** to close the windows and get back to the main rasphone.exe dialog box.
 1.  Close the rasphone dialog box.
diff --git a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md
index d6a0127bab..cfc9928a0b 100644
--- a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md
+++ b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md
@@ -47,19 +47,19 @@ See [Support Tip: Ingesting Office ADMX-backed policies using Microsoft Intune](
 
     2. Under **Best match**, click **Edit group policy** to launch it.  
        
-       ![GPEdit search](images/admx-gpedit-search.png)
+       ![GPEdit search.](images/admx-gpedit-search.png)
 
     3. In **Local Computer Policy** navigate to the policy you want to configure.  
     
        In this example, navigate to **Administrative Templates >  System > App-V**.
 
-       ![App-V policies](images/admx-appv.png)
+       ![App-V policies.](images/admx-appv.png)
 
     4. Double-click **Enable App-V Client**.  
 
        The **Options** section is empty, which means there are no parameters necessary to enable the policy. If the **Options** section is not empty, follow the procedure in [Enable a policy that requires parameters](#enable-a-policy-that-requires-parameters)
 
-       ![Enable App-V client](images/admx-appv-enableapp-vclient.png)
+       ![Enable App-V client.](images/admx-appv-enableapp-vclient.png)
 
 3.  Create the SyncML to enable the policy that does not require any parameter.  
 
@@ -99,15 +99,15 @@ See [Support Tip: Ingesting Office ADMX-backed policies using Microsoft Intune](
 
    1. Double-click **Publishing Server 2 Settings** to see the parameters you need to configure when you enable this policy.
 
-      ![Enable publishing server 2 policy](images/admx-appv-publishingserver2.png)
+      ![Enable publishing server 2 policy.](images/admx-appv-publishingserver2.png)
 
-      ![Enable publishing server 2 settings](images/admx-app-v-enablepublishingserver2settings.png)
+      ![Enable publishing server 2 settings.](images/admx-app-v-enablepublishingserver2settings.png)
 
    2. Find the variable names of the parameters in the ADMX file.
 
       You can find the ADMX file name in the policy description in Policy CSP. In this example, the filename appv.admx is listed in [AppVirtualization/PublishingAllowServer2](policy-configuration-service-provider.md#appvirtualization-publishingallowserver2).
 
-      ![Publishing server 2 policy description](images/admx-appv-policy-description.png)
+      ![Publishing server 2 policy description.](images/admx-appv-policy-description.png)
 
    3. Navigate to **C:\Windows\PolicyDefinitions** (default location of the admx files) and open appv.admx.
 
diff --git a/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md b/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md
index f4c951af17..bab52cb7fd 100644
--- a/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md
+++ b/windows/client-management/mdm/enable-offline-updates-for-windows-embedded-8-1-handheld-devices-to-windows-10.md
@@ -84,7 +84,7 @@ After the upgrade to Windows 10 is complete, if you decide to push down a new we
 
 The following diagram shows a high-level overview of the process.
 
-![update process for windows embedded 8.1 devices](images/windowsembedded-update.png)
+![update process for windows embedded 8.1 devices.](images/windowsembedded-update.png)
 
 ## Step 1: Prepare a test device to download updates from Microsoft Update
 
@@ -107,15 +107,15 @@ Trigger the device to check for updates either manually or using Microsoft Endpo
 
 1.  Remotely trigger a scan of the test device by deploying a Trigger Scan configuration baseline.
 
-    ![device scan using Configuration Manager](images/windowsembedded-update2.png)
+    ![device scan using Configuration Manager.](images/windowsembedded-update2.png)
 
 2.  Set the value of this OMA-URI by going to **Configuration Item**, and then selecting the newly created Trigger Scan settings from the previous step.
 
-    ![device scan using Configuration Manager](images/windowsembedded-update3.png)
+    ![device scan using Configuration Manager.](images/windowsembedded-update3.png)
 
 3.  Ensure that the value that is specified for this URI is greater than the value on the device(s), and that the **Remediate noncompliant rules when supported** option is selected. For the first time, any value that is greater than 0 will work, but for subsequent configurations, ensure that you specify an incremented value.
 
-    ![device scan using Configuration Manager](images/windowsembedded-update4.png)
+    ![device scan using Configuration Manager.](images/windowsembedded-update4.png)
 
 4.  Create a configuration baseline for Trigger Scan and Deploy. We recommend that this configuration baseline be deployed after the Controlled Updates baseline has been applied to the device. (The corresponding files are deployed on the device through a device sync session.)
 5.  Follow the prompts for downloading the updates, but do not install the updates on the device.
@@ -216,11 +216,11 @@ The deployment process has three parts:
 
 1.  Create a configuration item. In the **Browse Settings** window, select **Device File** as a filter, and then select **Select**.
 
-    ![embedded device update](images/windowsembedded-update18.png)
+    ![embedded device update.](images/windowsembedded-update18.png)
 
 2.  Browse to the DUControlledUpdates.xml that was created from the test device, and then specify the file path and name on the device as `NonPersistent\DUControlledUpdates.xml`.
 
-    ![embedded device update](images/windowsembedded-update19.png)
+    ![embedded device update.](images/windowsembedded-update19.png)
 
 3.  Select **Remediate noncompliant settings**, and then select **OK**.
 
@@ -231,7 +231,7 @@ The deployment process has three parts:
 1.  Create a configuration item and specify the file path and name on the device as `NonPersistent\DUCustomContentURIs.xml`
 2.  Select **Remediate noncompliant settings**.
 
-    ![embedded device update](images/windowsembedded-update21.png)
+    ![embedded device update.](images/windowsembedded-update21.png)
 
 3.  Select **OK**.
 
@@ -242,11 +242,11 @@ The deployment process has three parts:
 1.  Create a configuration baseline item and give it a name (such as ControlledUpdates).
 2.  Add the DUControlledUpdates and DUCustomContentURIs configuration items, and then select **OK**.
 
-    ![embedded device update](images/windowsembedded-update22.png)
+    ![embedded device update.](images/windowsembedded-update22.png)
 
 3.  Deploy the configuration baseline to the appropriate device or device collection.
 
-    ![embedded device update](images/windowsembedded-update23.png)
+    ![embedded device update.](images/windowsembedded-update23.png)
 
 4.  Select **OK**.
 
@@ -472,57 +472,57 @@ Use this procedure for pre-GDR1 devices:
 2.  In Microsoft Endpoint Configuration Manager, under **Assets and Compliance** > **Compliance Settings**, right-click **Configuration Items**.
 3.  Select **Create Configuration Item**.
 
-    ![device update using Configuration Manager](images/windowsembedded-update5.png)
+    ![device update using Configuration Manager.](images/windowsembedded-update5.png)
 4.  Enter a filename (such as GetDUReport), and then select **Mobile Device**.
 5.  On the **Mobile Device Settings** page, select **Configure Additional Settings that are not in the default settings group**, and then select **Next**.
 
-    ![device update using Configuration Manager](images/windowsembedded-update6.png)
+    ![device update using Configuration Manager.](images/windowsembedded-update6.png)
 6.  On the **Additional Settings** page, select **Add**.
 
-    ![device update using Configuration Manager](images/windowsembedded-update7.png)
+    ![device update using Configuration Manager.](images/windowsembedded-update7.png)
 7.  On the **Browse Settings** page, select **Create Setting**.
 
-    ![device update](images/windowsembedded-update8.png)
+    ![device update.](images/windowsembedded-update8.png)
 8.  Enter a unique **Name**. For **Setting type**, select **OMA-URI**, and for **Data type**, select **String**.
 9.  In the **OMA-URI** text box, enter `./Vendor/MSFT/EnterpriseExt/DeviceUpdate/UpdatesResultXml`, and then select **OK**.
 
-    ![handheld device update](images/windowsembedded-update9.png)
+    ![handheld device update.](images/windowsembedded-update9.png)
 10. On the **Browse Settings** page, select **Close**.
 11. On the **Create Configuration Item Wizard** page, select **All Windows Embedded 8.1 Handheld** as the supported platform, and then select **Next**.
 
-    ![embedded device update](images/windowsembedded-update10.png)
+    ![embedded device update.](images/windowsembedded-update10.png)
 12. Close the **Create Configuration Item Wizard** page.
 13. Right-click on the newly create configuration item, and then select the **Compliance Rules** tab.
 14. Select the new created mobile device setting (such as DUReport), and then select **Select**.
 15. Enter a dummy value (such as zzz) that is different from the one on the device.
 
-    ![embedded device update](images/windowsembedded-update11.png)
+    ![embedded device update.](images/windowsembedded-update11.png)
 16. Disable remediation by deselecting the **Remediate noncompliant rules when supported** option.
 17. Select **OK** to close the **Edit Rule** page.
 18. Create a new configuration baseline. Under **Assets and Compliance** > **Compliance Settings**, right-click **Configuration Baselines**.
 19. Select **Create Configuration Item**.
 
-    ![embedded device update](images/windowsembedded-update12.png)
+    ![embedded device update.](images/windowsembedded-update12.png)
 20. Enter a baseline name (such as RetrieveDUReport).
 21. Add the configuration item that you just created. Select **Add**, and then select the configuration item that you just created (such as DUReport).
 
-    ![embedded device update](images/windowsembedded-update13.png)
+    ![embedded device update.](images/windowsembedded-update13.png)
 22. Select **OK**, and then select **OK** again to complete the configuration baseline.
 23. Deploy the newly created configuration baseline to the appropriate device collection. Right-click on the configuration baseline that you created, and then select **Deploy**.
 
-    ![embedded device update](images/windowsembedded-update14.png)
+    ![embedded device update.](images/windowsembedded-update14.png)
 24. Select **Remediate noncompliant rules when supported**.
 25. Select the appropriate device collection and define the schedule.
 
-    ![device update](images/windowsembedded-update15.png)
+    ![device update.](images/windowsembedded-update15.png)
 26. To view the DUReport content, select the appropriate deployment for the configuration baseline that you created. Right-click on the deployment, and then select **View Status**.
 27. Select **Run Summarization**, and then select **Refresh**. The test device(s) should be listed on the **Non-Compliant** tab.
 28. Under **Asset Details**, right-click on the test device, and then select **Mode Details**.
 
-    ![device update](images/windowsembedded-update16.png)
+    ![device update.](images/windowsembedded-update16.png)
 29. On the **Non-compliant** tab, you can see the DUReport, but you cannot retrieve the content from here.
 
-    ![device update](images/windowsembedded-update17.png)
+    ![device update.](images/windowsembedded-update17.png)
 30. To retrieve the DUReport, open C:\\Program Files\\SMS\_CCM\\SMS\_DM.log.
 31. In the log file, search from the bottom for "./Vendor/MSFT/EnterpriseExt/DeviceUpdate/UpdatesResultXml" RuleExression="Equals zzz," where zzz is the dummy value. Just above this, copy the information for UpdateData and use this information to create the DUControlledUpdates.xml.
 
diff --git a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
index 322e4dbc40..c9f13235e0 100644
--- a/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
+++ b/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy.md
@@ -46,11 +46,11 @@ To ensure that the auto-enrollment feature is working as expected, you must veri
 The following steps demonstrate required settings using the Intune service:
 1. Verify that the user who is going to enroll the device has a valid Intune license.
 
-    ![Intune license verification](images/auto-enrollment-intune-license-verification.png)
+    ![Intune license verification.](images/auto-enrollment-intune-license-verification.png)
 
 2. Verify that auto-enrollment is activated for those users who are going to enroll the devices into Intune. For additional details, see [Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal](./azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md).
 
-    ![Auto-enrollment activation verification](images/auto-enrollment-activation-verification.png)
+    ![Auto-enrollment activation verification.](images/auto-enrollment-activation-verification.png)
 
     > [!IMPORTANT]
     > For BYOD devices, the MAM user scope takes precedence if both MAM user scope and MDM user scope (automatic MDM enrollment) are enabled for all users (or the same groups of users). The device will use Windows Information Protection (WIP) Policies (if you configured them) rather than being MDM enrolled.
@@ -62,23 +62,23 @@ The following steps demonstrate required settings using the Intune service:
 
     You can confirm that the device is properly hybrid-joined if both **AzureAdJoined** and **DomainJoined** are set to **YES**.
 
-    ![Auto-enrollment device status result](images/auto-enrollment-device-status-result.png)
+    ![Auto-enrollment device status result.](images/auto-enrollment-device-status-result.png)
 
     Additionally, verify that the SSO State section displays **AzureAdPrt** as **YES**.
 
-    ![Auto-enrollment Azure AD prt verification](images/auto-enrollment-azureadprt-verification.png)
+    ![Auto-enrollment Azure AD prt verification.](images/auto-enrollment-azureadprt-verification.png)
 
     This information can also be found on the Azure AD device list.
 
-    ![Azure AD device list](images/azure-ad-device-list.png)
+    ![Azure AD device list.](images/azure-ad-device-list.png)
 
 5. Verify that the MDM discovery URL during auto-enrollment is https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
 
-    ![MDM discovery URL](images/auto-enrollment-mdm-discovery-url.png)
+    ![MDM discovery URL.](images/auto-enrollment-mdm-discovery-url.png)
 
 6. Some tenants might have both **Microsoft Intune** and **Microsoft Intune Enrollment** under **Mobility**. Make sure that your auto-enrollment settings are configured under **Microsoft Intune** instead of **Microsoft Intune Enrollment**.
 
-    ![Mobility setting MDM intune](images/auto-enrollment-microsoft-intune-setting.png)
+    ![Mobility setting MDM intune.](images/auto-enrollment-microsoft-intune-setting.png)
 
 7. Verify that the *Enable Automatic MDM enrollment using default Azure AD credentials* group policy (**Local Group Policy Editor > Computer Configuration > Policies > Administrative Templates > Windows Components > MDM**) is properly deployed to all devices which should be enrolled into Intune.
 You may contact your domain administrators to verify if the group policy has been deployed successfully.
@@ -87,7 +87,7 @@ You may contact your domain administrators to verify if the group policy has bee
 
 9. Verify that Microsoft Intune should allow enrollment of Windows devices.
 
-    ![Enrollment of Windows devices](images/auto-enrollment-enrollment-of-windows-devices.png)
+    ![Enrollment of Windows devices.](images/auto-enrollment-enrollment-of-windows-devices.png)
 
 ## Configure the auto-enrollment Group Policy for a single PC
 
@@ -102,18 +102,18 @@ Requirements:
 
     Click Start, then in the text box type gpedit.
 
-    ![GPEdit desktop app search result](images/autoenrollment-gpedit.png)
+    ![GPEdit desktop app search result.](images/autoenrollment-gpedit.png)
 
 2. Under **Best match**, click **Edit group policy** to launch it.
 
 3. In **Local Computer Policy**, click **Administrative Templates** > **Windows Components** > **MDM**.
 
     > [!div class="mx-imgBorder"]
-    > ![MDM policies](images/autoenrollment-mdm-policies.png)
+    > ![MDM policies.](images/autoenrollment-mdm-policies.png)
 
 4. Double-click **Enable automatic MDM enrollment using default Azure AD credentials** (previously called **Auto MDM Enrollment with AAD Token** in Windows 10, version 1709). For ADMX files in Windows 10, version 1903 and later, select **User Credential** as the Selected Credential Type to use.
 
-   ![MDM autoenrollment policy](images/autoenrollment-policy.png)
+   ![MDM autoenrollment policy.](images/autoenrollment-policy.png)
 
 5. Click **Enable**, and select **User Credential** from the dropdown **Select Credential Type to Use**, then click **OK**.
 
@@ -129,7 +129,7 @@ Requirements:
 
     If two-factor authentication is required, you will be prompted to complete the process. Here is an example screenshot.
 
-    ![Two-factor authentication notification](images/autoenrollment-2-factor-auth.png)
+    ![Two-factor authentication notification.](images/autoenrollment-2-factor-auth.png)
 
     > [!Tip]
     > You can avoid this behavior by using Conditional Access Policies in Azure AD.
@@ -139,7 +139,7 @@ Requirements:
 
 7. Click **Info** to see the MDM enrollment information.
 
-    ![Work School Settings](images/autoenrollment-settings-work-school.png)
+    ![Work School Settings.](images/autoenrollment-settings-work-school.png)
 
     If you do not see the **Info** button or the enrollment information, it is possible that the enrollment failed. Check the status in [Task Scheduler app](#task-scheduler-app).
 
@@ -148,13 +148,13 @@ Requirements:
 
 1. Click **Start**, then in the text box type **task scheduler**.
 
-   ![Task Scheduler search result](images/autoenrollment-task-schedulerapp.png)
+   ![Task Scheduler search result.](images/autoenrollment-task-schedulerapp.png)
 
 2. Under **Best match**, click **Task Scheduler** to launch it.
 
 3. In **Task Scheduler Library**, open **Microsoft > Windows** , then click **EnterpriseMgmt**.
 
-    ![Auto-enrollment scheduled task](images/autoenrollment-scheduled-task.png)
+    ![Auto-enrollment scheduled task.](images/autoenrollment-scheduled-task.png)
 
     To see the result of the task, move the scroll bar to the right to see the **Last Run Result**. Note that **0x80180026** is a failure message (MENROLL\_E_DEVICE\_MANAGEMENT_BLOCKED). You can see the logs in the **History** tab.
 
@@ -239,13 +239,13 @@ To collect Event Viewer logs:
 
 3. Search for event ID 75, which represents a successful auto-enrollment. Here is an example screenshot that shows the auto-enrollment completed successfully:
 
-    ![Event ID 75](images/auto-enrollment-troubleshooting-event-id-75.png)
+    ![Event ID 75.](images/auto-enrollment-troubleshooting-event-id-75.png)
 
     If you cannot find event ID 75 in the logs, it indicates that the auto-enrollment failed. This can happen because of the following reasons:
 
     - The enrollment failed with error. In this case, search for event ID 76, which represents failed auto-enrollment. Here is an example screenshot that shows that the auto-enrollment failed:
 
-      ![Event ID 76](images/auto-enrollment-troubleshooting-event-id-76.png)
+      ![Event ID 76.](images/auto-enrollment-troubleshooting-event-id-76.png)
 
       To troubleshoot, check the error code that appears in the event. See [Troubleshooting Windows device enrollment problems in Microsoft Intune](https://support.microsoft.com/en-ph/help/4469913/troubleshooting-windows-device-enrollment-problems-in-microsoft-intune) for more information.
 
@@ -253,7 +253,7 @@ To collect Event Viewer logs:
 
       The auto-enrollment process is triggered by a task (**Microsoft > Windows > EnterpriseMgmt**) within the task-scheduler. This task appears if the *Enable automatic MDM enrollment using default Azure AD credentials* group policy (**Computer Configuration > Policies > Administrative Templates > Windows Components > MDM**) is successfully deployed to the target machine as shown in the following screenshot:
 
-      ![Task scheduler](images/auto-enrollment-task-scheduler.png)
+      ![Task scheduler.](images/auto-enrollment-task-scheduler.png)
 
     > [!Note]
     > This task isn't visible to standard users - run Scheduled Tasks with administrative credentials to find the task.
@@ -262,24 +262,24 @@ To collect Event Viewer logs:
     **Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational**.
     Look for an entry where the task scheduler created by enrollment client for automatically enrolling in MDM from AAD is triggered by event ID 107.
 
-    ![Event ID 107](images/auto-enrollment-event-id-107.png)
+    ![Event ID 107.](images/auto-enrollment-event-id-107.png)
 
     When the task is completed, a new event ID 102 is logged.
 
-    ![Event ID 102](images/auto-enrollment-event-id-102.png)
+    ![Event ID 102.](images/auto-enrollment-event-id-102.png)
 
     Note that the task scheduler log displays event ID 102 (task completed) regardless of the auto-enrollment success or failure. This means that the task scheduler log is only useful to confirm if the auto-enrollment task is triggered or not. It does not indicate the success or failure of auto-enrollment.
 
     If you cannot see from the log that task Schedule created by enrollment client for automatically enrolling in MDM from AAD is initiated, there is possibly issue with the group policy. Immediately run the command `gpupdate /force` in command prompt to get the GPO applied. If this still does not help, further troubleshooting on the Active Directory is required.
     One frequently seen error is related to some outdated enrollment entries in the registry on the target client device (**HKLM > Software > Microsoft > Enrollments**). If a device has been enrolled (can be any MDM solution and not only Intune), some enrollment information added into the registry is seen:
 
-    ![Outdated enrollment entries](images/auto-enrollment-outdated-enrollment-entries.png)
+    ![Outdated enrollment entries.](images/auto-enrollment-outdated-enrollment-entries.png)
 
     By default, these entries are removed when the device is un-enrolled, but occasionally the registry key remains even after un-enrollment. In this case, `gpupdate /force` fails to initiate the auto-enrollment task and error code 2149056522 is displayed in the **Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational** event log file under event ID 7016.
 
     A resolution to this issue is to remove the registry key manually. If you do not know which registry key to remove, go for the key which displays most entries as the screenshot above. All other keys will display fewer entries as shown in the following screenshot:
 
-    ![Manually deleted entries](images/auto-enrollment-activation-verification-less-entries.png)
+    ![Manually deleted entries.](images/auto-enrollment-activation-verification-less-entries.png)
 
 ### Related topics
 
diff --git a/windows/client-management/mdm/enterprise-app-management.md b/windows/client-management/mdm/enterprise-app-management.md
index b809041a65..c29e2047ad 100644
--- a/windows/client-management/mdm/enterprise-app-management.md
+++ b/windows/client-management/mdm/enterprise-app-management.md
@@ -41,7 +41,7 @@ These classifications are represented as nodes in the EnterpriseModernAppManagem
 
 The following diagram shows the EnterpriseModernAppManagement CSP in a tree format.
 
-![enterprisemodernappmanagement csp diagram](images/provisioning-csp-enterprisemodernappmanagement.png)
+![enterprisemodernappmanagement csp diagram.](images/provisioning-csp-enterprisemodernappmanagement.png)
 
 Each app displays one package family name and 1-n package full names for installed apps. The apps are categorized based on their origin (Store, nonStore, System).
 
diff --git a/windows/client-management/mdm/enterpriseappmanagement-csp.md b/windows/client-management/mdm/enterpriseappmanagement-csp.md
index 51c1a6581f..98249aad50 100644
--- a/windows/client-management/mdm/enterpriseappmanagement-csp.md
+++ b/windows/client-management/mdm/enterpriseappmanagement-csp.md
@@ -23,7 +23,7 @@ The EnterpriseAppManagement enterprise configuration service provider is used to
 
 The following diagram shows the EnterpriseAppManagement configuration service provider in tree format.
 
-![enterpriseappmanagement csp](images/provisioning-csp-enterpriseappmanagement.png)
+![enterpriseappmanagement csp.](images/provisioning-csp-enterpriseappmanagement.png)
 
 <a href="" id="enterpriseid"></a>***EnterpriseID***
 Optional. A dynamic node that represents the EnterpriseID as a GUID. It is used to enroll or unenroll enterprise applications.
diff --git a/windows/client-management/mdm/filesystem-csp.md b/windows/client-management/mdm/filesystem-csp.md
index 12547591ba..3df7b51be2 100644
--- a/windows/client-management/mdm/filesystem-csp.md
+++ b/windows/client-management/mdm/filesystem-csp.md
@@ -24,7 +24,7 @@ The FileSystem configuration service provider is used to query, add, modify, and
 
 The following diagram shows the FileSystem configuration service provider management object in tree format as used by OMA DM. The OMA Client Provisioning protocol is not supported by this configuration service provider.
 
-![filesystem csp (dm)](images/provisioning-csp-filesystem-dm.png)
+![filesystem csp (dm).](images/provisioning-csp-filesystem-dm.png)
 
 <a href="" id="filesystem"></a>**FileSystem**
 Required. Defines the root of the file system management object. It functions as the root directory for file system queries.
diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md
index 9f691cab8c..03fb5b432d 100644
--- a/windows/client-management/mdm/healthattestation-csp.md
+++ b/windows/client-management/mdm/healthattestation-csp.md
@@ -104,7 +104,7 @@ The following is a list of functions performed by the Device HealthAttestation C
 - Receives an encrypted blob (DHA-EncBlob) from DHA-Service, and stores it in a local cache on the device</li>
 - Receives attestation requests (DHA-Requests) from a DHA-Enabled-MDM, and replies with a device health report (DHA-Report)</li>
 
-![healthattestation service diagram](images/healthattestation_2.png)
+![healthattestation service diagram.](images/healthattestation_2.png)
 
 <table> 
 <col width="20%" />
diff --git a/windows/client-management/mdm/hotspot-csp.md b/windows/client-management/mdm/hotspot-csp.md
index 36a979715e..af7934b674 100644
--- a/windows/client-management/mdm/hotspot-csp.md
+++ b/windows/client-management/mdm/hotspot-csp.md
@@ -27,7 +27,7 @@ The HotSpot configuration service provider is used to configure and enable Inter
 
 The following diagram shows the HotSpot configuration service provider management object in tree format as used by OMA Client Provisioning. The OMA DM protocol is not supported by this configuration service provider.
 
-![hotspot csp (cp)](images/provisioning-csp-hotspot-cp.png)
+![hotspot csp (cp).](images/provisioning-csp-hotspot-cp.png)
 
 <a href="" id="enabled"></a>**Enabled**
 Required. Specifies whether to enable Internet sharing on the device. The default is false.
diff --git a/windows/client-management/mdm/implement-server-side-mobile-application-management.md b/windows/client-management/mdm/implement-server-side-mobile-application-management.md
index 08a455f462..68633b48af 100644
--- a/windows/client-management/mdm/implement-server-side-mobile-application-management.md
+++ b/windows/client-management/mdm/implement-server-side-mobile-application-management.md
@@ -44,7 +44,7 @@ To make applications WIP-aware, app developers need to include the following dat
 
 MAM enrollment requires integration with Azure AD. The MAM service provider needs to publish the Management MDM app to the Azure AD app gallery. Starting with Azure AD in Windows 10, version 1703, the same cloud-based Management MDM app will support both MDM and MAM enrollments. If you have already published your MDM app, it needs to be updated to include MAM Enrollment and Terms of use URLs. The screenshot below illustrates the management app for an IT admin configuration.  
 
-![Mobile application management app](images/implement-server-side-mobile-application-management.png)
+![Mobile application management app.](images/implement-server-side-mobile-application-management.png)
 
 MAM and MDM services in an organization could be provided by different vendors. Depending on the company configuration, IT admin typically needs to add one or two Azure AD Management apps to configure MAM and MDM policies. For example, if both MAM and MDM are provided by the same vendor, then an IT Admin needs to add one Management app from this vendor that will contain both MAM and MDM policies for the organization. Alternatively, if the MAM and MDM services in an organization are provided by two different vendors, then two Management apps from the two vendors need to be configured for the company in Azure AD: one for MAM and one for MDM. Please note: if the MDM service in an organization is not integrated with Azure AD and uses auto-discovery, only one Management app for MAM needs to be configured.  
 
diff --git a/windows/client-management/mdm/management-tool-for-windows-store-for-business.md b/windows/client-management/mdm/management-tool-for-windows-store-for-business.md
index 12e50c7af7..875c7d0ded 100644
--- a/windows/client-management/mdm/management-tool-for-windows-store-for-business.md
+++ b/windows/client-management/mdm/management-tool-for-windows-store-for-business.md
@@ -59,13 +59,13 @@ The Store for Business provides services that enable a management tool to synchr
 
 The following diagram provides an overview of app distribution from acquisition of an offline-licensed application to distribution to a client. Once synchronized from the Store for Business, the management tool can use the Windows management framework to distribute applications to devices.
 
-![business store offline app distribution](images/businessstoreportalservices2.png)
+![business store offline app distribution.](images/businessstoreportalservices2.png)
 
 ### Online-licensed application distribution
 
 The following diagram provides an overview of app distribution from acquisition of an online-licensed application to distribution to a client. Once synchronized from the Store for Business, the management tool can use the Windows management framework to distribute applications to devices. For online-licensed applications, the management tool calls back into the Store for Business management services to assign an application prior to issuing the policy to install the application.
 
-![business store online app distribution](images/businessstoreportalservices3.png)
+![business store online app distribution.](images/businessstoreportalservices3.png)
 
 ## Integrate with Azure Active Directory
 
@@ -105,7 +105,7 @@ After registering your management tool with Azure AD, the management tool can ca
 
 The diagram below shows the call patterns for acquiring a new or updated application.
 
-![business store portal service flow diagram](images/businessstoreportalservicesflow.png)
+![business store portal service flow diagram.](images/businessstoreportalservicesflow.png)
 
 **Here is the list of available operations**:
 
diff --git a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md
index d1e7b033f2..6dbe747d92 100644
--- a/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md
+++ b/windows/client-management/mdm/mdm-enrollment-of-windows-devices.md
@@ -25,7 +25,7 @@ In today’s cloud-first world, enterprise IT departments increasingly want to l
 
 You can connect corporate-owned devices to work by either joining the device to an Active Directory domain, or to an Azure Active Directory (Azure AD) domain. Windows 10 does not require a personal Microsoft account on devices joined to Azure AD or an on-premises Active Directory domain.
 
-![active directory azure ad signin](images/unifiedenrollment-rs1-1.png)
+![active directory azure ad signin.](images/unifiedenrollment-rs1-1.png)
 
 ### Connect your device to an Active Directory domain (join a domain)
 
@@ -40,15 +40,15 @@ Joining your device to an Active Directory domain during the out-of-box-experien
 
 1.  On the **Who Owns this PC?** page, select **My work or school owns it**.
 
-    ![oobe local account creation](images/unifiedenrollment-rs1-2.png)
+    ![oobe local account creation.](images/unifiedenrollment-rs1-2.png)
 
 2.  Next, select **Join a domain**.
 
-    ![select domain or azure ad](images/unifiedenrollment-rs1-3.png)
+    ![select domain or azure ad.](images/unifiedenrollment-rs1-3.png)
 
 3.  You'll see a prompt to set up a local account on the device. Enter your local account details, and then select **Next** to continue.
 
-    ![create pc account](images/unifiedenrollment-rs1-4.png)
+    ![create pc account.](images/unifiedenrollment-rs1-4.png)
 
 ### Use the Settings app
 
@@ -56,27 +56,27 @@ To create a local account and connect the device:
 
 1.  Launch the Settings app.
 
-    ![windows settings page](images/unifiedenrollment-rs1-5.png)
+    ![windows settings page.](images/unifiedenrollment-rs1-5.png)
 
 2.  Next, select **Accounts**.
 
-    ![windows settings accounts select](images/unifiedenrollment-rs1-6.png)
+    ![windows settings accounts select.](images/unifiedenrollment-rs1-6.png)
 
 3.  Navigate to **Access work or school**.
 
-    ![select access work or school](images/unifiedenrollment-rs1-7.png)
+    ![select access work or school.](images/unifiedenrollment-rs1-7.png)
 
 4.  Select **Connect**.
 
-    ![connect to work or school](images/unifiedenrollment-rs1-8.png)
+    ![connect to work or school.](images/unifiedenrollment-rs1-8.png)
 
 5.  Under **Alternate actions**, select **Join this device to a local Active Directory domain**.
 
-    ![join account to active directory domain](images/unifiedenrollment-rs1-9.png)
+    ![join account to active directory domain.](images/unifiedenrollment-rs1-9.png)
 
 6.  Type in your domain name, follow the instructions, and then select **Next** to continue. After you complete the flow and restart your device, it should be connected to your Active Directory domain. You can now sign in to the device using your domain credentials.
 
-    ![type in domain name](images/unifiedenrollment-rs1-10.png)
+    ![type in domain name.](images/unifiedenrollment-rs1-10.png)
 
 ### Help with connecting to an Active Directory domain
 
@@ -101,11 +101,11 @@ To join a domain:
 
 1.  Select **My work or school owns it**, then select **Next.**
 
-    ![oobe local account creation](images/unifiedenrollment-rs1-11.png)
+    ![oobe local account creation.](images/unifiedenrollment-rs1-11.png)
 
 2.  Select **Join Azure AD**, and then select **Next.**
 
-    ![select domain or azure ad](images/unifiedenrollment-rs1-12.png)
+    ![select domain or azure ad.](images/unifiedenrollment-rs1-12.png)
 
 3.  Type in your Azure AD username. This is the email address you use to log into Microsoft Office 365 and similar services.
 
@@ -113,7 +113,7 @@ To join a domain:
 
     Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. If your Azure AD tenant has auto-enrollment configured, your device will also be enrolled into MDM during this flow. For more information, see [these steps](azure-ad-and-microsoft-intune-automatic-mdm-enrollment-in-the-new-portal.md). If your tenant is not configured for auto-enrollment, you will have to go through the enrollment flow a second time to connect your device to MDM. After you complete the flow, your device will be connected to your organization’s Azure AD domain.
 
-    ![azure ad signin](images/unifiedenrollment-rs1-13.png)
+    ![azure ad signin.](images/unifiedenrollment-rs1-13.png)
 
 ### Use the Settings app
 
@@ -121,27 +121,27 @@ To create a local account and connect the device:
 
 1.  Launch the Settings app.
 
-    ![windows settings page](images/unifiedenrollment-rs1-14.png)
+    ![windows settings page.](images/unifiedenrollment-rs1-14.png)
 
 2.  Next, navigate to **Accounts**.
 
-    ![windows settings accounts select](images/unifiedenrollment-rs1-15.png)
+    ![windows settings accounts select.](images/unifiedenrollment-rs1-15.png)
 
 3.  Navigate to **Access work or school**.
 
-    ![select access work or school](images/unifiedenrollment-rs1-16.png)
+    ![select access work or school.](images/unifiedenrollment-rs1-16.png)
 
 4.  Select **Connect**.
 
-    ![connect to work or school](images/unifiedenrollment-rs1-17.png)
+    ![connect to work or school.](images/unifiedenrollment-rs1-17.png)
 
 5.  Under **Alternate Actions**, selct **Join this device to Azure Active Directory**.
 
-    ![join work or school account to azure ad](images/unifiedenrollment-rs1-18.png)
+    ![join work or school account to azure ad.](images/unifiedenrollment-rs1-18.png)
 
 6.  Type in your Azure AD username. This is the email address you use to log into Office 365 and similar services.
 
-    ![azure ad sign in](images/unifiedenrollment-rs1-19.png)
+    ![azure ad sign in.](images/unifiedenrollment-rs1-19.png)
 
 7.  If the tenant is a cloud-only, password hash sync, or pass-through authentication tenant, this page changes to show the organization's custom branding, and you can enter your password directly on this page. If the tenant is part of a federated domain, you are redirected to the organization's on-premises federation server, such as AD FS, for authentication.
 
@@ -151,7 +151,7 @@ To create a local account and connect the device:
 
     After you reach the end of the flow, your device should be connected to your organization’s Azure AD domain. You may now log out of your current account and sign in using your Azure AD username.
 
-    ![corporate sign in](images/unifiedenrollment-rs1-20.png)
+    ![corporate sign in.](images/unifiedenrollment-rs1-20.png)
 
 ### Help with connecting to an Azure AD domain
 
@@ -183,19 +183,19 @@ To create a local account and connect the device:
 
 1.  Launch the Settings app, and then select **Accounts** >**Start** > **Settings** > **Accounts**.
 
-    ![windows settings page](images/unifiedenrollment-rs1-21-b.png)
+    ![windows settings page.](images/unifiedenrollment-rs1-21-b.png)
 
 2.  Navigate to **Access work or school**.
 
-    ![select access work or school](images/unifiedenrollment-rs1-23-b.png)
+    ![select access work or school.](images/unifiedenrollment-rs1-23-b.png)
 
 3.  Select **Connect**.
 
-    ![connect to work or school](images/unifiedenrollment-rs1-24-b.png)
+    ![connect to work or school.](images/unifiedenrollment-rs1-24-b.png)
 
 4.  Type in your Azure AD username. This is the email address you use to log into Office 365 and similar services.
 
-    ![join work or school account to azure ad](images/unifiedenrollment-rs1-25-b.png)
+    ![join work or school account to azure ad.](images/unifiedenrollment-rs1-25-b.png)
 
 5.  If the tenant is a cloud-only, password hash sync, or pass-through authentication tenant, this page changes to show the organization's custom branding, and can enter your password directly into the page. If the tenant is part of a federated domain, you are redirected to the organization's on-premises federation server, such as AD FS, for authentication.
 
@@ -205,11 +205,11 @@ To create a local account and connect the device:
 
     Starting in Windows 10, version 1709, you will see the status page that shows the progress of your device being set up.
 
-    ![corporate sign in](images/unifiedenrollment-rs1-26.png)
+    ![corporate sign in.](images/unifiedenrollment-rs1-26.png)
 
 6.  After you complete the flow, your Microsoft account will be connected to your work or school account.
 
-    ![account successfully added](images/unifiedenrollment-rs1-27.png)
+    ![account successfully added.](images/unifiedenrollment-rs1-27.png)
 
 ### Connect to MDM on a desktop (enrolling in device management)
 
@@ -221,29 +221,29 @@ To create a local account and connect the device:
 
 1. Launch the Settings app.
 
-   ![windows settings page](images/unifiedenrollment-rs1-28.png)
+   ![windows settings page.](images/unifiedenrollment-rs1-28.png)
 
 2. Next, navigate to **Accounts**.
 
-   ![windows settings accounts page](images/unifiedenrollment-rs1-29.png)
+   ![windows settings accounts page.](images/unifiedenrollment-rs1-29.png)
 
 3. Navigate to **Access work or school**.
 
-   ![access work or school](images/unifiedenrollment-rs1-30.png)
+   ![access work or school.](images/unifiedenrollment-rs1-30.png)
 
 4. Select the **Enroll only in device management** link (available in servicing build 14393.82, KB3176934). For older builds, see [Connect your Windows 10-based device to work using a deep link](mdm-enrollment-of-windows-devices.md#connect-your-windows-10-based-device-to-work-using-a-deep-link).
 
-   ![connect to work or school](images/unifiedenrollment-rs1-31.png)
+   ![connect to work or school.](images/unifiedenrollment-rs1-31.png)
 
 5. Type in your work email address.
 
-   ![set up work or school account](images/unifiedenrollment-rs1-32.png)
+   ![set up work or school account.](images/unifiedenrollment-rs1-32.png)
 
 6. If the device finds an endpoint that only supports on-premises authentication, this page will change and ask you for your password. If the device finds an MDM endpoint that supports federated authentication, you’ll be presented with a new window that will ask you for additional authentication information.
 
    Based on IT policy, you may also be prompted to provide a second factor of authentication at this point. Starting in Windows 10, version 1709, you will see the enrollment progress on screen.
 
-   ![corporate sign in](images/unifiedenrollment-rs1-33-b.png)
+   ![corporate sign in.](images/unifiedenrollment-rs1-33-b.png)
 
    After you complete the flow, your device will be connected to your organization’s MDM.
    
@@ -300,7 +300,7 @@ To connect your devices to MDM using deep links:
 
     - IT admins can add this link to a welcome email that users can select to enroll into MDM.
 
-      ![using enrollment deeplink in email](images/deeplinkenrollment1.png)
+      ![using enrollment deeplink in email.](images/deeplinkenrollment1.png)
 
     - IT admins can also add this link to an internal web page that users refer to enrollment instructions.
 
@@ -308,20 +308,20 @@ To connect your devices to MDM using deep links:
 
     Type in your work email address.
 
-    ![set up work or school account](images/deeplinkenrollment3.png)
+    ![set up work or school account.](images/deeplinkenrollment3.png)
 
 3.  If the device finds an endpoint that only supports on-premises authentication, this page will change and ask you for your password. If the device finds an MDM endpoint that supports federated authentication, you’ll be presented with a new window that will ask you for additional authentication information. Based on IT policy, you may also be prompted to provide a second factor of authentication at this point.
 
     After you complete the flow, your device will be connected to your organization's MDM.
 
-    ![corporate sign in](images/deeplinkenrollment4.png)
+    ![corporate sign in.](images/deeplinkenrollment4.png)
 
 ## Manage connections
 
 
 To manage your work or school connections, select **Settings** > **Accounts** > **Access work or school**. Your connections will show on this page and selecting one will expand options for that connection.
 
-![managing work or school account](images/unifiedenrollment-rs1-34-b.png)
+![managing work or school account.](images/unifiedenrollment-rs1-34-b.png)
 
 ### Info
 
@@ -335,7 +335,7 @@ Selecting the **Info** button will open a new page in the Settings app that prov
 
 Starting in Windows 10, version 1709, selecting the **Info** button will show a list of policies and line-of-business apps installed by your organization. Here is an example screenshot.
 
-![work or school info](images/unifiedenrollment-rs1-35-b.png)
+![work or school info.](images/unifiedenrollment-rs1-35-b.png)
 
 > [!NOTE]
 > Starting in Windows 10, version 1709, the **Manage** button is no longer available. 
@@ -357,7 +357,7 @@ You can collect diagnostic logs around your work connections by going to **Setti
 
 Starting in Windows 10, version 1709, you can get the advanced diagnostic report by going to **Settings** > **Accounts** > **Access work or school**, and selecting the **Info** button. At the bottom of the Settings page, you will see the button to create a report, as shown here.
 
-![collecting enrollment management log files](images/unifiedenrollment-rs1-37-c.png)
+![collecting enrollment management log files.](images/unifiedenrollment-rs1-37-c.png)
 
  
 
diff --git a/windows/client-management/mdm/messaging-csp.md b/windows/client-management/mdm/messaging-csp.md
index e9383e871f..ad2d4edddc 100644
--- a/windows/client-management/mdm/messaging-csp.md
+++ b/windows/client-management/mdm/messaging-csp.md
@@ -17,7 +17,7 @@ The Messaging configuration service provider is used to configure the ability to
 
 The following diagram shows the Messaging configuration service provider in tree format.
 
-![messaging csp](images/provisioning-csp-messaging.png)
+![messaging csp.](images/provisioning-csp-messaging.png)
 
 <a href="" id="--user-msft-applocker"></a>**./User/Vendor/MSFT/Messaging**  
 
diff --git a/windows/client-management/mdm/mobile-device-enrollment.md b/windows/client-management/mdm/mobile-device-enrollment.md
index 32f9b5ee66..6c898afe02 100644
--- a/windows/client-management/mdm/mobile-device-enrollment.md
+++ b/windows/client-management/mdm/mobile-device-enrollment.md
@@ -68,7 +68,7 @@ Devices that are joined to an on-premises Active Directory can enroll into MDM v
 
 Starting in Windows 10, version 1607, IT admin can disable MDM enrollments for domain-joined PCs using Group Policy. Using the GP editor, the path is **Computer configuration** &gt; **Administrative Templates** &gt; **Windows Components** &gt; **MDM** &gt; **Disable MDM Enrollment**.
 
-![Disable MDM enrollment policy in GP Editor](images/mdm-enrollment-disable-policy.png)
+![Disable MDM enrollment policy in GP Editor.](images/mdm-enrollment-disable-policy.png)
 
 Here is the corresponding registry key:
 
diff --git a/windows/client-management/mdm/napdef-csp.md b/windows/client-management/mdm/napdef-csp.md
index 1b5f5ecdd4..0b715c1a53 100644
--- a/windows/client-management/mdm/napdef-csp.md
+++ b/windows/client-management/mdm/napdef-csp.md
@@ -27,11 +27,11 @@ The NAPDEF configuration service provider is used to add, modify, or delete WAP
 
 The following diagram shows the NAPDEF configuration service provider management object in tree format as used by OMA Client Provisioning for **initial bootstrapping of the phone**. The OMA DM protocol is not supported by this configuration service provider.
 
-![napdef csp (cp) (initial bootstrapping)](images/provisioning-csp-napdef-cp.png)
+![napdef csp (cp) (initial bootstrapping).](images/provisioning-csp-napdef-cp.png)
 
 The following diagram shows the NAPDEF configuration service provider management object in tree format as used by OMA Client Provisioning for **updating the bootstrapping of the phone**. The OMA DM protocol is not supported by this configuration service provider.
 
-![napdef csp (cp) (update bootstrapping)](images/provisioning-csp-napdef-cp-2.png)
+![napdef csp (cp) (update bootstrapping).](images/provisioning-csp-napdef-cp-2.png)
 
 <a href="" id="napauthinfo"></a>**NAPAUTHINFO**  
 Defines a group of authentication settings.
diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
index ce79fdb702..272489e4a8 100644
--- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
+++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md
@@ -240,7 +240,7 @@ Passing CDATA in data in SyncML to ConfigManager and CSPs does not work in Windo
 
 The certificate setting under "SSL Settings" in the IIS server for SCEP must be set to "Ignore" in Windows 10. In Windows Phone 8.1, when you set the client certificate to "Accept," it works fine.
 
-![ssl settings](images/ssl-settings.png)
+![ssl settings.](images/ssl-settings.png)
 
 ### MDM enrollment fails on the mobile device when traffic is going through proxy
 
@@ -439,7 +439,7 @@ Alternatively you can use the following procedure to create an EAP Configuration
 1.  Follow steps 1 through 7 in the [EAP configuration](eap-configuration.md) article.
 2.  In the Microsoft VPN SelfHost Properties dialog box, select **Microsoft : Smart Card or other Certificate** from the drop down (this selects EAP TLS.)
 
-    ![vpn selfhost properties window](images/certfiltering1.png)
+    ![vpn selfhost properties window.](images/certfiltering1.png)
 
     > [!NOTE]
     > For PEAP or TTLS, select the appropriate method and continue following this procedure.
@@ -447,10 +447,10 @@ Alternatively you can use the following procedure to create an EAP Configuration
 3.  Click the **Properties** button underneath the drop down menu.
 4.  In the **Smart Card or other Certificate Properties** menu, select the **Advanced** button.
 
-    ![smart card or other certificate properties window](images/certfiltering2.png)
+    ![smart card or other certificate properties window.](images/certfiltering2.png)
 5.  In the **Configure Certificate Selection** menu, adjust the filters as needed.
 
-    ![configure certificate selection window](images/certfiltering3.png)
+    ![configure certificate selection window.](images/certfiltering3.png)
 6.  Click **OK** to close the windows to get back to the main rasphone.exe dialog box.
 7.  Close the rasphone dialog box.
 8.  Continue following the procedure in the [EAP configuration](eap-configuration.md) article from Step 9 to get an EAP TLS profile with appropriate filtering.
@@ -492,7 +492,7 @@ No. Only one MDM is allowed.
 4.  Click **Configure**.
 5.  Set quota to unlimited.
 
-    ![aad maximum joined devices](images/faq-max-devices.png)
+    ![aad maximum joined devices.](images/faq-max-devices.png)
  
 
 ### **What is dmwappushsvc?**
diff --git a/windows/client-management/mdm/passportforwork-csp.md b/windows/client-management/mdm/passportforwork-csp.md
index c73d5fdc8d..84ff8f5e34 100644
--- a/windows/client-management/mdm/passportforwork-csp.md
+++ b/windows/client-management/mdm/passportforwork-csp.md
@@ -23,13 +23,13 @@ The PassportForWork configuration service provider is used to provision Windows
 
 The following diagram shows the PassportForWork configuration service provider in tree format.
 
-![passportforwork csp](images/provisioning-csp-passportforwork.png)
+![passportforwork csp.](images/provisioning-csp-passportforwork.png)
 
 ### Device configuration diagram
 
 The following diagram shows the PassportForWork configuration service provider in tree format.
 
-![passportforwork diagram](images/provisioning-csp-passportforwork2.png)
+![passportforwork diagram.](images/provisioning-csp-passportforwork2.png)
 
 <a href="" id="passportforwork"></a>**PassportForWork**  
 Root node for PassportForWork configuration service provider.
diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md
index ddeb61f84a..da0f0543dc 100644
--- a/windows/client-management/mdm/policy-configuration-service-provider.md
+++ b/windows/client-management/mdm/policy-configuration-service-provider.md
@@ -44,7 +44,7 @@ The Policy configuration service provider has the following sub-categories:
 
 The following diagram shows the Policy configuration service provider in tree format as used by both Open Mobile Alliance Device Management (OMA DM) and OMA Client Provisioning.
 
-![policy csp diagram](images/provisioning-csp-policy.png)
+![policy csp diagram.](images/provisioning-csp-policy.png)
 
 
 <a href="" id="--vendor-msft-policy"></a>**./Vendor/MSFT/Policy**  
diff --git a/windows/client-management/mdm/policy-csp-deviceinstallation.md b/windows/client-management/mdm/policy-csp-deviceinstallation.md
index 9d7aa06011..013edacaec 100644
--- a/windows/client-management/mdm/policy-csp-deviceinstallation.md
+++ b/windows/client-management/mdm/policy-csp-deviceinstallation.md
@@ -549,7 +549,7 @@ To verify that the policy is applied, check C:\windows\INF\setupapi.dev.log and
 ```
 You can also change the evaluation order of device installation policy settings by using a custom profile in Intune.
 
-:::image type="content" source="images/edit-row.png" alt-text="This is a edit row image":::
+:::image type="content" source="images/edit-row.png" alt-text="This is a edit row image.":::
 
 <!--/Example-->
 <!--Validation-->
@@ -743,7 +743,7 @@ To verify the policy is applied, check C:\windows\INF\setupapi.dev.log and see i
 
 You can also block installation by using a custom profile in Intune. 
 
-![Custom profile prevent devices](images/custom-profile-prevent-other-devices.png)
+![Custom profile prevent devices.](images/custom-profile-prevent-other-devices.png)
 <!--/Example-->
 <!--Validation-->
 
@@ -863,7 +863,7 @@ You can also block installation and usage of prohibited peripherals by using a c
 
 For example, this custom profile blocks installation and usage of USB devices with hardware IDs "USB\Composite" and "USB\Class_FF", and applies to USB devices with matching hardware IDs that are already installed.
 
-![Custom profile prevent device ids](images/custom-profile-prevent-device-ids.png)
+![Custom profile prevent device ids.](images/custom-profile-prevent-device-ids.png)
 <!--/Example-->
 <!--Validation-->
 
@@ -977,7 +977,7 @@ You can also block installation and usage of prohibited peripherals by using a c
 
 For example, this custom profile prevents installation of devices with matching device instance IDs.
 
-![Custom profile](images/custom-profile-prevent-device-instance-ids.png)
+![Custom profile.](images/custom-profile-prevent-device-instance-ids.png)
 
 To prevent installation of devices with matching device instance IDs by using custom profile in Intune:
 1. Locate the device instance ID.
diff --git a/windows/client-management/mdm/policy-csp-mixedreality.md b/windows/client-management/mdm/policy-csp-mixedreality.md
index cdf909411f..7f7e8ae961 100644
--- a/windows/client-management/mdm/policy-csp-mixedreality.md
+++ b/windows/client-management/mdm/policy-csp-mixedreality.md
@@ -40,20 +40,6 @@ manager: dansimp
   </dd>
 </dl>
 
-Steps to use this policy correctly:
-
-1. Create a device configuration profile for kiosk targeting Azure AD groups and assign it to HoloLens device(s).
-1. Create a custom OMA URI based device configuration that sets this policy value to desired number of days (> 0) and assign it to HoloLens device(s).
-    1. The URI value should be entered in OMA-URI text box as ./Vendor/MSFT/Policy/Config/MixedReality/AADGroupMembershipCacheValidityInDays
-    1. The value can be between min / max allowed.
-1. Enroll HoloLens devices and verify both configurations get applied to the device.
-1. Let Azure AD user 1 sign-in when internet is available. Once the user signs-in and Azure AD group membership is confirmed successfully, cache will be created.
-1. Now Azure AD user 1 can take HoloLens offline and use it for kiosk mode as long as policy value allows for X number of days.
-1. Steps 4 and 5 can be repeated for any other Azure AD user N. The key point here is that any Azure AD user must sign-in to device using Internet at least once. Then we can determine that they are member of Azure AD group to which Kiosk configuration is targeted.
-
-> [!NOTE]
-> Until step 4 is performed for a Azure AD user will experience failure behavior mentioned similar to “disconnected” environments.
-
 <hr/>
 
 <!--Policy-->
@@ -79,6 +65,20 @@ Steps to use this policy correctly:
 </tr>
 </table>
 
+Steps to use this policy correctly:
+
+1. Create a device configuration profile for kiosk targeting Azure AD groups and assign it to HoloLens device(s).
+1. Create a custom OMA URI based device configuration that sets this policy value to desired number of days (> 0) and assign it to HoloLens device(s).
+    1. The URI value should be entered in OMA-URI text box as ./Vendor/MSFT/Policy/Config/MixedReality/AADGroupMembershipCacheValidityInDays
+    1. The value can be between min / max allowed.
+1. Enroll HoloLens devices and verify both configurations get applied to the device.
+1. Let Azure AD user 1 sign-in when internet is available. Once the user signs-in and Azure AD group membership is confirmed successfully, cache will be created.
+1. Now Azure AD user 1 can take HoloLens offline and use it for kiosk mode as long as policy value allows for X number of days.
+1. Steps 4 and 5 can be repeated for any other Azure AD user N. The key point here is that any Azure AD user must sign-in to device using Internet at least once. Then we can determine that they are member of Azure AD group to which Kiosk configuration is targeted.
+
+> [!NOTE]
+> Until step 4 is performed for a Azure AD user will experience failure behavior mentioned similar to “disconnected” environments.
+
 <!--/SupportedSKUs-->
 <hr/>
 
diff --git a/windows/client-management/mdm/policy-csp-system.md b/windows/client-management/mdm/policy-csp-system.md
index b02ba826b4..d627137d97 100644
--- a/windows/client-management/mdm/policy-csp-system.md
+++ b/windows/client-management/mdm/policy-csp-system.md
@@ -7,7 +7,7 @@ ms.prod: w10
 ms.technology: windows
 author: manikadhiman
 ms.localizationpriority: medium
-ms.date: 10/14/2020
+ms.date: 08/26/2021
 ms.reviewer: 
 manager: dansimp
 ---
@@ -62,7 +62,7 @@ manager: dansimp
     <a href="#system-allowusertoresetphone">System/AllowUserToResetPhone</a>
   </dd>
  <dd>
-    <a href="#system-allowwufbcloudprocessing">System/AllowWuFBCloudProcessing</a>
+    <a href="#system-allowwufbcloudprocessing">System/AllowWUfBCloudProcessing</a>
   </dd>
   <dd>
     <a href="#system-bootstartdriverinitialization">System/BootStartDriverInitialization</a>
@@ -964,7 +964,7 @@ The following list shows the supported values:
 <hr/>
 
 <!--Policy-->
-<a href="" id="system-allowwufbcloudprocessing"></a>**System/AllowWuFBCloudProcessing**
+<a href="" id="system-allowwufbcloudprocessing"></a>**System/AllowWUfBCloudProcessing**
 
 <hr/>
 
@@ -985,6 +985,15 @@ If you disable or do not configure this policy setting, devices enrolled to the
 
 <hr/>
 
+<!--/Description-->
+<!--SupportedValues-->
+The following list shows the supported values:
+
+-   0 - Disabled.
+-   8 - Enabled.
+<!--/SupportedValues-->
+
+
 <!--Policy-->
 <a href="" id="system-bootstartdriverinitialization"></a>**System/BootStartDriverInitialization**  
 
diff --git a/windows/client-management/mdm/push-notification-windows-mdm.md b/windows/client-management/mdm/push-notification-windows-mdm.md
index a0a34ee244..92df20eba2 100644
--- a/windows/client-management/mdm/push-notification-windows-mdm.md
+++ b/windows/client-management/mdm/push-notification-windows-mdm.md
@@ -52,34 +52,34 @@ To get a PFN and WNS credentials, you must create an Microsoft Store app.
 
 1.  Go to the Windows [Dashboard](https://dev.windows.com/en-US/dashboard) and sign in with your developer account.
 
-    ![mdm push notification1](images/push-notification1.png)
+    ![mdm push notification1.](images/push-notification1.png)
 2.  Create a new app.
 
-    ![mdm push notification2](images/push-notification2.png)
+    ![mdm push notification2.](images/push-notification2.png)
 3.  Reserve an app name.
 
-    ![mdm push notification3](images/push-notification3.png)
+    ![mdm push notification3.](images/push-notification3.png)
 4.  Click **Services**.
 
-    ![mdm push notification4](images/push-notification4.png)
+    ![mdm push notification4.](images/push-notification4.png)
 5.  Click **Push notifications**.
 
-    ![mdm push notification5](images/push-notification5.png)
+    ![mdm push notification5.](images/push-notification5.png)
 6.  Click **Live Services site**. A new window opens for the **Application Registration Portal** page.
 
-    ![mdm push notification6](images/push-notification6.png)
+    ![mdm push notification6.](images/push-notification6.png)
 7.  In the **Application Registration Portal** page, you will see the properties for the app that you created, such as:
     -   Application Id
     -   Application Secrets
     -   Microsoft Store Package SID, Application Identity, and Publisher.
 
-    ![mdm push notification7](images/push-notification7.png)
+    ![mdm push notification7.](images/push-notification7.png)
 8.  Click **Save**.
 9.  Close the **Application Registration Portal** window and go back to the Windows Dev Center Dashboard.
 10. Select your app from the list on the left.
 11. From the left nav, expand **App management** and then click **App identity**.
 
-    ![mdm push notification10](images/push-notification10.png)
+    ![mdm push notification10.](images/push-notification10.png)
 12. In the **App identity** page, you will see the **Package Family Name (PFN)** of your app.
 
  
diff --git a/windows/client-management/mdm/pxlogical-csp.md b/windows/client-management/mdm/pxlogical-csp.md
index 48baff3fe8..e2d40a822a 100644
--- a/windows/client-management/mdm/pxlogical-csp.md
+++ b/windows/client-management/mdm/pxlogical-csp.md
@@ -23,11 +23,11 @@ The PXLOGICAL configuration service provider is used to add, remove, or modify W
 
 The following diagram shows the PXLOGICAL configuration service provider management object in tree format as used by OMA Client Provisioning for initial bootstrapping of the device. The OMA DM protocol is not supported by this configuration service provider.
 
-![pxlogical csp (cp) (initial bootstrapping)](images/provisioning-csp-pxlogical-cp.png)
+![pxlogical csp (cp) (initial bootstrapping).](images/provisioning-csp-pxlogical-cp.png)
 
 The following diagram shows the PXLOGICAL configuration service provider management object in tree format as used by OMA Client Provisioning for updating the bootstrapping of the device. The OMA DM protocol is not supported by this configuration service provider.
 
-![pxlogical csp (cp) (update bootstrapping)](images/provisioning-csp-pxlogical-cp-2.png)
+![pxlogical csp (cp) (update bootstrapping).](images/provisioning-csp-pxlogical-cp-2.png)
 
 <a href="" id="pxphysical"></a>**PXPHYSICAL**  
 Defines a group of logical proxy settings.
diff --git a/windows/client-management/mdm/register-your-free-azure-active-directory-subscription.md b/windows/client-management/mdm/register-your-free-azure-active-directory-subscription.md
index be9c8a5339..28e198aa1f 100644
--- a/windows/client-management/mdm/register-your-free-azure-active-directory-subscription.md
+++ b/windows/client-management/mdm/register-your-free-azure-active-directory-subscription.md
@@ -23,15 +23,15 @@ If you have paid subscriptions to Office 365, Microsoft Dynamics CRM Online, Ent
 
 1.  Sign in to the Microsoft 365 admin center at <https://portal.office.com> using your organization's account.
 
-    ![register azuread](images/azure-ad-add-tenant10.png)
+    ![register azuread.](images/azure-ad-add-tenant10.png)
 
 2.  On the **Home** page, click on the Admin tools icon.
 
-    ![register azuread](images/azure-ad-add-tenant11.png)
+    ![register azuread.](images/azure-ad-add-tenant11.png)
 
 3.  On the **Admin center** page, under Admin Centers on the left, click **Azure Active Directory**. This will take you to the Azure Active Directory portal.
 
-    ![Azure-AD-updated](https://user-images.githubusercontent.com/41186174/71594506-e4845300-2b40-11ea-9a08-c21c824e12a4.png)
+    ![Azure-AD-updated.](https://user-images.githubusercontent.com/41186174/71594506-e4845300-2b40-11ea-9a08-c21c824e12a4.png)
 
 
 
diff --git a/windows/client-management/mdm/securitypolicy-csp.md b/windows/client-management/mdm/securitypolicy-csp.md
index 9e203d4d39..4ffdbad557 100644
--- a/windows/client-management/mdm/securitypolicy-csp.md
+++ b/windows/client-management/mdm/securitypolicy-csp.md
@@ -25,7 +25,7 @@ For the SecurityPolicy CSP, you cannot use the Replace command unless the node a
 
 The following diagram shows the SecurityPolicy configuration service provider management object in tree format as used by both OMA DM and OMA Client Provisioning.
 
-![securitypolicy csp (dm,cp)](images/provisioning-csp-securitypolicy-dmandcp.png)
+![securitypolicy csp (dm,cp).](images/provisioning-csp-securitypolicy-dmandcp.png)
 
 <a href="" id="policyid"></a>***PolicyID***  
 Defines the security policy identifier as a decimal value.
diff --git a/windows/client-management/mdm/understanding-admx-backed-policies.md b/windows/client-management/mdm/understanding-admx-backed-policies.md
index 5b211a0f55..21f39c4389 100644
--- a/windows/client-management/mdm/understanding-admx-backed-policies.md
+++ b/windows/client-management/mdm/understanding-admx-backed-policies.md
@@ -56,11 +56,11 @@ Group Policy option button setting:
 
 The following diagram shows the main display for the Group Policy Editor.
 
-![Group Policy editor](images/group-policy-editor.png)
+![Group Policy editor.](images/group-policy-editor.png)
 
 The following diagram shows the settings for the "Publishing Server 2 Settings" Group Policy in the Group Policy Editor.
 
-![Group Policy publisher server 2 settings](images/group-policy-publisher-server-2-settings.png)
+![Group Policy publisher server 2 settings.](images/group-policy-publisher-server-2-settings.png)
 
 Note that most Group Policies are a simple Boolean type. For a Boolean Group Policy, if you select **Enabled**, the options panel contains no data input fields and the payload of the SyncML is simply `<enabled/>`. However, if there are data input fields in the options panel, the MDM server must supply this data. The following *Enabling a Group Policy* example illustrates this complexity. In this example, 10 name-value pairs are described by `<data />` tags in the payload, which correspond to the 10 data input fields in the Group Policy Editor options panel for the "Publishing Server 2 Settings" Group Policy. The ADMX file, which defines the Group Policies, is consumed by the MDM server, similarly to how the Group Policy Editor consumes it. The Group Policy Editor displays a UI to receive the complete Group Policy instance data, which the MDM server's IT administrator console must also do. For every `<text>` element and id attribute in the ADMX policy definition, there must be a corresponding `<data />` element and id attribute in the payload. The ADMX file drives the policy definition and is required by the MDM server via the SyncML protocol.
 
diff --git a/windows/client-management/mdm/unifiedwritefilter-csp.md b/windows/client-management/mdm/unifiedwritefilter-csp.md
index 7916778bec..00d2b86cd5 100644
--- a/windows/client-management/mdm/unifiedwritefilter-csp.md
+++ b/windows/client-management/mdm/unifiedwritefilter-csp.md
@@ -119,7 +119,7 @@ Currently SwapfileSize should not be relied for determining or controlling the o
 <a href="" id="currentsession-maximumoverlaysize"></a>**CurrentSession/MaximumOverlaySize** or <a href="" id="nextsession-maximumoverlaysize"></a>**NextSession/MaximumOverlaySize**
 should be used for that purpose.
 
-:::image type="content" source="images/overlaysetting.png" alt-text="This is the overlay setting":::
+:::image type="content" source="images/overlaysetting.png" alt-text="This is the overlay setting.":::
 
 > [!NOTE]
 > Only single swapfile is supported in current implementation and creating swapfile on specific volume will disable any other swapfile created on other volumes.
diff --git a/windows/client-management/mdm/vpn-csp.md b/windows/client-management/mdm/vpn-csp.md
index 3f6badf192..42a6882673 100644
--- a/windows/client-management/mdm/vpn-csp.md
+++ b/windows/client-management/mdm/vpn-csp.md
@@ -33,7 +33,7 @@ Important considerations:
 
 The following diagram shows the VPN configuration service provider in tree format.
 
-![provisioning\-csp\-vpnimg](images/provisioning-csp-vpn.png)
+![provisioning\-csp\-vpnimg.](images/provisioning-csp-vpn.png)
 
 <a href="" id="profilename"></a>***ProfileName***
 Unique alpha numeric Identifier for the profile. The profile name must not include a forward slash (/).
diff --git a/windows/client-management/mdm/w4-application-csp.md b/windows/client-management/mdm/w4-application-csp.md
index d6b9110b32..e7321b1888 100644
--- a/windows/client-management/mdm/w4-application-csp.md
+++ b/windows/client-management/mdm/w4-application-csp.md
@@ -25,7 +25,7 @@ The default security roles are defined in the root characteristic, and map to ea
 
 The following diagram shows the configuration service provider in tree format as used by OMA Client Provisioning.
 
-![w4 application csp (cp)](images/provisioning-csp-w4-application-cp.png)
+![w4 application csp (cp).](images/provisioning-csp-w4-application-cp.png)
 
 <a href="" id="appid"></a>**APPID**
 Required. This parameter takes a string value. The only supported value for configuring MMS is "w4".
diff --git a/windows/client-management/mdm/w7-application-csp.md b/windows/client-management/mdm/w7-application-csp.md
index 20f21f79bc..7aaa801796 100644
--- a/windows/client-management/mdm/w7-application-csp.md
+++ b/windows/client-management/mdm/w7-application-csp.md
@@ -23,7 +23,7 @@ The APPLICATION configuration service provider that has an APPID of w7 is used f
 
 The following image shows the configuration service provider in tree format as used by OMA Client Provisioning.
 
-![w7 application csp (dm)](images/provisioning-csp-w7-application-dm.png)
+![w7 application csp (dm).](images/provisioning-csp-w7-application-dm.png)
 
 > **Note**   All parm names and characteristic types are case sensitive and must use all uppercase.
 Both APPSRV and CLIENT credentials must be provided in provisioning XML.
diff --git a/windows/client-management/mdm/wifi-csp.md b/windows/client-management/mdm/wifi-csp.md
index 125bbfb687..e867ae66ef 100644
--- a/windows/client-management/mdm/wifi-csp.md
+++ b/windows/client-management/mdm/wifi-csp.md
@@ -31,7 +31,7 @@ Programming considerations:
 
 The following image shows the WiFi configuration service provider in tree format.
 
-![wi-fi csp diagram](images/provisioning-csp-wifi.png)
+![wi-fi csp diagram.](images/provisioning-csp-wifi.png)
 
 The following list shows the characteristics and parameters.
 
diff --git a/windows/client-management/mdm/windows-mdm-enterprise-settings.md b/windows/client-management/mdm/windows-mdm-enterprise-settings.md
index a8be6bba9c..e5e7511669 100644
--- a/windows/client-management/mdm/windows-mdm-enterprise-settings.md
+++ b/windows/client-management/mdm/windows-mdm-enterprise-settings.md
@@ -25,7 +25,7 @@ The DM client is configured during the enrollment process to be invoked by the t
 
 The following diagram shows the work flow between server and client.
 
-![windows client and server mdm diagram](images/enterprise-workflow.png)
+![windows client and server mdm diagram.](images/enterprise-workflow.png)
 
 
 ## Management workflow
diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md
index c68424cd04..fc13fd3034 100644
--- a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md
+++ b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md
@@ -19,7 +19,7 @@ The Windows Defender Advanced Threat Protection (WDATP) configuration service pr
 
 The following diagram shows the WDATP configuration service provider in tree format as used by the Open Mobile Alliance (OMA) Device Management (DM).
 
-![windowsadvancedthreatprotection csp diagram](images/provisioning-csp-watp.png)
+![windowsadvancedthreatprotection csp diagram.](images/provisioning-csp-watp.png)
 
 The following list describes the characteristics and parameters.
 
diff --git a/windows/client-management/mdm/wmi-providers-supported-in-windows.md b/windows/client-management/mdm/wmi-providers-supported-in-windows.md
index 2f3cdf7fc7..2fe71b5e76 100644
--- a/windows/client-management/mdm/wmi-providers-supported-in-windows.md
+++ b/windows/client-management/mdm/wmi-providers-supported-in-windows.md
@@ -213,16 +213,16 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw
 
 | Class                                                                    | Test completed in Windows 10 for desktop |
 |--------------------------------------------------------------------------|------------------------------------------|
-| [**wpcappoverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema)       | ![cross mark](images/checkmark.png)      |
-| [**wpcgameoverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema)      | ![cross mark](images/checkmark.png)      |
-| [**wpcgamessettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema)     | ![cross mark](images/checkmark.png)      |
-| [**wpcrating**](/windows/win32/parcon/parental-controls-wmi-provider-schema)            | ![cross mark](images/checkmark.png)      |
+| [**wpcappoverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema)       | ![cross mark.](images/checkmark.png)      |
+| [**wpcgameoverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema)      | ![cross mark.](images/checkmark.png)      |
+| [**wpcgamessettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema)     | ![cross mark.](images/checkmark.png)      |
+| [**wpcrating**](/windows/win32/parcon/parental-controls-wmi-provider-schema)            | ![cross mark.](images/checkmark.png)      |
 | [**wpcRatingsDescriptor**](/windows/win32/parcon/parental-controls-wmi-provider-schema) |                                          |
-| [**wpcratingssystem**](/windows/win32/parcon/parental-controls-wmi-provider-schema)     | ![cross mark](images/checkmark.png)      |
-| [**wpcsystemsettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema)    | ![cross mark](images/checkmark.png)      |
-| [**wpcurloverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema)       | ![cross mark](images/checkmark.png)      |
-| [**wpcusersettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema)      | ![cross mark](images/checkmark.png)      |
-| [**wpcwebsettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema)       | ![cross mark](images/checkmark.png)      |
+| [**wpcratingssystem**](/windows/win32/parcon/parental-controls-wmi-provider-schema)     | ![cross mark.](images/checkmark.png)      |
+| [**wpcsystemsettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema)    | ![cross mark.](images/checkmark.png)      |
+| [**wpcurloverride**](/windows/win32/parcon/parental-controls-wmi-provider-schema)       | ![cross mark.](images/checkmark.png)      |
+| [**wpcusersettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema)      | ![cross mark.](images/checkmark.png)      |
+| [**wpcwebsettings**](/windows/win32/parcon/parental-controls-wmi-provider-schema)       | ![cross mark.](images/checkmark.png)      |
 
  
 
@@ -232,17 +232,17 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw
 |--------------------------------------------------------------------------|------------------------------------------|
 [**Win32\_1394Controller**](/windows/win32/cimwin32prov/win32-1394controller) |
 [**Win32\_BaseBoard**](/windows/win32/cimwin32prov/win32-baseboard)      |
-[**Win32\_Battery**](/windows/win32/cimwin32prov/win32-battery)        | ![cross mark](images/checkmark.png)
-[**Win32\_BIOS**](/windows/win32/cimwin32prov/win32-bios)           | ![cross mark](images/checkmark.png)
+[**Win32\_Battery**](/windows/win32/cimwin32prov/win32-battery)        | ![cross mark.](images/checkmark.png)
+[**Win32\_BIOS**](/windows/win32/cimwin32prov/win32-bios)           | ![cross mark.](images/checkmark.png)
 [**Win32\_CDROMDrive**](/windows/win32/cimwin32prov/win32-cdromdrive)     |
-[**Win32\_ComputerSystem**](/windows/win32/cimwin32prov/win32-computersystem) | ![cross mark](images/checkmark.png)
-[**Win32\_ComputerSystemProduct**](/windows/win32/cimwin32prov/win32-computersystemproduct) | ![cross mark](images/checkmark.png)
-[**Win32\_CurrentTime**](/previous-versions/windows/desktop/wmitimepprov/win32-currenttime)    | ![cross mark](images/checkmark.png)
+[**Win32\_ComputerSystem**](/windows/win32/cimwin32prov/win32-computersystem) | ![cross mark.](images/checkmark.png)
+[**Win32\_ComputerSystemProduct**](/windows/win32/cimwin32prov/win32-computersystemproduct) | ![cross mark.](images/checkmark.png)
+[**Win32\_CurrentTime**](/previous-versions/windows/desktop/wmitimepprov/win32-currenttime)    | ![cross mark.](images/checkmark.png)
 [**Win32\_Desktop**](/windows/win32/cimwin32prov/win32-desktop)        |
-[**Win32\_DesktopMonitor**](/windows/win32/cimwin32prov/win32-desktopmonitor) |![cross mark](images/checkmark.png)
-[**Win32\_DiskDrive**](/windows/win32/cimwin32prov/win32-diskdrive)      | ![cross mark](images/checkmark.png)
+[**Win32\_DesktopMonitor**](/windows/win32/cimwin32prov/win32-desktopmonitor) |![cross mark.](images/checkmark.png)
+[**Win32\_DiskDrive**](/windows/win32/cimwin32prov/win32-diskdrive)      | ![cross mark.](images/checkmark.png)
 [**Win32\_DiskPartition**](/windows/win32/cimwin32prov/win32-diskpartition)  |
-[**Win32\_DisplayConfiguration**](/previous-versions//aa394137(v=vs.85)) | ![cross mark](images/checkmark.png)
+[**Win32\_DisplayConfiguration**](/previous-versions//aa394137(v=vs.85)) | ![cross mark.](images/checkmark.png)
 [**Win32\_DMAChannel**](/windows/win32/cimwin32prov/win32-dmachannel)     | 
 [**Win32\_DriverVXD**](/previous-versions//aa394141(v=vs.85))      |
 [**Win32\_EncryptableVolume**](/windows/win32/secprov/win32-encryptablevolume) |
@@ -252,23 +252,23 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw
 [**Win32\_IRQResource**](/windows/win32/cimwin32prov/win32-irqresource)    |
 [**Win32\_Keyboard**](/windows/win32/cimwin32prov/win32-keyboard)       |
 [**Win32\_LoadOrderGroup**](/windows/win32/cimwin32prov/win32-loadordergroup) |
-[**Win32\_LocalTime**](/previous-versions/windows/desktop/wmitimepprov/win32-localtime)      | ![cross mark](images/checkmark.png)
+[**Win32\_LocalTime**](/previous-versions/windows/desktop/wmitimepprov/win32-localtime)      | ![cross mark.](images/checkmark.png)
 [**Win32\_LoggedOnUser**](/windows/win32/cimwin32prov/win32-loggedonuser)   |
-[**Win32\_LogicalDisk**](/windows/win32/cimwin32prov/win32-logicaldisk)    | ![cross mark](images/checkmark.png)
+[**Win32\_LogicalDisk**](/windows/win32/cimwin32prov/win32-logicaldisk)    | ![cross mark.](images/checkmark.png)
 [**Win32\_MotherboardDevice**](/windows/win32/cimwin32prov/win32-motherboarddevice) |
-[**Win32\_NetworkAdapter**](/windows/win32/cimwin32prov/win32-networkadapter) | ![cross mark](images/checkmark.png)
+[**Win32\_NetworkAdapter**](/windows/win32/cimwin32prov/win32-networkadapter) | ![cross mark.](images/checkmark.png)
 [**Win32\_NetworkAdapterConfiguration**](/windows/win32/cimwin32prov/win32-networkadapterconfiguration) |
 [**Win32\_NetworkClient**](/windows/win32/cimwin32prov/win32-networkclient)  |
 [**Win32\_NetworkLoginProfile**](/windows/win32/cimwin32prov/win32-networkloginprofile) |
 [**Win32\_NetworkProtocol**](/windows/win32/cimwin32prov/win32-networkprotocol) |
 [**Win32\_NTEventlogFile**](/previous-versions/windows/desktop/legacy/aa394225(v=vs.85))  |
-[**Win32\_OperatingSystem**](/windows/win32/cimwin32prov/win32-operatingsystem) | ![cross mark](images/checkmark.png)
+[**Win32\_OperatingSystem**](/windows/win32/cimwin32prov/win32-operatingsystem) | ![cross mark.](images/checkmark.png)
 [**Win32\_OSRecoveryConfiguration**](/windows/win32/cimwin32prov/win32-osrecoveryconfiguration) |
 [**Win32\_PageFileSetting**](/windows/win32/cimwin32prov/win32-pagefilesetting) |
 [**Win32\_ParallelPort**](/windows/win32/cimwin32prov/win32-parallelport) |
 [**Win32\_PCMCIAController**](/windows/win32/cimwin32prov/win32-pcmciacontroller) |
 [**Win32\_PhysicalMedia**](/previous-versions/windows/desktop/cimwin32a/win32-physicalmedia)                                   |  
-[**Win32\_PhysicalMemory**](/windows/win32/cimwin32prov/win32-physicalmemory)   | ![cross mark](images/checkmark.png)
+[**Win32\_PhysicalMemory**](/windows/win32/cimwin32prov/win32-physicalmemory)   | ![cross mark.](images/checkmark.png)
 [**Win32\_PnPDevice**](/windows/win32/cimwin32prov/win32-pnpdevice)        |  
 [**Win32\_PnPEntity**](/windows/win32/cimwin32prov/win32-pnpentity)        |  
 [**Win32\_PointingDevice**](/windows/win32/cimwin32prov/win32-pointingdevice)   |
@@ -277,25 +277,25 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw
 [**Win32\_POTSModem**](/windows/win32/cimwin32prov/win32-potsmodem)        |
 [**Win32\_Printer**](/windows/win32/cimwin32prov/win32-printer)          |
 [**Win32\_PrinterConfiguration**](/windows/win32/cimwin32prov/win32-printerconfiguration) |
-[**Win32\_Processor**](/windows/win32/cimwin32prov/win32-processor)        | ![cross mark](images/checkmark.png)
-[**Win32\_QuickFixEngineering**](/windows/win32/cimwin32prov/win32-quickfixengineering) | ![cross mark](images/checkmark.png)
+[**Win32\_Processor**](/windows/win32/cimwin32prov/win32-processor)        | ![cross mark.](images/checkmark.png)
+[**Win32\_QuickFixEngineering**](/windows/win32/cimwin32prov/win32-quickfixengineering) | ![cross mark.](images/checkmark.png)
 [**Win32\_Registry**](/windows/win32/cimwin32prov/win32-registry)         |
 [**Win32\_SCSIController**](/windows/win32/cimwin32prov/win32-scsicontroller)   |
 [**Win32\_SerialPort**](/windows/win32/cimwin32prov/win32-serialport)       |
 [**Win32\_SerialPortConfiguration**](/windows/win32/cimwin32prov/win32-serialportconfiguration) |
 [**Win32\_ServerFeature**](/windows/win32/wmisdk/win32-serverfeature)    |
-[**Win32\_Service**](/windows/win32/cimwin32prov/win32-service)          | ![cross mark](images/checkmark.png)
-[**Win32\_Share**](/windows/win32/cimwin32prov/win32-share)            | ![cross mark](images/checkmark.png)
+[**Win32\_Service**](/windows/win32/cimwin32prov/win32-service)          | ![cross mark.](images/checkmark.png)
+[**Win32\_Share**](/windows/win32/cimwin32prov/win32-share)            | ![cross mark.](images/checkmark.png)
 [**Win32\_SoundDevice**](/windows/win32/cimwin32prov/win32-sounddevice)      |
 [**Win32\_SystemAccount**](/windows/win32/cimwin32prov/win32-systemaccount)    |
-[**Win32\_SystemBIOS**](/windows/win32/cimwin32prov/win32-systembios)       | ![cross mark](images/checkmark.png)
+[**Win32\_SystemBIOS**](/windows/win32/cimwin32prov/win32-systembios)       | ![cross mark.](images/checkmark.png)
 [**Win32\_SystemDriver**](/windows/win32/cimwin32prov/win32-systemdriver)     |
-[**Win32\_SystemEnclosure**](/windows/win32/cimwin32prov/win32-systemenclosure)  | ![cross mark](images/checkmark.png)
+[**Win32\_SystemEnclosure**](/windows/win32/cimwin32prov/win32-systemenclosure)  | ![cross mark.](images/checkmark.png)
 [**Win32\_TapeDrive**](/windows/win32/cimwin32prov/win32-tapedrive)        |
-[**Win32\_TimeZone**](/windows/win32/cimwin32prov/win32-timezone)         | ![cross mark](images/checkmark.png)
+[**Win32\_TimeZone**](/windows/win32/cimwin32prov/win32-timezone)         | ![cross mark.](images/checkmark.png)
 [**Win32\_UninterruptiblePowerSupply**](/previous-versions//aa394503(v=vs.85)) |
 [**Win32\_USBController**](/windows/win32/cimwin32prov/win32-usbcontroller)    |
-[**Win32\_UTCTime**](/previous-versions/windows/desktop/wmitimepprov/win32-utctime)          | ![cross mark](images/checkmark.png)
+[**Win32\_UTCTime**](/previous-versions/windows/desktop/wmitimepprov/win32-utctime)          | ![cross mark.](images/checkmark.png)
 [**Win32\_VideoController**](/windows/win32/cimwin32prov/win32-videocontroller) |
 **Win32\_WindowsUpdateAgentVersion**                                                        |
  
diff --git a/windows/client-management/quick-assist.md b/windows/client-management/quick-assist.md
index 6a50151342..acdcd2d268 100644
--- a/windows/client-management/quick-assist.md
+++ b/windows/client-management/quick-assist.md
@@ -57,7 +57,7 @@ Both the helper and sharer must be able to reach these endpoints over port 443:
 
 7. RDP shares the video to the helper over https (port 443) through the RDP relay service to the helper's RDP control. Input is shared from the helper to the sharer through the RDP relay service.
 
-:::image type="content" source="images/quick-assist-flow.png" lightbox="images/quick-assist-flow.png" alt-text="Schematic flow of connections when a Quick Assist session is established":::
+:::image type="content" source="images/quick-assist-flow.png" lightbox="images/quick-assist-flow.png" alt-text="Schematic flow of connections when a Quick Assist session is established.":::
 
 ### Data and privacy
 
diff --git a/windows/client-management/troubleshoot-inaccessible-boot-device.md b/windows/client-management/troubleshoot-inaccessible-boot-device.md
index e0afd3d480..490b24075a 100644
--- a/windows/client-management/troubleshoot-inaccessible-boot-device.md
+++ b/windows/client-management/troubleshoot-inaccessible-boot-device.md
@@ -119,7 +119,7 @@ To verify the BCD entries:
    > [!NOTE]
    > If the computer is UEFI-based, the file path value that's specified in the **path** parameter of **{bootmgr}** and **{default}** contains an **.efi** extension.
 
-   ![bcdedit](images/screenshot1.png)
+   ![bcdedit.](images/screenshot1.png)
 
 If any of the information is wrong or missing, we recommend that you create a backup of the BCD store. To do this, run `bcdedit /export C:\temp\bcdbackup`. This command creates a backup in **C:\\temp\\** that's named **bcdbackup**. To restore the backup, run `bcdedit /import C:\temp\bcdbackup`. This command overwrites all BCD settings by using the settings in **bcdbackup**.
 
@@ -179,11 +179,11 @@ Dism /Image:<Specify the OS drive>: /Get-packages
 
 After you run this command, you'll see the **Install pending** and **Uninstall Pending** packages:
 
-![Dism output pending update](images/pendingupdate.png)
+![Dism output pending update.](images/pendingupdate.png)
 
 1. Run the `dism /Image:C:\ /Cleanup-Image /RevertPendingActions` command. Replace **C:** with the system partition for your computer.
 
-    ![Dism output revert pending](images/revertpending.png)
+    ![Dism output revert pending.](images/revertpending.png)
 
 2. Navigate to ***OSdriveLetter*:\Windows\WinSxS**, and then check whether the **pending.xml** file exists. If it does, rename it to **pending.xml.old**.
 
@@ -193,14 +193,14 @@ After you run this command, you'll see the **Install pending** and **Uninstall P
 
 5. Navigate to ***OSdriveLetter*:\Windows\System32\config**, select the file that's named **COMPONENT** (with no extension), and then select **Open**. When you're prompted, enter the name **OfflineComponentHive** for the new hive.
     
-    ![Load Hive](images/loadhive.png)
+    ![Load Hive.](images/loadhive.png)
 
 6. Expand **HKEY_LOCAL_MACHINE\OfflineComponentHive**, and check whether the **PendingXmlIdentifier** key exists. Create a backup of the **OfflineComponentHive** key, and then delete the **PendingXmlIdentifier** key.
 
 7. Unload the hive. To do this, highlight **OfflineComponentHive**, and then select **File** > **Unload hive**.
 
    > [!div class="mx-imgBorder"]
-   > ![Unload Hive](images/unloadhive.png)![Unload Hive](images/unloadhive1.png)
+   > ![Unload Hive.](images/unloadhive.png)![Unload Hive](images/unloadhive1.png)
 
 8. Select **HKEY_LOCAL_MACHINE**, go to **File** > **Load Hive**, navigate to ***OSdriveLetter*:\Windows\System32\config**, select the file that's named **SYSTEM** (with no extension), and then select **Open**. When you're prompted, enter the name **OfflineSystemHive** for the new hive.
 
@@ -256,7 +256,7 @@ Check whether there are any non-Microsoft upper and lower filter drivers on the
    \Control\Class\\{71A27CDD-812A-11D0-BEC7-08002BE2092F}
 
    > [!div class="mx-imgBorder"]
-   > ![Registry](images/controlset.png) 
+   > ![Registry.](images/controlset.png) 
 
    If an **UpperFilters**  or **LowerFilters**  entry is non-standard (for example, it's not a Windows default filter driver, such as PartMgr), remove the entry. To remove it, double-click it in the right pane, and then delete only that value.
 
@@ -274,8 +274,8 @@ Check whether there are any non-Microsoft upper and lower filter drivers on the
 
 *	`chkdsk /f /r OsDrive:`
 
-    ![Check disk](images/check-disk.png)
+    ![Check disk.](images/check-disk.png)
 
 *	`sfc /scannow /offbootdir=OsDrive:\ /offwindir=OsDrive:\Windows`
 
-    ![SFC scannow](images/sfc-scannow.png)
+    ![SFC scannow.](images/sfc-scannow.png)
diff --git a/windows/client-management/troubleshoot-stop-errors.md b/windows/client-management/troubleshoot-stop-errors.md
index 454101462a..390add3169 100644
--- a/windows/client-management/troubleshoot-stop-errors.md
+++ b/windows/client-management/troubleshoot-stop-errors.md
@@ -165,13 +165,13 @@ You can use the tools such as Windows Software Development KIT (SDK) and Symbols
 
 6. Click on **Open Crash Dump**, and then open the memory.dmp file that you copied. See the example below.
 
-    ![WinDbg img](images/windbg.png)
+    ![WinDbg img.](images/windbg.png)
 
 7. There should be a link that says **!analyze -v** under **Bugcheck Analysis**. Click that link. This will enter the command !analyze -v in the prompt at the bottom of the page.
 
 8. A detailed bugcheck analysis will appear. See the example below.
 
-    ![Bugcheck analysis](images/bugcheck-analysis.png)
+    ![Bugcheck analysis.](images/bugcheck-analysis.png)
 
 9. Scroll down to the section where it says **STACK_TEXT**. There will be rows of numbers with each row followed by a colon and some text. That text should tell you what DLL is causing the crash and if applicable what service is crashing the DLL.
 
diff --git a/windows/client-management/troubleshoot-tcpip-connectivity.md b/windows/client-management/troubleshoot-tcpip-connectivity.md
index 77e524634d..10ae554304 100644
--- a/windows/client-management/troubleshoot-tcpip-connectivity.md
+++ b/windows/client-management/troubleshoot-tcpip-connectivity.md
@@ -44,17 +44,17 @@ If the initial TCP handshake is failing because of packet drops, then you would
     
 Source side connecting on port 445:
 
-![Screenshot of frame summary in Network Monitor](images/tcp-ts-6.png)
+![Screenshot of frame summary in Network Monitor.](images/tcp-ts-6.png)
 
 Destination side: applying the same filter, you do not see any packets.
 
-![Screenshot of frame summary with filter in Network Monitor](images/tcp-ts-7.png)
+![Screenshot of frame summary with filter in Network Monitor.](images/tcp-ts-7.png)
 
 For the rest of the data, TCP will retransmit the packets five times.
 
 **Source 192.168.1.62 side trace:**
 
-![Screenshot showing packet side trace](images/tcp-ts-8.png)
+![Screenshot showing packet side trace.](images/tcp-ts-8.png)
 
 **Destination 192.168.1.2 side trace:**
      
@@ -79,15 +79,15 @@ In the below screenshots, you see that the packets seen on the source and the de
     
 **Source Side**
 
-![Screenshot of packets on source side in Network Monitor](images/tcp-ts-9.png)
+![Screenshot of packets on source side in Network Monitor.](images/tcp-ts-9.png)
 
 **On the destination-side trace** 
 
-![Screenshot of packets on destination side in Network Monitor](images/tcp-ts-10.png)
+![Screenshot of packets on destination side in Network Monitor.](images/tcp-ts-10.png)
 
 You also see an ACK+RST flag packet in a case when the TCP establishment packet SYN is sent out. The TCP SYN packet is sent when the client wants to connect on a particular port, but if the destination/server for some reason does not want to accept the packet, it would send an ACK+RST packet.  
 
-![Screenshot of packet flag](images/tcp-ts-11.png)
+![Screenshot of packet flag.](images/tcp-ts-11.png)
 
 The application that's causing the reset (identified by port numbers) should be investigated to understand what is causing it to reset the connection. 
  
@@ -110,8 +110,8 @@ auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:enable /fai
  
 You can then review the Security event logs to see for a packet drop on a particular port-IP and a filter ID associated with it.
 
-![Screenshot of Event Properties](images/tcp-ts-12.png)
+![Screenshot of Event Properties.](images/tcp-ts-12.png)
 
 Now, run the command `netsh wfp show state`, this will generate a wfpstate.xml file. After you open this file and filter for the ID that you find in the above event (2944008), you'll be able to see a firewall rule name that's associated with this ID that's blocking the connection.
 
-![Screenshot of wfpstate.xml file](images/tcp-ts-13.png)
+![Screenshot of wfpstate.xml file.](images/tcp-ts-13.png)
diff --git a/windows/client-management/troubleshoot-tcpip-netmon.md b/windows/client-management/troubleshoot-tcpip-netmon.md
index b432191920..daa23de8b1 100644
--- a/windows/client-management/troubleshoot-tcpip-netmon.md
+++ b/windows/client-management/troubleshoot-tcpip-netmon.md
@@ -21,7 +21,7 @@ In this topic, you will learn how to use Microsoft Network Monitor 3.4, which is
 
 To get started, [download Network Monitor tool](https://www.microsoft.com/download/details.aspx?id=4865). When you install Network Monitor, it installs its driver and hooks it to all the network adapters installed on the device. You can see the same on the adapter properties, as shown in the following image:
 
-![Adapters](images/nm-adapters.png)
+![Adapters.](images/nm-adapters.png)
 
 When the driver gets hooked to the network interface card (NIC) during installation, the NIC is reinitialized, which might cause a brief network glitch.
 
@@ -29,15 +29,15 @@ When the driver gets hooked to the network interface card (NIC) during installat
 
 1. Run netmon in an elevated status by choosing Run as Administrator.
 
-    ![Image of Start search results for Netmon](images/nm-start.png)
+    ![Image of Start search results for Netmon.](images/nm-start.png)
 
 2. Network Monitor opens with all network adapters displayed. Select the network adapters where you want to capture traffic, click **New Capture**, and then click **Start**.
 
-    ![Image of the New Capture option on menu](images/tcp-ts-4.png)
+    ![Image of the New Capture option on menu.](images/tcp-ts-4.png)
 
 3. Reproduce the issue, and you will see that Network Monitor grabs the packets on the wire.
 
-    ![Frame summary of network packets](images/tcp-ts-5.png)
+    ![Frame summary of network packets.](images/tcp-ts-5.png)
 
 4. Select **Stop**, and go to **File > Save as** to save the results. By default, the file will be saved as a ".cap" file.
 
diff --git a/windows/client-management/troubleshoot-tcpip-port-exhaust.md b/windows/client-management/troubleshoot-tcpip-port-exhaust.md
index ca8551b1dd..4c1e8b1b7f 100644
--- a/windows/client-management/troubleshoot-tcpip-port-exhaust.md
+++ b/windows/client-management/troubleshoot-tcpip-port-exhaust.md
@@ -58,19 +58,19 @@ Since outbound connections start to fail, you will see a lot of the below behavi
  
 - Unable to sign in to the machine with domain credentials, however sign-in with local account works. Domain sign-in will require you to contact the DC for authentication which is again an outbound connection. If you have cache credentials set, then domain sign-in might still work.
 
-    ![Screenshot of error for NETLOGON in Event Viewer](images/tcp-ts-14.png)
+    ![Screenshot of error for NETLOGON in Event Viewer.](images/tcp-ts-14.png)
 
 - Group Policy update failures:
 
-    ![Screenshot of event properties for Group Policy failure](images/tcp-ts-15.png)
+    ![Screenshot of event properties for Group Policy failure.](images/tcp-ts-15.png)
 
 - File shares are inaccessible:
 
-    ![Screenshot of error message "Windows cannot access"](images/tcp-ts-16.png)
+    ![Screenshot of error message "Windows cannot access."](images/tcp-ts-16.png)
 
 - RDP from the affected server fails:
 
-    ![Screenshot of error when Remote Desktop is unable to connect](images/tcp-ts-17.png)
+    ![Screenshot of error when Remote Desktop is unable to connect.](images/tcp-ts-17.png)
 
 - Any other application running on the machine will start to give out errors
 
@@ -84,15 +84,15 @@ If you suspect that the machine is in a state of port exhaustion:
 
     a.	**Event ID 4227**
 
-    ![Screenshot of event id 4227 in Event Viewer](images/tcp-ts-18.png)
+    ![Screenshot of event id 4227 in Event Viewer.](images/tcp-ts-18.png)
 
     b.	**Event ID 4231**
 
-    ![Screenshot of event id 4231 in Event Viewer](images/tcp-ts-19.png)
+    ![Screenshot of event id 4231 in Event Viewer.](images/tcp-ts-19.png)
 
 3. Collect a `netstat -anob` output from the server. The netstat output will show you a huge number of entries for TIME_WAIT state for a single PID.
 
-    ![Screenshot of netstate command output](images/tcp-ts-20.png)
+    ![Screenshot of netstate command output.](images/tcp-ts-20.png)
 
 After a graceful closure or an abrupt closure of a session, after a period of 4 minutes (default), the port used the process or application would be released back to the available pool. During this 4 minutes, the TCP connection state will be TIME_WAIT state. In a situation where you suspect port exhaustion, an application or process will not be able to release all the ports that it has consumed and will remain in the TIME_WAIT state.
  
@@ -136,7 +136,7 @@ If method 1 does not help you identify the process (prior to Windows 10 and Wind
 1. Add a column called “handles” under details/processes.
 2. Sort the column handles to identify the process with the highest number of handles. Usually the process with handles greater than 3000 could be the culprit except for processes like System, lsass.exe, store.exe, sqlsvr.exe.
 
-    ![Screenshot of handles column in Windows Task Maner](images/tcp-ts-21.png)
+    ![Screenshot of handles column in Windows Task Maner.](images/tcp-ts-21.png)
 
 3. If any other process than these has a higher number, stop that process and then try to login using domain credentials and see if it succeeds.
  
@@ -157,7 +157,7 @@ Steps to use Process explorer:
     
     File   \Device\AFD
 
-    ![Screenshot of Process Explorer](images/tcp-ts-22.png)
+    ![Screenshot of Process Explorer.](images/tcp-ts-22.png)
 
 10. Some are normal, but large numbers of them are not (hundreds to thousands). Close the process in question. If that restores outbound connectivity, then you have further proven that the app is the cause. Contact the vendor of that app.
  
diff --git a/windows/client-management/troubleshoot-tcpip-rpc-errors.md b/windows/client-management/troubleshoot-tcpip-rpc-errors.md
index 37b4dfa002..ba02501c81 100644
--- a/windows/client-management/troubleshoot-tcpip-rpc-errors.md
+++ b/windows/client-management/troubleshoot-tcpip-rpc-errors.md
@@ -16,7 +16,7 @@ manager: dansimp
 
 You might encounter an **RPC server unavailable** error when connecting to Windows Management Instrumentation (WMI), SQL Server, during a remote connection, or for some Microsoft Management Console (MMC) snap-ins. The following image is an example of an RPC error.
 
-![The following error has occurred: the RPC server is unavailable](images/rpc-error.png)
+![The following error has occurred: the RPC server is unavailable.](images/rpc-error.png)
 
 This is a commonly encountered error message in the networking world and one can lose hope very fast without trying to understand much, as to what is happening ‘under the hood’. 
 
@@ -37,7 +37,7 @@ Before getting in to troubleshooting the <em>*RPC server unavailable</em>- error
 
 Client A wants to execute some functions or wants to make use of a service running on the remote server, will first establish the connection with the Remote Server by doing a three-way handshake.  
 
-![Diagram illustrating connection to remote server](images/rpc-flow.png)
+![Diagram illustrating connection to remote server.](images/rpc-flow.png)
 
 RPC ports can be given from a specific range as well.
 ### Configure RPC dynamic port allocation
@@ -162,13 +162,13 @@ Open the traces in [Microsoft Network Monitor 3.4](troubleshoot-tcpip-netmon.md)
 
 - Now check if you are getting a response from the server. If you get a response, note the dynamic port number that you have been allocated to use.
 
-    ![Screenshot of Network Monitor with dynamic port highlighted](images/tcp-ts-23.png)
+    ![Screenshot of Network Monitor with dynamic port highlighted.](images/tcp-ts-23.png)
 
 - Check if we are connecting successfully to this Dynamic port successfully.
 
 - The filter should be something like this: `tcp.port==<dynamic-port-allocated>` and `ipv4.address==<server-ip>` 
 
-    ![Screenshot of Network Monitor with filter applied](images/tcp-ts-24.png)
+    ![Screenshot of Network Monitor with filter applied.](images/tcp-ts-24.png)
 
 This should help you verify the connectivity and isolate if any network issues are seen.
 
@@ -177,7 +177,7 @@ This should help you verify the connectivity and isolate if any network issues a
 
 The most common reason why we would see the RPC server unavailable is when the dynamic port that the client tries to connect is not reachable. The client side trace would then show TCP SYN retransmits for the dynamic port.
  
-![Screenshot of Network Monitor with TCP SYN retransmits](images/tcp-ts-25.png)
+![Screenshot of Network Monitor with TCP SYN retransmits.](images/tcp-ts-25.png)
  
 The port cannot be reachable due to one of the following reasons:
 
diff --git a/windows/client-management/windows-version-search.md b/windows/client-management/windows-version-search.md
index 29a781be98..16c416a9cd 100644
--- a/windows/client-management/windows-version-search.md
+++ b/windows/client-management/windows-version-search.md
@@ -22,27 +22,27 @@ Click **Start** > **Settings** > **System** > click **About** from the bottom of
 
 You'll now see **Edition**, **Version**, and **OS Build** information. Something like this:
 
-![screenshot of the system properties window for a device running Windows 10](images/systemcollage.png)
+![screenshot of the system properties window for a device running Windows 10.](images/systemcollage.png)
 
 ## Using Keyword Search
 You can simply type the following in the search bar and press **ENTER** to see version details for your device. 
 
 **“winver”**
 
-![screenshot of the About Windows display text](images/winver.png)
+![screenshot of the About Windows display text.](images/winver.png)
 
 **“msinfo”** or **"msinfo32"** to open **System Information**:
 
-![screenshot of the System Information display text](images/msinfo32.png)
+![screenshot of the System Information display text.](images/msinfo32.png)
 
 ## Using Command Prompt or PowerShell
 At the Command Prompt or PowerShell interface, type **"systeminfo | findstr /B /C:"OS Name" /B /C:"OS Version"** and then press **ENTER**
 
-![screenshot of system information display text](images/refcmd.png)
+![screenshot of system information display text.](images/refcmd.png)
 
 At the Command Prompt or PowerShell, type **"slmgr /dlv"**, and then press ENTER. The /dlv command displays the detailed licensing information. Notice the output displays "EnterpriseS" as seen in the image below:
 
-![screenshot of software licensing manager](images/slmgr_dlv.png)
+![screenshot of software licensing manager.](images/slmgr_dlv.png)
 
 ## What does it all mean?
 
diff --git a/windows/configuration/configure-windows-10-taskbar.md b/windows/configuration/configure-windows-10-taskbar.md
index 15407ebc50..5f433844ac 100644
--- a/windows/configuration/configure-windows-10-taskbar.md
+++ b/windows/configuration/configure-windows-10-taskbar.md
@@ -31,7 +31,7 @@ The order of apps in the XML file dictates the order of pinned apps on the taskb
 
 The following example shows how apps will be pinned: Windows default apps to the left (blue circle), apps pinned by the user in the center (orange triangle), and apps that you pin using the XML file to the right (green square).
 
-![Windows left, user center, enterprise to the right](images/taskbar-generic.png)
+![Windows left, user center, enterprise to the right.](images/taskbar-generic.png)
 
 
 ## Configure taskbar (general)
@@ -142,11 +142,11 @@ The `<CustomTaskbarLayoutCollection>` section will append listed apps to the tas
 ```
 **Before:**
 
-![default apps pinned to taskbar](images/taskbar-default.png)
+![default apps pinned to taskbar.](images/taskbar-default.png)
 
 **After:**
 
- ![additional apps pinned to taskbar](images/taskbar-default-plus.png)
+ ![additional apps pinned to taskbar.](images/taskbar-default-plus.png)
 
 ## Remove default apps and add your own
 
@@ -175,11 +175,11 @@ If you only want to remove some of the default pinned apps, you would use this m
 ```
 **Before:**
 
-![Taskbar with default apps](images/taskbar-default.png)
+![Taskbar with default apps.](images/taskbar-default.png)
 
 **After:**
 
-![Taskbar with default apps removed](images/taskbar-default-removed.png)
+![Taskbar with default apps removed.](images/taskbar-default-removed.png)
 
 ## Remove default apps
 
@@ -250,15 +250,15 @@ The following example shows you how to configure taskbars by country or region.
 
 When the preceding example XML file is applied, the resulting taskbar for computers in the US or UK:
 
-![taskbar for US and UK locale](images/taskbar-region-usuk.png)
+![taskbar for US and UK locale.](images/taskbar-region-usuk.png)
 
 The resulting taskbar for computers in Germany or France:
 
-![taskbar for DE and FR locale](images/taskbar-region-defr.png)
+![taskbar for DE and FR locale.](images/taskbar-region-defr.png)
 
 The resulting taskbar for computers in any other country region:
 
-![taskbar for all other regions](images/taskbar-region-other.png)
+![taskbar for all other regions.](images/taskbar-region-other.png)
 
 
 > [!NOTE]
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-crm.md b/windows/configuration/cortana-at-work/cortana-at-work-crm.md
index e8a0cdee55..1190119050 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-crm.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-crm.md
@@ -19,7 +19,7 @@ Cortana integration is a Preview feature that's available for your test or dev e
 >[!NOTE]
 >For more info about Dynamics CRM integration, how to turn on Cortana, and how to provide feedback, see [Preview feature: Set up Cortana integration](https://go.microsoft.com/fwlink/p/?LinkId=746819).
 
-![Cortana at work, showing the sales data pulled from Dynamics CRM](../images/cortana-crm-screen.png)
+![Cortana at work, showing the sales data pulled from Dynamics CRM.](../images/cortana-crm-screen.png)
 
 ## Turn on Cortana with Dynamics CRM in your organization
 You must be a CRM administrator to turn on and use Preview features. For more info about what Preview features are and how to use them, see [What are Preview features and how do I enable them](https://go.microsoft.com/fwlink/p/?LinkId=746817)?
@@ -43,7 +43,7 @@ You must tell your employees to turn on Cortana, before they’ll be able to use
 
 2. Click on **Connected Services**, click **Dynamics CRM**, and then click **Connect**.
 
-    ![Cotana at work, showing how to turn on the connected services for Dynamics CRM](../images/cortana-connect-crm.png)
+    ![Cotana at work, showing how to turn on the connected services for Dynamics CRM.](../images/cortana-connect-crm.png)
 
     The employee can also disconnect by clicking **Disconnect** from the **Dynamics CRM** screen.
 
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md b/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md
index 65919eb8e8..481cb27659 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md
@@ -48,35 +48,35 @@ Before you can start this testing scenario, you must first set up your test envi
 
 2. Expand the left rail by clicking the **Show the navigation pane** icon.
 
-    ![Cortana at work, showing the navigation expand icon in Power BI](../images/cortana-powerbi-expand-nav.png)
+    ![Cortana at work, showing the navigation expand icon in Power BI.](../images/cortana-powerbi-expand-nav.png)
 
 3. Click **Get Data** from the left-hand navigation in Power BI.
 
-    ![Cortana at work, showing the Get Data link](../images/cortana-powerbi-getdata.png)
+    ![Cortana at work, showing the Get Data link.](../images/cortana-powerbi-getdata.png)
 
 4. Click **Samples** from the **Content Pack Library** area of the **Get Data** screen.
 
-    ![Cortana at work, showing the Samples link](../images/cortana-powerbi-getdata-samples.png)
+    ![Cortana at work, showing the Samples link.](../images/cortana-powerbi-getdata-samples.png)
 
 5. Click **Retail Analysis Sample**, and then click **Connect**.
 
-    ![Cortana at work, showing the Samples link](../images/cortana-powerbi-retail-analysis-sample.png)
+    ![Cortana at work, showing the Samples link.](../images/cortana-powerbi-retail-analysis-sample.png)
  
     The sample data is imported and you’re returned to the **Power BI** screen.
 
 6. Click **Dashboards** from the left pane of the **Power BI** screen, and then click **Retail Analysis Sample**.
 
-    ![Cortana at work, showing a dashboard view of the sample data](../images/cortana-powerbi-retail-analysis-dashboard.png)    
+    ![Cortana at work, showing a dashboard view of the sample data.](../images/cortana-powerbi-retail-analysis-dashboard.png)    
  
 7. In the upper right-hand menu, click the **Settings** icon, and then click **Settings**.
 
-    ![Cortana at work, showing where to find the Settings option](../images/cortana-powerbi-settings.png) 
+    ![Cortana at work, showing where to find the Settings option.](../images/cortana-powerbi-settings.png) 
 
 8. Click the **Datasets** tab, and then pick the **Retail Analysis Sample** dataset from the list.
 
 9. Click **Q&A and Cortana**, check the **Allow Cortana to access this dataset** box, and then click **Apply**.
 
-    ![Cortana at work, showing where to find the dataset options](../images/cortana-powerbi-retail-analysis-dataset.png)
+    ![Cortana at work, showing where to find the dataset options.](../images/cortana-powerbi-retail-analysis-dataset.png)
 
     >[!NOTE]
     >It can take up to 30 minutes for a new dataset to appear for Power BI and Cortana. Logging in and out of Windows 10, or otherwise restarting Cortana, causes the new content to appear immediately.<p>If you enable a dataset for Cortana, and that dataset is part of a content pack you own, you’ll need to re-publish for your colleagues to also use it with Cortana.
@@ -92,7 +92,7 @@ After you’ve finished creating your Answer Page, you can continue to the inclu
 **To create a custom sales data Answer Page for Cortana**
 1. In Power BI, click **My Workspace**, click **Create**, and then click **Report**.
 
-    ![Cortana at work, showing where to create the new report](../images/cortana-powerbi-create-report.png)
+    ![Cortana at work, showing where to create the new report.](../images/cortana-powerbi-create-report.png)
  
 2. In the **Create Report** screen, click the **Retail Analysis Sample**, and then click **Create**.
 
@@ -100,11 +100,11 @@ After you’ve finished creating your Answer Page, you can continue to the inclu
 
 3. In the **Visualizations** pane, click the paint roller icon, expand **Page Size**, and then pick **Cortana** from the **Type** drop-down list.
 
-    ![Cortana at work, showing the Visualizations options](../images/cortana-powerbi-pagesize.png)
+    ![Cortana at work, showing the Visualizations options.](../images/cortana-powerbi-pagesize.png)
 
 4. In the **Fields** pane, click to expand **Sales**, expand **This year sales**, and then add both **Value** and **Goal**.
 
-    ![Cortana at work, showing the Field options](../images/cortana-powerbi-field-selection.png)
+    ![Cortana at work, showing the Field options.](../images/cortana-powerbi-field-selection.png)
  
     The automatically generated graph is added to your blank report. You have the option to change colors, add borders, add additional visualizations, and modify this page so that it answers the question about sales data as precisely, and in as custom a way, as you want. You just need to make sure that it all stays within the page borders.
 
@@ -112,7 +112,7 @@ After you’ve finished creating your Answer Page, you can continue to the inclu
 
     The alternate names help Cortana to know what questions to look for and when to show this report. To also improve your results, you should avoid using the names of your report columns.
 
-    ![Cortana at work, showing the page info for your specific report](../images/cortana-powerbi-report-qna.png)
+    ![Cortana at work, showing the page info for your specific report.](../images/cortana-powerbi-report-qna.png)
     
 6. Click **File**, click **Save as**, and save the report as _Sales data 2016_. 
 
@@ -128,13 +128,13 @@ Now that you’ve set up your device, you can use Cortana to show your info from
 
     Cortana shows you the available results.
 
-    ![Cortana at work, showing the best matches based on the Power BI data](../images/cortana-powerbi-search.png)
+    ![Cortana at work, showing the best matches based on the Power BI data.](../images/cortana-powerbi-search.png)
  	 
 3. In the **Power BI** area, click **This year in sales – in Retail Analysis Sample**.
 
  	Cortana returns your custom report.
 
-    ![Cortana at work, showing your custom report from Power BI](../images/cortana-powerbi-myreport.png)
+    ![Cortana at work, showing your custom report from Power BI.](../images/cortana-powerbi-myreport.png)
  	 
 >[!NOTE]
 >For more info about how to connect your own data, build your own custom Power BI cards and Answer Pages for Cortana, and how to share the cards with everyone in your organization, see [Use Power BI to create a custom Answer Page for Cortana](https://powerbi.microsoft.com/documentation/powerbi-service-cortana-desktop-entity-cards/).
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md
index 478aeb7938..c701623a88 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md
@@ -49,7 +49,7 @@ While these aren't line-of-business apps, we've worked to make sure to implement
 
 2. Click on **Connected Services**, click **Uber**, and then click **Connect**.
 
-    ![Cortana at work, showing where to connect the Uber service to Cortana](../images/cortana-connect-uber.png)
+    ![Cortana at work, showing where to connect the Uber service to Cortana.](../images/cortana-connect-uber.png)
 
 **To use the voice-enabled commands with Cortana**
 1. Click on the **Cortana** icon in the taskbar, and then click the **Microphone** icon (to the right of the **Search** box).
diff --git a/windows/configuration/customize-and-export-start-layout.md b/windows/configuration/customize-and-export-start-layout.md
index 601ad70810..f50e213ce8 100644
--- a/windows/configuration/customize-and-export-start-layout.md
+++ b/windows/configuration/customize-and-export-start-layout.md
@@ -161,7 +161,7 @@ When you have the Start layout that you want your users to see, use the [Export-
 
 A partial Start layout enables you to add one or more customized tile groups to users' Start screens or menus, while still allowing users to make changes to other parts of the Start layout. All groups that you add are *locked*, meaning users cannot change the contents of those tile groups, however users can change the location of those groups. Locked groups are identified with an icon, as shown in the following image.
 
-![locked tile group](images/start-pinned-app.png)
+![locked tile group.](images/start-pinned-app.png)
 
 When a partial Start layout is applied for the first time, the new groups are added to the users' existing Start layouts. If an app tile is in both an existing group and in a new locked group, the duplicate app tile is removed from the existing (unlocked) group.
 
diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md
index 12f62c8444..7b7dcaed64 100644
--- a/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md
+++ b/windows/configuration/customize-windows-10-start-screens-by-using-group-policy.md
@@ -92,13 +92,13 @@ This procedure adds the customized Start and taskbar layout to the user configur
 
 2. Go to **User Configuration** or **Computer Configuration** &gt; **Administrative Templates** &gt;**Start Menu and Taskbar**.
 
-   ![start screen layout policy settings](images/starttemplate.jpg)
+   ![start screen layout policy settings.](images/starttemplate.jpg)
 
 3. Right-click **Start Layout** in the right pane, and click **Edit**.
 
    This opens the **Start Layout** policy settings.
 
-   ![policy settings for start screen layout](images/startlayoutpolicy.jpg)
+   ![policy settings for start screen layout.](images/startlayoutpolicy.jpg)
 
 4. Enter the following settings, and then click **OK**:
 
diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md b/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md
index ea856b24cd..42b70e6248 100644
--- a/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md
+++ b/windows/configuration/customize-windows-10-start-screens-by-using-provisioning-packages-and-icd.md
@@ -87,7 +87,7 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L
 
 7. Open the customizations.xml file in a text editor. The **&lt;Customizations&gt;** section will look like this:
 
-    ![Customizations file with the placeholder text to replace highlighted](images/customization-start.png)
+    ![Customizations file with the placeholder text to replace highlighted.](images/customization-start.png)
 
 7. Replace **layout.xml** with the text from the layout.xml file, [with markup characters replaced with escape characters](#escape).
 
diff --git a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md
index aa195fb89f..f5540c6ddd 100644
--- a/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md
+++ b/windows/configuration/find-the-application-user-model-id-of-an-installed-app.md
@@ -50,7 +50,7 @@ To get the names and AUMIDs for all apps installed for the current user, perform
 
 3. In the **Choose Details** window, select **AppUserModelId**, and then select **OK**. (You might need to change the **View** setting from **Tiles** to **Details**.)
 
-![Image of the Choose Details options](images/aumid-file-explorer.png)
+![Image of the Choose Details options.](images/aumid-file-explorer.png)
 
 ## To find the AUMID of an installed app for the current user by using the registry
 
diff --git a/windows/configuration/kiosk-methods.md b/windows/configuration/kiosk-methods.md
index bd502511d7..9efa2b652d 100644
--- a/windows/configuration/kiosk-methods.md
+++ b/windows/configuration/kiosk-methods.md
@@ -24,13 +24,13 @@ Some desktop devices in an enterprise serve a special purpose, such as a PC in t
   
     A single-app kiosk is ideal for public use. Using [Shell Launcher](kiosk-shelllauncher.md), you can configure a kiosk device that runs a Windows desktop application as the user interface. The application that you specify replaces the default shell (explorer.exe) that usually runs when a user logs on. This type of single-app kiosk does not run above the lockscreen. 
 
-    ![Illustration of a full-screen kiosk experience](images/kiosk-fullscreen.png)
+    ![Illustration of a full-screen kiosk experience.](images/kiosk-fullscreen.png)
 
 - **A multi-app kiosk**, which runs one or more apps from the desktop. People using the kiosk see a customized Start that shows only the tiles for the apps that are allowed. With this approach, you can configure a locked-down experience for different account types. 
 
     A multi-app kiosk is appropriate for devices that are shared by multiple people. When you configure a multi-app kiosk, [specific policies are enforced](kiosk-policies.md) that will affect **all** non-administrator users on the device. 
 
-    ![Illustration of a kiosk Start screen](images/kiosk-desktop.png)
+    ![Illustration of a kiosk Start screen.](images/kiosk-desktop.png)
 
 Kiosk configurations are based on **Assigned Access**, a feature in Windows 10 that allows an administrator to manage the user's experience by limiting the application entry points exposed to the user. 
 
@@ -38,25 +38,25 @@ There are several kiosk configuration methods that you can choose from, dependin
 
 - **Which type of app will your kiosk run?**
 
-    ![icon that represents apps](images/office-logo.png) 
+    ![icon that represents apps.](images/office-logo.png) 
 
     Your kiosk can run a Universal Windows Platform (UWP) app or a Windows desktop application. For [digital signage](setup-digital-signage.md), simply select a digital sign player as your kiosk app. [Check out the guidelines for kiosk apps.](guidelines-for-assigned-access-app.md)
 
 - **Which type of kiosk do you need?**
 
-    ![icon that represents a kiosk](images/kiosk.png)
+    ![icon that represents a kiosk.](images/kiosk.png)
 
     If you want your kiosk to run a single app for anyone to see or use, consider a single-app kiosk that runs either a [Universal Windows Platform (UWP) app](#uwp) or a [Windows desktop application](#classic). For a kiosk that people can sign in to with their accounts or that runs more than one app, choose [a multi-app kiosk](#desktop).
 
 - **Which edition of Windows 10 will the kiosk run?**
 
-    ![icon that represents Windows](images/windows.png)
+    ![icon that represents Windows.](images/windows.png)
 
     All of the configuration methods work for Windows 10 Enterprise and Education; some of the methods work for Windows 10 Pro. Kiosk mode is not available on Windows 10 Home.
 
 - **Which type of user account will be the kiosk account?**
 
-    ![icon that represents a user account](images/user.png)
+    ![icon that represents a user account.](images/user.png)
 
     The kiosk account can be a local standard user account, a local administrator account, a domain account, or an Azure Active Directory (Azure AD) account, depending on the method that you use to configure the kiosk. If you want people to sign in and authenticate on the device, you should use a multi-app kiosk configuration. The single-app kiosk configuration doesn't require people to sign in to the device, although they can sign in to the kiosk app if you select an app that has a sign-in method.
 
diff --git a/windows/configuration/kiosk-prepare.md b/windows/configuration/kiosk-prepare.md
index 154b35c3d0..ba1aaa2b58 100644
--- a/windows/configuration/kiosk-prepare.md
+++ b/windows/configuration/kiosk-prepare.md
@@ -54,7 +54,7 @@ Disable removable media. |     Go to **Group Policy Editor** &gt; **Computer Con
 
 Logs can help you [troubleshoot issues](./kiosk-troubleshoot.md) kiosk issues. Logs about configuration and runtime issues can be obtained by enabling the **Applications and Services Logs\Microsoft\Windows\AssignedAccess\Operational** channel, which is disabled by default.
 
-![Event Viewer, right-click Operational, select enable log](images/enable-assigned-access-log.png)
+![Event Viewer, right-click Operational, select enable log.](images/enable-assigned-access-log.png)
 
 ## Automatic logon
 
@@ -257,7 +257,7 @@ A single-app kiosk configuration runs an app above the lock screen. It doesn't w
 
 When you connect to a VM configured as a single-app kiosk, you need a *basic* session rather than an enhanced session. In the following image, notice that **Enhanced session** is not selected in the **View** menu; that means it's a basic session.
 
-![VM windows, View menu, Extended session is not selected](images/vm-kiosk.png)
+![VM windows, View menu, Extended session is not selected.](images/vm-kiosk.png)
 
 To connect to a VM in a basic session, do not select **Connect** in the connection dialog, as shown in the following image, but instead, select the **X** button in the upper-right corner to cancel the dialog. 
 
diff --git a/windows/configuration/kiosk-shelllauncher.md b/windows/configuration/kiosk-shelllauncher.md
index f510b637bd..73e724bd75 100644
--- a/windows/configuration/kiosk-shelllauncher.md
+++ b/windows/configuration/kiosk-shelllauncher.md
@@ -137,7 +137,7 @@ The OMA-URI path is `./Device/Vendor/MSFT/AssignedAccess/ShellLauncher`.
 
 For the value, you can select data type `String` and paste the desired configuration file content into the value box. If you wish to upload the xml instead of pasting the content, choose data type `String (XML file)`. 
 
-![Screenshot of custom OMA-URI settings](images/slv2-oma-uri.png)
+![Screenshot of custom OMA-URI settings.](images/slv2-oma-uri.png)
 
 After you configure the profile containing the custom Shell Launcher setting, select **All Devices** or selected groups of devices to apply the profile to. Don't assign the profile to users or user groups.
 
diff --git a/windows/configuration/kiosk-single-app.md b/windows/configuration/kiosk-single-app.md
index 8baee6a466..eac49be093 100644
--- a/windows/configuration/kiosk-single-app.md
+++ b/windows/configuration/kiosk-single-app.md
@@ -24,7 +24,7 @@ ms.topic: article
 
 A single-app kiosk uses the Assigned Access feature to run a single app above the lockscreen. When the kiosk account signs in, the app is launched automatically. The person using the kiosk cannot do anything on the device outside of the kiosk app.
 
-![Illustration of a single-app kiosk experience](images/kiosk-fullscreen-sm.png)
+![Illustration of a single-app kiosk experience.](images/kiosk-fullscreen-sm.png)
 
 >[!IMPORTANT]
 >[User account control (UAC)](/windows/security/identity-protection/user-account-control/user-account-control-overview) must be turned on to enable kiosk mode.
@@ -66,7 +66,7 @@ When your kiosk is a local device that is not managed by Active Directory or Azu
 
 - If you do not want the kiosk account signed in automatically when the device restarts, you must change the default setting before you configure the device as a kiosk. Sign in with the account that you will assign as the kiosk account, go to **Settings** > **Accounts** > **Sign-in options**, and toggle the **Use my sign-in info to automatically finish setting up my device after an update or restart** setting to **Off**. After you change the setting, you can apply the kiosk configuration to the device.
 
-![Screenshot of automatic sign-in setting](images/auto-signin.png)
+![Screenshot of automatic sign-in setting.](images/auto-signin.png)
 
 ### Instructions for Windows 10, version 1809
 
@@ -98,7 +98,7 @@ To remove assigned access, select the account tile on the **Set up a kiosk** pag
 
 When you set up a kiosk (also known as *assigned access*) in **Settings** for Windows 10, version 1803 and earlier, you must select an existing local standard user account. [Learn how to create a local standard user account.](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10)
 
-![The Set up assigned access page in Settings](images/kiosk-settings.png)
+![The Set up assigned access page in Settings.](images/kiosk-settings.png)
 
 **To set up assigned access in PC settings**
 
@@ -131,7 +131,7 @@ To remove assigned access, choose **Turn off assigned access and sign out of the
 >
 >Account type: Local standard user
 
-![PowerShell windows displaying Set-AssignedAccess cmdlet](images/set-assignedaccess.png)
+![PowerShell windows displaying Set-AssignedAccess cmdlet.](images/set-assignedaccess.png)
 
 You can use any of the following PowerShell cmdlets to set up assigned access on multiple devices. 
 
@@ -191,7 +191,7 @@ Clear-AssignedAccess
 >
 >Account type: Local standard user, Active Directory 
 
-![Kiosk wizard option in Windows Configuration Designer](images/kiosk-wizard.png)
+![Kiosk wizard option in Windows Configuration Designer.](images/kiosk-wizard.png)
 
 
 >[!IMPORTANT]
diff --git a/windows/configuration/kiosk-troubleshoot.md b/windows/configuration/kiosk-troubleshoot.md
index 75781737fb..e34bee8204 100644
--- a/windows/configuration/kiosk-troubleshoot.md
+++ b/windows/configuration/kiosk-troubleshoot.md
@@ -53,7 +53,7 @@ For example:
 3. Verify that the configuration XML file is authored and formatted correctly. Correct any configuration errors, then create and apply a new provisioning package. Sign out and sign in again to check the new configuration.
 4. Additional logs about configuration and runtime issues can be obtained by enabling the **Applications and Services Logs\Microsoft\Windows\AssignedAccess\Operational** channel, which is disabled by default.
 
-![Event Viewer, right-click Operational, select enable log](images/enable-assigned-access-log.png)
+![Event Viewer, right-click Operational, select enable log.](images/enable-assigned-access-log.png)
 
 
 ### Automatic logon issues 
diff --git a/windows/configuration/lock-down-windows-10-applocker.md b/windows/configuration/lock-down-windows-10-applocker.md
index c2221b549a..5c2cfa795b 100644
--- a/windows/configuration/lock-down-windows-10-applocker.md
+++ b/windows/configuration/lock-down-windows-10-applocker.md
@@ -34,7 +34,7 @@ AppLocker rules are organized into collections based on file format. If no AppLo
 
 This topic describes how to lock down apps on a local device. You can also use AppLocker to set rules for applications in a domain by using Group Policy.
 
-![install create lockdown customize](images/lockdownapps.png)
+![install create lockdown customize.](images/lockdownapps.png)
 
 ## Install apps
 
@@ -50,13 +50,13 @@ After you install the desired apps, set up AppLocker rules to only allow specifi
 
 2.  Go to **Security Settings** &gt; **Application Control Policies** &gt; **AppLocker**, and select **Configure rule enforcement**.
 
-    ![configure rule enforcement](images/apprule.png)
+    ![configure rule enforcement.](images/apprule.png)
 
 3.  Check **Configured** under **Executable rules**, and then click **OK**.
 
 4.  Right-click **Executable Rules** and then click **Automatically generate rules**.
 
-    ![automatically generate rules](images/genrule.png)
+    ![automatically generate rules.](images/genrule.png)
 
 5.  Select the folder that contains the apps that you want to permit, or select C:\\ to analyze all apps.
 
@@ -68,7 +68,7 @@ After you install the desired apps, set up AppLocker rules to only allow specifi
 
 9.  Read the message and click **Yes**.
 
-    ![default rules warning](images/appwarning.png)
+    ![default rules warning.](images/appwarning.png)
 
 10. (optional) If you want a rule to apply to a specific set of users, right-click on the rule and select **Properties**. Then use the dialog to choose a different user or group of users.
 
diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md
index 702221c085..2bbcd7f1a3 100644
--- a/windows/configuration/lock-down-windows-10-to-specific-apps.md
+++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md
@@ -81,7 +81,7 @@ Let's start by looking at the basic structure of the XML file.
 
 - A profile has no effect if it’s not associated to a config section.
 
-    ![profile = app and config = account](images/profile-config.png)
+    ![profile = app and config = account.](images/profile-config.png)
 
 You can start your file by pasting the following XML (or any other examples in this topic) into a XML editor, and saving the file as *filename*.xml. Each section of this XML is explained in this topic. You can see a full sample version in the [Assigned access XML reference.](kiosk-xml.md)
 
@@ -271,7 +271,7 @@ This example pins Groove Music, Movies & TV, Photos, Weather, Calculator, Paint,
 >[!NOTE]
 >If an app is not installed for the user but is included in the Start layout XML, the app will not be shown on the Start screen.
 
-![What the Start screen looks like when the XML sample is applied](images/sample-start.png)
+![What the Start screen looks like when the XML sample is applied.](images/sample-start.png)
 
 ##### Taskbar
 
@@ -494,7 +494,7 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L
 
 7. In the center pane, click **Browse** to locate and select the assigned access configuration XML file that you created.
 
-   ![Screenshot of the MultiAppAssignedAccessSettings field in Windows Configuration Designer](images/multiappassignedaccesssettings.png)
+   ![Screenshot of the MultiAppAssignedAccessSettings field in Windows Configuration Designer.](images/multiappassignedaccesssettings.png)
 
 8. (**Optional**: If you want to apply the provisioning package after device initial setup and there is an admin user already available on the kiosk device, skip this step.) Create an admin user account in **Runtime settings** &gt; **Accounts** &gt; **Users**. Provide a **UserName** and **Password**, and select **UserGroup** as **Administrators**. With this account, you can view the provisioning status and logs if needed.
 
@@ -544,7 +544,7 @@ Provisioning packages can be applied to a device during the first-run experience
 
 1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**.
 
-    ![The first screen to set up a new PC](images/oobe.jpg)
+    ![The first screen to set up a new PC.](images/oobe.jpg)
 
 2. Insert the USB drive. Windows Setup will recognize the drive and ask if you want to set up the device. Select **Set up**.
 
@@ -552,11 +552,11 @@ Provisioning packages can be applied to a device during the first-run experience
 
 3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**.
 
-    ![Provision this device](images/prov.jpg)
+    ![Provision this device.](images/prov.jpg)
 
 4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**.
 
-    ![Choose a package](images/choose-package.png)
+    ![Choose a package.](images/choose-package.png)
 
 5. Select **Yes, add it**.
 
@@ -570,7 +570,7 @@ Provisioning packages can be applied to a device during the first-run experience
 >[!NOTE]
 >if your provisioning package doesn’t include the assigned access user account creation, make sure the account you specified in the multi-app configuration XML exists on the device.
 
-![add a package option](images/package.png)
+![add a package option.](images/package.png)
 
 <span id="alternate-methods" />
 ### Use MDM to deploy the multi-app configuration
diff --git a/windows/configuration/manage-wifi-sense-in-enterprise.md b/windows/configuration/manage-wifi-sense-in-enterprise.md
index d577b69cff..6dc4c73ddb 100644
--- a/windows/configuration/manage-wifi-sense-in-enterprise.md
+++ b/windows/configuration/manage-wifi-sense-in-enterprise.md
@@ -46,7 +46,7 @@ You can manage your Wi-Fi Sense settings by using Group Policy and your Group Po
 
 1.  Open your Group Policy editor and go to the `Computer Configuration\Administrative Templates\Network\WLAN Service\WLAN Settings\Allow Windows to automatically connect to suggested open hotspots, to networks shared by contacts, and to hotspots offering paid services` setting.
 
-    ![Group Policy Editor, showing the Wi-Fi Sense setting](images/wifisense-grouppolicy.png)
+    ![Group Policy Editor, showing the Wi-Fi Sense setting.](images/wifisense-grouppolicy.png)
 
 2.  Turn Wi-Fi Sense on (enabled) or off (disabled), based on your company's environment.
 
@@ -60,7 +60,7 @@ You can manage your Wi-Fi Sense settings by using registry keys and the Registry
 2. Create and set a new **DWORD (32-bit) Value** named, **AutoConnectAllowedOEM**, with a **Value data** of **0 (zero)**.
    <p>Setting this value to <strong>0</strong> turns off Wi-Fi Sense and all Wi-Fi sense features. When turned off, the Wi-Fi Sense settings still appear on the <strong>Wi-Fi Settings</strong> screen, but can&#39;t be controlled by the employee and all of the Wi-Fi Sense features are turned off. For more info, see <a href="/troubleshoot/windows-client/networking/configure-wifi-sense-and-paid-wifi-service" data-raw-source="[How to configure Wi-Fi Sense on Windows 10 in an enterprise](/troubleshoot/windows-client/networking/configure-wifi-sense-and-paid-wifi-service)">How to configure Wi-Fi Sense on Windows 10 in an enterprise</a>.
 
-   ![Registry Editor, showing the creation of a new DWORD value](images/wifisense-registry.png)
+   ![Registry Editor, showing the creation of a new DWORD value.](images/wifisense-registry.png)
 
 ### Using the Windows Provisioning settings
 You can manage your Wi-Fi Sense settings by changing the Windows provisioning setting, **WiFISenseAllowed**.
@@ -81,7 +81,7 @@ If your company still uses Unattend, you can manage your Wi-Fi Sense settings by
 ### How employees can change their own Wi-Fi Sense settings
 If you don’t turn off the ability for your employees to use Wi-Fi Sense, they can turn it on locally by selecting **Settings &gt; Network & Internet &gt; Wi-Fi &gt; Manage Wi-Fi settings**, and then turning on **Connect to suggested open hotspots**.
 
-![Wi-Fi Sense options shown to employees if it's not turned off](images/wifisense-settingscreens.png)
+![Wi-Fi Sense options shown to employees if it's not turned off.](images/wifisense-settingscreens.png)
 
 **Important**<br>The service that was used to share networks with Facebook friends, Outlook.com contacts, or Skype contacts is no longer available. This means:
 
diff --git a/windows/configuration/mobile-devices/lockdown-xml.md b/windows/configuration/mobile-devices/lockdown-xml.md
index ecf485cb1d..87f2b7b7cf 100644
--- a/windows/configuration/mobile-devices/lockdown-xml.md
+++ b/windows/configuration/mobile-devices/lockdown-xml.md
@@ -62,7 +62,7 @@ The settings for the Default role and other roles must be listed in your XML fil
 
 ## Action Center
 
-![XML for Action Center](../images/ActionCenterXML.jpg)
+![XML for Action Center.](../images/ActionCenterXML.jpg)
 
 The Action Center setting controls whether the user can open the Action Center on the device. When the Action Center is disabled, notifications on the lockscreen and toasts are also disabled. You can use optional attributes with the Action Center element to change that behavior for either notifications, toasts, or both.
 
@@ -92,7 +92,7 @@ The following example is a complete lockdown XML file that disables Action Cente
 
 ## Apps
 
-![XML for Apps](../images/AppsXML.png)
+![XML for Apps.](../images/AppsXML.png)
 
 The Apps setting serves as an allow list and specifies the applications that will be available in the All apps list. Apps that are not included in this setting are hidden from the user and blocked from running. 
 
@@ -110,7 +110,7 @@ The following example makes Outlook Calendar available on the device.
 
 When you list an app, you can also set the app to be pinned to the Start screen by specifying the tile size and location. Tip: draw a grid and mark your app tiles on it to make sure you get the result you want. The width (X axis) in the following example is the limit for Windows 10 Mobile, but the length (Y axis) is unlimited. The number of columns available to you depends on the value for [StartScreenSize](#start-screen-size).
 
-![Grid to lay out tiles for Start](../images/StartGrid.jpg)
+![Grid to lay out tiles for Start.](../images/StartGrid.jpg)
 
 Tile sizes are:
 * Small: 1x1
@@ -152,7 +152,7 @@ In the following example, Outlook Calendar and Outlook Mail are pinned to the St
 
 That layout would appear on a device like this:
 
-![Example of the layout on a Start screen](../images/StartGridPinnedApps.jpg)
+![Example of the layout on a Start screen.](../images/StartGridPinnedApps.jpg)
 
 You can create and pin folders to Start by using the Apps setting. Each folder requires a **folderId**, which must be a consecutive positive integer starting with `1`. You can also specify a **folderName** (optional) which will be displayed on Start.
 
@@ -203,7 +203,7 @@ When an app is contained in a folder, its **PinToStart** configuration (tile siz
 
 ## Buttons
 
-![XML for buttons](../images/ButtonsXML.jpg)
+![XML for buttons.](../images/ButtonsXML.jpg)
 
 In the Buttons setting, you use ButtonLockdownList to disable hardware buttons and ButtonRemapList to change button events to open an app that you specify. 
 
@@ -213,11 +213,11 @@ When a user taps a button that is in the lockdown list, nothing will happen. The
 
 Button | Press | PressAndHold | All
 ---|:---:|:---:|:--:|-
-Start | ![no](../images/crossmark.png) | ![yes](../images/checkmark.png) | ![no](../images/crossmark.png)
-Back | ![yes](../images/checkmark.png) | ![yes](../images/checkmark.png) | ![yes](../images/checkmark.png) 
-Search | ![yes](../images/checkmark.png) | ![yes](../images/checkmark.png) | ![yes](../images/checkmark.png)
-Camera | ![yes](../images/checkmark.png) | ![yes](../images/checkmark.png) | ![yes](../images/checkmark.png)
-Custom 1, 2, and 3 | ![yes](../images/checkmark.png) | ![yes](../images/checkmark.png) | ![yes](../images/checkmark.png)
+Start | ![no.](../images/crossmark.png) | ![yes](../images/checkmark.png) | ![no](../images/crossmark.png)
+Back | ![yes.](../images/checkmark.png) | ![yes](../images/checkmark.png) | ![yes](../images/checkmark.png) 
+Search | ![yes.](../images/checkmark.png) | ![yes](../images/checkmark.png) | ![yes](../images/checkmark.png)
+Camera | ![yes.](../images/checkmark.png) | ![yes](../images/checkmark.png) | ![yes](../images/checkmark.png)
+Custom 1, 2, and 3 | ![yes.](../images/checkmark.png) | ![yes](../images/checkmark.png) | ![yes](../images/checkmark.png)
 
 > [!NOTE]
 >  Custom buttons are hardware buttons that can be added to devices by OEMs.
@@ -270,7 +270,7 @@ In the following example, when a user presses the Search button, the phone diale
 
 ## CSPRunner
 
-![XML for CSP Runner](../images/CSPRunnerXML.jpg)
+![XML for CSP Runner.](../images/CSPRunnerXML.jpg)
 
 You can use CSPRunner to include settings that are not defined in AssignedAccessXML. For example, you can include settings from other sections of EnterpriseAssignedAccess CSP, such as lockscreen, theme, and time zone. You can also include settings from other CSPs, such as [Wi-Fi CSP](/windows/client-management/mdm/wifi-csp) or [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider).
 
@@ -317,7 +317,7 @@ SyncML entry | Description
 
 ## Menu items
 
-![XML for menu items](../images/MenuItemsXML.png)
+![XML for menu items.](../images/MenuItemsXML.png)
 
 Use DisableMenuItems to prevent use of the context menu, which is displayed when a user presses and holds an application in the All Apps list. You can include this entry in the default profile and in any additional user role profiles that you create.
 
@@ -329,7 +329,7 @@ Use DisableMenuItems to prevent use of the context menu, which is displayed when
 
 ## Settings
 
-![XML for settings](../images/SettingsXML.png)
+![XML for settings.](../images/SettingsXML.png)
 
 The **Settings** section contains an `allow` list of pages in the Settings app and quick actions. The following example allows all settings.
 
@@ -363,7 +363,7 @@ For a list of the settings and quick actions that you can allow or block, see [S
 
  ## Tiles
 
- ![XML for tiles](../images/TilesXML.png)
+ ![XML for tiles.](../images/TilesXML.png)
 
  By default, under Assigned Access, tile manipulation is turned off (blocked) and only available if enabled in the user’s profile. If tile manipulation is enabled in the user’s profile, they can pin/unpin, move, and resize tiles based on their preferences. When multiple people use one device and you want to enable tile manipulation for multiple users, you must enable it for each user in their user profile. 
 
@@ -446,7 +446,7 @@ Use the Windows ICD tool included in the Windows Assessment and Deployment Kit (
 
 3.  In the center pane, click **Browse** to locate and select the lockdown XML file that you created.
 
-    ![browse button](../images/icdbrowse.png)
+    ![browse button.](../images/icdbrowse.png)
 
 4.  On the **File** menu, select **Save.**
 
diff --git a/windows/configuration/mobile-devices/mobile-lockdown-designer.md b/windows/configuration/mobile-devices/mobile-lockdown-designer.md
index 68774e0da5..a7d82f6088 100644
--- a/windows/configuration/mobile-devices/mobile-lockdown-designer.md
+++ b/windows/configuration/mobile-devices/mobile-lockdown-designer.md
@@ -16,7 +16,7 @@ manager: dansimp
 
 # Use the Lockdown Designer app to create a Lockdown XML file
 
-![Lockdown Designer in the Store](../images/ldstore.png)
+![Lockdown Designer in the Store.](../images/ldstore.png)
 
 Windows 10 Mobile allows enterprises to lock down a device, define multiple user roles, and configure custom layouts on a device. For example, the enterprise can lock down a device so that only applications and settings in an allow list are available. This is accomplished using Lockdown XML, an XML file that contains settings for Windows 10 Mobile. 
 
@@ -55,7 +55,7 @@ Perform these steps on the device running Windows 10 Mobile that you will use to
 >[!IMPORTANT]
 >Check **Settings > Personalization > Start > Show more tiles** on the test mobile device. If **Show more tiles** is **On**, you must select **Large** on the [**Start screen** page](#start) in Lockdown Designer. If you want to apply a **Small** layout, set **Show more tiles** on the test mobile device to **Off**.
 >
->![turn off show more tiles for small start screen size](../images/show-more-tiles.png) 
+>![turn off show more tiles for small start screen size.](../images/show-more-tiles.png) 
 
 ## Prepare the PC
 
@@ -89,7 +89,7 @@ If you want to connect the PC and the test mobile device using a USB cable, perf
 
 3. Click **Pair**. 
 
-    ![Pair](../images/ld-pair.png)
+    ![Pair.](../images/ld-pair.png)
 
     **Connect to remote device** appears. 
 
@@ -99,7 +99,7 @@ If you want to connect the PC and the test mobile device using a USB cable, perf
 
 6. Next, click **Sync** to pull information from the device in to Lockdown Designer.
 
-    ![Sync](../images/ld-sync.png)
+    ![Sync.](../images/ld-sync.png)
 
 7. Click the **Save** icon and enter a name for your project. 
 
@@ -113,7 +113,7 @@ If you want to connect the PC and the test mobile device using a USB cable, perf
 
 3. On the **Project setting** > **General settings** page, click **Pair**. 
 
-    ![Pair](../images/ld-pair.png)
+    ![Pair.](../images/ld-pair.png)
 
     **Connect to remote device** appears. 
 
@@ -123,7 +123,7 @@ If you want to connect the PC and the test mobile device using a USB cable, perf
 
 6. Next, click **Sync** to pull information from the device in to Lockdown Designer.
 
-    ![Sync](../images/ld-sync.png)
+    ![Sync.](../images/ld-sync.png)
 
 7. Click the **Save** icon and enter a name for your project. 
 
@@ -134,13 +134,13 @@ The apps and settings available in the pages of Lockdown Designer should now be
 
 | Page | Description |
 | --- | --- |
-| ![Applications](../images/ld-apps.png) | Each app from the test mobile device is listed. Select the apps that you want visible to users.</br></br>You can select an app to run automatically when a user signs in to the device. The **Select Auto-Run** menu is populated by the apps that you select to allow on the device. |
-| ![CSP Runner](../images/ld-csp.png) | CSPRunner enables you to include settings and policies that are not defined in other sections of the app. To make use of CSPRunner, you must create the SyncML block that contains the settings, and then import the SyncML in Lockdown Designer. [Learn how to use CSPRunner and author SyncML.](lockdown-xml.md#csprunner)  |
-| ![Settings](../images/ld-settings.png)  |  On this page, you select the settings that you want visible to users. See the [ms settings: URI scheme reference](/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference) to see which Settings page maps to a URI.  |
-| ![Quick actions](../images/ld-quick.png)  |  On this page, you select the settings that you want visible to users. |
-| ![Buttons](../images/ld-buttons.png)  |  Each hardware button on a mobile device has different actions that can be disabled. In addition, the behavior for **Search** button can be changed to open an app other than **Search**.</br></br>Some devices may have additional hardware buttons provided by the OEM. These are listed as Custom1, Custom2, and Custom3. If your device has custom hardware buttons, contact your equipment provider to identify how their custom buttons are defined. |
-| ![Other settings](../images/ld-other.png)  | This page contains several settings that you can configure:</br></br>- The context menu is displayed when a user presses and holds an application in the All Apps list. You can enable or disable the context menu.</br></br>- Tile manipulation allows users to pin, unpin, move, and resize tiles on the Start screen. You can enable or disable tile manipulation.</br></br>- The Action Center setting controls whether the user can open the Action Center on the device. When the Action Center is disabled, notifications on the lockscreen and toasts are also disabled. You can use optional attributes with the Action Center element to change that behavior for either notifications, toasts, or both.  |
-| <span id="start" />![Start screen](../images/ld-start.png)  | On this page, you can start a remote simulation session with the test mobile device. Click **Start remote simulation**. You will see a **Start screen remote simulation in progress** message on the PC. (If the **Start remote simulation** button is not active, [pair the mobile device with the PC again](#pair).)</br></br>On the test mobile device, tiles for the apps that you allowed on the **Applications** page are displayed on the screen. You can move, resize, or unpin these tiles to achieve the desired layout.</br></br>When you are done changing the layout on the test mobile device, click **Accept** on the PC. |
+| ![Applications.](../images/ld-apps.png) | Each app from the test mobile device is listed. Select the apps that you want visible to users.</br></br>You can select an app to run automatically when a user signs in to the device. The **Select Auto-Run** menu is populated by the apps that you select to allow on the device. |
+| ![CSP Runner.](../images/ld-csp.png) | CSPRunner enables you to include settings and policies that are not defined in other sections of the app. To make use of CSPRunner, you must create the SyncML block that contains the settings, and then import the SyncML in Lockdown Designer. [Learn how to use CSPRunner and author SyncML.](lockdown-xml.md#csprunner)  |
+| ![Settings.](../images/ld-settings.png)  |  On this page, you select the settings that you want visible to users. See the [ms settings: URI scheme reference](/windows/uwp/launch-resume/launch-settings-app#ms-settings-uri-scheme-reference) to see which Settings page maps to a URI.  |
+| ![Quick actions.](../images/ld-quick.png)  |  On this page, you select the settings that you want visible to users. |
+| ![Buttons.](../images/ld-buttons.png)  |  Each hardware button on a mobile device has different actions that can be disabled. In addition, the behavior for **Search** button can be changed to open an app other than **Search**.</br></br>Some devices may have additional hardware buttons provided by the OEM. These are listed as Custom1, Custom2, and Custom3. If your device has custom hardware buttons, contact your equipment provider to identify how their custom buttons are defined. |
+| ![Other settings.](../images/ld-other.png)  | This page contains several settings that you can configure:</br></br>- The context menu is displayed when a user presses and holds an application in the All Apps list. You can enable or disable the context menu.</br></br>- Tile manipulation allows users to pin, unpin, move, and resize tiles on the Start screen. You can enable or disable tile manipulation.</br></br>- The Action Center setting controls whether the user can open the Action Center on the device. When the Action Center is disabled, notifications on the lockscreen and toasts are also disabled. You can use optional attributes with the Action Center element to change that behavior for either notifications, toasts, or both.  |
+| <span id="start" />![Start screen.](../images/ld-start.png)  | On this page, you can start a remote simulation session with the test mobile device. Click **Start remote simulation**. You will see a **Start screen remote simulation in progress** message on the PC. (If the **Start remote simulation** button is not active, [pair the mobile device with the PC again](#pair).)</br></br>On the test mobile device, tiles for the apps that you allowed on the **Applications** page are displayed on the screen. You can move, resize, or unpin these tiles to achieve the desired layout.</br></br>When you are done changing the layout on the test mobile device, click **Accept** on the PC. |
 
 
 ## Validate and export
@@ -169,4 +169,4 @@ You can create additional roles for the device and have unique configurations fo
 
 4. Configure the settings for the role as above, but make sure on each page that you select the correct role.
 
-    ![Current role selection box](../images/ld-role.png)
\ No newline at end of file
+    ![Current role selection box.](../images/ld-role.png)
\ No newline at end of file
diff --git a/windows/configuration/mobile-devices/provisioning-configure-mobile.md b/windows/configuration/mobile-devices/provisioning-configure-mobile.md
index 1d321fd9cb..ebd4218503 100644
--- a/windows/configuration/mobile-devices/provisioning-configure-mobile.md
+++ b/windows/configuration/mobile-devices/provisioning-configure-mobile.md
@@ -66,13 +66,13 @@ You can apply a provisioning package to a device running Windows 10 Mobile by us
 1. Insert an SD card containing the provisioning package into the device.
 2. Navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install. 
 
-    ![add a package option](../images/packages-mobile.png)
+    ![add a package option.](../images/packages-mobile.png)
 
 3. Click **Add**.
 
 4. On the device, the **Is this package from a source you trust?** message will appear. Tap **Yes, add it**.
 
-    ![Is this package from a source you trust](../images/package-trust.png)
+    ![Is this package from a source you trust.](../images/package-trust.png)
     
 ### Copying the provisioning package to the device
 
@@ -82,7 +82,7 @@ You can apply a provisioning package to a device running Windows 10 Mobile by us
 
 3. On the device, the **Is this package from a source you trust?** message will appear. Tap **Yes, add it**.
 
-    ![Is this package from a source you trust](../images/package-trust.png)
+    ![Is this package from a source you trust.](../images/package-trust.png)
 
 
 ## Related topics
diff --git a/windows/configuration/mobile-devices/provisioning-nfc.md b/windows/configuration/mobile-devices/provisioning-nfc.md
index 571a1488af..42ff3ff229 100644
--- a/windows/configuration/mobile-devices/provisioning-nfc.md
+++ b/windows/configuration/mobile-devices/provisioning-nfc.md
@@ -31,7 +31,7 @@ All Windows 10 Mobile Enterprise and Windows 10 Mobile images have the NFC provi
 
 On all Windows devices, device provisioning during OOBE can be triggered by 5 fast taps on the Windows hardware key, which shows the **Provision this device** screen. In the **Provision this device** screen, select **NFC** for NFC-based provisioning. 
 
-![Example of Provision this device screen](../images/nfc.png)
+![Example of Provision this device screen.](../images/nfc.png)
 
 If there is an error during NFC provisioning, the device will show a message if any of the following errors occur:
 
diff --git a/windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md b/windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md
index 711f3cfc4e..a265a544e3 100644
--- a/windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md
+++ b/windows/configuration/mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md
@@ -168,28 +168,28 @@ Apps Corner lets you set up a custom Start screen on your Windows 10 Mobile or
 
 **To set up Apps Corner**
 
-1.  On Start ![start](../images/starticon.png), swipe over to the App list, then tap **Settings** ![settings](../images/settingsicon.png) &gt; **Accounts** &gt; **Apps Corner**.
+1.  On Start ![start.](../images/starticon.png), swipe over to the App list, then tap **Settings** ![settings](../images/settingsicon.png) &gt; **Accounts** &gt; **Apps Corner**.
 
-2.  Tap **Apps**, tap to select the app that you want people to use in the kiosk mode, and then tap done ![done icon](images/doneicon.png).
+2.  Tap **Apps**, tap to select the app that you want people to use in the kiosk mode, and then tap done ![done icon.](images/doneicon.png).
 
-3.  If your phone doesn't already have a lock screen password, you can set one now to ensure that people can't get to your Start screen from Apps Corner. Tap **Protect my phone with a password**, click **Add**, type a PIN in the **New PIN** box, type it again in the **Confirm PIN** box, and then tap **OK**. Press **Back** ![back](../images/backicon.png) to the Apps Corner settings.
+3.  If your phone doesn't already have a lock screen password, you can set one now to ensure that people can't get to your Start screen from Apps Corner. Tap **Protect my phone with a password**, click **Add**, type a PIN in the **New PIN** box, type it again in the **Confirm PIN** box, and then tap **OK**. Press **Back** ![back.](../images/backicon.png) to the Apps Corner settings.
 
 4.  Turn **Action center** on or off, depending on whether you want people to be able to use these features when using the device in kiosk mode.
 
 5.  Tap **advanced**, and then turn features on or off, depending on whether you want people to be able to use them.
 
-6.  Press **Back** ![back](../images/backicon.png) when you're done.
+6.  Press **Back** ![back.](../images/backicon.png) when you're done.
 
 **To use Apps Corner**
 
-1.  On Start ![start](../images/starticon.png), swipe over to the App list, then tap **Settings** ![settings](../images/settingsicon.png) &gt; **Accounts** &gt; **Apps Corner** &gt; launch ![launch](../images/launchicon.png).
+1.  On Start ![start.](../images/starticon.png), swipe over to the App list, then tap **Settings** ![settings](../images/settingsicon.png) &gt; **Accounts** &gt; **Apps Corner** &gt; launch ![launch](../images/launchicon.png).
 
     >[!TIP]
     >Want to get to Apps Corner with one tap? In **Settings**, tap **Apps Corner** &gt; **pin** to pin the Apps Corner tile to your Start screen.
   
 2.  Give the device to someone else, so they can use the device and only the one app you chose.
 
-3.  When they're done and you get the device back, press and hold Power ![power](../images/powericon.png), and then swipe right to exit Apps Corner.
+3.  When they're done and you get the device back, press and hold Power ![power.](../images/powericon.png), and then swipe right to exit Apps Corner.
 
 ## Related topics
 
diff --git a/windows/configuration/mobile-devices/start-layout-xml-mobile.md b/windows/configuration/mobile-devices/start-layout-xml-mobile.md
index 41fc17fe04..858de39174 100644
--- a/windows/configuration/mobile-devices/start-layout-xml-mobile.md
+++ b/windows/configuration/mobile-devices/start-layout-xml-mobile.md
@@ -36,7 +36,7 @@ On Windows 10 Mobile, the customized Start works by:
 
 The following diagrams show the default Windows 10, version 1607 Start layouts for single SIM and dual SIM devices with Cortana support, and single SIM and dual SIM devices with no Cortana support. 
 
-![Start layout for Windows 10 Mobile](../images/mobile-start-layout.png)
+![Start layout for Windows 10 Mobile.](../images/mobile-start-layout.png)
 
 The diagrams show:
 
diff --git a/windows/configuration/provisioning-apn.md b/windows/configuration/provisioning-apn.md
index 326ea5b8b8..a8d47b38e2 100644
--- a/windows/configuration/provisioning-apn.md
+++ b/windows/configuration/provisioning-apn.md
@@ -53,11 +53,11 @@ For users who work in different locations, you can configure one APN to connect
 
 5. Enter a name for the connection, and then click **Add**.
 
-    ![Example of APN connection name](images/apn-add.png)
+    ![Example of APN connection name.](images/apn-add.png)
     
 6. The connection appears in the **Available customizations** pane. Select it to view the settings that you can configure for the connection.
 
-    ![settings for new connection](images/apn-add-details.png)
+    ![settings for new connection.](images/apn-add-details.png)
     
 7. The following table describes the settings available for the connection.
 
diff --git a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md
index 67c28a8b90..38d6791423 100644
--- a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md
+++ b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md
@@ -38,7 +38,7 @@ Each CSP provides access to specific settings. For example, the [Wi-Fi CSP](/win
 
 CSPs are behind many of the management tasks and policies for Windows 10, both in Microsoft Intune and in non-Microsoft MDM service providers. For example, in Intune, the policy to allow search suggestions in the Microsoft Edge address bar uses **Browser/AllowSearchSuggestionsinAddressBar** in the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider).
 
-![how intune maps to csp](../images/policytocsp.png)
+![how intune maps to csp.](../images/policytocsp.png)
 
 CSPs receive configuration policies in the XML-based Synchronization Markup Language (SyncML) format, pushed from an MDM-compliant management server, such as Microsoft Intune. Traditional enterprise management systems, such as Microsoft Endpoint Configuration Manager, can also target CSPs, by using a client-side Windows Management Instrumentation (WMI)-to-CSP Bridge.
 
@@ -66,7 +66,7 @@ You can use Windows Configuration Designer to create [provisioning packages](./p
 
 Many settings in Windows Configuration Designer will display documentation for that setting in the center pane, and will include a reference to the CSP if the setting uses one, as shown in the following image.
 
-![how help content appears in icd](../images/cspinicd.png)
+![how help content appears in icd.](../images/cspinicd.png)
 
 [Provisioning packages in Windows 10](provisioning-packages.md) explains how to use the Windows Configuration Designer tool to create a runtime provisioning package.
 
@@ -86,7 +86,7 @@ All CSPs in Windows 10 are documented in the [Configuration service provider ref
 
 The [main CSP topic](/windows/client-management/mdm/configuration-service-provider-reference) tells you which CSPs are supported on each edition of Windows 10, and links to the documentation for each individual CSP.
 
-![csp per windows edition](../images/csptable.png)
+![csp per windows edition.](../images/csptable.png)
 
 The documentation for each CSP follows the same structure. After an introduction that explains the purpose of the CSP, a diagram shows the parts of the CSP in tree format.
 
@@ -94,7 +94,7 @@ The full path to a specific configuration setting is represented by its Open Mob
 
 The following example shows the diagram for the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp). The diagram maps to the XML for that CSP. Notice the different shapes in the diagram: rounded elements are nodes, and rectangular elements are settings or policies for which a value must be supplied.
 
-![assigned access csp tree](../images/provisioning-csp-assignedaccess.png)
+![assigned access csp tree.](../images/provisioning-csp-assignedaccess.png)
 
 The element in the tree diagram after the root node tells you the name of the CSP. Knowing this structure, you would recognize in XML the parts of the URI path for that CSP and, if you saw it in XML, you would know which CSP reference to look up. For example, in the following OMS-URI path for the kiosk mode app settings, you can see that it uses the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp).
 
@@ -104,7 +104,7 @@ The element in the tree diagram after the root node tells you the name of the CS
 
 When an element in the diagram uses _italic_ font, it indicates a placeholder for specific information, such as the tenant ID in the following example.
 
-![placeholder in csp tree](../images/csp-placeholder.png)
+![placeholder in csp tree.](../images/csp-placeholder.png)
 
 After the diagram, the documentation describes each element. For each policy or setting, the valid values are listed.
 
diff --git a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md
index 38b7e01c09..818a935488 100644
--- a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md
+++ b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md
@@ -58,7 +58,7 @@ Provisioning packages can include management instructions and policies, installa
 > [!TIP]
 > Use the desktop wizard to create a package with the common settings, then switch to the advanced editor to add other settings, apps, policies, etc.
 >
->![open advanced editor](../images/icd-simple-edit.png)
+>![open advanced editor.](../images/icd-simple-edit.png)
 
 ## Create the provisioning package
 
@@ -68,11 +68,11 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L
 
 2. Click **Provision desktop devices**.
 
-   ![ICD start options](../images/icd-create-options-1703.png)   
+   ![ICD start options.](../images/icd-create-options-1703.png)   
 
 3. Name your project and click **Finish**. The pages for desktop provisioning will walk you through the following steps.
 
-   ![ICD desktop provisioning](../images/icd-desktop-1703.png)
+   ![ICD desktop provisioning.](../images/icd-desktop-1703.png)
   
 > [!IMPORTANT]
 > When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md
index a71916bfab..68cfcc37af 100644
--- a/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md
+++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps-and-certificates.md
@@ -46,7 +46,7 @@ Use the Windows Imaging and Configuration Designer (ICD) tool included in the Wi
 
 2. Click **Advanced provisioning**.
 
-   ![ICD start options](../images/icdstart-option.png)  
+   ![ICD start options.](../images/icdstart-option.png)  
   
 3. Name your project and click **Next**.
 
@@ -73,19 +73,19 @@ Universal apps that you can distribute in the provisioning package can be line-o
 
 2. For **DeviceContextApp**, specify the **PackageFamilyName** for the app. In Microsoft Store for Business, the package family name is listed in the **Package details** section of the download page.
 
-    ![details for offline app package](../images/uwp-family.png)
+    ![details for offline app package.](../images/uwp-family.png)
 
 3. For **ApplicationFile**, click **Browse** to find and select the target app (either an \*.appx or \*.appxbundle).
 
 4. For **DependencyAppxFiles**, click **Browse** to find and add any dependencies for the app. In Microsoft Store for Business, any dependencies for the app are listed in the **Required frameworks** section of the download page. 
 
-    ![required frameworks for offline app package](../images/uwp-dependencies.png)
+    ![required frameworks for offline app package.](../images/uwp-dependencies.png)
 
 5. For **DeviceContextAppLicense**, enter the **LicenseProductID**. 
 
     - In Microsoft Store for Business, generate the unencoded license for the app on the app's download page, and change the extension of the license file from **.xml** to **.ms-windows-store-license**.
 
-        ![generate license for offline app](../images/uwp-license.png)
+        ![generate license for offline app.](../images/uwp-license.png)
         
     - Open the license file and search for **LicenseID=** to get the GUID, enter the GUID in the **LicenseProductID** field and click **Add**.
     
diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md
index cca8b46be8..f6f7f9876b 100644
--- a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md
+++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md
@@ -74,11 +74,11 @@ When you add an app in a Windows Configuration Designer wizard, the appropriate
 
 2. Enter a name for the first app, and then click **Add**.
 
-    ![enter name for first app](../images/wcd-app-name.png)
+    ![enter name for first app.](../images/wcd-app-name.png)
 
 3. Configure the settings for the appropriate installer type.
 
-    ![enter settings for first app](../images/wcd-app-commands.png)
+    ![enter settings for first app.](../images/wcd-app-commands.png)
 
 ## Add a universal app to your package
 
@@ -88,19 +88,19 @@ Universal apps that you can distribute in the provisioning package can be line-o
 
 2. For **DeviceContextApp**, specify the **PackageFamilyName** for the app. In Microsoft Store for Business, the package family name is listed in the **Package details** section of the download page.
 
-    ![details for offline app package](../images/uwp-family.png)
+    ![details for offline app package.](../images/uwp-family.png)
 
 3. For **ApplicationFile**, click **Browse** to find and select the target app (either an \*.appx or \*.appxbundle).
 
 4. For **DependencyAppxFiles**, click **Browse** to find and add any dependencies for the app. In Microsoft Store for Business, any dependencies for the app are listed in the **Required frameworks** section of the download page. 
 
-    ![required frameworks for offline app package](../images/uwp-dependencies.png)
+    ![required frameworks for offline app package.](../images/uwp-dependencies.png)
 
 5. For **DeviceContextAppLicense**, enter the **LicenseProductID**. 
 
     - In Microsoft Store for Business, generate the unencoded license for the app on the app's download page. 
 
-        ![generate license for offline app](../images/uwp-license.png)
+        ![generate license for offline app.](../images/uwp-license.png)
         
     - Open the license file and search for **LicenseID=** to get the GUID, enter the GUID in the **LicenseProductID** field and click **Add**.
     
diff --git a/windows/configuration/provisioning-packages/provisioning-apply-package.md b/windows/configuration/provisioning-packages/provisioning-apply-package.md
index 4a1bb159ac..4a9381ab1c 100644
--- a/windows/configuration/provisioning-packages/provisioning-apply-package.md
+++ b/windows/configuration/provisioning-packages/provisioning-apply-package.md
@@ -35,7 +35,7 @@ Provisioning packages can be applied to a device during the first-run experience
 
 1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**.
 
-    ![The first screen to set up a new PC](../images/oobe.jpg)
+    ![The first screen to set up a new PC.](../images/oobe.jpg)
 
 2. Insert the USB drive. Windows Setup will recognize the drive and ask if you want to set up the device. Select **Set up**.
 
@@ -43,11 +43,11 @@ Provisioning packages can be applied to a device during the first-run experience
 
 3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**.
 
-    ![Provision this device](../images/prov.jpg)
+    ![Provision this device.](../images/prov.jpg)
     
 4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**.
 
-    ![Choose a package](../images/choose-package.png)
+    ![Choose a package.](../images/choose-package.png)
 
 5. Select **Yes, add it**.
 
@@ -59,7 +59,7 @@ Provisioning packages can be applied to a device during the first-run experience
 
 Insert the USB drive to a desktop computer, navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install. For a provisioning package stored on a network folder or on a SharePoint site, navigate to the provisioning package and double-click it to begin installation.
 
-![add a package option](../images/package.png)
+![add a package option.](../images/package.png)
     
 ## Mobile editions
 
@@ -68,13 +68,13 @@ Insert the USB drive to a desktop computer, navigate to **Settings** > **Account
 1. Insert an SD card containing the provisioning package into the device.
 2. Navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install. 
 
-    ![add a package option](../images/packages-mobile.png)
+    ![add a package option.](../images/packages-mobile.png)
 
 3. Click **Add**.
 
 4. On the device, the **Is this package from a source you trust?** message will appear. Tap **Yes, add it**.
 
-    ![Is this package from a source you trust](../images/package-trust.png)
+    ![Is this package from a source you trust.](../images/package-trust.png)
     
 ### Copying the provisioning package to the device
 
@@ -84,7 +84,7 @@ Insert the USB drive to a desktop computer, navigate to **Settings** > **Account
 
 3. On the device, the **Is this package from a source you trust?** message will appear. Tap **Yes, add it**.
 
-    ![Is this package from a source you trust](../images/package-trust.png)
+    ![Is this package from a source you trust.](../images/package-trust.png)
 
 
 
diff --git a/windows/configuration/provisioning-packages/provisioning-create-package.md b/windows/configuration/provisioning-packages/provisioning-create-package.md
index b67e28b34d..0aa10c16b5 100644
--- a/windows/configuration/provisioning-packages/provisioning-create-package.md
+++ b/windows/configuration/provisioning-packages/provisioning-create-package.md
@@ -39,7 +39,7 @@ You can use Windows Configuration Designer to create a provisioning package (.pp
 
 2. Select your desired option on the **Start** page, which offers multiple options for creating a provisioning package, as shown in the following image:
 
-    ![Configuration Designer wizards](../images/icd-create-options-1703.png)
+    ![Configuration Designer wizards.](../images/icd-create-options-1703.png)
 
     - The following wizard options provide a simple interface for configuring common settings for desktop, mobile, and kiosk devices: 
 
@@ -56,7 +56,7 @@ You can use Windows Configuration Designer to create a provisioning package (.pp
         >[!TIP]
         > You can start a project in the simple wizard editor and then switch the project to the advanced editor.
         >
-        > ![Switch to advanced editor](../images/icd-switch.png)
+        > ![Switch to advanced editor.](../images/icd-switch.png)
 
 3. Enter a name for your project, and then select **Next**.
 
@@ -87,7 +87,7 @@ You can use Windows Configuration Designer to create a provisioning package (.pp
 
 For an advanced provisioning project, Windows Configuration Designer opens the **Available customizations** pane. The example in the following image is based on **All Windows desktop editions** settings.
 
-![What the ICD interface looks like](../images/icd-runtime.png)
+![What the ICD interface looks like.](../images/icd-runtime.png)
 
 The settings in Windows Configuration Designer are based on Windows 10 configuration service providers (CSPs). To learn more about CSPs, see [Introduction to configuration service providers (CSPs) for IT pros](./how-it-pros-can-use-configuration-service-providers.md).
 
@@ -103,14 +103,14 @@ The process for configuring settings is similar for all settings. The following
 
 For details on each specific setting, see [Windows Provisioning settings reference](../wcd/wcd.md). The reference topic for a setting is also displayed in Windows Configuration Designer when you select the setting, as shown in the following image.
 
-![Windows Configuration Designer opens the reference topic when you select a setting](../images/icd-setting-help.png) 
+![Windows Configuration Designer opens the reference topic when you select a setting.](../images/icd-setting-help.png) 
 
 
  ## Build package
 
 1. After you're done configuring your customizations, select **Export**, and then select **Provisioning Package**.
 
-    ![Export on top bar](../images/icd-export-menu.png)
+    ![Export on top bar.](../images/icd-export-menu.png)
 
 2. In the **Describe the provisioning package** window, enter the following information, and then select **Next**:
     - **Name** - This field is pre-populated with the project name. You can change this value by entering a different name in the **Name** field.
diff --git a/windows/configuration/provisioning-packages/provisioning-install-icd.md b/windows/configuration/provisioning-packages/provisioning-install-icd.md
index 8a7b9c464d..1a467d4e6d 100644
--- a/windows/configuration/provisioning-packages/provisioning-install-icd.md
+++ b/windows/configuration/provisioning-packages/provisioning-install-icd.md
@@ -66,7 +66,7 @@ On devices running Windows 10, you can install [the Windows Configuration Design
 
 6. On the **Select the features you want to install** page, clear all selections except **Configuration Designer**, and then click **Install**.
 
-    ![Only Configuration Designer selected for installation](../images/icd-install.png)
+    ![Only Configuration Designer selected for installation.](../images/icd-install.png)
 
 ## Current Windows Configuration Designer limitations
 
diff --git a/windows/configuration/provisioning-packages/provisioning-multivariant.md b/windows/configuration/provisioning-packages/provisioning-multivariant.md
index e5d60aba7f..6e54b39009 100644
--- a/windows/configuration/provisioning-packages/provisioning-multivariant.md
+++ b/windows/configuration/provisioning-packages/provisioning-multivariant.md
@@ -35,7 +35,7 @@ In the XML file, you provide an **Id**, or friendly name, for each **Target**. E
 
 A **Target** can have more than one **TargetState**, and a **TargetState** can have more than one **Condition**. 
 
-![Target with multiple target states and conditions](../images/multi-target.png)
+![Target with multiple target states and conditions.](../images/multi-target.png)
 
 The following table describes the logic for the target definition.
 
diff --git a/windows/configuration/provisioning-packages/provisioning-packages.md b/windows/configuration/provisioning-packages/provisioning-packages.md
index 2313b0e929..a3b4e25f84 100644
--- a/windows/configuration/provisioning-packages/provisioning-packages.md
+++ b/windows/configuration/provisioning-packages/provisioning-packages.md
@@ -124,7 +124,7 @@ For details about the settings you can customize in provisioning packages, see [
 
 Windows ICD for Windows 10, version 1607, simplified common provisioning scenarios. 
 
-![Configuration Designer options](../images/icd.png)
+![Configuration Designer options.](../images/icd.png)
 
 Windows ICD in Windows 10, version 1607, supported the following scenarios for IT administrators:
 
diff --git a/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md b/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md
index a616731808..6e01640c44 100644
--- a/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md
+++ b/windows/configuration/provisioning-packages/provisioning-script-to-install-app.md
@@ -189,13 +189,13 @@ cmd /c InstallMyApp.bat
 
 In Windows Configuration Designer, this looks like:
 
-![Command line in Selected customizations](../images/icd-script1.png)
+![Command line in Selected customizations.](../images/icd-script1.png)
 
 You also need to add the relevant assets for that command line including the orchestrator script and any other assets it references such as installers or .cab files.
 
 In Windows Configuration Designer, that is done by adding files under the `ProvisioningCommands/DeviceContext/CommandFiles` setting.
 
-![Command files in Selected customizations](../images/icd-script2.png)
+![Command files in Selected customizations.](../images/icd-script2.png)
 
 When you are done, [build the package](provisioning-create-package.md#build-package). 
  
diff --git a/windows/configuration/set-up-shared-or-guest-pc.md b/windows/configuration/set-up-shared-or-guest-pc.md
index e4327a7b35..ed5c4ee3a3 100644
--- a/windows/configuration/set-up-shared-or-guest-pc.md
+++ b/windows/configuration/set-up-shared-or-guest-pc.md
@@ -108,13 +108,13 @@ You can configure Windows to be in shared PC mode in a couple different ways:
   8. On the **Configuration settings** page, set the ‘Shared PC Mode’ value to **Enabled**.
 
      > [!div class="mx-imgBorder"]
-     > ![Shared PC mode in the Configuration settings page](images/shared_pc_3.png) 
+     > ![Shared PC mode in the Configuration settings page.](images/shared_pc_3.png) 
 
   11. From this point on, you can configure any additional settings you’d like to be part of this policy, and then follow the rest of the set-up flow to its completion by selecting **Create** after **Step 6**.
 
 - A provisioning package created with the Windows Configuration Designer: You can apply a provisioning package when you initially set up the PC (also known as the out-of-box-experience or OOBE), or you can apply the provisioning package to a Windows 10 PC that is already in use. The provisioning package is created in Windows Configuration Designer. Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](/windows/client-management/mdm/sharedpc-csp), exposed in Windows Configuration Designer as **SharedPC**.
 
-     ![Shared PC settings in ICD](images/icd-adv-shared-pc.png)
+     ![Shared PC settings in ICD.](images/icd-adv-shared-pc.png)
 
 - WMI bridge: Environments that use Group Policy can use the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) to configure the [MDM_SharedPC class](/windows/win32/dmwmibridgeprov/mdm-sharedpc). For all device settings, the WMI Bridge client must be executed under local system user; for more information, see [Using PowerShell scripting with the WMI Bridge Provider](/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider). For example, open PowerShell as an administrator and enter the following:
     
@@ -189,7 +189,7 @@ You can apply the provisioning package to a PC during initial setup or to a PC t
 
 1. Start with a PC on the setup screen. 
 
-    ![The first screen to set up a new PC](images/oobe.jpg)
+    ![The first screen to set up a new PC.](images/oobe.jpg)
 
 2. Insert the USB drive. If nothing happens when you insert the USB drive, press the Windows key five times.
 
@@ -206,7 +206,7 @@ You can apply the provisioning package to a PC during initial setup or to a PC t
 
 On a desktop computer, navigate to **Settings** &gt; **Accounts** &gt; **Work access** &gt; **Add or remove a management package** &gt; **Add a package**, and selects the package to install. 
 
-![add a package option](images/package.png)
+![add a package option.](images/package.png)
 
 > [!NOTE]
 > If you apply the setup file to a computer that has already been set up, existing accounts and data might be lost.
diff --git a/windows/configuration/start-layout-troubleshoot.md b/windows/configuration/start-layout-troubleshoot.md
index 24dbcd1b32..5a39031455 100644
--- a/windows/configuration/start-layout-troubleshoot.md
+++ b/windows/configuration/start-layout-troubleshoot.md
@@ -42,7 +42,7 @@ When troubleshooting basic Start issues (and for the most part, all other Window
   - `get-AppXPackage -Name Microsoft.Windows.ShellExperienceHost`
   - `get-AppXPackage -Name Microsoft.Windows.Cortana`
 
-    ![Example of output from cmdlets](images/start-ts-1.png)
+    ![Example of output from cmdlets.](images/start-ts-1.png)
 
     Failure messages will appear if they aren't installed
 
@@ -188,7 +188,7 @@ Events for both PDC and Background Tasks Infrastructure Service will be recorded
 
 ### Symptom: Application tiles like Alarm, Calculator, and Edge are missing from Start menu and the Settings app fails to open on Windows 10, version 1709 when a local user profile is deleted
 
-![Screenshots that show download icons on app tiles and missing app tiles](images/start-ts-2.png)
+![Screenshots that show download icons on app tiles and missing app tiles.](images/start-ts-2.png)
 
 **Cause**: This issue is known. The first-time sign-in experience is not detected and does not trigger the install of some apps.
 
@@ -236,11 +236,11 @@ Specifically, behaviors include
 - If a new roaming user is created, the first sign-in appears normal, but on subsequent sign-ins, tiles are missing.
 
 
-![Example of a working layout](images/start-ts-3.png)
+![Example of a working layout.](images/start-ts-3.png)
 
 *Working layout on first sign-in of a new roaming user profile*
 
-![Example of a failing layout](images/start-ts-4.png)
+![Example of a failing layout.](images/start-ts-4.png)
 
 *Failing layout on subsequent sign-ins*
 
@@ -256,15 +256,15 @@ Specifically, behaviors include
 
 Before the upgrade:
  
-  ![Example of Start screen with customizations applied](images/start-ts-5.jpg)
+  ![Example of Start screen with customizations applied.](images/start-ts-5.jpg)
 
 After the upgrade the user pinned tiles are missing:
 
-  ![Example of Start screen with previously pinned tiles missing](images/start-ts-6.png)
+  ![Example of Start screen with previously pinned tiles missing.](images/start-ts-6.png)
  
 Additionally, users may see blank tiles if sign-in was attempted without network connectivity.
 
-  ![Example of blank tiles](images/start-ts-7.png)
+  ![Example of blank tiles.](images/start-ts-7.png)
  
 
 **Resolution**: This issue was fixed in the [October 2017 update](https://support.microsoft.com/en-us/help/4041676).
diff --git a/windows/configuration/start-secondary-tiles.md b/windows/configuration/start-secondary-tiles.md
index d988f11531..351f09ce8e 100644
--- a/windows/configuration/start-secondary-tiles.md
+++ b/windows/configuration/start-secondary-tiles.md
@@ -31,15 +31,15 @@ In a Start layout for Windows 10, version 1703, you can include secondary tiles
 
 Suppose that the [Start layout that you export](customize-and-export-start-layout.md) had two secondary tiles, such as in the following image:
 
-![tile for MSN and for a SharePoint site](images/edge-with-logo.png)
+![tile for MSN and for a SharePoint site.](images/edge-with-logo.png)
 
 In prior versions of Windows 10, when you applied the Start layout to a device, the tiles would display as shown in the following image:
 
-![tile for MSN and for a SharePoint site with no logos](images/edge-without-logo.png)
+![tile for MSN and for a SharePoint site with no logos.](images/edge-without-logo.png)
 
 In Windows 10, version 1703, by using the PowerShell cmdlet `export-StartLayoutEdgeAssets` and the policy setting `ImportEdgeAssets`, the tiles will now display the same as they did on the device from which you exported the Start layout.
 
-![tile for MSN and for a SharePoint site](images/edge-with-logo.png)
+![tile for MSN and for a SharePoint site.](images/edge-with-logo.png)
 
 **Example of secondary tiles in XML generated by Export-StartLayout**
 
@@ -156,7 +156,7 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L
 
 12. Open the customizations.xml file in a text editor. The **&lt;Customizations&gt;** section will look like this:
 
-     ![Customizations file with the placeholder text to replace highlighted](images/customization-start-edge.png)
+     ![Customizations file with the placeholder text to replace highlighted.](images/customization-start-edge.png)
 
 13. Replace **layout.xml** with the text from the layout.xml file, [with markup characters replaced with escape characters](#escape).
 
diff --git a/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md b/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md
index 83744db2ca..75fcbcdad0 100644
--- a/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md
+++ b/windows/configuration/ue-v/uev-deploy-uev-for-custom-applications.md
@@ -121,7 +121,7 @@ UE-V for Windows 10, version 1607 includes a new template generator. If you are
 <img src="media/image1.png" width="537" height="394" />
 -->
 
-![Selecting UE-V features in ADK](images/uev-adk-select-uev-feature.png)
+![Selecting UE-V features in ADK.](images/uev-adk-select-uev-feature.png)
 
 3. To open the generator, select **Microsoft Application Virtualization Generator** from the **Start** menu. 
 
diff --git a/windows/configuration/ue-v/uev-for-windows.md b/windows/configuration/ue-v/uev-for-windows.md
index bb6d70d870..0d091fe1bb 100644
--- a/windows/configuration/ue-v/uev-for-windows.md
+++ b/windows/configuration/ue-v/uev-for-windows.md
@@ -41,7 +41,7 @@ The diagram below illustrates how UE-V components work together to synchronize u
 <img src="images/uev-archdiagram.png" alt="UE-V architecture, with server share, desktop, and UE-V service" width="625" height="351" />
 
 <!--  SIMPLER METHOD FOR CODING IMAGE
-![UE-V architecture, with server share, desktop, and UE-V service](images/uev-archdiagram.png)
+![UE-V architecture, with server share, desktop, and UE-V service.](images/uev-archdiagram.png)
 -->
 
 | **Component**            | **Function**     |
@@ -65,7 +65,7 @@ Use these UE-V components to create and manage custom templates for your third-p
 <img src="media/image2.gif" width="595" height="330" />
 -->
 
-![UE-V template generator process](images/uev-generator-process.png)
+![UE-V template generator process.](images/uev-generator-process.png)
 
 ## Settings synchronized by default
 
diff --git a/windows/configuration/ue-v/uev-prepare-for-deployment.md b/windows/configuration/ue-v/uev-prepare-for-deployment.md
index bfc7cfa6f3..08853f5b22 100644
--- a/windows/configuration/ue-v/uev-prepare-for-deployment.md
+++ b/windows/configuration/ue-v/uev-prepare-for-deployment.md
@@ -44,7 +44,7 @@ If you want to use UE-V to synchronize user-defined settings for custom applicat
 
 The workflow diagram below illustrates a typical UE-V deployment and the decisions you need to be prepared to make.
 
-![UE-V deployment preparation](images/uev-deployment-preparation.png)
+![UE-V deployment preparation.](images/uev-deployment-preparation.png)
 
 <!-- PRESERVING ^ORIGINAL IMAGE CODING JUST IN CASE
 <img src="media/image1.png" width="446" height="362" />
@@ -171,13 +171,13 @@ If you’ve decided that you need to synchronize settings for custom application
 
 | &nbsp;   | **Description**  |
 |-------|--------------------------|
-| ![Checklist box](images/uev-checklist-box.gif) | Does this application contain settings that the user can customize? |
-| ![Checklist box](images/uev-checklist-box.gif) | Is it important for the user that these settings are synchronized? |
-| ![Checklist box](images/uev-checklist-box.gif) | Are these user settings already managed by an application management or settings policy solution? UE-V applies application settings at application startup and Windows settings at logon, unlock, or remote connect events. If you use UE-V with other settings sharing solutions, users might experience inconsistency across synchronized settings. |
-| ![Checklist box](images/uev-checklist-box.gif) | Are the application settings specific to the computer? Application preferences and customizations that are associated with hardware or specific computer configurations do not consistently synchronize across sessions and can cause a poor application experience. |
-| ![Checklist box](images/uev-checklist-box.gif) | Does the application store settings in the Program Files directory or in the file directory that is located in the **Users**\\ \[User name\] \\**AppData**\\**LocalLow** directory? Application data that is stored in either of these locations usually should not synchronize with the user, because this data is specific to the computer or because the data is too large to synchronize. |
-| ![Checklist box](images/uev-checklist-box.gif) | Does the application store any settings in a file that contains other application data that should not synchronize? UE-V synchronizes files as a single unit. If settings are stored in files that include application data other than settings, then synchronizing this additional data can cause a poor application experience.|
-| ![Checklist box](images/uev-checklist-box.gif) | How large are the files that contain the settings? The performance of the settings synchronization can be affected by large files. Including large files can affect the performance of settings synchronization. |
+| ![Checklist box.](images/uev-checklist-box.gif) | Does this application contain settings that the user can customize? |
+| ![Checklist box.](images/uev-checklist-box.gif) | Is it important for the user that these settings are synchronized? |
+| ![Checklist box.](images/uev-checklist-box.gif) | Are these user settings already managed by an application management or settings policy solution? UE-V applies application settings at application startup and Windows settings at logon, unlock, or remote connect events. If you use UE-V with other settings sharing solutions, users might experience inconsistency across synchronized settings. |
+| ![Checklist box.](images/uev-checklist-box.gif) | Are the application settings specific to the computer? Application preferences and customizations that are associated with hardware or specific computer configurations do not consistently synchronize across sessions and can cause a poor application experience. |
+| ![Checklist box.](images/uev-checklist-box.gif) | Does the application store settings in the Program Files directory or in the file directory that is located in the **Users**\\ \[User name\] \\**AppData**\\**LocalLow** directory? Application data that is stored in either of these locations usually should not synchronize with the user, because this data is specific to the computer or because the data is too large to synchronize. |
+| ![Checklist box.](images/uev-checklist-box.gif) | Does the application store any settings in a file that contains other application data that should not synchronize? UE-V synchronizes files as a single unit. If settings are stored in files that include application data other than settings, then synchronizing this additional data can cause a poor application experience.|
+| ![Checklist box.](images/uev-checklist-box.gif) | How large are the files that contain the settings? The performance of the settings synchronization can be affected by large files. Including large files can affect the performance of settings synchronization. |
 
 ## Other considerations when preparing a UE-V deployment
 
diff --git a/windows/configuration/ue-v/uev-upgrade-uev-from-previous-releases.md b/windows/configuration/ue-v/uev-upgrade-uev-from-previous-releases.md
index 44febde285..c291585ed5 100644
--- a/windows/configuration/ue-v/uev-upgrade-uev-from-previous-releases.md
+++ b/windows/configuration/ue-v/uev-upgrade-uev-from-previous-releases.md
@@ -101,7 +101,7 @@ The UE-V template generator is included in the Windows Assessment and Deployment
 
 2. Select the **Get Windows ADK for Windows 10** button on this page to start the ADK installer. On the screen pictured below, select **Microsoft User Experience Virtualization (UE-V) Template Generator** and then select **Install**.
 
-    ![Selecting UE-V features in ADK](images/uev-adk-select-uev-feature.png)
+    ![Selecting UE-V features in ADK.](images/uev-adk-select-uev-feature.png)
  
 3. To open the generator, open the **Start** menu and navigate to **Windows Kits** > **Microsoft User Experience Virtualization (UE-V) Template Generator**. 
 
diff --git a/windows/configuration/wcd/wcd-admxingestion.md b/windows/configuration/wcd/wcd-admxingestion.md
index 2a64e58ca8..9a474ff6c8 100644
--- a/windows/configuration/wcd/wcd-admxingestion.md
+++ b/windows/configuration/wcd/wcd-admxingestion.md
@@ -87,11 +87,11 @@ $path="file path"
 
 The following images show snippets of the ADMX file for Office 16 that are used in the examples in the procedures above. The first image highlights the category names.
 
-![Snippet of ADMX shows category names highlighted](../images/admx-category.png)
+![Snippet of ADMX shows category names highlighted.](../images/admx-category.png)
 
 The next image highlights the specific policy.
 
-![Snipped of ADMX shows policy setting highlighted](../images/admx-policy.png)
+![Snipped of ADMX shows policy setting highlighted.](../images/admx-policy.png)
 
 
 ## Related topics
diff --git a/windows/configuration/windows-10-start-layout-options-and-policies.md b/windows/configuration/windows-10-start-layout-options-and-policies.md
index e0816bbb6f..b426a02ca2 100644
--- a/windows/configuration/windows-10-start-layout-options-and-policies.md
+++ b/windows/configuration/windows-10-start-layout-options-and-policies.md
@@ -71,7 +71,7 @@ For more information, see [Use MDM to customize Windows 10 Start and taskbar](cu
 
 ## Start menu policy settings
 
-![start layout sections](images/startannotated.png)
+![start layout sections.](images/startannotated.png)
 
 The following list includes the different Start options, and any policy or local settings. The settings in the list can also be used in a provisioning package. If you use a provisioning package, see the [Windows Configuration Designer reference](./wcd/wcd-policies.md#start).
 
@@ -180,7 +180,7 @@ The following example shows how apps are pinned. In OS configured to use a right
 - Apps pinned by the user in the center (orange triangle)
 - Apps that you pin using XML to the right (green square)
 
-![Windows left, user center, enterprise to the right](images/taskbar-generic.png)
+![Windows left, user center, enterprise to the right.](images/taskbar-generic.png)
 
 If you apply the taskbar configuration to a clean install or an update, users can still:
 
diff --git a/windows/configuration/windows-spotlight.md b/windows/configuration/windows-spotlight.md
index 1b43de2520..08afef11a3 100644
--- a/windows/configuration/windows-spotlight.md
+++ b/windows/configuration/windows-spotlight.md
@@ -40,20 +40,20 @@ For managed devices running Windows 10 Enterprise and Windows 10 Education, en
 
     The Windows Spotlight displays a new image on the lock screen each day. The initial background image is included during installation. Additional images are downloaded on ongoing basis.
 
-    ![lock screen image](images/lockscreen.png)
+    ![lock screen image.](images/lockscreen.png)
 
 -   **Feature suggestions, fun facts, tips**
 
     The lock screen background will occasionally make recommendations on how to enhance your productivity and enjoyment of Microsoft products including suggesting other relevant Microsoft products and services.
     
-    ![fun facts](images/funfacts.png)
+    ![fun facts.](images/funfacts.png)
 
 ## How do you turn off Windows Spotlight locally?
 
 
 To turn off Windows Spotlight locally, go to **Settings** &gt; **Personalization** &gt; **Lock screen** &gt; **Background** &gt; **Windows spotlight** &gt; select a different lock screen background
 
-![personalization background](images/spotlight.png)
+![personalization background.](images/spotlight.png)
 
 ## How do you disable Windows Spotlight for managed devices?
 
@@ -81,7 +81,7 @@ Windows Spotlight is enabled by default. Windows 10 provides Group Policy and mo
  >If you want to use a custom lock screen image that contains text, see [Resolution for custom lock screen image](#resolution-for-custom-lock-screen-image).
 
 
-![lockscreen policy details](images/lockscreenpolicy.png)
+![lockscreen policy details.](images/lockscreenpolicy.png)
 
 Pay attention to the checkbox in **Options**. In addition to providing the path to the lock screen image, administrators can choose to allow or **Turn off fun facts, tips, tricks, and more on lock screen**. If the checkbox is not selected, users will see the lock screen image that is defined in the policy setting, and will also see occasional messages.
 
diff --git a/windows/deployment/TOC.yml b/windows/deployment/TOC.yml
index d61509c788..967f57f92e 100644
--- a/windows/deployment/TOC.yml
+++ b/windows/deployment/TOC.yml
@@ -271,6 +271,8 @@
           href: update/how-windows-update-works.md
         - name: Windows 10 upgrade paths
           href: upgrade/windows-10-upgrade-paths.md
+        - name: Windows 10 edition upgrade
+          href: upgrade/windows-10-edition-upgrades.md
         - name: Deploy Windows 10 with Microsoft 365
           href: deploy-m365.md
         - name: Understand the Unified Update Platform
diff --git a/windows/deployment/deploy-enterprise-licenses.md b/windows/deployment/deploy-enterprise-licenses.md
index 612b3619c6..1101efd400 100644
--- a/windows/deployment/deploy-enterprise-licenses.md
+++ b/windows/deployment/deploy-enterprise-licenses.md
@@ -82,7 +82,7 @@ You might ask why you need to synchronize these identities. The answer is so tha
 
 **Figure 1** illustrates the integration between the on-premises AD DS domain with Azure AD. [Microsoft Azure Active Directory Connect](https://www.microsoft.com/download/details.aspx?id=47594) (Azure AD Connect) is responsible for synchronization of identities between the on-premises AD DS domain and Azure AD. Azure AD Connect is a service that you can install on-premises or in a virtual machine in Azure.
 
-![Illustration of Azure Active Directory Connect](images/enterprise-e3-ad-connect.png)
+![Illustration of Azure Active Directory Connect.](images/enterprise-e3-ad-connect.png)
 
 **Figure 1. On-premises AD DS integrated with Azure AD**
 
@@ -103,7 +103,7 @@ Devices must be running Windows 10 Pro, version 1703, and be Azure Active Direct
 Upon acquisition of Windows 10 subscription has been completed (Windows 10 Business, E3 or E5), customers will receive an email that will provide guidance on how to use Windows as an online service:
 
 > [!div class="mx-imgBorder"]
-> ![profile](images/al01.png)
+> ![profile.](images/al01.png)
 
 The following methods are available to assign licenses:
 
@@ -111,7 +111,7 @@ The following methods are available to assign licenses:
 
 2. You can sign in to portal.office.com and manually assign licenses:
 
-    ![portal](images/al02.png)
+    ![portal.](images/al02.png)
 
 3. You can assign licenses by uploading a spreadsheet.
 
diff --git a/windows/deployment/deploy-m365.md b/windows/deployment/deploy-m365.md
index 25b5de33e1..9758211e0a 100644
--- a/windows/deployment/deploy-m365.md
+++ b/windows/deployment/deploy-m365.md
@@ -62,14 +62,14 @@ Examples of these two deployment advisors are shown below.
 - [Windows Analytics deployment advisor example](#windows-analytics-deployment-advisor-example)
 
 ## Microsoft 365 deployment advisor example
-![Microsoft 365 deployment advisor](images/m365da.png)
+![Microsoft 365 deployment advisor.](images/m365da.png)
 
 ## Windows Analytics deployment advisor example
 
 
 ## M365 Enterprise poster
 
-[![M365 Enterprise poster](images/m365e.png)](https://aka.ms/m365eposter)
+[![M365 Enterprise poster.](images/m365e.png)](https://aka.ms/m365eposter)
 
 ## Related Topics
 
diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md
index 084c1d13cc..b092bc6e3c 100644
--- a/windows/deployment/deploy-whats-new.md
+++ b/windows/deployment/deploy-whats-new.md
@@ -102,7 +102,7 @@ The following Delivery Optimization policies are removed in the Windows 10, vers
 
 Microsoft previously announced that we are [extending support](https://www.microsoft.com/microsoft-365/blog/2018/09/06/helping-customers-shift-to-a-modern-desktop) for Windows 10 Enterprise and Windows 10 Education editions to 30 months from the version release date. This includes all past versions and future versions that are targeted for release in September (versions ending in 09, ex: 1809). Future releases that are targeted for release in March (versions ending in 03, ex: 1903) will continue to be supported for 18 months from their release date. All releases of Windows 10 Home, Windows 10 Pro, and Microsoft 365 Apps for enterprise will continue to be supported for 18 months (there is no change for these editions).  These support policies are summarized in the table below.
 
-![Support lifecycle](images/support-cycle.png)
+![Support lifecycle.](images/support-cycle.png)
 
 ## Windows 10 Enterprise upgrade
 
diff --git a/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md
index d5890631a6..399232f5fe 100644
--- a/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/add-a-windows-10-operating-system-image-using-configuration-manager.md
@@ -42,7 +42,7 @@ An existing Configuration Manager infrastructure that is integrated with MDT is
 1.  Using File Explorer, in the **D:\\Sources\\OSD\\OS** folder, create a subfolder named **Windows 10 Enterprise x64 RTM**.
 2.  Copy the REFW10-X64-001.wim file to the **D:\\Sources\\OSD\\OS\\Windows 10 Enterprise x64 RTM** folder.
 
-    ![figure 17](../images/ref-image.png)
+    ![figure 17.](../images/ref-image.png)
 
     The Windows 10 image being copied to the Sources folder structure.
 
@@ -53,7 +53,7 @@ An existing Configuration Manager infrastructure that is integrated with MDT is
 7.  In the Distribute Content Wizard, add the CM01 distribution point, click **Next** and click **Close**.
 8.  View the content status for the Windows 10 Enterprise x64 RTM package. Do not continue until the distribution is completed (it might take a few minutes). You also can review the D:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file and look for the **STATMSG: ID=2301** line.
 
-    ![figure 18](../images/fig18-distwindows.png)
+    ![figure 18.](../images/fig18-distwindows.png)
 
     The distributed Windows 10 Enterprise x64 RTM package.
 
diff --git a/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md
index 3c4382a940..0da40d6702 100644
--- a/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/add-drivers-to-a-windows-10-deployment-with-windows-pe-using-configuration-manager.md
@@ -38,7 +38,7 @@ This section will show you how to import some network and storage drivers for Wi
 
 This section assumes you have downloaded some drivers to the **D:\\Sources\\OSD\\DriverSources\\WinPE x64** folder on CM01.
 
-![Drivers](../images/cm01-drivers.png)
+![Drivers.](../images/cm01-drivers.png)
 
 Driver folder structure on CM01
 
@@ -52,10 +52,10 @@ On **CM01**:
 6. In the popup window that appears, click **Yes** to automatically update the distribution point.
 7. Click **Next**, wait for the image to be updated, and then click **Close**.
 
-  ![Add drivers to Windows PE step 1](../images/fig21-add-drivers1.png)<br>
-  ![Add drivers to Windows PE step 2](../images/fig21-add-drivers2.png)<br>
-  ![Add drivers to Windows PE step 3](../images/fig21-add-drivers3.png)<br>
-  ![Add drivers to Windows PE step 4](../images/fig21-add-drivers4.png)
+  ![Add drivers to Windows PE step 1.](../images/fig21-add-drivers1.png)<br>
+  ![Add drivers to Windows PE step 2.](../images/fig21-add-drivers2.png)<br>
+  ![Add drivers to Windows PE step 3.](../images/fig21-add-drivers3.png)<br>
+  ![Add drivers to Windows PE step 4.](../images/fig21-add-drivers4.png)
 
   Add drivers to Windows PE
 
@@ -65,7 +65,7 @@ This section illustrates how to add drivers for Windows 10 using the HP EliteBoo
 
 For the purposes of this section, we assume that you have downloaded the Windows 10 drivers for the HP EliteBook 8560w model and copied them to the **D:\Sources$\OSD\DriverSources\Windows 10 x64\Hewlett-Packard\HP EliteBook 8560w** folder on CM01.
 
-![Drivers in Windows](../images/cm01-drivers-windows.png)
+![Drivers in Windows.](../images/cm01-drivers-windows.png)
 
 Driver folder structure on CM01
 
@@ -75,7 +75,7 @@ On **CM01**:
 2. In the Import New Driver Wizard, on the **Specify a location to import driver** page, select the **Import all drivers in the following network path (UNC)** option, browse to the **\\\\CM01\\Sources$\\OSD\\DriverSources\\Windows 10 x64\\Hewlett-Packard\\HP EliteBook 8560w** folder and click **Next**. Wait a minute for driver information to be validated.
 3. On the **Specify the details for the imported driver** page, click **Categories**, create a category named **Windows 10 x64 - HP EliteBook 8560w**, click **OK**, and then click **Next**.
 
-    ![Create driver categories](../images/fig22-createcategories.png "Create driver categories")
+    ![Create driver categories.](../images/fig22-createcategories.png "Create driver categories")
 
     Create driver categories
 
@@ -93,7 +93,7 @@ On **CM01**:
     >[!NOTE]
     >If you want to monitor the driver import process more closely, you can open the SMSProv.log file during driver import.
   
-    ![Drivers imported and a new driver package created](../images/cm01-drivers-packages.png "Drivers imported and a new driver package created")
+    ![Drivers imported and a new driver package created.](../images/cm01-drivers-packages.png "Drivers imported and a new driver package created")
   
     Drivers imported and a new driver package created
 
diff --git a/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
index 1943afe9b2..eb6a7f33e2 100644
--- a/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md
@@ -61,7 +61,7 @@ On **CM01**:
 4.  On the **Options** page, select the **x64** platform, and click **Next**.
 5.  On the **Components** page, in addition to the default selected **Microsoft Data Access Components (MDAC/ADO)** support, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** check box and click **Next**.
 
-    ![Add the DaRT component to the Configuration Manager boot image](../images/mdt-06-fig16.png "Add the DaRT component to the Configuration Manager boot image")
+    ![Add the DaRT component to the Configuration Manager boot image.](../images/mdt-06-fig16.png "Add the DaRT component to the Configuration Manager boot image")
 
     Add the DaRT component to the Configuration Manager boot image.
 
@@ -72,8 +72,8 @@ On **CM01**:
 8.  In the Distribute Content Wizard, add the CM01 distribution point, and complete the wizard.
 9.  Using Configuration Manager Trace, review the D:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file. Do not continue until you can see that the boot image is distributed. Look for the line that reads **STATMSG: ID=2301**. You also can monitor Content Status in the Configuration Manager Console at **\Monitoring\Overview\Distribution Status\Content Status\Zero Touch WinPE x64**. See the following examples:
 
-    ![Content status for the Zero Touch WinPE x64 boot image step 1](../images/fig16-contentstatus1.png)<br>
-    ![Content status for the Zero Touch WinPE x64 boot image step 2](../images/fig16-contentstatus2.png)
+    ![Content status for the Zero Touch WinPE x64 boot image step 1.](../images/fig16-contentstatus1.png)<br>
+    ![Content status for the Zero Touch WinPE x64 boot image step 2.](../images/fig16-contentstatus2.png)
 
     Content status for the Zero Touch WinPE x64 boot image
 
@@ -82,8 +82,8 @@ On **CM01**:
 12. Using Configuration Manager Trace, review the D:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file and look for this text: **Expanding PS100009 to D:\\RemoteInstall\\SMSImages**.
 13. Review the **D:\\RemoteInstall\\SMSImages** folder. You should see three folders containing boot images. Two are from the default boot images, and the third folder (PS100009) is from your new boot image with DaRT. See the examples below:
 
-    ![PS100009 step 1](../images/ps100009-1.png)<br>
-    ![PS100009 step 2](../images/ps100009-2.png)
+    ![PS100009 step 1.](../images/ps100009-1.png)<br>
+    ![PS100009 step 2.](../images/ps100009-2.png)
 
 >Note: Depending on your infrastructure and the number of packages and boot images present, the Image ID might be a different number than PS100009.
 
diff --git a/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md b/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md
index 7f539c965d..8bba45f997 100644
--- a/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md
+++ b/windows/deployment/deploy-windows-cm/create-a-task-sequence-with-configuration-manager-and-mdt.md
@@ -87,14 +87,14 @@ On **CM01**:
     >[!NOTE]
     >You also can add a Query WMI condition with the following query: SELECT \* FROM Win32\_ComputerSystem WHERE Model LIKE '%HP EliteBook 8560w%'
     
-    ![Driver package options](../images/fig27-driverpackage.png "Driver package options")
+    ![Driver package options.](../images/fig27-driverpackage.png "Driver package options")
     
     The driver package options
 
 7.  In the **State Restore / Install Applications** group, select the **Install Application** action.
 8.  Select the **Install the following applications** radio button, and add the OSD / Adobe Reader DC - OSD Install application to the list.
 
-    ![Add an application to the task sequence](../images/fig28-addapp.png "Add an application to the task sequence")
+    ![Add an application to the task sequence.](../images/fig28-addapp.png "Add an application to the task sequence")
 
     Add an application to the Configuration Manager task sequence
 
diff --git a/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md
index 90f2ec38e6..1fadc2be61 100644
--- a/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/create-an-application-to-deploy-with-windows-10-using-configuration-manager.md
@@ -54,7 +54,7 @@ On **CM01**:
     * Type: Windows Installer (\*.msi file)
     * Location: \\\\CM01\\Sources$\\Software\\Adobe\\AcroRead.msi
 
-    ![The Create Application Wizard](../images/mdt-06-fig20.png "The Create Application Wizard")
+    ![The Create Application Wizard.](../images/mdt-06-fig20.png "The Create Application Wizard")
 
     The Create Application Wizard
 
@@ -65,7 +65,7 @@ On **CM01**:
   >[!NOTE]
   >Because it is not possible to reference an application deployment type in the task sequence, you should have a single deployment type for applications deployed by the task sequence. If you are deploying applications via both the task sequence and normal application deployment, and you have multiple deployment types, you should have two applications of the same software. In this section, you add the "OSD Install" suffix to applications that are deployed via the task sequence. If using packages, you can still reference both package and program in the task sequence.
   
-  ![Add the OSD Install suffix to the application name](../images/mdt-06-fig21.png "Add the OSD Install suffix to the application name")
+  ![Add the OSD Install suffix to the application name.](../images/mdt-06-fig21.png "Add the OSD Install suffix to the application name")
   
   Add the "OSD Install" suffix to the application name
 
diff --git a/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md b/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md
index a36d3b0ba3..ff7ad50540 100644
--- a/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/deploy-windows-10-using-pxe-and-configuration-manager.md
@@ -65,7 +65,7 @@ All server and client computers referenced in this guide are on the same subnet.
     >[!NOTE]
     >You also can use the built-in reports to get information about ongoing deployments. For example, a task sequence report gives you a quick overview of the task sequence progress.
 
-    ![MDT monitoring](../images/pc0001-monitor.png)
+    ![MDT monitoring.](../images/pc0001-monitor.png)
 
     Monitoring the deployment with MDT.
 
@@ -73,20 +73,20 @@ All server and client computers referenced in this guide are on the same subnet.
 
 Examples are provided below of various stages of deployment:
 
-![pc0001a](../images/pc0001a.png)<br>
-![pc0001b](../images/pc0001b.png)<br>
-![pc0001c](../images/pc0001c.png)<br>
-![pc0001d](../images/pc0001d.png)<br>
-![pc0001e](../images/pc0001e.png)<br>
-![pc0001f](../images/pc0001f.png)<br>
-![pc0001g](../images/pc0001g.png)<br>
-![pc0001h](../images/pc0001h.png)<br>
-![pc0001i](../images/pc0001i.png)<br>
-![pc0001j](../images/pc0001j.png)<br>
-![pc0001k](../images/pc0001k.png)<br>
-![pc0001l](../images/pc0001l.png)<br>
-![pc0001m](../images/pc0001m.png)<br>
-![pc0001n](../images/pc0001n.png)
+![pc0001a.](../images/pc0001a.png)<br>
+![pc0001b.](../images/pc0001b.png)<br>
+![pc0001c.](../images/pc0001c.png)<br>
+![pc0001d.](../images/pc0001d.png)<br>
+![pc0001e.](../images/pc0001e.png)<br>
+![pc0001f.](../images/pc0001f.png)<br>
+![pc0001g.](../images/pc0001g.png)<br>
+![pc0001h.](../images/pc0001h.png)<br>
+![pc0001i.](../images/pc0001i.png)<br>
+![pc0001j.](../images/pc0001j.png)<br>
+![pc0001k.](../images/pc0001k.png)<br>
+![pc0001l.](../images/pc0001l.png)<br>
+![pc0001m.](../images/pc0001m.png)<br>
+![pc0001n.](../images/pc0001n.png)
 
 Next, see [Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager](refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md).
 
diff --git a/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
index 2534b0e7da..7304a6b9c2 100644
--- a/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/finalize-the-os-configuration-for-windows-10-deployment-with-configuration-manager.md
@@ -44,7 +44,7 @@ On **CM01**:
 
 2.  Right-click the **MDT Production** deployment share, and click **Properties**. On the **Monitoring** tab, select the **Enable monitoring for this deployment share** check box, and click **OK**.
 
-    ![Enable MDT monitoring for Configuration Manager](../images/mdt-06-fig31.png)
+    ![Enable MDT monitoring for Configuration Manager.](../images/mdt-06-fig31.png)
 
     Enable MDT monitoring for Configuration Manager
 
@@ -80,7 +80,7 @@ On **CM01**:
    ApplyGPOPack=NO
    ```
 
-   ![Settings package during deployment](../images/fig30-settingspack.png)
+   ![Settings package during deployment.](../images/fig30-settingspack.png)
 
    The Settings package, holding the rules and the Unattend.xml template used during deployment
 
@@ -99,7 +99,7 @@ On **CM01**:
 2.  In the Distribute Content Wizard, click **Next** twice then on the **Specify the content destination** page add the Distribution Point: **CM01.CONTOSO.COM**, and then complete the wizard.
 3.  Using the CMTrace tool, verify the distribution to the CM01 distribution point by reviewing the distmgr.log file, or use the Distribution Status / Content Status option in the Monitoring workspace. Do not continue until you see all the new packages being distributed successfully.
 
-   ![Content status](../images/cm01-content-status1.png)
+   ![Content status.](../images/cm01-content-status1.png)
 
    Content status
 
@@ -116,7 +116,7 @@ On **CM01**:
    * Purpose: Available
    * Make available to the following: Only media and PXE
 
-   ![Configure the deployment settings](../images/mdt-06-fig33.png)
+   ![Configure the deployment settings.](../images/mdt-06-fig33.png)
     
    Configure the deployment settings
 
@@ -125,7 +125,7 @@ On **CM01**:
 6. On the **Alerts** page, accept the default settings and click **Next**.
 7. On the **Distribution Points** page, accept the default settings, click **Next** twice, and then click **Close**.
 
-   ![Task sequence deployed](../images/fig32-deploywiz.png)
+   ![Task sequence deployed.](../images/fig32-deploywiz.png)
 
    The Windows 10 Enterprise x64 RTM task sequence deployed to the All Unknown Computers collections available for media and PXE
 
@@ -149,7 +149,7 @@ On **CM01**:
    >[!NOTE]
    >Configuration Manager can prompt for information in many ways. Using a collection variable with an empty value is just one of them. Another option is the User-Driven Installation (UDI) wizard.
    
-   ![Configure a collection variable](../images/mdt-06-fig35.png)
+   ![Configure a collection variable.](../images/mdt-06-fig35.png)
    
    Configure a collection variable
 
diff --git a/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md b/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
index dfb02baa06..9217f5b5c5 100644
--- a/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/prepare-for-zero-touch-installation-of-windows-10-with-configuration-manager.md
@@ -209,7 +209,7 @@ On **CM01**:
    * Site Server Name: CM01.contoso.com
    * Site code: PS1
 
-![figure 8](../images/mdt-06-fig08.png)
+![figure 8.](../images/mdt-06-fig08.png)
 
 MDT integration with Configuration Manager.
 
@@ -223,11 +223,11 @@ On **CM01**:
 2.  In the right pane, right-click **Default Client Settings** and then click **Properties**.
 3.  In the **Computer Agent** node, in the **Organization name displayed in Software Center** text box, type in **Contoso** and click **OK**.
 
-![figure 9](../images/mdt-06-fig10.png)
+![figure 9.](../images/mdt-06-fig10.png)
 
 Configure the organization name in client settings.
 
-![figure 10](../images/fig10-contosoinstall.png)
+![figure 10.](../images/fig10-contosoinstall.png)
 
 The Contoso organization name displayed during deployment.
 
@@ -241,7 +241,7 @@ On **CM01**:
 2.  Right-click **PS1 - Primary Site 1**, point to **Configure Site Components**, and then select **Software Distribution**.
 3.  On the **Network Access Account** tab, select **Specify the account that accesses network locations** and add the *New Account* **CONTOSO\\CM\_NAA** as the Network Access account (password: pass@word1). Use the new **Verify** option to verify that the account can connect to the **\\\\DC01\\sysvol** network share.
 
-![figure 11](../images/mdt-06-fig12.png)
+![figure 11.](../images/mdt-06-fig12.png)
 
 Test the connection for the Network Access account.
 
@@ -261,7 +261,7 @@ On **CM01**:
     * Require a password when computers use PXE
     * Password and Confirm password: pass@word1
 
-    ![figure 12](../images/mdt-06-fig13.png)
+    ![figure 12.](../images/mdt-06-fig13.png)
 
     Configure the CM01 distribution point for PXE.
 
@@ -270,13 +270,13 @@ On **CM01**:
 
 4.  Using the CMTrace tool, review the C:\\Program Files\\Microsoft Configuration Manager\\Logs\\distmgr.log file. Look for ConfigurePXE and CcmInstallPXE lines.
 
-    ![figure 13](../images/mdt-06-fig14.png)
+    ![figure 13.](../images/mdt-06-fig14.png)
 
     The distmgr.log displays a successful configuration of PXE on the distribution point.
 
 5.  Verify that you have seven files in each of the folders **D:\\RemoteInstall\\SMSBoot\\x86** and **D:\\RemoteInstall\\SMSBoot\\x64**.
 
-    ![figure 14](../images/mdt-06-fig15.png)
+    ![figure 14.](../images/mdt-06-fig15.png)
 
     The contents of the D:\\RemoteInstall\\SMSBoot\\x64 folder after you enable PXE.
 
@@ -341,7 +341,7 @@ The task sequence uses instructions that allow you to reduce the number of task
     MachineObjectOU=ou=desktops,ou=Contoso,dc=contoso,dc=com
     ```
 
-![figure 2](../images/fig2-gather.png)
+![figure 2.](../images/fig2-gather.png)
 
 The Gather action in the task sequence is reading the rules.
 
@@ -349,7 +349,7 @@ The Gather action in the task sequence is reading the rules.
 
 When testing a deployment, it is important to be able to quickly test any changes you make to the deployment without needing to run through an entire deployment. MDT rules can be tested very quickly, saving significant testing time in a deployment project. For more information, see [Configure MDT settings](../deploy-windows-mdt/configure-mdt-settings.md).
 
-![figure 3](../images/mdt-06-fig03.png)
+![figure 3.](../images/mdt-06-fig03.png)
 
 The folder that contains the rules, a few scripts from MDT, and a custom script (Gather.ps1).
 
@@ -357,7 +357,7 @@ The folder that contains the rules, a few scripts from MDT, and a custom script
 
 With MDT integration, you can follow your deployments in real time, and if you have access to Microsoft Diagnostics and Recovery Toolkit (DaRT), you can even remote into Windows Preinstallation Environment (Windows PE) during deployment. The real-time monitoring data can be viewed from within the MDT Deployment Workbench, via a web browser, Windows PowerShell, the Event Viewer, or Microsoft Excel 2013. In fact, any script or app that can read an Open Data (OData) feed can read the information.
 
-![figure 4](../images/mdt-06-fig04.png)
+![figure 4.](../images/mdt-06-fig04.png)
 
 View the real-time monitoring data with PowerShell.
 
@@ -365,7 +365,7 @@ View the real-time monitoring data with PowerShell.
 
 For some deployment scenarios, you may need to prompt the user for information during deployment such as the computer name, the correct organizational unit (OU) for the computer, or which applications should be installed by the task sequence. With MDT integration, you can enable the User-Driven Installation (UDI) wizard to gather the required information, and customize the wizard using the UDI Wizard Designer.
 
-![figure 5](../images/mdt-06-fig05.png)
+![figure 5.](../images/mdt-06-fig05.png)
 
 The optional UDI wizard open in the UDI Wizard Designer.
 
diff --git a/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
index b07364dbe5..4c8dbad35e 100644
--- a/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/refresh-a-windows-7-client-with-windows-10-using-configuration-manager.md
@@ -60,7 +60,7 @@ On **PC0003**:
 2. On the **Site** tab, click **Configure Settings**, then click **Find Site**.
 3. Verify that Configuration Manager has successfully found a site to manage this client is displayed. See the following example.
 
-![Found a site to manage this client](../images/pc0003a.png)
+![Found a site to manage this client.](../images/pc0003a.png)
 
 ## Create a device collection and add the PC0003 computer
 
@@ -124,16 +124,16 @@ On **PC0003**:
 2.  In the **Software Center** warning dialog box, click **Install Operating System**. 
 3. The client computer will run the Configuration Manager task sequence, boot into Windows PE, and install the new OS and applications. See the following examples:
 
-![Task sequence example 1](../images/pc0003b.png)<br>
-![Task sequence example 2](../images/pc0003c.png)<br>
-![Task sequence example 3](../images/pc0003d.png)<br>
-![Task sequence example 4](../images/pc0003e.png)<br>
-![Task sequence example 5](../images/pc0003f.png)<br>
-![Task sequence example 6](../images/pc0003g.png)<br>
-![Task sequence example 7](../images/pc0003h.png)<br>
-![Task sequence example 8](../images/pc0003i.png)<br>
-![Task sequence example 9](../images/pc0003j.png)<br>
-![Task sequence example 10](../images/pc0003k.png)
+![Task sequence example 1.](../images/pc0003b.png)<br>
+![Task sequence example 2.](../images/pc0003c.png)<br>
+![Task sequence example 3.](../images/pc0003d.png)<br>
+![Task sequence example 4.](../images/pc0003e.png)<br>
+![Task sequence example 5.](../images/pc0003f.png)<br>
+![Task sequence example 6.](../images/pc0003g.png)<br>
+![Task sequence example 7.](../images/pc0003h.png)<br>
+![Task sequence example 8.](../images/pc0003i.png)<br>
+![Task sequence example 9.](../images/pc0003j.png)<br>
+![Task sequence example 10.](../images/pc0003k.png)
 
 Next, see [Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager](replace-a-windows-7-client-with-windows-10-using-configuration-manager.md).
 
diff --git a/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md b/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
index a30a182bb9..43b188d08e 100644
--- a/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
+++ b/windows/deployment/deploy-windows-cm/replace-a-windows-7-client-with-windows-10-using-configuration-manager.md
@@ -69,7 +69,7 @@ On **CM01**:
     >[!NOTE]
     >This task sequence has many fewer actions than the normal client task sequence. If it doesn't seem different, make sure you selected the **Client Replace Task Sequence** template when creating the task sequence.
 
-![The back-up only task sequence](../images/mdt-06-fig42.png "The back-up only task sequence")
+![The back-up only task sequence.](../images/mdt-06-fig42.png "The back-up only task sequence")
 
 The backup-only task sequence (named Replace Task Sequence).
 
@@ -91,7 +91,7 @@ On **CM01**:
     * MAC Address: &lt;the mac address that you wrote down&gt;
     * Source Computer: PC0004
 
-    ![Create the computer association](../images/mdt-06-fig43.png "Create the computer association")
+    ![Create the computer association.](../images/mdt-06-fig43.png "Create the computer association")
 
     Creating the computer association between PC0004 and PC0006.
 
@@ -160,7 +160,7 @@ On **PC0004**:
 4.  Confirm you want to upgrade the operating system on this computer by clicking **Install** again.
 5.  Allow the Replace Task Sequence to complete. The PC0004 computer will gather user data, boot into Windows PE and gather more data, then boot back to the full OS. The entire process should only take a few minutes.
 
-![Task sequence example](../images/pc0004b.png)
+![Task sequence example.](../images/pc0004b.png)
 
 Capturing the user state
 
@@ -191,15 +191,15 @@ On **PC0006**:
 
 When the process is complete, you will have a new Windows 10 computer in your domain with user data and settings restored. See the following examples:
 
-![User data and setting restored example 1](../images/pc0006a.png)<br>
-![User data and setting restored example 2](../images/pc0006b.png)<br>
-![User data and setting restored example 3](../images/pc0006c.png)<br>
-![User data and setting restored example 4](../images/pc0006d.png)<br>
-![User data and setting restored example 5](../images/pc0006e.png)<br>
-![User data and setting restored example 6](../images/pc0006f.png)<br>
-![User data and setting restored example 7](../images/pc0006g.png)<br>
-![User data and setting restored example 8](../images/pc0006h.png)<br>
-![User data and setting restored example 9](../images/pc0006i.png)
+![User data and setting restored example 1.](../images/pc0006a.png)<br>
+![User data and setting restored example 2.](../images/pc0006b.png)<br>
+![User data and setting restored example 3.](../images/pc0006c.png)<br>
+![User data and setting restored example 4.](../images/pc0006d.png)<br>
+![User data and setting restored example 5.](../images/pc0006e.png)<br>
+![User data and setting restored example 6.](../images/pc0006f.png)<br>
+![User data and setting restored example 7.](../images/pc0006g.png)<br>
+![User data and setting restored example 8.](../images/pc0006h.png)<br>
+![User data and setting restored example 9.](../images/pc0006i.png)
 
 Next, see [Perform an in-place upgrade to Windows 10 using Configuration Manager](upgrade-to-windows-10-with-configuraton-manager.md).
 
diff --git a/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md b/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md
index 7d1c05e34c..da8eb45f78 100644
--- a/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md
+++ b/windows/deployment/deploy-windows-cm/upgrade-to-windows-10-with-configuraton-manager.md
@@ -71,7 +71,7 @@ On **CM01**:
 4. Complete the wizard, and click **Close**.
 5. Review the Upgrade Task Sequence.
 
-![The upgrade task sequence](../images/cm-upgrade-ts.png)
+![The upgrade task sequence.](../images/cm-upgrade-ts.png)
 
 The Configuration Manager upgrade task sequence
 
@@ -127,13 +127,13 @@ On **PC0004**:
 4.  Confirm you want to upgrade the operating system on this computer by clicking **Install** again.
 5.  Allow the Upgrade Task Sequence to complete. The PC0004 computer will download the install.wim file, perform an in-place upgrade, and install your added applications. See the following examples:
 
-![Upgrade task sequence example 1](../images/pc0004-a.png)<br>
-![Upgrade task sequence example 2](../images/pc0004-b.png)<br>
-![Upgrade task sequence example 3](../images/pc0004-c.png)<br>
-![Upgrade task sequence example 4](../images/pc0004-d.png)<br>
-![Upgrade task sequence example 5](../images/pc0004-e.png)<br>
-![Upgrade task sequence example 6](../images/pc0004-f.png)<br>
-![Upgrade task sequence example 7](../images/pc0004-g.png)
+![Upgrade task sequence example 1.](../images/pc0004-a.png)<br>
+![Upgrade task sequence example 2.](../images/pc0004-b.png)<br>
+![Upgrade task sequence example 3.](../images/pc0004-c.png)<br>
+![Upgrade task sequence example 4.](../images/pc0004-d.png)<br>
+![Upgrade task sequence example 5.](../images/pc0004-e.png)<br>
+![Upgrade task sequence example 6.](../images/pc0004-f.png)<br>
+![Upgrade task sequence example 7.](../images/pc0004-g.png)
 
 In-place upgrade with Configuration Manager
 
diff --git a/windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md b/windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md
index 40992cf7a3..427daf44e9 100644
--- a/windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/assign-applications-using-roles-in-mdt.md
@@ -28,7 +28,7 @@ This topic will show you how to add applications to a role in the MDT database a
     2.  Applications / Lite Touch Applications:
     3.  Install - Adobe Reader XI - x86
 
-![figure 12](../images/mdt-09-fig12.png)
+![figure 12.](../images/mdt-09-fig12.png)
 
 Figure 12. The Standard PC role with the application added
 
@@ -39,7 +39,7 @@ After creating the role, you can associate it with one or more computer entries.
 2.  In the **Computers** node, double-click the **PC00075** entry, and add the following setting:
     -   Roles: Standard PC
 
-![figure 13](../images/mdt-09-fig13.png)
+![figure 13.](../images/mdt-09-fig13.png)
 
 Figure 13. The Standard PC role added to PC00075 (having ID 1 in the database).
 
@@ -120,7 +120,7 @@ When the database is populated, you can use the MDT simulation environment to si
 
     ```
 
-![figure 14](../images/mdt-09-fig14.png)
+![figure 14.](../images/mdt-09-fig14.png)
 
 Figure 14. ZTIGather.log displaying the application GUID belonging to the Adobe Reader XI application that would have been installed if you deployed this machine.
 
diff --git a/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md b/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md
index 67daeba302..06399d410a 100644
--- a/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md
+++ b/windows/deployment/deploy-windows-mdt/build-a-distributed-environment-for-windows-10-deployment.md
@@ -27,7 +27,7 @@ Four computers are used in this topic: DC01, MDT01, MDT02, and PC0006. DC01 is a
 
 For the purposes of this article, we assume that MDT02 is prepared with the same network and storage capabilities that were specified for MDT01, except that MDT02 is located on a different subnet than MDT01. For more details on the infrastructure setup for this topic, please see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md).
 
-![figure 1](../images/mdt-10-fig01.png)
+![figure 1.](../images/mdt-10-fig01.png)
 
 Computers used in this topic.
 
@@ -149,7 +149,7 @@ On **MDT01**:
 4. After the update is complete, use the Windows Deployment Services console on MDT01. In the **Boot Images** node, right-click the **MDT Production x64** boot image and select **Replace Image**.
 5. Browse and select the **D:\\MDTProduction\\Boot\\LiteTouchPE\_x64.wim** boot image, and then complete Replace Boot Image Wizard using the default settings.
 
-   ![figure 5](../images/mdt-10-fig05.png)
+   ![figure 5.](../images/mdt-10-fig05.png)
 
    Replacing the updated boot image in WDS.
 
@@ -167,7 +167,7 @@ On **MDT01**:
 8. On the **Name and Domain** page, assign the **MDTProduction** name, and click **Next**.
 9. On the **Replication Group Members** page, click **Add**, add **MDT01** and **MDT02**, and then click **Next**.
 
-    ![figure 6](../images/mdt-10-fig06.png)
+    ![figure 6.](../images/mdt-10-fig06.png)
 
     Adding the Replication Group Members.
 
@@ -223,7 +223,7 @@ On **MDT02**:
 7. On the **Review Settings and Create Report** page, click **Create**.
 8. Open the report in Internet Explorer, and if necessary, select the **Allow blocked content** option.
 
-![figure 9](../images/mdt-10-fig09.png)
+![figure 9.](../images/mdt-10-fig09.png)
 
 The DFS Replication Health Report.
 
@@ -258,7 +258,7 @@ Now you should have a solution ready for deploying the Windows 10 client to the
     2.  Install applications.
     3.  Update the operating system using your local Windows Server Update Services (WSUS) server.
 
-![pc0001](../images/pc0006.png)
+![pc0001.](../images/pc0006.png)
 
 ## Related topics
 
diff --git a/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md b/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md
index 9ec7f0adba..5259d8bafe 100644
--- a/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md
+++ b/windows/deployment/deploy-windows-mdt/configure-mdt-settings.md
@@ -21,7 +21,7 @@ ms.topic: article
 One of the most powerful features in Microsoft Deployment Toolkit (MDT) is its extension capabilities; there is virtually no limitation to what you can do in terms of customization. In this topic, you learn about configuring customizations for your environment.
 For the purposes of this topic, we will use four machines: DC01, MDT01, HV01, and PC0001. DC01 is a domain controller, MDT01 is a Windows Server 2012 R2 Standard server, and PC0001 is a Windows 10 Enterprise x64 client used for the MDT simulation environment. OR01 has Microsoft System Center 2012 R2 Orchestrator installed. MDT01, OR01, and PC0001 are members of the domain contoso.com for the fictitious Contoso Corporation. For more details on the setup for this topic, please see [Deploy Windows 10 with the Microsoft Deployment Toolkit](./prepare-for-windows-deployment-with-mdt.md).
 
-![figure 1](../images/mdt-09-fig01.png)
+![figure 1.](../images/mdt-09-fig01.png)
 
 The computers used in this topic.
 
diff --git a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
index 92bdcde554..33d92b8cc9 100644
--- a/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
+++ b/windows/deployment/deploy-windows-mdt/create-a-windows-10-reference-image.md
@@ -31,7 +31,7 @@ For the purposes of this topic, we will use three computers: DC01, MDT01, and HV
    - MDT01 is a contoso.com domain member server.
    - HV01 is a Hyper-V server that will be used to build the reference image.
  
-   ![devices](../images/mdt-08-fig01.png)
+   ![devices.](../images/mdt-08-fig01.png)
 
    Computers used in this topic.
 
@@ -62,7 +62,7 @@ On **MDT01**:
 - Review the Summary page, click **Next**, wait for the deployment share to be created, then click **Finish**.
 - Verify that you can access the <b>\\\\MDT01\\MDTBuildLab$</b> share.
 
-   ![figure 2](../images/mdt-08-fig02.png)
+   ![figure 2.](../images/mdt-08-fig02.png)
 
    The Deployment Workbench with the MDT Build Lab deployment share.
 
@@ -101,7 +101,7 @@ On **MDT01**:
 
 1. Sign in as **contoso\\administrator** and copy the content of a Windows 10 Enterprise x64 DVD/ISO to the **D:\\Downloads\\Windows 10 Enterprise x64** folder on MDT01, or just insert the DVD or mount an ISO on MDT01. The following example shows the files copied to the D:\\Downloads folder, but you can also choose to import the OS directly from an ISO or DVD.
 
-    ![ISO](../images/iso-data.png)
+    ![ISO.](../images/iso-data.png)
 
 2. Using the Deployment Workbench, expand the **Deployment Shares** node, and then expand **MDT Build Lab**.
 3. Right-click the **Operating Systems** node, and create a new folder named **Windows 10**.
@@ -111,7 +111,7 @@ On **MDT01**:
     - Destination directory name: <b>W10EX64RTM</b>
 5. After adding the operating system, in the **Operating Systems / Windows 10** folder, double-click it and change the name to: **Windows 10 Enterprise x64 RTM Default Image**. See the following example.
 
-    ![Default image](../images/deployment-workbench01.png)
+    ![Default image.](../images/deployment-workbench01.png)
 
 >Depending on the DVD you used, there might be multiple editions available. For the purposes of this guide, we are using the Windows 10 Enterprise image, but other images will also work.
 
@@ -188,7 +188,7 @@ Download all three items in this list to the D:\\Downloads folder on MDT01.
 
 3. Ensure the configuration.xml file is in the D:\\Downloads\\Office365 folder. See the following example of the extracted files plus the configuration.xml file in the Downloads\\Office365 folder:
 
-    ![folder](../images/office-folder.png)
+    ![folder.](../images/office-folder.png)
 
   Assuming you have named the file "configuration.xml" as shown above, we will use the command "**setup.exe /configure configuration.xml**" when we create the application in MDT. This will perform the installation of Microsoft 365 Apps for enterprise using the configuration settings in the configuration.xml file. Do not perform this step yet.
 
@@ -346,7 +346,7 @@ On **MDT01**:
         >[!IMPORTANT]
         >This is probably the most important step when creating a reference image. Many applications need the .NET Framework, and we strongly recommend having it available in the image. The one thing that makes this different from other components is that .NET Framework 3.5.1 is not included in the WIM file. It is installed from the **Sources\\SxS** folder on the media, and that makes it more difficult to add after the image has been deployed.
          
-        ![task sequence](../images/fig8-cust-tasks.png)
+        ![task sequence.](../images/fig8-cust-tasks.png)
 
         The task sequence after creating the Custom Tasks (Pre-Windows Update) group and adding the Install - Microsoft NET Framework 3.5.1 action.
 
@@ -356,18 +356,18 @@ On **MDT01**:
     7.  Repeat these steps (add a new **Install Application**) to add Microsoft Visual C++ Redistributable 2019 - x64 and Microsoft 365 Apps for enterprise as well.
 3. Click **OK**.
 
- ![apps](../images/mdt-apps.png) 
+ ![apps.](../images/mdt-apps.png) 
 
 
 ### Optional configuration: Add a suspend action
 
 The goal when creating a reference image is of course to automate everything. But sometimes you have a special configuration or application setup that is too time-consuming to automate. If you need to do some manual configuration, you can add a little-known feature called Lite Touch Installation (LTI) Suspend. If you add the LTISuspend.wsf script as a custom action in the task sequence, it will suspend the task sequence until you click the Resume Task Sequence shortcut icon on the desktop. In addition to using the LTI Suspend feature for manual configuration or installation, you can also use it simply for verifying a reference image before you allow the task sequence to continue and use Sysprep and capture the virtual machine.
 
-   ![figure 8](../images/fig8-suspend.png)
+   ![figure 8.](../images/fig8-suspend.png)
 
    A task sequence with optional Suspend action (LTISuspend.wsf) added.
 
-   ![figure 9](../images/fig9-resumetaskseq.png)
+   ![figure 9.](../images/fig9-resumetaskseq.png)
 
    The Windows 10 desktop with the Resume Task Sequence shortcut.
 
@@ -402,7 +402,7 @@ On **MDT01**:
      - Note: If errors are reported that certain display values are incorrect, you can ignore this or browse to **7oobeSystem\\amd64_Microsoft-Windows-Shell-Setup__neutral\\Display** and enter the following: ColorDepth 32, HorizontalResolution 1, RefreshRate 60, VerticalResolution 1.
 6. On the Windows 10 Enterprise x64 RTM Default Image Properties, click **OK**.
 
-    ![figure 10](../images/fig10-unattend.png)
+    ![figure 10.](../images/fig10-unattend.png)
 
     Windows System Image Manager with the Windows 10 Unattend.xml.
 
@@ -455,7 +455,7 @@ On **MDT01**:
     SkipFinalSummary=YES
     ```
 
-    ![figure 11](../images/mdt-rules.png)
+    ![figure 11.](../images/mdt-rules.png)
 
     The server-side rules for the MDT Build Lab deployment share.
  
@@ -642,7 +642,7 @@ On **HV01**:
        -   Location: \\\\MDT01\\MDTBuildLab$\\Captures
     3. File name: REFW10X64-001.wim
 
-        ![capture image](../images/captureimage.png)
+        ![capture image.](../images/captureimage.png)
 
         The Windows Deployment Wizard for the Windows 10 reference image.
 
@@ -657,7 +657,7 @@ On **HV01**:
 
 After some time, you will have a Windows 10 Enterprise x64 image that is fully patched and has run through Sysprep, located in the D:\\MDTBuildLab\\Captures folder on your deployment server. The file name is REFW10X64-001.wim.
 
-   ![image](../images/image-captured.png)
+   ![image.](../images/image-captured.png)
 
 ## Troubleshooting
 
@@ -666,7 +666,7 @@ After some time, you will have a Windows 10 Enterprise x64 image that is fully
 
 If you [enabled monitoring](#enable-monitoring), you can check the progress of the task sequence.
 
-   ![monitoring](../images/mdt-monitoring.png)
+   ![monitoring.](../images/mdt-monitoring.png)
 
 If there are problems with your task sequence, you can troubleshoot in Windows PE by pressing F8 to open a command prompt. There are several [MDT log files](/configmgr/mdt/troubleshooting-reference#mdt-logs) created that can be helpful determining the origin of an error, such as BDD.log.  From the command line in Windows PE you can copy these logs from the client to your MDT server for viewing with CMTrace. For example: copy BDD.log \\\\mdt01\\logs$.
 
diff --git a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
index 5eec9e233a..b6a311471f 100644
--- a/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/deploy-a-windows-10-image-using-mdt.md
@@ -34,7 +34,7 @@ For the purposes of this topic, we will use four computers: DC01, MDT01, HV01 an
 
 MDT01 and PC0005 are members of the domain contoso.com for the fictitious Contoso Corporation.  HV01 used to test deployment of PC0005 in a virtual environment.
 
-   ![devices](../images/mdt-07-fig01.png)
+   ![devices.](../images/mdt-07-fig01.png)
 
 >[!NOTE]
 >For details about the setup for the procedures in this article, please see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md).
@@ -135,7 +135,7 @@ In these steps, we assume that you have completed the steps in the [Create a Win
 >The reason for adding the setup files has changed since earlier versions of MDT. MDT 2010 used the setup files to install Windows. MDT uses DISM to apply the image; however, you still need the setup files because some components in roles and features are stored outside the main image.
  
 
-![imported OS](../images/fig2-importedos.png)
+![imported OS.](../images/fig2-importedos.png)
 
 ## Step 4: Add an application
 
@@ -162,7 +162,7 @@ On **MDT01**:
 
 10. On the **Command Details** page, in the **Command Line** text box, type **msiexec /i AcroRead.msi /q**, click **Next** twice, and then click **Finish**.
 
-    ![acroread image](../images/acroread.png)
+    ![acroread image.](../images/acroread.png)
 
     The Adobe Reader application added to the Deployment Workbench.
 
@@ -238,7 +238,7 @@ wmic csproduct get name
 
 If you want a more standardized naming convention, try the **ModelAliasExit.vbs script** from the Deployment Guys blog post, entitled [Using and Extending Model Aliases for Hardware Specific Application Installation](/archive/blogs/deploymentguys/using-and-extending-model-aliases-for-hardware-specific-application-installation).
 
-![drivers](../images/fig4-oob-drivers.png)
+![drivers.](../images/fig4-oob-drivers.png)
 
 The Out-of-Box Drivers structure in the Deployment Workbench.
 
@@ -260,7 +260,7 @@ On **MDT01**:
     2.  Folders: Select the WinPE x64 folder in Out-of-Box Drivers.
     3.  Click **Next**, **Next** and **Finish**.
 
-    ![figure 5](../images/fig5-selectprofile.png)
+    ![figure 5.](../images/fig5-selectprofile.png)
 
     Creating the WinPE x64 selection profile.
 
@@ -284,7 +284,7 @@ On **MDT01**:
 For the ThinkStation P500 model, you use the Lenovo ThinkVantage Update Retriever software to download the drivers. With Update Retriever, you need to specify the correct Lenovo Machine Type for the actual hardware (the first four characters of the model name). As an example, the Lenovo ThinkStation P500 model has the 30A6003TUS model name, meaning the Machine Type is 30A6.
 
 > [!div class="mx-imgBorder"]
-> ![ThinkStation image](../images/thinkstation.png)
+> ![ThinkStation image.](../images/thinkstation.png)
 
 To get the updates, download the drivers from the Lenovo ThinkVantage Update Retriever using its export function. You can also download the drivers by searching PC Support on the [Lenovo website](https://go.microsoft.com/fwlink/p/?LinkId=619543).
 
@@ -386,7 +386,7 @@ On **MDT01**:
 
 3. Click **OK**.
 
-   ![drivergroup](../images/fig6-taskseq.png)
+   ![drivergroup.](../images/fig6-taskseq.png)
 
    The task sequence for production deployment.
 
@@ -488,7 +488,7 @@ On **MDT01**:
     >[!NOTE]
     >It will take a while for the Deployment Workbench to create the monitoring database and web service.
  
-    ![figure 8](../images/mdt-07-fig08.png)
+    ![figure 8.](../images/mdt-07-fig08.png)
 
     The Windows PE tab for the x64 boot image.
 
@@ -586,7 +586,7 @@ On **MDT01**:
 
 2. Install DaRT 10 (MSDaRT10.msi) using the default settings.
 
-   ![DaRT image](../images/dart.png)
+   ![DaRT image.](../images/dart.png)
 
 2. Copy the two tools CAB files from **C:\\Program Files\\Microsoft DaRT\\v10** (**Toolsx86.cab** and **Toolsx64.cab**) to the production deployment share at **D:\\MDTProduction\\Tools\\x86** and **D:\\MDTProduction\\Tools\\x64**, respectively.
 
@@ -596,7 +596,7 @@ On **MDT01**:
 
 5. On the **Features** sub tab, select the **Microsoft Diagnostics and Recovery Toolkit (DaRT)** checkbox.
 
-   ![DaRT selection](../images/mdt-07-fig09.png)
+   ![DaRT selection.](../images/mdt-07-fig09.png)
 
    Selecting the DaRT 10 feature in the deployment share.
 
@@ -633,7 +633,7 @@ On **MDT01**:
 
 3. Browse to the **D:\\MDTProduction\\Boot\\LiteTouchPE\_x64.wim** file and add the image with the default settings.
 
-   ![figure 9](../images/mdt-07-fig10.png)
+   ![figure 9.](../images/mdt-07-fig10.png)
 
    The boot image added to the WDS console.
 
@@ -655,7 +655,7 @@ On **HV01**:
 
 2.  Start the PC0005 virtual machine, and press **Enter** to start the PXE boot. The VM will now load the Windows PE boot image from the WDS server.
 
-    ![figure 10](../images/mdt-07-fig11.png)
+    ![figure 10.](../images/mdt-07-fig11.png)
 
     The initial PXE boot process of PC0005.
 
@@ -671,13 +671,13 @@ On **HV01**:
     - Installs the added application.
     - Updates the operating system via your local Windows Server Update Services (WSUS) server.
 
-    ![pc0005 image1](../images/pc0005-vm.png)
+    ![pc0005 image1.](../images/pc0005-vm.png)
 
 ### Application installation
 
 Following OS installation, Microsoft Office 365 Pro Plus - x64 is installed automatically.
 
- ![pc0005 image2](../images/pc0005-vm-office.png)
+ ![pc0005 image2.](../images/pc0005-vm-office.png)
 
 ### Use the MDT monitoring feature
 
@@ -691,7 +691,7 @@ On **MDT01**:
 
 3.  Double-click PC0005, and review the information.
 
-    ![figure 11](../images/mdt-07-fig13.png)
+    ![figure 11.](../images/mdt-07-fig13.png)
 
     The Monitoring node, showing the deployment progress of PC0005.
 
@@ -699,7 +699,7 @@ On **MDT01**:
 
 When monitoring is enabled, MDT also writes information to the event viewer on MDT01. This information can be used to trigger notifications via scheduled tasks when deployment is completed. For example, you can configure scheduled tasks to send an email when a certain event is created in the event log.
 
-![figure 12](../images/mdt-07-fig14.png)
+![figure 12.](../images/mdt-07-fig14.png)
 
 The Event Viewer showing a successful deployment of PC0005.
 
@@ -723,7 +723,7 @@ On **MDT01**:
 3.  Right-click the **MDT Production** deployment share folder and select **Update Deployment Share**.
 4.  After updating the deployment share, use the Windows Deployment Services console to, verify that the multicast namespace was created.
 
-    ![figure 13](../images/mdt-07-fig15.png)
+    ![figure 13.](../images/mdt-07-fig15.png)
 
     The newly created multicast namespace.
 
@@ -753,7 +753,7 @@ On **MDT01**:
       - Out-Of-Box Drivers / Windows 10 x64
       - Task Sequences / Windows 10
 
-      ![offline media](../images/mdt-offline-media.png)
+      ![offline media.](../images/mdt-offline-media.png)
 
 ### Create the offline media
 
@@ -831,7 +831,7 @@ Follow these steps to create a bootable USB stick from the offline media content
 
 As referenced in [Windows 10 deployment scenarios and tools](../windows-deployment-scenarios-and-tools.md), Unified Extensible Firmware Interface (UEFI)-based deployments are becoming more common. In fact, when you create a generation 2 virtual machine in Hyper-V, you get a UEFI-based computer. During deployment, MDT automatically detects that you have an UEFI-based machine and creates the partitions UEFI requires. You do not need to update or change your task sequences in any way to accommodate UEFI.
 
-![figure 14](../images/mdt-07-fig16.png)
+![figure 14.](../images/mdt-07-fig16.png)
 
 The partitions when deploying an UEFI-based machine.
 
diff --git a/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md b/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md
index 03e9e01012..dc5907ae88 100644
--- a/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md
+++ b/windows/deployment/deploy-windows-mdt/get-started-with-the-microsoft-deployment-toolkit.md
@@ -43,7 +43,7 @@ MDT has many useful features, such as:
 - **GPT support.** Supports deployment to machines that require the new GPT partition table format. This is related to UEFI.
 - **Enhanced Windows PowerShell support.** Provides support for running PowerShell scripts.
 
-    ![figure 2](../images/mdt-05-fig02.png)
+    ![figure 2.](../images/mdt-05-fig02.png)
 
     The deployment share mounted as a standard PSDrive allows for administration using PowerShell.
 
@@ -58,7 +58,7 @@ MDT has many useful features, such as:
 - **Offline BitLocker.** Provides the capability to have BitLocker enabled during the Windows Preinstallation Environment (Windows PE) phase, thus saving hours of encryption time.
 - **USMT offline user-state migration.** Provides support for running the User State Migration Tool (USMT) capture offline, during the Windows PE phase of the deployment.
 
-    ![figure 3](../images/mdt-05-fig03.png)
+    ![figure 3.](../images/mdt-05-fig03.png)
 
     The offline USMT backup in action.
 
@@ -76,7 +76,7 @@ Many features in MDT support Lite Touch Installation (LTI) for Windows 10. An L
 
 When deploying the Windows operating system using MDT, most of the administration and configuration is done through the Deployment Workbench, but you also can perform many of the tasks using Windows PowerShell. The easiest way to find out how to use PowerShell in MDT is to use the Deployment Workbench to perform an operation and at the end of that task, click View Script. That will give you the PowerShell command.
 
-![figure 4](../images/mdt-05-fig04.png)
+![figure 4.](../images/mdt-05-fig04.png)
 
 If you click **View Script** on the right side, you will get the PowerShell code that was used to perform the task.
 
@@ -93,7 +93,7 @@ The rules (CustomSettings.ini and Bootstrap.ini) make up the brain of MDT. The r
 - Regional settings
 You can manage hundreds of settings in the rules. For more information, see the [Microsoft Deployment Toolkit resource center](/mem/configmgr/mdt/).
 
-![figure 5](../images/mdt-05-fig05.png)
+![figure 5.](../images/mdt-05-fig05.png)
 
 Example of a MDT rule. In this example, the new computer name is being calculated based on PC- plus the first seven (Left) characters from the serial number
 
diff --git a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
index c1039d7404..97d1ca6701 100644
--- a/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md
@@ -75,7 +75,7 @@ The following generic credentials are used in this guide. You should replace the
 
 The following OU structure is used in this guide. Instructions are provided [below](#create-the-ou-structure) to help you create the required OUs.
 
-![figure 2](../images/mdt-01-fig02.jpg)
+![figure 2.](../images/mdt-01-fig02.jpg)
 
 ## Install the Windows ADK
 
@@ -182,7 +182,7 @@ Set-Location $home\Setup\Scripts
 
 This will create an OU structure as shown below.
 
-![OU structure](../images/mdt-05-fig07.png)
+![OU structure.](../images/mdt-05-fig07.png)
 
 To use the Active Directory Users and Computers console (instead of PowerShell):
 
@@ -233,18 +233,18 @@ On **MDT01**:
 
 See the following example:
 
-![Logs folder](../images/mdt-05-fig08.png)
+![Logs folder.](../images/mdt-05-fig08.png)
 
 ## Use CMTrace to read log files (optional)
 
 The log files in MDT Lite Touch are formatted to be read by Configuration Manager Trace ([CMTrace](/sccm/core/support/cmtrace)), which is available as part of the [Microsoft System 2012 R2 Center Configuration Manager Toolkit](https://go.microsoft.com/fwlink/p/?LinkId=734717). You should also download this tool.  
 You can use Notepad (example below):
 
-![figure 8](../images/mdt-05-fig09.png)
+![figure 8.](../images/mdt-05-fig09.png)
 
 Alternatively, CMTrace formatting makes the logs much easier to read. See the same log file below, opened in CMTrace:
 
-![figure 9](../images/mdt-05-fig10.png)
+![figure 9.](../images/mdt-05-fig10.png)
 
 After installing the ConfigMgrTools.msi file, you can search for **cmtrace** and pin the tool to your taskbar for easy access.
 
diff --git a/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md b/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md
index 2bba58db5a..f1aa143648 100644
--- a/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md
+++ b/windows/deployment/deploy-windows-mdt/refresh-a-windows-7-computer-with-windows-10.md
@@ -30,7 +30,7 @@ For the purposes of this topic, we will use three computers: DC01, MDT01, and PC
 
 Both DC01 and MDT01 are running Windows Server 2019; however any supported version of Windows Server can be used. For more details on the setup for this topic, please see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md).
 
-![computers](../images/mdt-04-fig01.png "Computers used in this topic")
+![computers.](../images/mdt-04-fig01.png "Computers used in this topic")
 
 The computers used in this topic.
 
@@ -93,7 +93,7 @@ It is also assumed that you have a domain member client computer named PC0001 in
      >Skip this optional full WIM backup that we are choosing not to perform. The USMT backup will still run.
    * Select one or more applications to install: Install - Adobe Reader
 
-     ![Computer refresh](../images/fig2-taskseq.png "Start the computer refresh")
+     ![Computer refresh.](../images/fig2-taskseq.png "Start the computer refresh")
 
 4. Setup starts and does the following:
     
@@ -105,7 +105,7 @@ It is also assumed that you have a domain member client computer named PC0001 in
 
 5. You can monitor progress of the deployment using the deployment workbench on MDT01. See the following example:
 
-     ![monitor deployment](../images/monitor-pc0001.png)
+     ![monitor deployment.](../images/monitor-pc0001.png)
 
 6. After the refresh process completes, sign in to the Windows 10 computer and verify that user accounts, data and settings were migrated.
 
diff --git a/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md b/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md
index 84daf20005..fb7cfe97e1 100644
--- a/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md
+++ b/windows/deployment/deploy-windows-mdt/replace-a-windows-7-computer-with-a-windows-10-computer.md
@@ -32,7 +32,7 @@ For the purposes of this topic, we will use four computers: DC01, MDT01, PC0002,
 
 For more details on the setup for this topic, please see [Prepare for deployment with MDT](prepare-for-windows-deployment-with-mdt.md).
 
-![The computers used in this topic](../images/mdt-03-fig01.png)
+![The computers used in this topic.](../images/mdt-03-fig01.png)
 
 The computers used in this topic.
 
@@ -73,7 +73,7 @@ On **MDT01**:
 
 4. In the **Other** folder, double-click **Backup Only Task Sequence**, and then in the **Task Sequence** tab, review the sequence. Notice that it only contains a subset of the normal client task sequence actions.
 
-   ![The Backup Only Task Sequence action list](../images/mdt-03-fig02.png "The Backup Only Task Sequence action list")
+   ![The Backup Only Task Sequence action list.](../images/mdt-03-fig02.png "The Backup Only Task Sequence action list")
 
    The Backup Only Task Sequence action list.
 
@@ -103,13 +103,13 @@ On **PC0002**:
 
     The task sequence will now run USMT (Scanstate.exe) to capture user data and settings of the computer.
 
-    ![The new task sequence](../images/mdt-03-fig03.png "The new task sequence")
+    ![The new task sequence.](../images/mdt-03-fig03.png "The new task sequence")
 
     The new task sequence running the Capture User State action on PC0002.
 
 4.  On **MDT01**, verify that you have an USMT.MIG compressed backup file in the **D:\\MigData\\PC0002\\USMT** folder.
 
-    ![The USMT backup](../images/mdt-03-fig04.png "The USMT backup")
+    ![The USMT backup.](../images/mdt-03-fig04.png "The USMT backup")
 
     The USMT backup of PC0002.
 
@@ -130,7 +130,7 @@ On **HV01**:
 
 2.  Start the PC0007 virtual machine, and press **Enter** to start the Pre-Boot Execution Environment (PXE) boot. The VM will now load the Windows PE boot image from MDT01 (or MDT02 if at a remote site).
 
-    ![The initial PXE boot process](../images/mdt-03-fig05.png "The initial PXE boot process")
+    ![The initial PXE boot process.](../images/mdt-03-fig05.png "The initial PXE boot process")
 
     The initial PXE boot process of PC0007.
 
@@ -153,7 +153,7 @@ On **HV01**:
 
 You can view progress of the process by clicking the Monitoring node in the Deployment Workbrench on MDT01.
 
-![Monitor progress](../images/mdt-replace.png)
+![Monitor progress.](../images/mdt-replace.png)
 
 ## Related topics
 
diff --git a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md
index 62cb47a58a..8d2743cfa3 100644
--- a/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md
+++ b/windows/deployment/deploy-windows-mdt/set-up-mdt-for-bitlocker.md
@@ -52,7 +52,7 @@ To enable BitLocker to store the recovery key and TPM information in Active Dire
 
 In Windows Server version from 2008 R2 and later, you have access to the BitLocker Drive Encryption Administration Utilities features, which will help you manage BitLocker. When you install the features, the BitLocker Active Directory Recovery Password Viewer is included, and it extends Active Directory Users and Computers with BitLocker Recovery information.
 
-![figure 2](../images/mdt-09-fig02.png)
+![figure 2.](../images/mdt-09-fig02.png)
 
 The BitLocker Recovery information on a computer object in the contoso.com domain.
 
@@ -71,7 +71,7 @@ The BitLocker Drive Encryption Administration Utilities are added as features vi
     3. BitLocker Recovery Password Viewer
 7. On the **Confirm installation selections** page, click **Install**, and then click **Close**.
 
-![figure 3](../images/mdt-09-fig03.png)
+![figure 3.](../images/mdt-09-fig03.png)
 
 Selecting the BitLocker Drive Encryption Administration Utilities.
 
@@ -104,7 +104,7 @@ In addition to the Group Policy created previously, you need to configure permis
     cscript C:\Setup\Scripts\Add-TPMSelfWriteACE.vbs
     ```
 
-![figure 4](../images/mdt-09-fig04.png)
+![figure 4.](../images/mdt-09-fig04.png)
 
 Running the Add-TPMSelfWriteACE.vbs script on DC01.
 
diff --git a/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md b/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md
index e0c0bd23c1..4ec7b22c9d 100644
--- a/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md
+++ b/windows/deployment/deploy-windows-mdt/simulate-a-windows-10-deployment-in-a-test-environment.md
@@ -46,7 +46,7 @@ On **PC0001**:
 8. In the **C:\\MDT** folder, create a subfolder named **X64**.
 9. From the **\\\\MDT01\\MDTProduction$\\Tools\\X64** folder, copy the Microsoft.BDD.Utility.dll file to **C:\\MDT\\X64**.
 
-   ![files](../images/mdt-09-fig06.png)
+   ![files.](../images/mdt-09-fig06.png)
 
    The C:\\MDT folder with the files added for the simulation environment.
 
@@ -62,7 +62,7 @@ On **PC0001**:
     **Note**  
     Warnings or errors with regard to the Wizard.hta are expected. If the log file looks okay, you are ready to try a real deployment.
  
-   ![ztigather](../images/mdt-09-fig07.png)
+   ![ztigather.](../images/mdt-09-fig07.png)
 
    The ZTIGather.log file from PC0001.
 
diff --git a/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md b/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
index ad18311cbc..41cd6d8006 100644
--- a/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
+++ b/windows/deployment/deploy-windows-mdt/upgrade-to-windows-10-with-the-microsoft-deployment-toolkit.md
@@ -34,7 +34,7 @@ Three computers are used in this topic: DC01, MDT01, and PC0002.
 - MDT01 is a domain member server 
 - PC0002 is a domain member computer running Windows 7 SP1, targeted for the Windows 10 upgrade
 
- ![computers](../images/mdt-upgrade.png)
+ ![computers.](../images/mdt-upgrade.png)
 
  The computers used in this topic.
 
@@ -96,15 +96,15 @@ On **PC0002**:
 4. On the **Ready** tab, click **Begin** to start the task sequence.
    When the task sequence begins, it automatically initiates the in-place upgrade process by invoking the Windows setup program (Setup.exe) with the necessary command-line parameters to perform an automated upgrade, which preserves all data, settings, apps, and drivers.
 
-![upgrade1](../images/upgrademdt-fig5-winupgrade.png)
+![upgrade1.](../images/upgrademdt-fig5-winupgrade.png)
 
 <br>
 
-![upgrade2](../images/mdt-upgrade-proc.png)
+![upgrade2.](../images/mdt-upgrade-proc.png)
 
 <br>
 
-![upgrade3](../images/mdt-post-upg.png)
+![upgrade3.](../images/mdt-post-upg.png)
 
 After the task sequence completes, the computer will be fully upgraded to Windows 10.
 
diff --git a/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md b/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md
index f948eab51d..48516703b7 100644
--- a/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/use-orchestrator-runbooks-with-mdt.md
@@ -47,13 +47,13 @@ This section assumes you have Orchestrator 2012 R2 installed on a server named O
    **Note**  
    Make sure File Explorer is configured to show known file extensions so the file is not named DeployLog.txt.txt.
      
-   ![figure 23](../images/mdt-09-fig23.png)
+   ![figure 23.](../images/mdt-09-fig23.png)
 
    Figure 23. The DeployLog.txt file.
 
 3. Using System Center 2012 R2 Orchestrator Runbook Designer, in the **Runbooks** node, create the **1.0 MDT** folder.
 
-   ![figure 24](../images/mdt-09-fig24.png)
+   ![figure 24.](../images/mdt-09-fig24.png)
 
    Figure 24. Folder created in the Runbooks node.
 
@@ -65,14 +65,14 @@ This section assumes you have Orchestrator 2012 R2 installed on a server named O
    2.  Text File Management / Append Line
 8. Connect **Initialize Data** to **Append Line**.
 
-   ![figure 25](../images/mdt-09-fig25.png)
+   ![figure 25.](../images/mdt-09-fig25.png)
 
    Figure 25. Activities added and connected.
 
 9. Right-click the **Initialize Data** activity, and select **Properties**
 10. On **the Initialize Data Properties** page, click **Add**, change **Parameter 1** to **OSDComputerName**, and then click **Finish**.
 
-    ![figure 26](../images/mdt-09-fig26.png)
+    ![figure 26.](../images/mdt-09-fig26.png)
 
     Figure 26. The Initialize Data Properties window.
 
@@ -81,13 +81,13 @@ This section assumes you have Orchestrator 2012 R2 installed on a server named O
 13. In the **File** encoding drop-down list, select **ASCII**.
 14. In the **Append** area, right-click inside the **Text** text box and select **Expand**.
 
-    ![figure 27](../images/mdt-09-fig27.png)
+    ![figure 27.](../images/mdt-09-fig27.png)
 
     Figure 27. Expanding the Text area.
 
 15. In the blank text box, right-click and select **Subscribe / Published Data**.
 
-    ![figure 28](../images/mdt-09-fig28.png)
+    ![figure 28.](../images/mdt-09-fig28.png)
 
     Figure 28. Subscribing to data.
 
@@ -95,7 +95,7 @@ This section assumes you have Orchestrator 2012 R2 installed on a server named O
 17. After the **{OSDComputerName from "Initialize Data"}** text, type in **has been deployed at** and, once again, right-click and select **Subscribe / Published Data**.
 18. In the **Published Data** window, select the **Show common Published Data** check box, select the **Activity end time** item, and click **OK**.
 
-    ![figure 29](../images/mdt-09-fig29.png)
+    ![figure 29.](../images/mdt-09-fig29.png)
 
     Figure 29. The expanded text box after all subscriptions have been added.
 
@@ -109,7 +109,7 @@ This section assumes you have Orchestrator 2012 R2 installed on a server named O
 23. Close the **Runbook Tester**.
 24. On the ribbon bar, click **Check In**.
 
-![figure 30](../images/mdt-09-fig30.png)
+![figure 30.](../images/mdt-09-fig30.png)
 
 Figure 30. All tests completed.
 
@@ -133,7 +133,7 @@ Figure 30. All tests completed.
     2.  Use Browse to select **1.0 MDT / MDT Sample**.
 8.  Click **OK**.
 
-![figure 31](../images/mdt-09-fig31.png)
+![figure 31.](../images/mdt-09-fig31.png)
 
 Figure 31. The ready-made task sequence.
 
@@ -157,7 +157,7 @@ Make sure the account you are using has permissions to run runbooks on the Orche
         3.  Domain: CONTOSO
 4.  Wait until the task sequence is completed and then verify that the DeployLog.txt file in the E:\\Logfile folder on OR01 was updated.
 
-![figure 32](../images/mdt-09-fig32.png)
+![figure 32.](../images/mdt-09-fig32.png)
 
 Figure 32. The ready-made task sequence.
 
diff --git a/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md b/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md
index aaad299ceb..3c191c4712 100644
--- a/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md
+++ b/windows/deployment/deploy-windows-mdt/use-the-mdt-database-to-stage-windows-10-deployment-information.md
@@ -43,7 +43,7 @@ The MDT database is by default created and managed from the Deployment Workbench
 3.  On the **Database** page, select **Create a new database**; in the **Database** field, type **MDT** and click **Next**.
 4.  On the **SQL Share** page, in the **SQL Share** field, type **Logs$** and click **Next**. Click **Next** again and then click **Finish**.
 
-![figure 8](../images/mdt-09-fig08.png)
+![figure 8.](../images/mdt-09-fig08.png)
 
 Figure 8. The MDT database added to MDT01.
 
@@ -54,7 +54,7 @@ After creating the database, you need to assign permissions to it. In MDT, the a
 2.  In the **Connect to Server** dialog box, in the **Server name** list, select **MDT01\\SQLEXPRESS** and click **Connect**.
 3.  In the **Object Explorer** pane, expand the top-level **Security** node, right-click **Logins**, and select **New Login**.
 
-    ![figure 9](../images/mdt-09-fig09.png)
+    ![figure 9.](../images/mdt-09-fig09.png)
 
     Figure 9. The top-level Security node.
 
@@ -64,7 +64,7 @@ After creating the database, you need to assign permissions to it. In MDT, the a
     3.  public (default)
 5.  Click **OK**, and close SQL Server Management Studio.
 
-![figure 10](../images/mdt-09-fig10.png)
+![figure 10.](../images/mdt-09-fig10.png)
 
 Figure 10. Creating the login and settings permissions to the MDT database.
 
@@ -77,7 +77,7 @@ To start using the database, you add a computer entry and assign a description a
     2.  MacAddress: &lt;PC00075 MAC Address in the 00:00:00:00:00:00 format&gt;
     3.  Details Tab / OSDComputerName: PC00075
 
-![figure 11](../images/mdt-09-fig11.png)
+![figure 11.](../images/mdt-09-fig11.png)
 
 Figure 11. Adding the PC00075 computer to the database.
 
diff --git a/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md b/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md
index 2d1cffeadc..68336c929b 100644
--- a/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md
+++ b/windows/deployment/deploy-windows-mdt/use-web-services-in-mdt.md
@@ -33,7 +33,7 @@ In these steps we assume you have installed Microsoft Visual Studio Express 2013
     1.  Web.config
     2.  mdtsample.asmx
 
-![figure 15](../images/mdt-09-fig15.png)
+![figure 15.](../images/mdt-09-fig15.png)
 
 Figure 15. The sample project in Microsoft Visual Studio Express 2013 for Web.
 
@@ -49,7 +49,7 @@ This section assumes that you have enabled the Web Server (IIS) role on MDT01.
     4.  Select the **Start application pool immediately** check box.
     5.  Click **OK**.
 
-![figure 16](../images/mdt-09-fig16.png)
+![figure 16.](../images/mdt-09-fig16.png)
 
 Figure 16. The new MDTSample application.
 
@@ -60,7 +60,7 @@ Figure 16. The new MDTSample application.
     2.  Application pool: MDTSample
     3.  Physical Path: E:\\MDTSample
 
-    ![figure 17](../images/mdt-09-fig17.png)
+    ![figure 17.](../images/mdt-09-fig17.png)
 
     Figure 17. Adding the MDTSample web application.
 
@@ -68,7 +68,7 @@ Figure 16. The new MDTSample application.
     1.  Anonymous Authentication: Enabled
     2.  ASP.NET Impersonation: Disabled
 
-![figure 18](../images/mdt-09-fig18.png)
+![figure 18.](../images/mdt-09-fig18.png)
 
 Figure 18. Configuring Authentication for the MDTSample web service.
 
@@ -77,14 +77,14 @@ Figure 18. Configuring Authentication for the MDTSample web service.
 1.  On PC0001, using Internet Explorer, navigate to: **http://MDT01/MDTSample/mdtsample.asmx**.
 2.  Click the **GetComputerName** link.
 
-    ![figure 19](../images/mdt-09-fig19.png)
+    ![figure 19.](../images/mdt-09-fig19.png)
 
     Figure 19. The MDT Sample web service.
 3.  On the **GetComputerName** page, type in the following settings, and click **Invoke**:
     1.  Model: Hewlett-Packard
     2.  SerialNumber: 123456789
 
-![figure 20](../images/mdt-09-fig20.png)
+![figure 20.](../images/mdt-09-fig20.png)
 
 Figure 20. The result from the MDT Sample web service.
 
@@ -103,7 +103,7 @@ After verifying the web service using Internet Explorer, you are ready to do the
    Parameters=Model,SerialNumber
    OSDComputerName=string
    ```
-   ![figure 21](../images/mdt-09-fig21.png)
+   ![figure 21.](../images/mdt-09-fig21.png)
 
    Figure 21. The updated CustomSettings.ini file.
 
@@ -115,7 +115,7 @@ After verifying the web service using Internet Explorer, you are ready to do the
    ```
 4. Review the ZTIGather.log in the **C:\\MININT\\SMSOSD\\OSDLOGS** folder.
 
-![figure 22](../images/mdt-09-fig22.png)
+![figure 22.](../images/mdt-09-fig22.png)
 
 Figure 22. The OSDCOMPUTERNAME value obtained from the web service.
 
diff --git a/windows/deployment/index.yml b/windows/deployment/index.yml
index d938c4922b..1bb703d0bf 100644
--- a/windows/deployment/index.yml
+++ b/windows/deployment/index.yml
@@ -67,7 +67,7 @@ landingContent:
           - text: What's new in Windows deployment
             url: deploy-whats-new.md
           - text: Windows 11 overview
-            url: /windows/whats-new/windows-11.md
+            url: /windows/whats-new/windows-11
           - text: Windows client deployment scenarios
             url: windows-10-deployment-scenarios.md
           - text: Basics of Windows updates, channels, and tools
diff --git a/windows/deployment/mbr-to-gpt.md b/windows/deployment/mbr-to-gpt.md
index 496c96e73b..879fa0f7f0 100644
--- a/windows/deployment/mbr-to-gpt.md
+++ b/windows/deployment/mbr-to-gpt.md
@@ -376,7 +376,7 @@ Number Friendly Name      Serial Number        HealthStatus OperationalStatus To
 
 You can also view the partition type of a disk by opening the Disk Management tool, right-clicking the disk number, clicking **Properties**, and then clicking the **Volumes** tab. See the following example:
 
-![Volumes](images/mbr2gpt-volume.png)
+![Volumes.](images/mbr2gpt-volume.png)
 
 
 If Windows PowerShell and Disk Management are not available, such as when you are using Windows PE, you can determine the partition type at a command prompt with the DiskPart tool. To determine the partition style from a command line, type **diskpart** and then type **list disk**. See the following example:
diff --git a/windows/deployment/planning/compatibility-administrator-users-guide.md b/windows/deployment/planning/compatibility-administrator-users-guide.md
index 30dcd0de23..9b6a2402c6 100644
--- a/windows/deployment/planning/compatibility-administrator-users-guide.md
+++ b/windows/deployment/planning/compatibility-administrator-users-guide.md
@@ -37,7 +37,7 @@ The Compatibility Administrator tool helps you resolve potential application-com
 
 The following flowchart shows the steps for using the Compatibility Administrator tool to create your compatibility fixes, compatibility modes, and AppHelp messages.
 
-![act compatibility admin flowchart](images/dep-win8-l-act-compatadminflowchart.jpg)
+![act compatibility admin flowchart.](images/dep-win8-l-act-compatadminflowchart.jpg)
 
 > [!IMPORTANT]
 > Application Compatibility Toolkit (ACT) installs a 32-bit and a 64-bit version of the Compatibility Administrator tool. You must use the 32-bit version to create and work with custom databases for 32-bit applications, and the 64-bit version to create and work with custom databases for 64-bit applications.
diff --git a/windows/deployment/planning/deployment-considerations-for-windows-to-go.md b/windows/deployment/planning/deployment-considerations-for-windows-to-go.md
index 704abaad66..51718fd6c5 100644
--- a/windows/deployment/planning/deployment-considerations-for-windows-to-go.md
+++ b/windows/deployment/planning/deployment-considerations-for-windows-to-go.md
@@ -46,11 +46,11 @@ The following sections discuss the boot experience, deployment methods, and tool
 
 The following diagrams illustrate the two different methods you could use to provide Windows To Go drives to your users. The experiences differ depending on whether the user will be booting the device initially on-premises or off-premises:
 
-![initial boot on-premises](images/wtg-first-boot-work.gif)
+![initial boot on-premises.](images/wtg-first-boot-work.gif)
 
 When a Windows To Go workspace is first used at the workplace, the Windows To Go workspace can be joined to the domain through the normal procedures that occur when a new computer is introduced. It obtains a lease, applicable policies are applied and set, and user account tokens are placed appropriately. BitLocker protection can be applied and the BitLocker recovery key automatically stored in Active Directory Domain Services. The user can access network resources to install software and get access to data sources. When the workspace is subsequently booted at a different location either on or off premises, the configuration required for it to connect back to the work network using either DirectAccess or a virtual private network connection can be configured. It is not necessary to configure the workspace for offline domain join. DirectAccess can make connecting to organizational resources easier, but is not required.
 
-![initial boot off-premises](images/wtg-first-boot-home.gif)
+![initial boot off-premises.](images/wtg-first-boot-home.gif)
 
 When the Windows To Go workspace is going to be used first on an off-premises computer, such as one at the employee's home, then the IT professional preparing the Windows To Go drives should configure the drive to be able to connect to organizational resources and to maintain the security of the workspace. In this situation, the Windows To Go workspace needs to be configured for offline domain join and BitLocker needs to be enabled before the workspace has been initialized.
 
@@ -63,7 +63,7 @@ DirectAccess can be used to ensure that the user can log in with their domain cr
 
 The Image Deployment process can be accomplished either by a centralized IT process for your organization or by individual users creating their own Windows To Go workspaces. You must have local Administrator access and access to a Windows 10 Enterprise or Windows 10 Education image to create a Windows To Go workspace, or you must be using System Center 2012 Configuration Manager Service Pack 1 or later to distribute Windows To Go workspaces to users. The image deployment process takes a blank USB drive and a Windows 10 Enterprise image (WIM) and turns it into a Windows To Go drive.
 
-![windows to go image deployment](images/wtg-image-deployment.gif)
+![windows to go image deployment.](images/wtg-image-deployment.gif)
 
 The simplest way to provision a Windows To Go drive is to use the Windows To Go Creator. After a single Windows To Go workspace has been created, it can be duplicated as many times as necessary using widely available USB duplicator products as long as the device has not been booted. After the Windows To Go drive is initialized, it should not be duplicated. Alternatively, Windows To Go Workspace Creator can be run multiple times to create multiple Windows To Go drives.
 
@@ -265,13 +265,13 @@ If you are going to be using a Windows 7 computer as a host-PC, see the wiki art
 
 Windows supports two types of PC firmware: Unified Extensible Firmware Interface (UEFI), which is the new standard, and legacy BIOS firmware, which was used in most PCs shipping with Windows 7 or earlier version of Windows. Each firmware type has completely different Windows boot components that are incompatible with each other. Beyond the different boot components, Windows supports different partition styles and layout requirements for each type of firmware as shown in the following diagrams.
 
-![bios layout](images/wtg-mbr-bios.gif)![uefi layout](images/wtg-gpt-uefi.gif)
+![bios layout.](images/wtg-mbr-bios.gif)![uefi layout](images/wtg-gpt-uefi.gif)
 
 This presented a unique challenge for Windows To Go because the firmware type is not easily determined by end users—a UEFI computer looks just like a legacy BIOS computer and Windows To Go must boot on both types of firmware.
 
 To enable booting Windows To Go on both types of firmware, a new disk layout is provided for Windows 8 or later that contains both sets of boot components on a FAT32 system partition and a new command-line option was added to bcdboot.exe to support this configuration. The **/f** option is used with the **bcdboot /s** command to specify the firmware type of the target system partition by appending either **UEFI**, **BIOS** or **ALL**. When creating Windows To Go drives manually you must use the **ALL** parameter to provide the Windows To Go drive the ability to boot on both types of firmware. For example, on volume H: (your Windows To Go USB drive letter), you would use the command **bcdboot C:\\windows /s H: /f ALL**. The following diagram illustrates the disk layout that results from that command:
 
-![firmware roaming disk layout](images/wtg-mbr-firmware-roaming.gif)
+![firmware roaming disk layout.](images/wtg-mbr-firmware-roaming.gif)
 
 This is the only supported disk configuration for Windows To Go. With this disk configuration, a single Windows To Go drive can be booted on computers with UEFI and legacy BIOS firmware.
 
@@ -283,7 +283,7 @@ Windows To Go Startup Options is a setting available on Windows 10-based PCs tha
 
 1. On the Start screen, type, type **Windows To Go Startup Options**, click **Settings** and, then press Enter.
 
-  ![windows to go startup options](images/wtg-startup-options.gif)
+  ![windows to go startup options.](images/wtg-startup-options.gif)
 
 2. Select **Yes** to enable the startup options.
 
diff --git a/windows/deployment/planning/understanding-and-using-compatibility-fixes.md b/windows/deployment/planning/understanding-and-using-compatibility-fixes.md
index fe43dd8983..2c76f871a0 100644
--- a/windows/deployment/planning/understanding-and-using-compatibility-fixes.md
+++ b/windows/deployment/planning/understanding-and-using-compatibility-fixes.md
@@ -33,11 +33,11 @@ The Compatibility Fix infrastructure uses the linking ability of APIs to redirec
 
 The Windows Portable Executable File Format includes headers that contain the data directories that are used to provide a layer of indirection between the application and the linked file. API calls to the external binary files take place through the Import Address Table (IAT), which then directly calls the Windows operating system, as shown in the following figure.
 
-![act app calls operating system through iat](images/dep-win8-l-act-appcallosthroughiat.jpg)
+![act app calls operating system through iat.](images/dep-win8-l-act-appcallosthroughiat.jpg)
 
 Specifically, the process modifies the address of the affected Windows function in the IAT to point to the compatibility fix code, as shown in the following figure.
 
-![act app redirect with compatibility fix](images/dep-win8-l-act-appredirectwithcompatfix.jpg)
+![act app redirect with compatibility fix.](images/dep-win8-l-act-appredirectwithcompatfix.jpg)
 
 >[!NOTE]
 >For statically linked DLLs, the code redirection occurs as the application loads. You can also fix dynamically linked DLLs by hooking into the GetProcAddress API.
diff --git a/windows/deployment/planning/using-the-sua-tool.md b/windows/deployment/planning/using-the-sua-tool.md
index e1293703ac..38f884b93d 100644
--- a/windows/deployment/planning/using-the-sua-tool.md
+++ b/windows/deployment/planning/using-the-sua-tool.md
@@ -42,7 +42,7 @@ Before you can use the SUA tool, you must install Application Verifier. You must
 
 The following flowchart shows the process of using the SUA tool.
 
-![act sua flowchart](images/dep-win8-l-act-suaflowchart.jpg)
+![act sua flowchart.](images/dep-win8-l-act-suaflowchart.jpg)
 
 **To collect UAC-related issues by using the SUA tool**
 
diff --git a/windows/deployment/planning/using-the-sua-wizard.md b/windows/deployment/planning/using-the-sua-wizard.md
index 786d9d2fcf..4ee4675b0d 100644
--- a/windows/deployment/planning/using-the-sua-wizard.md
+++ b/windows/deployment/planning/using-the-sua-wizard.md
@@ -38,7 +38,7 @@ You must install Application Verifier before you can use the SUA Wizard. If Appl
 
 The following flowchart shows the process of using the SUA Wizard.
 
-![act sua wizard flowchart](images/dep-win8-l-act-suawizardflowchart.jpg)
+![act sua wizard flowchart.](images/dep-win8-l-act-suawizardflowchart.jpg)
 
 **To test an application by using the SUA Wizard**
 
diff --git a/windows/deployment/planning/windows-10-infrastructure-requirements.md b/windows/deployment/planning/windows-10-infrastructure-requirements.md
index cbb4f663b4..005813b401 100644
--- a/windows/deployment/planning/windows-10-infrastructure-requirements.md
+++ b/windows/deployment/planning/windows-10-infrastructure-requirements.md
@@ -68,7 +68,7 @@ Windows Server Update Services (WSUS) requires some additional configuration to
 2.  In the **Products** tree, select the **Windows 10** and **Windows 10 LTSB** products and any other Windows 10-related items that you want. Click **OK**.
 3.  From the **Synchronizations** node, right-click and choose **Synchronize Now**.
 
-![figure 1](images/fig4-wsuslist.png)
+![figure 1.](images/fig4-wsuslist.png)
 
 WSUS product list with Windows 10 choices
 
diff --git a/windows/deployment/s-mode.md b/windows/deployment/s-mode.md
index 9878ff1124..be1b44ecc6 100644
--- a/windows/deployment/s-mode.md
+++ b/windows/deployment/s-mode.md
@@ -21,7 +21,7 @@ ms.custom: seo-marvel-apr2020
 
 S mode is an evolution of the S SKU introduced with Windows 10 April 2018 Update. It's a configuration that's available on all Windows Editions when enabled at the time of manufacturing. The edition of Windows can be upgrade at any time as shown below. However, the switch from S mode is a onetime switch and can only be undone by a wipe and reload of the OS.
 
-![Configuration and features of S mode](images/smodeconfig.png)
+![Configuration and features of S mode.](images/smodeconfig.png)
 
 ## S mode key features
 
@@ -37,7 +37,7 @@ Start-ups are quick, and S mode is built to keep them that way. With Microsoft E
 
 Save your files to your favorite cloud, like OneDrive or Dropbox, and access them from any device you choose. Browse the Microsoft Store for thousands of apps, and if you don’t find exactly what you want, you can easily [switch out of S mode](./windows-10-pro-in-s-mode.md) to Windows 10 Home, Pro, or Enterprise editions at any time and search the web for more choices, as shown below.
 
-![Switching out of S mode flow chart](images/s-mode-flow-chart.png)
+![Switching out of S mode flow chart.](images/s-mode-flow-chart.png)
 
 
 ## Deployment
diff --git a/windows/deployment/update/PSFxWhitepaper.md b/windows/deployment/update/PSFxWhitepaper.md
index 4a6d9ab0f1..64f85cf6f1 100644
--- a/windows/deployment/update/PSFxWhitepaper.md
+++ b/windows/deployment/update/PSFxWhitepaper.md
@@ -45,17 +45,17 @@ its reverse differential back to the base version. Both forward and reverse
 differentials are then packaged as an update and distributed to the endpoints
 running the software to be updated. The update package contents can be symbolized as follows:
 
-![Symbolic representation of update package contents. A box containing two expressions: delta sub zero transform to sub N, followed delta sub N transform to sub zero](images/PSF1.png)
+![Symbolic representation of update package contents. A box containing two expressions: delta sub zero transform to sub N, followed delta sub N transform to sub zero.](images/PSF1.png)
 
 The endpoints that have the base version of the file (V<sub>0</sub>) hydrate the target
 revision (V<sub>N</sub>) by applying a simple transformation:
 
-![Equation: V sub zero + delta sub zero transform to sub N = V sub n](images/PSF2.png)
+![Equation: V sub zero + delta sub zero transform to sub N = V sub n.](images/PSF2.png)
 
 The endpoints that have revision N of the file (V<sub>N</sub>), hydrate the target revision
 (V<sub>R</sub>) by applying the following set of transformations:
 
-![Equation 1: V sub n + delta sub n transform to 0 = V sun 0; Equation 2: V sub zero + delta sub 0 transform to R = V sub R](images/PSF3.png)
+![Equation 1: V sub n + delta sub n transform to 0 = V sun 0; Equation 2: V sub zero + delta sub 0 transform to R = V sub R.](images/PSF3.png)
 
 The endpoints retain the reverse differentials for the software revision they
 are on, so that it can be used for hydrating and applying next revision update.
@@ -85,7 +85,7 @@ Windows 10 quality update packages will contain forward differentials from quali
 
 There can be cases where new files are added to the system during servicing. These files will not have RTM baselines, thus forward and reverse differentials cannot be used. In these scenarios, null differentials will be used to handle servicing. Null differentials are the slightly compressed and optimized version of the full binaries. Update packages can have either forward or reverse differentials, or null differential of any given binary in them. The following image symbolizes the content of a Windows 10 quality update installer:
 
-![Outer box labeled .msu containing two sub-boxes: 1) Applicability Logic, 2) box labeled .cab containing four sub-boxes: 1) update metadata, 2) content manifests, 3) delta sub RTM transform to sub N (file 1, file2, etc.), and 4) delta sub N transform to RTM (file 1, file 2, etc.)](images/PSF4.png)
+![Outer box labeled .msu containing two sub-boxes: 1) Applicability Logic, 2) box labeled .cab containing four sub-boxes: 1) update metadata, 2) content manifests, 3) delta sub RTM transform to sub N (file 1, file2, etc.), and 4) delta sub N transform to RTM (file 1, file 2, etc.).](images/PSF4.png)
 
 ### Hydration and installation 
 
diff --git a/windows/deployment/update/WIP4Biz-intro.md b/windows/deployment/update/WIP4Biz-intro.md
index 72ed75e2d8..ae8c69d273 100644
--- a/windows/deployment/update/WIP4Biz-intro.md
+++ b/windows/deployment/update/WIP4Biz-intro.md
@@ -37,7 +37,7 @@ Microsoft recommends that all organizations have at least a few devices enrolled
 
 The Windows Insider Program doesn't replace Semi-Annual Channel deployments in an organization. Rather, it provides IT Pros and other interested parties with pre-release Windows builds that they can test and ultimately provide feedback on to Microsoft.
 
-[![Illustration showing the Windows Insider PreviewFast Ring for exploration, the Slow Ring for validation, the Semi-Annual Channel Targeted ring for Pilot deployment, and the Semi-Annual Channel for broad deployment](images/WIP4Biz_deployment.png)](images/WIP4Biz_deployment.png)<br>
+[![Illustration showing the Windows Insider PreviewFast Ring for exploration, the Slow Ring for validation, the Semi-Annual Channel Targeted ring for Pilot deployment, and the Semi-Annual Channel for broad deployment.](images/WIP4Biz_deployment.png)](images/WIP4Biz_deployment.png)<br>
 Windows 10 Insider Preview builds enable organizations to prepare sooner for Windows Semi-Annual releases and reduce the overall validation effort required with traditional deployments. 
 
 ## Explore new Windows 10 features in Insider Previews
diff --git a/windows/deployment/update/check-release-health.md b/windows/deployment/update/check-release-health.md
index da5f9cb7a3..753d519263 100644
--- a/windows/deployment/update/check-release-health.md
+++ b/windows/deployment/update/check-release-health.md
@@ -50,15 +50,15 @@ To be informed about the latest updates and releases, follow us on Twitter [@Win
 
    The **All versions** tab (the default view) shows all Windows products with access to their posted known issues.
 
-   ![View of current issues in release health](images/WRH-menu.png)
+   ![View of current issues in release health.](images/WRH-menu.png)
 
    A known issue is an issue that has been identified in a Windows monthly update or feature update that impacts Windows devices. The **Active and recently resolved** column provides a link to the **Known issues** tab filtered to the version selected. Selecting the **Known issues** tab will show known issues that are active or resolved within the last 30 days. 
    
-   ![View of known issues in release health](images/WRH-known-issues-20H2.png)
+   ![View of known issues in release health.](images/WRH-known-issues-20H2.png)
    
    The **History** tab shows the history of known issues that have been resolved for up to 6 months.
 
-   ![View of history issues in release health](images/WRH-history-20H2.png)
+   ![View of history issues in release health.](images/WRH-history-20H2.png)
 
    The known issue summary provides the following information:
 
@@ -70,7 +70,7 @@ To be informed about the latest updates and releases, follow us on Twitter [@Win
 
    Select the **Issue title** to access more information, including a link to the history of all status updates posted while we work on a solution. Here is an example:
 
-   ![A screenshot showing issue details](images/WRH-known-issue-detail.png)
+   ![A screenshot showing issue details.](images/WRH-known-issue-detail.png)
      
 ## Status definitions
 
@@ -91,11 +91,11 @@ In the **Windows release health** experience, every known issue is assigned as s
 
 The Windows release health page lets you view the history of all status updates posted for a specific known issue. To view all past updates posted for a given issue, select **View history** on the issue detail page.
   
-![Show link to view message history](images/WRH-view-message-history-padded.png)
+![Show link to view message history.](images/WRH-view-message-history-padded.png)
   
 A list of all status updates posted in the selected timeframe will be displayed, as shown below. You can expand any row to view the specific information provided in that status update.  
 
-![View message history](images/WRH-message-history-example-padded.png)
+![View message history.](images/WRH-message-history-example-padded.png)
   
 ## Frequently asked questions
 
diff --git a/windows/deployment/update/deployment-service-overview.md b/windows/deployment/update/deployment-service-overview.md
index b7bccbb684..4eca196e15 100644
--- a/windows/deployment/update/deployment-service-overview.md
+++ b/windows/deployment/update/deployment-service-overview.md
@@ -33,7 +33,7 @@ The service is privacy focused and backed by leading industry compliance certifi
 
 The deployment service complements existing Windows Update for Business capabilities, including existing device policies and [Update Compliance](update-compliance-monitor.md).
 
-:::image type="content" source="media/wufbds-product-large.png" alt-text="Elements in following text":::
+:::image type="content" source="media/wufbds-product-large.png" alt-text="Elements in following text.":::
 
 Windows Update for Business comprises three elements:
 - Client policy to govern update experiences and timing – available through Group Policy and CSPs
@@ -42,7 +42,7 @@ Windows Update for Business comprises three elements:
 
 Unlike existing client policy, the deployment service does not interact with devices directly. The service is native to the cloud and all operations take place between various Microsoft services. It creates a direct communication channel between a management tool (including scripting tools such as Windows PowerShell) and the Windows Update service so that the approval and offering of content can be directly controlled by an IT Pro.
 
-:::image type="content" source="media/wufbds-interaction-small.png" alt-text="Process described in following text":::
+:::image type="content" source="media/wufbds-interaction-small.png" alt-text="Process described in following text.":::
 
 Using the deployment service typically follows a common pattern:
 1. IT Pro uses a management tool to select devices and approve content to be deployed. This tool could be PowerShell, a Microsoft Graph app or a more complete management solution such as Microsoft Endpoint Manager.
diff --git a/windows/deployment/update/get-started-updates-channels-tools.md b/windows/deployment/update/get-started-updates-channels-tools.md
index a647e33fd6..b034e4e658 100644
--- a/windows/deployment/update/get-started-updates-channels-tools.md
+++ b/windows/deployment/update/get-started-updates-channels-tools.md
@@ -72,12 +72,12 @@ The Semi-Annual Channel is the default servicing channel for all Windows 10 devi
 
 | Windows 10 edition | Semi-Annual Channel | Insider Program | Long-Term Servicing Channel |
 | --- | --- | --- | --- |
-| Home | ![yes](images/checkmark.png)|![no](images/crossmark.png)    | ![no](images/crossmark.png)|
-| Pro | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) |  ![no](images/crossmark.png)|
-| Enterprise  | ![yes](images/checkmark.png) |![yes](images/checkmark.png)  |  ![no](images/crossmark.png)|
-| Enterprise LTSB  | ![no](images/crossmark.png) |![no](images/crossmark.png) |   ![yes](images/checkmark.png)|
-| Pro Education | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) |  ![no](images/crossmark.png)|
-| Education  | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) |  ![no](images/crossmark.png)|
+| Home | ![yes.](images/checkmark.png)|![no](images/crossmark.png)    | ![no](images/crossmark.png)|
+| Pro | ![yes.](images/checkmark.png) | ![yes](images/checkmark.png) |  ![no](images/crossmark.png)|
+| Enterprise  | ![yes.](images/checkmark.png) |![yes](images/checkmark.png)  |  ![no](images/crossmark.png)|
+| Enterprise LTSB  | ![no.](images/crossmark.png) |![no](images/crossmark.png) |   ![yes](images/checkmark.png)|
+| Pro Education | ![yes.](images/checkmark.png) | ![yes](images/checkmark.png) |  ![no](images/crossmark.png)|
+| Education  | ![yes.](images/checkmark.png) | ![yes](images/checkmark.png) |  ![no](images/crossmark.png)|
 
 ## Servicing tools
 
diff --git a/windows/deployment/update/how-windows-update-works.md b/windows/deployment/update/how-windows-update-works.md
index 44bbae9ebf..a926abfb28 100644
--- a/windows/deployment/update/how-windows-update-works.md
+++ b/windows/deployment/update/how-windows-update-works.md
@@ -49,7 +49,7 @@ The Windows Update workflow has four core areas of functionality:
 During the updating process, the Windows Update Orchestrator operates in the background to scan, download, and install updates. It does these actions automatically, according to your settings, and silently so that doesn't disrupt your computer usage. 
 
 ## Scanning updates 
-![Windows Update scanning step](images/update-scan-step.png)
+![Windows Update scanning step.](images/update-scan-step.png)
 
 The Windows Update Orchestrator on your PC checks the Microsoft Update server or your WSUS endpoint for new updates at random intervals. The randomization ensures that the Windows Update server isn't overloaded with requests all at the same time. The Update Orchestrator searches only for updates that have been added since the last time updates were searched, allowing it to find updates quickly and efficiently.  
 
@@ -86,14 +86,14 @@ When users start scanning in Windows Update through the Settings panel, the foll
    - Updates are identified by the different IDs ("ID = 10", "ID = 11") and from the different thread ID numbers. 
    - Windows Update uses the thread ID filtering to concentrate on one particular task. 
 
-      ![Windows Update scan log 1](images/update-scan-log-1.png)
+      ![Windows Update scan log 1.](images/update-scan-log-1.png)
 
 #### Identifies service IDs
 
 - Service IDs indicate which update source is being scanned. 
 
 - The Windows Update engine treats every service as a separate entity, even though multiple services may contain the same updates. 
-   ![Windows Update scan log 2](images/update-scan-log-2.png)
+   ![Windows Update scan log 2.](images/update-scan-log-2.png)
 - Common service IDs 
 
    > [!IMPORTANT]
@@ -120,10 +120,10 @@ Common update failure is caused due to network issues. To find the root of the i
    > If the search is against WSUS or Configuration Manager, you can ignore warning messages for the Service Locator Service. 
 
 - On sites that only use WSUS or Configuration Manager, the Service Locator Service might be blocked at the firewall. In this case the request will fail, and though the service can’t scan against Windows Update or Microsoft Update, it can still scan against WSUS or Configuration Manager, since it’s locally configured.
-   ![Windows Update scan log 3](images/update-scan-log-3.png)
+   ![Windows Update scan log 3.](images/update-scan-log-3.png)
    
 ## Downloading updates 
-![Windows Update download step](images/update-download-step.png)
+![Windows Update download step.](images/update-download-step.png)
 
 Once the Windows Update Orchestrator determines which updates apply to your computer, it will begin downloading the updates, if you have selected the option to automatically download updates. It does operation in the background without interrupting your normal use of the device.  
 
@@ -132,14 +132,14 @@ To ensure that your other downloads aren't affected or slowed down because updat
 For more information, see [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md). 
 
 ## Installing updates 
-![Windows Update install step](images/update-install-step.png)
+![Windows Update install step.](images/update-install-step.png)
 
 When an update is applicable, the "Arbiter" and metadata are downloaded. Depending on your Windows Update settings, when downloading is complete, the Arbiter will gather details from the device, and compare that with the downloaded metadata to create an "action list".  
 
 The action list describes all the files needed from Windows Update, and what the installation agent (such as CBS or Setup) should do with them. The action list is provided to the installation agent along with the payload to begin the installation. 
  
 ## Committing Updates 
-![Windows Update commit step](images/update-commit-step.png)
+![Windows Update commit step.](images/update-commit-step.png)
 
 When the option to automatically install updates is configured, the Windows Update Orchestrator, in most cases, automatically restarts the device for you after installing the updates. It has to restart the device because it might be insecure, or not fully updated, until it restarts. You can use Group Policy settings, mobile device management (MDM), or the registry (not recommended) to configure when devices will restart after a Windows 10 update is installed.  
 
diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md
index 49943752c3..3758d0c313 100644
--- a/windows/deployment/update/media-dynamic-update.md
+++ b/windows/deployment/update/media-dynamic-update.md
@@ -40,7 +40,7 @@ Devices must be able to connect to the internet to obtain Dynamic Updates. In so
 
 You can obtain Dynamic Update packages from the [Microsoft Update Catalog](https://www.catalog.update.microsoft.com/Home.aspx). At that site, use the search bar in the upper right to find the Dynamic Update packages for a particular release. For example, you could enter *1809 Dynamic Update x64*, which would return results like this:
 
-![Table with columns labeled Title, Products, Classification, Last Updated, Version, and Size and four rows listing various dynamic updates and associated KB articles](images/update-catalog.png)
+![Table with columns labeled Title, Products, Classification, Last Updated, Version, and Size and four rows listing various dynamic updates and associated KB articles.](images/update-catalog.png)
 
 The various Dynamic Update packages might not all be present in the results from a single search, so you might have to search with different keywords to find all of the updates. And you'll need to check various parts of the results to be sure you've identified the needed files. This table shows in **bold** the key items to search for or look for in the results. For example, to find the relevant "Setup Dynamic Update," you'll have to check the detailed description for the download by selecting the link in the **Title** column of the search results.
 
diff --git a/windows/deployment/update/olympia/olympia-enrollment-guidelines.md b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md
index e232d88043..1c557d6128 100644
--- a/windows/deployment/update/olympia/olympia-enrollment-guidelines.md
+++ b/windows/deployment/update/olympia/olympia-enrollment-guidelines.md
@@ -55,20 +55,20 @@ This is the Bring Your Own Device (BYOD) method--your device will receive Olympi
 
 1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your device (see [local administrator](https://support.microsoft.com/instantanswers/5de907f1-f8ba-4fd9-a89d-efd23fee918c/create-a-local-user-or-administrator-account-in-windows-10)).
 
-    ![Settings -> Accounts](images/1-1.png)
+    ![Settings -> Accounts.](images/1-1.png)
 
 2. If you are already connected to a domain, click the existing account and then click **Disconnect**. Click **Restart Later**.
 
 3. Click **Connect** and enter your **Olympia corporate account** (e.g., username@olympia.windows.com). Click **Next**.
 
-    ![Entering account information when setting up a work or school account](images/1-3.png)
+    ![Entering account information when setting up a work or school account.](images/1-3.png)
 
 4. Enter the temporary password that was sent to you. Click **Sign in**. Follow the instructions to set a new password.
 
     > [!NOTE]
     > Passwords should contain 8-16 characters, including at least one special character or number.
 
-    ![Update your password](images/1-4.png)
+    ![Update your password.](images/1-4.png)
 
 5. Read the **Terms and Conditions**. Click **Accept** to participate in the program.
 
@@ -94,24 +94,24 @@ This is the Bring Your Own Device (BYOD) method--your device will receive Olympi
 
 1. Go to **Start > Settings > Accounts > Access work or school**. To see this setting, you need to have administrator rights to your device (see [local administrator](https://support.microsoft.com/instantanswers/5de907f1-f8ba-4fd9-a89d-efd23fee918c/create-a-local-user-or-administrator-account-in-windows-10)).
 
-    ![Settings -> Accounts](images/1-1.png)
+    ![Settings -> Accounts.](images/1-1.png)
 
 2. If you are already connected to a domain, click the existing account and then click **Disconnect**. Click **Restart Later**.
     
 3. Click **Connect**, then click **Join this device to Azure Active Directory**.
 
-    ![Joining device to Azure AD]](images/2-3.png)
+    ![Joining device to Azure AD.]](images/2-3.png)
 
 4. Enter your **Olympia corporate account** (e.g., username@olympia.windows.com). Click **Next**.
 
-    ![Set up a work or school account](images/2-4.png)
+    ![Set up a work or school account.](images/2-4.png)
 
 5. Enter the temporary password that was sent to you. Click **Sign in**. Follow the instructions to set a new password.
 
     > [!NOTE]
     > Passwords should contain 8-16 characters, including at least one special character or number.
 
-    ![Entering temporary password](images/2-5.png)
+    ![Entering temporary password.](images/2-5.png)
 
 6. When asked to make sure this is your organization, verify that the information is correct. If so, click **Join**.
 
diff --git a/windows/deployment/update/plan-define-strategy.md b/windows/deployment/update/plan-define-strategy.md
index bb67966504..c18d2b0576 100644
--- a/windows/deployment/update/plan-define-strategy.md
+++ b/windows/deployment/update/plan-define-strategy.md
@@ -26,7 +26,7 @@ You can use a calendar approach for either a faster twice-per-year cadence or an
 ### Annual
 Here's a calendar showing an example schedule that applies one Windows 10 feature update per calendar year, aligned with Microsoft Endpoint Manager and Microsoft 365 Apps release cycles:
 
-[ ![Calendar showing an annual update cadence](images/annual-calendar.png) ](images/annual-calendar.png#lightbox)
+[ ![Calendar showing an annual update cadence.](images/annual-calendar.png) ](images/annual-calendar.png#lightbox)
 
 This approach provides approximately 12 months of use from each feature update before the next update is due to be installed. By aligning to the Windows 10, version H2 feature update, each release will be serviced for 30 months from the time of availability, giving you more flexibility when applying future feature updates.
 
@@ -41,7 +41,7 @@ This cadence might be most suitable for you if any of these conditions apply:
 ### Rapid
 This calendar shows an example schedule that installs each feature update as it is released, twice per year:
 
-[ ![Update calendar showing a faster update cadence](images/rapid-calendar.png) ](images/rapid-calendar.png#lightbox)
+[ ![Update calendar showing a faster update cadence.](images/rapid-calendar.png) ](images/rapid-calendar.png#lightbox)
 
 This cadence might be best for you if these conditions apply:
 
diff --git a/windows/deployment/update/safeguard-holds.md b/windows/deployment/update/safeguard-holds.md
index ee1853ad2f..735acd6e97 100644
--- a/windows/deployment/update/safeguard-holds.md
+++ b/windows/deployment/update/safeguard-holds.md
@@ -30,7 +30,7 @@ Queries identify Safeguard IDs for each affected device, giving IT admins a deta
 On devices that use Windows Update (but not Windows Update for Business), the **Windows Update** page in the Settings app displays a message stating that an update is on its way, but not ready for the device. Instead of the option to download and install the update, users will see this message:
 
 
-![Feature update message reading "The Windows 10 May 2020 Update is on its way. Once it's ready for your device, you'll see the update available on this page](images/safeguard-hold-notification.png)
+![Feature update message reading "The Windows 10 May 2020 Update is on its way. Once it's ready for your device, you'll see the update available on this page.](images/safeguard-hold-notification.png)
 
 If you see this message, it means one or more holds affect your device. When the issue is fixed and the update is safe to install, we’ll release the hold and the update can resume safely.
 
diff --git a/windows/deployment/update/update-compliance-delivery-optimization.md b/windows/deployment/update/update-compliance-delivery-optimization.md
index b56a569d4c..1c544e9fbb 100644
--- a/windows/deployment/update/update-compliance-delivery-optimization.md
+++ b/windows/deployment/update/update-compliance-delivery-optimization.md
@@ -17,7 +17,7 @@ ms.custom: seo-marvel-apr2020
 ---
 
 # Delivery Optimization in Update Compliance
-![DO status](images/UC_workspace_DO_status.png)
+![DO status.](images/UC_workspace_DO_status.png)
 The Update Compliance solution provides you with information about your Delivery Optimization configuration, including the observed bandwidth savings across all devices that used peer-to-peer distribution over the past 28 days.
 
 ## Delivery Optimization Status
diff --git a/windows/deployment/update/update-compliance-feature-update-status.md b/windows/deployment/update/update-compliance-feature-update-status.md
index 12924ab50f..4476c5c96d 100644
--- a/windows/deployment/update/update-compliance-feature-update-status.md
+++ b/windows/deployment/update/update-compliance-feature-update-status.md
@@ -17,7 +17,7 @@ ms.custom: seo-marvel-apr2020
 
 # Feature Update Status
 
-[ ![The Feature Update Status report](images/UC_workspace_FU_status.png) ](images/UC_workspace_FU_status.png#lightbox)
+[ ![The Feature Update Status report.](images/UC_workspace_FU_status.png) ](images/UC_workspace_FU_status.png#lightbox)
 
 The Feature Update Status section provides information about the status of [feature updates](waas-quick-start.md#definitions) across all devices. This section tile in the [Overview Blade](update-compliance-using.md#overview-blade) gives a percentage of devices that are on the latest applicable feature update; [Servicing Channel](waas-overview.md#servicing-channels) is considered in determining applicability. Within this section are two blades; one providing a holistic view of feature updates, the other containing three **Deployment Status** tiles, each charged with tracking the deployment for a different [Servicing Channel](waas-overview.md#servicing-channels). 
 
diff --git a/windows/deployment/update/update-compliance-need-attention.md b/windows/deployment/update/update-compliance-need-attention.md
index 514d07419f..527be5a54e 100644
--- a/windows/deployment/update/update-compliance-need-attention.md
+++ b/windows/deployment/update/update-compliance-need-attention.md
@@ -14,7 +14,7 @@ ms.prod: w10
 ---
 
 # Needs attention!
-![Needs attention section](images/UC_workspace_needs_attention.png)
+![Needs attention section.](images/UC_workspace_needs_attention.png)
 
 The **Needs attention!** section provides a breakdown of all Windows 10 device and update issues detected by Update Compliance. The summary tile for this section counts the number of devices that have issues, while the blades within break down the issues encountered. Finally, a [list of queries](#list-of-queries) blade in this section contains queries that provide values but do not fit within any other main section. 
 
diff --git a/windows/deployment/update/update-compliance-security-update-status.md b/windows/deployment/update/update-compliance-security-update-status.md
index 085e47d153..27a37f5e71 100644
--- a/windows/deployment/update/update-compliance-security-update-status.md
+++ b/windows/deployment/update/update-compliance-security-update-status.md
@@ -15,7 +15,7 @@ ms.custom: seo-marvel-apr2020
 
 # Security Update Status
 
-![The Security Update Status report](images/UC_workspace_SU_status.png)
+![The Security Update Status report.](images/UC_workspace_SU_status.png)
 
 The Security Update Status section provides information about [security updates](waas-quick-start.md#definitions) across all devices. The section tile within the [Overview Blade](update-compliance-using.md#overview-blade) lists the percentage of devices on the latest security update available. Meanwhile, the blades within show the percentage of devices on the latest security update for each Windows 10 version and the deployment progress toward the latest two security updates.  
 
diff --git a/windows/deployment/update/update-compliance-using.md b/windows/deployment/update/update-compliance-using.md
index 2c6c4c591f..26c96388b7 100644
--- a/windows/deployment/update/update-compliance-using.md
+++ b/windows/deployment/update/update-compliance-using.md
@@ -30,23 +30,23 @@ Update Compliance:
 ## The Update Compliance tile
 After Update Compliance has successfully been [added to your Azure subscription](update-compliance-get-started.md#add-update-compliance-to-your-azure-subscription), you'll see this tile:
 
-![Update Compliance tile no data](images/UC_tile_assessing.png)
+![Update Compliance tile no data.](images/UC_tile_assessing.png)
 
 When the solution is added, data is not immediately available. Data will begin to be collected after data is sent up that belongs to the Commercial ID associated with the device. This process assumes that Windows diagnostic data is enabled and data sharing is enabled as described in [Enrolling devices in Update Compliance](update-compliance-get-started.md#enroll-devices-in-update-compliance). After Microsoft has collected and processed any device data associated with your Commercial ID, the tile will be replaced with the following summary:
 
-![Update Compliance tile with data](images/UC_tile_filled.png)
+![Update Compliance tile with data.](images/UC_tile_filled.png)
 
 The summary details the total number of devices that Microsoft has received data from with your Commercial ID. It also provides the number of devices that need attention if any. Finally, it details the last point at which your Update Compliance workspace was refreshed.
 
 ## The Update Compliance workspace
 
-![Update Compliance workspace view](images/UC_workspace_needs_attention.png)
+![Update Compliance workspace view.](images/UC_workspace_needs_attention.png)
 
 When you select this tile, you will be redirected to the Update Compliance workspace. The workspace is organized with the Overview blade providing a hub from which to navigate to different reports of your devices' data. 
 
 ### Overview blade
 
-![The Overview blade](images/UC_workspace_overview_blade.png)
+![The Overview blade.](images/UC_workspace_overview_blade.png)
 
 Update Compliance's overview blade summarizes all the data Update Compliance provides. It functions as a hub from which you can navigate to different sections. The total number of devices detected by Update Compliance is reported in the title of this blade. What follows is a distribution for all devices as to whether they are up to date on the following items:
 * Security updates: A device is up to date on quality updates whenever it has the latest applicable quality update installed. Quality updates are monthly cumulative updates that are specific to a version of Windows 10.
diff --git a/windows/deployment/update/waas-configure-wufb.md b/windows/deployment/update/waas-configure-wufb.md
index 31c1ef07ab..d0c4ab43af 100644
--- a/windows/deployment/update/waas-configure-wufb.md
+++ b/windows/deployment/update/waas-configure-wufb.md
@@ -56,7 +56,7 @@ With Windows Update for Business, you can set a device to be on either Windows I
 
 Starting with Windows 10, version 1703, users can configure the branch readiness level for their device by using **Settings > Update & security > Windows Update > Advanced options**.
 
-![Branch readiness level setting](images/waas-wufb-settings-branch.jpg)
+![Branch readiness level setting.](images/waas-wufb-settings-branch.jpg)
 
 >[!NOTE]
 >Users will not be able to change this setting if it was configured by policy.
diff --git a/windows/deployment/update/waas-delivery-optimization-setup.md b/windows/deployment/update/waas-delivery-optimization-setup.md
index ecd8ad8097..ef3f3040cc 100644
--- a/windows/deployment/update/waas-delivery-optimization-setup.md
+++ b/windows/deployment/update/waas-delivery-optimization-setup.md
@@ -211,6 +211,6 @@ Log entries are written to the PowerShell pipeline as objects. To dump logs to a
 
 Update Compliance provides you with information about your Delivery Optimization configuration, including the observed bandwidth savings across all devices that used peer-to-peer distribution over the past 28 days.
 
-[ ![DO status](images/UC_workspace_DO_status.png) ](images/UC_workspace_DO_status.png#lightbox)
+[ ![DO status.](images/UC_workspace_DO_status.png) ](images/UC_workspace_DO_status.png#lightbox)
 
 For details, see [Delivery Optimization in Update Compliance](update-compliance-delivery-optimization.md).
diff --git a/windows/deployment/update/waas-delivery-optimization.md b/windows/deployment/update/waas-delivery-optimization.md
index 96b1bc810e..ab8834382a 100644
--- a/windows/deployment/update/waas-delivery-optimization.md
+++ b/windows/deployment/update/waas-delivery-optimization.md
@@ -39,7 +39,7 @@ For information about setting up Delivery Optimization, including tips for the b
 
 - Enterprise network throttling: new settings have been added in Group Policy and mobile device management (MDM) to control foreground and background throttling as absolute values (Maximum Background Download Bandwidth in (in KB/s)). These settings are also available in the Windows user interface:
 
-  ![absolute bandwidth settings in delivery optimization interface](images/DO-absolute-bandwidth.png)
+  ![absolute bandwidth settings in delivery optimization interface.](images/DO-absolute-bandwidth.png)
 
 - Activity Monitor now identifies the cache server used for as the source for Microsoft Connected Cache. For more information about using Microsoft Connected Cache with Configuration Manager, see [Microsoft Connected Cache](/mem/configmgr/core/plan-design/hierarchy/microsoft-connected-cache).
 
diff --git a/windows/deployment/update/waas-deployment-rings-windows-10-updates.md b/windows/deployment/update/waas-deployment-rings-windows-10-updates.md
index 1e06d44fd8..52a1ec6f2c 100644
--- a/windows/deployment/update/waas-deployment-rings-windows-10-updates.md
+++ b/windows/deployment/update/waas-deployment-rings-windows-10-updates.md
@@ -51,12 +51,12 @@ As Table 1 shows, each combination of servicing channel and deployment group is
 
 |&nbsp; |&nbsp; |
 | --- | --- |
-| ![done](images/checklistdone.png) | [Learn about updates and servicing channels](waas-overview.md) |
-| ![done](images/checklistdone.png) | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) |
-| ![done](images/checklistdone.png) | Build deployment rings for Windows 10 updates (this topic) |
-| ![to do](images/checklistbox.gif) | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) |
-| ![to do](images/checklistbox.gif) | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
-| ![to do](images/checklistbox.gif) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)</br>or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)</br>or [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) |
+| ![done.](images/checklistdone.png) | [Learn about updates and servicing channels](waas-overview.md) |
+| ![done.](images/checklistdone.png) | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) |
+| ![done.](images/checklistdone.png) | Build deployment rings for Windows 10 updates (this topic) |
+| ![to do.](images/checklistbox.gif) | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) |
+| ![to do.](images/checklistbox.gif) | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
+| ![to do.](images/checklistbox.gif) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)</br>or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)</br>or [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) |
 
 ## Related topics
 
diff --git a/windows/deployment/update/waas-integrate-wufb.md b/windows/deployment/update/waas-integrate-wufb.md
index 965dd5871a..6460401d70 100644
--- a/windows/deployment/update/waas-integrate-wufb.md
+++ b/windows/deployment/update/waas-integrate-wufb.md
@@ -88,7 +88,7 @@ In this example, the deferral behavior for updates to Office and other non-Windo
 
 For Windows 10, version 1607, organizations already managing their systems with a Configuration Manager solution can also have their devices configured for Windows Update for Business (i.e. setting deferral policies on those devices). Such devices will be visible in the Configuration Manager console, however they will appear with a detection state of **Unknown**.
 
-![Example of unknown devices](images/wufb-sccm.png)
+![Example of unknown devices.](images/wufb-sccm.png)
 
 For more information, see [Integration with Windows Update for Business in Windows 10](/sccm/sum/deploy-use/integrate-windows-update-for-business-windows-10).
 
diff --git a/windows/deployment/update/waas-manage-updates-wsus.md b/windows/deployment/update/waas-manage-updates-wsus.md
index 1533a56a9b..d6f97a6fae 100644
--- a/windows/deployment/update/waas-manage-updates-wsus.md
+++ b/windows/deployment/update/waas-manage-updates-wsus.md
@@ -62,7 +62,7 @@ When using WSUS to manage updates on Windows client devices, start by configurin
 
 3. Right-click **Your_Domain**, and then select **Create a GPO in this domain, and Link it here**.
 
-   ![Example of UI](images/waas-wsus-fig3.png) 
+   ![Example of UI.](images/waas-wsus-fig3.png) 
     
    >[!NOTE]
    >In this example, the **Configure Automatic Updates** and **Intranet Microsoft Update Service Location** Group Policy settings are specified for the entire domain. This is not a requirement; you can target these settings to any security group by using Security Filtering or a specific OU.
@@ -75,13 +75,13 @@ When using WSUS to manage updates on Windows client devices, start by configurin
 
 7. Right-click the **Configure Automatic Updates** setting, and then click **Edit**.
 
-   ![Example of UI](images/waas-wsus-fig4.png)
+   ![Example of UI.](images/waas-wsus-fig4.png)
     
 8. In the **Configure Automatic Updates** dialog box, select **Enable**.
 
 9. Under **Options**, from the **Configure automatic updating** list, select **3 - Auto download and notify for install**, and then click **OK**.
 
-   ![Example of UI](images/waas-wsus-fig5.png)
+   ![Example of UI.](images/waas-wsus-fig5.png)
    
    >[!IMPORTANT]
    > Use Regedit.exe to check that the following key is not enabled, because it can break Windows Store connectivity: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocations
@@ -98,7 +98,7 @@ When using WSUS to manage updates on Windows client devices, start by configurin
     >[!NOTE]
     >The URL `http://CONTOSO-WSUS1.contoso.com:8530` in the following image is just an example. In your environment, be sure to use the server name and port number for your WSUS instance.
     
-     ![Example of UI](images/waas-wsus-fig6.png)
+     ![Example of UI.](images/waas-wsus-fig6.png)
      
      >[!NOTE]
      >The default HTTP port for WSUS is 8530, and the default HTTP over Secure Sockets Layer (HTTPS) port is 8531. (The other options are 80 and 443; no other ports are supported.)
@@ -118,7 +118,7 @@ You can use computer groups to target a subset of devices that have specific qua
 
 2. Go to *Server_Name*\Computers\All Computers, and then click **Add Computer Group**. 
 
-    ![Example of UI](images/waas-wsus-fig7.png)
+    ![Example of UI.](images/waas-wsus-fig7.png)
     
 3. Type **Ring 2 Pilot Business Users** for the name, and then click **Add**.
 
@@ -146,7 +146,7 @@ When new computers communicate with WSUS, they appear in the **Unassigned Comput
 
 2. Select both computers, right-click the selection, and then click **Change Membership**.
 
-    ![Example of UI](images/waas-wsus-fig8.png)
+    ![Example of UI.](images/waas-wsus-fig8.png)
 
 3. In the **Set Computer Group Membership** dialog box, select the **Ring 2 Pilot Business Users** deployment ring, and then click **OK**.
 
@@ -164,7 +164,7 @@ Another way to add multiple computers to a deployment ring in the WSUS Administr
 
 3. In the search results, select the computers, right-click the selection, and then click **Change Membership**.
 
-    ![Example of UI](images/waas-wsus-fig9.png)
+    ![Example of UI.](images/waas-wsus-fig9.png)
     
 4. Select the **Ring 3 Broad IT** deployment ring, and then click **OK**.
 
@@ -181,7 +181,7 @@ The WSUS Administration Console provides a friendly interface from which you can
 
 1. Open the WSUS Administration Console, and go to *Server_Name*\Options, and then click **Computers**.
 
-     ![Example of UI](images/waas-wsus-fig10.png)
+     ![Example of UI.](images/waas-wsus-fig10.png)
      
 2. In the **Computers** dialog box, select **Use Group Policy or registry settings on computers**, and then click **OK**.
 
@@ -205,7 +205,7 @@ Now that WSUS is ready for client-side targeting, complete the following steps t
 
 5. Right-click the **WSUS – Client Targeting – Ring 4 Broad Business Users** GPO, and then click **Edit**.
 
-    ![Example of UI](images/waas-wsus-fig11.png)
+    ![Example of UI.](images/waas-wsus-fig11.png)
     
 6. In the Group Policy Management Editor, go to Computer Configuration\Policies\Administrative Templates\Windows Components\Windows Update.
 
@@ -215,7 +215,7 @@ Now that WSUS is ready for client-side targeting, complete the following steps t
 
 9. In the **Target group name for this computer** box, type *Ring 4 Broad Business Users*. This is the name of the deployment ring in WSUS to which these computers will be added.
 
-    ![Example of UI](images/waas-wsus-fig12.png)
+    ![Example of UI.](images/waas-wsus-fig12.png)
 
 > [!WARNING]
 > The target group name must match the computer group name.
@@ -232,7 +232,7 @@ Now you’re ready to deploy this GPO to the correct computer security group for
 
 3. Under **Security Filtering**, remove the default **AUTHENTICATED USERS** security group, and then add the **Ring 4 Broad Business Users** group.
 
-    ![Example of UI](images/waas-wsus-fig13.png)
+    ![Example of UI.](images/waas-wsus-fig13.png)
     
 The next time the clients in the **Ring 4 Broad Business Users** security group receive their computer policy and contact WSUS, they will be added to the **Ring 4 Broad Business Users** deployment ring. 
 
@@ -252,7 +252,7 @@ For clients that should have their feature updates approved as soon as they’re
 
 3. In the **Add Rule** dialog box, select the **When an update is in a specific classification**, **When an update is in a specific product**, and **Set a deadline for the approval** check boxes.
 
-     ![Example of UI](images/waas-wsus-fig14.png)
+     ![Example of UI.](images/waas-wsus-fig14.png)
      
 4. In the **Edit the properties** area, select **any classification**. Clear everything except **Upgrades**, and then click **OK**.
 
@@ -266,7 +266,7 @@ For clients that should have their feature updates approved as soon as they’re
 
 8. In the **Step 3: Specify a name** box, type **Windows 10 Upgrade Auto-approval for Ring 3 Broad IT**, and then click **OK**.
 
-    ![Example of UI](images/waas-wsus-fig15.png)
+    ![Example of UI.](images/waas-wsus-fig15.png)
     
 9. In the **Automatic Approvals** dialog box, click **OK**.
 
@@ -301,7 +301,7 @@ To simplify the manual approval process, start by creating a software update vie
     
 5. In the **Step 3: Specify a name** box, type **All Windows 10 Upgrades**, and then click **OK**.
 
-     ![Example of UI](images/waas-wsus-fig16.png)
+     ![Example of UI.](images/waas-wsus-fig16.png)
 
 Now that you have the **All Windows 10 Upgrades** view, complete the following steps to manually approve an update for the **Ring 4 Broad Business Users** deployment ring:
 
@@ -309,21 +309,21 @@ Now that you have the **All Windows 10 Upgrades** view, complete the following s
 
 2. Right-click the feature update you want to deploy, and then click **Approve**.
 
-      ![Example of UI](images/waas-wsus-fig17.png)  
+      ![Example of UI.](images/waas-wsus-fig17.png)  
       
 3. In the **Approve Updates** dialog box, from the **Ring 4 Broad Business Users** list, select **Approved for Install**.
 
-      ![Example of UI](images/waas-wsus-fig18.png) 
+      ![Example of UI.](images/waas-wsus-fig18.png) 
       
 4. In the **Approve Updates** dialog box, from the **Ring 4 Broad Business Users** list, click **Deadline**, click **One Week**, and then click **OK**. 
 
-      ![Example of UI](images/waas-wsus-fig19.png) 
+      ![Example of UI.](images/waas-wsus-fig19.png) 
       
 5. If the **Microsoft Software License Terms** dialog box opens, click **Accept**.
 
     If the deployment is successful, you should receive a successful progress report.
     
-    ![Example of UI](images/waas-wsus-fig20.png) 
+    ![Example of UI.](images/waas-wsus-fig20.png) 
 
 6. In the **Approval Progress** dialog box, click **Close**.
 
@@ -333,12 +333,12 @@ Now that you have the **All Windows 10 Upgrades** view, complete the following s
 
 |&nbsp; |&nbsp; |
 | --- | --- |
-| ![done](images/checklistdone.png) | [Learn about updates and servicing channels](waas-overview.md) |
-| ![done](images/checklistdone.png) | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) |
-| ![done](images/checklistdone.png) | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
-| ![done](images/checklistdone.png) | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) |
-| ![done](images/checklistdone.png) | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
-| ![done](images/checklistdone.png) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)</br>or Deploy Windows 10 updates using Windows Server Update Services (this topic)</br>or [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) |
+| ![done.](images/checklistdone.png) | [Learn about updates and servicing channels](waas-overview.md) |
+| ![done.](images/checklistdone.png) | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) |
+| ![done.](images/checklistdone.png) | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
+| ![done.](images/checklistdone.png) | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) |
+| ![done.](images/checklistdone.png) | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
+| ![done.](images/checklistdone.png) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)</br>or Deploy Windows 10 updates using Windows Server Update Services (this topic)</br>or [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) |
 
 
 
diff --git a/windows/deployment/update/waas-manage-updates-wufb.md b/windows/deployment/update/waas-manage-updates-wufb.md
index 1b52ddaf69..850d6cec44 100644
--- a/windows/deployment/update/waas-manage-updates-wufb.md
+++ b/windows/deployment/update/waas-manage-updates-wufb.md
@@ -204,7 +204,7 @@ For the best experience with Windows Update, follow these guidelines:
 
 Update Compliance provides a holistic view of operating system update compliance, update deployment progress, and failure troubleshooting for Windows 10 devices. This  service uses diagnostic data including installation progress, Windows Update configuration, and other information to provide such insights, at no extra cost and without extra infrastructure requirements. Whether used with Windows Update for Business or other management tools, you can be assured that your devices are properly updated.
 
-![Update Compliance Dashboard](images/waas-wufb-update-compliance.png)
+![Update Compliance Dashboard.](images/waas-wufb-update-compliance.png)
 
 For more information about Update Compliance, see [Monitor Windows Updates using Update Compliance](update-compliance-monitor.md).
 
@@ -213,9 +213,9 @@ For more information about Update Compliance, see [Monitor Windows Updates using
 
 | | |
 | --- | --- |
-| ![done](images/checklistdone.png) | [Learn about updates and servicing channels](waas-overview.md) |
-| ![done](images/checklistdone.png) | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) |
-| ![done](images/checklistdone.png) | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
-| ![done](images/checklistdone.png) | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) |
-| ![done](images/checklistdone.png) | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
-| ![done](images/checklistdone.png) | Deploy updates using Windows Update for Business (this topic) </br>or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)</br>or [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) |
\ No newline at end of file
+| ![done.](images/checklistdone.png) | [Learn about updates and servicing channels](waas-overview.md) |
+| ![done.](images/checklistdone.png) | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) |
+| ![done.](images/checklistdone.png) | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
+| ![done.](images/checklistdone.png) | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) |
+| ![done.](images/checklistdone.png) | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
+| ![done.](images/checklistdone.png) | Deploy updates using Windows Update for Business (this topic) </br>or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)</br>or [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) |
\ No newline at end of file
diff --git a/windows/deployment/update/waas-optimize-windows-10-updates.md b/windows/deployment/update/waas-optimize-windows-10-updates.md
index 4a9c314c35..672e2ff5a9 100644
--- a/windows/deployment/update/waas-optimize-windows-10-updates.md
+++ b/windows/deployment/update/waas-optimize-windows-10-updates.md
@@ -39,8 +39,8 @@ Two methods of peer-to-peer content distribution are available in Windows 10.
 
 | Method | Windows Update | Windows Update for Business | WSUS | Configuration Manager |
 | --- | --- | --- | --- | --- |
-| Delivery Optimization | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) |
-| BranchCache | ![no](images/crossmark.png) | ![no](images/crossmark.png) |![yes](images/checkmark.png) | ![yes](images/checkmark.png) |
+| Delivery Optimization | ![yes.](images/checkmark.png) | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) | ![yes](images/checkmark.png) |
+| BranchCache | ![no.](images/crossmark.png) | ![no](images/crossmark.png) |![yes](images/checkmark.png) | ![yes](images/checkmark.png) |
 
 > [!NOTE]
 > Microsoft Endpoint Manager has an additional feature called Client Peer Cache that allows peer-to-peer content sharing between clients you use Microsoft Endpoint Manager to manage, in the same Configuration Manager boundary Group. For more information, see [Client Peer Cache](/configmgr/core/plan-design/hierarchy/client-peer-cache).
@@ -88,12 +88,12 @@ At this point, the download is complete and the update is ready to be installed.
 
 |&nbsp; |&nbsp; |
 | --- | --- |
-| ![done](images/checklistdone.png) | [Learn about updates and servicing channels](waas-overview.md) |
-| ![done](images/checklistdone.png) | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) |
-| ![done](images/checklistdone.png) | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
-| ![done](images/checklistdone.png) | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) |
-| ![done](images/checklistdone.png) | Optimize update delivery for Windows 10 updates (this topic) |
-| ![to do](images/checklistbox.gif) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)<br/>or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)<br/>or [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) |
+| ![done.](images/checklistdone.png) | [Learn about updates and servicing channels](waas-overview.md) |
+| ![done.](images/checklistdone.png) | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) |
+| ![done.](images/checklistdone.png) | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
+| ![done.](images/checklistdone.png) | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) |
+| ![done.](images/checklistdone.png) | Optimize update delivery for Windows 10 updates (this topic) |
+| ![to do.](images/checklistbox.gif) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)<br/>or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)<br/>or [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) |
 
 
 ## Related topics
diff --git a/windows/deployment/update/waas-overview.md b/windows/deployment/update/waas-overview.md
index d34bb385f6..d24139a1e4 100644
--- a/windows/deployment/update/waas-overview.md
+++ b/windows/deployment/update/waas-overview.md
@@ -92,7 +92,7 @@ In Windows 10, rather than receiving several updates each month and trying to fi
 
 **Figure 1**
 
-![Comparison of patch environment in enterprise compared to test](images/waas-overview-patch.png)
+![Comparison of patch environment in enterprise compared to test.](images/waas-overview-patch.png)
 
 
 
@@ -184,12 +184,12 @@ With all these options, which an organization chooses depends on the resources,
 
 |&nbsp; |&nbsp; |
 | --- | --- |
-| ![done](images/checklistdone.png) | Learn about updates and servicing channels (this topic) |
-| ![to do](images/checklistbox.gif) | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) |
-| ![to do](images/checklistbox.gif) | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
-| ![to do](images/checklistbox.gif) | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) |
-| ![to do](images/checklistbox.gif) | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
-| ![to do](images/checklistbox.gif) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)</br>or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)</br>or [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) |
+| ![done.](images/checklistdone.png) | Learn about updates and servicing channels (this topic) |
+| ![to do.](images/checklistbox.gif) | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) |
+| ![to do.](images/checklistbox.gif) | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
+| ![to do.](images/checklistbox.gif) | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) |
+| ![to do.](images/checklistbox.gif) | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
+| ![to do.](images/checklistbox.gif) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)</br>or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)</br>or [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) |
 
 
 
diff --git a/windows/deployment/update/waas-restart.md b/windows/deployment/update/waas-restart.md
index 62a5078e43..5f04e54883 100644
--- a/windows/deployment/update/waas-restart.md
+++ b/windows/deployment/update/waas-restart.md
@@ -69,7 +69,7 @@ Administrators can use multiple ways to set active hours for managed devices:
 
 To configure active hours using Group Policy, go to **Computer Configuration\Administrative Templates\Windows Components\Windows Update** and open the **Turn off auto-restart for updates during active hours** policy setting. When the policy is enabled, you can set the start and end times for active hours.
 
-![Use Group Policy to configure active hours](images/waas-active-hours-policy.png)
+![Use Group Policy to configure active hours.](images/waas-active-hours-policy.png)
 
 ### Configuring active hours with MDM
 
@@ -89,7 +89,7 @@ For a detailed description of these registry keys, see [Registry keys used to ma
 >[!NOTE]
 >To configure active hours manually on a single device, go to **Settings** > **Update & security** > **Windows Update** and select **Change active hours**.
 >
->![Change active hours](images/waas-active-hours.png)
+>![Change active hours.](images/waas-active-hours.png)
 
 ### Configuring active hours max range
 
@@ -155,13 +155,14 @@ In the Group Policy editor, you will see a number of policy settings that pertai
 
 | Policy | Applies to Windows 10 | Notes |
 | --- | --- | --- |
-| Turn off auto-restart for updates during active hours | ![yes](images/checkmark.png) | Use this policy to configure active hours, during which the device will not be restarted. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** or **Always automatically restart at the scheduled time** policies are enabled.  |
-| Always automatically restart at the scheduled time | ![yes](images/checkmark.png) | Use this policy to configure a restart timer (between 15 and 180 minutes) that will start immediately after Windows Update installs important updates. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** policy is enabled. |
-| Specify deadline before auto-restart for update installation | ![yes](images/checkmark.png)  | Use this policy to specify how many days (between 2 and 14) an automatic restart can be delayed. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** or **Always automatically restart at the scheduled time** policies are enabled.  |
-| No auto-restart with logged on users for scheduled automatic updates installations | ![yes](images/checkmark.png) | Use this policy to prevent automatic restart when a user is logged on. This policy applies only when the **Configure Automatic Updates** policy is configured to perform scheduled installations of updates. |
-| Re-prompt for restart with scheduled installations | ![no](images/crossmark.png) |   |
-| Delay Restart for scheduled installations | ![no](images/crossmark.png) |   |
-| Reschedule Automatic Updates scheduled installations | ![no](images/crossmark.png) |   |
+| Turn off auto-restart for updates during active hours | ![yes.](images/checkmark.png) | Use this policy to configure active hours, during which the device will not be restarted. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** or **Always automatically restart at the scheduled time** policies are enabled.  |
+| Always automatically restart at the scheduled time | ![yes.](images/checkmark.png) | Use this policy to configure a restart timer (between 15 and 180 minutes) that will start immediately after Windows Update installs important updates. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** policy is enabled. |
+| Specify deadline before auto-restart for update installation | ![yes.](images/checkmark.png)  | Use this policy to specify how many days (between 2 and 14) an automatic restart can be delayed. This policy has no effect if the **No auto-restart with logged on users for scheduled automatic updates installations** or **Always automatically restart at the scheduled time** policies are enabled.  |
+| No auto-restart with logged on users for scheduled automatic updates installations | ![yes.](images/checkmark.png) | Use this policy to prevent automatic restart when a user is logged on. This policy applies only when the **Configure Automatic Updates** policy is configured to perform scheduled installations of updates. <br>There is no equivalent MDM policy setting for Windows 10 Mobile. |
+| Re-prompt for restart with scheduled installations | ![no.](images/crossmark.png) |   |
+| Delay Restart for scheduled installations | ![no.](images/crossmark.png) |   |
+| Reschedule Automatic Updates scheduled installations | ![no.](images/crossmark.png) |   |
+
 
 >[!NOTE]
 >You can only choose one path for restart behavior.
diff --git a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md
index 51430aba0c..689b5381a6 100644
--- a/windows/deployment/update/waas-servicing-channels-windows-10-updates.md
+++ b/windows/deployment/update/waas-servicing-channels-windows-10-updates.md
@@ -32,12 +32,12 @@ The Semi-Annual Channel is the default servicing channel for all Windows 10 devi
 
 | Windows 10 edition | Semi-Annual Channel | Long-Term Servicing Channel | Insider Program |
 | --- | --- | --- | --- |
-| Home | ![no](images/crossmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) |
-| Pro | ![yes](images/checkmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) |
-| Enterprise  | ![yes](images/checkmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) |
-| Enterprise LTSB  | ![no](images/crossmark.png) | ![yes](images/checkmark.png) | ![no](images/crossmark.png) |
-| Pro Education | ![yes](images/checkmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) |
-| Education  | ![yes](images/checkmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) |
+| Home | ![no.](images/crossmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) |
+| Pro | ![yes.](images/checkmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) |
+| Enterprise  | ![yes.](images/checkmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) |
+| Enterprise LTSB  | ![no.](images/crossmark.png) | ![yes](images/checkmark.png) | ![no](images/crossmark.png) |
+| Pro Education | ![yes.](images/checkmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) |
+| Education  | ![yes.](images/checkmark.png) | ![no](images/crossmark.png) | ![yes](images/checkmark.png) |
 
 
 >[!NOTE]
@@ -164,12 +164,12 @@ Administrators can disable the "Check for updates" option for users by enabling
 
 |&nbsp; |&nbsp; |
 | --- | --- |
-| ![done](images/checklistdone.png) | [Learn about updates and servicing channels](waas-overview.md) |
-| ![done](images/checklistdone.png) | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) |
-| ![done](images/checklistdone.png) | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
-| ![done](images/checklistdone.png) | Assign devices to servicing channels for Windows 10 updates (this topic) |
-| ![to do](images/checklistbox.gif) | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
-| ![to do](images/checklistbox.gif) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)</br>or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)</br>or [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) |
+| ![done.](images/checklistdone.png) | [Learn about updates and servicing channels](waas-overview.md) |
+| ![done.](images/checklistdone.png) | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) |
+| ![done.](images/checklistdone.png) | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
+| ![done.](images/checklistdone.png) | Assign devices to servicing channels for Windows 10 updates (this topic) |
+| ![to do.](images/checklistbox.gif) | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
+| ![to do.](images/checklistbox.gif) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)</br>or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)</br>or [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) |
 
 ## Related topics
 
diff --git a/windows/deployment/update/waas-servicing-differences.md b/windows/deployment/update/waas-servicing-differences.md
index 8ed552de4e..c240d7d1c1 100644
--- a/windows/deployment/update/waas-servicing-differences.md
+++ b/windows/deployment/update/waas-servicing-differences.md
@@ -42,7 +42,7 @@ This helps simplify servicing. Devices with the original Release to Market (RTM)
 Windows publishes the new LCU packages for each Windows 10 version (1607, 1709, etc.) on the second Tuesday of each month. This package is classified as a required security update and contains contents from the previous LCU as well as new security, non-security, and Internet Explorer 11 (IE11) fixes. A reboot of the device might be required to complete installation of the update.
 
 
-![High level cumulative update model](images/servicing-cadence.png)
+![High level cumulative update model.](images/servicing-cadence.png)
 *Figure 1.0 - High level cumulative update model*
 
 Another benefit of the LCU model is fewer steps. Devices that have the original Release to Market (RTM) version of a release can install the most recent LCU to get up to date in one step, rather than having to install multiple updates with reboots after each.
@@ -67,7 +67,7 @@ Customers saw the LCU model used for Windows 10 as having packages that were too
 
 The Monthly Rollup includes new non-security (if appropriate), security updates, Internet Explorer (IE) updates, and all updates from the previous month similar to the Windows 10 model. The Security-only package includes only new security updates for the month. This means that any security updates from any previous month are not included in current month's Security-Only Package. If a Security-Only update is missed, it is missed. Those updates will not appear in a future Security-Only update. Additionally, a cumulative package is offered for IE, which can be tested and installed separately, reducing the total update package size. The IE cumulative update includes both security and non-security fixes following the same model as Windows 10.
 
-![Legacy OS security-only update model](images/security-only-update.png)
+![Legacy OS security-only update model.](images/security-only-update.png)
 *Figure 2.0 - Legacy OS security-only update model*
 
 Moving to the cumulative model for legacy OS versions continues to improve predictability of update quality. The Windows legacy environments which have fully updated machines with Monthly Rollups are running the same baseline against which all legacy OS version updates are tested. These include all of the updates (security and non-security) prior to and after October 2016. Many customer environments do not have all updates prior to this change installed, which leaves some continued fragmentation in the ecosystem. Further, customers who are installing Security-Only Updates and potentially doing so inconsistently are also more fragmented than Microsoft's test environments for legacy OS version. This remaining fragmentation results in issues like those seen when the September 2016 Servicing Stack Update (SSU) was needed for smooth installation of the August 2018 security update. These environments did not have the SSU applied previously.
@@ -99,7 +99,7 @@ Windows 10 version 1709:
 - (10B) October 9, 2018 Update Tuesday / B release includes all fixes included in 9B, all fixes in 9C and introduces new security fixes and IE updates. This update is qualified as "Required, Security" and requires a system reboot.
 All of these updates are cumulative and build on each other for Windows 10. This is in contrast to legacy OS versions, where the 9C release becomes part of the "Monthly Rollup," but not the "Security Only" update. In other words, a Window 7 SP1 9C update is part of the cumulative "Monthly Rollup" but not included in the "Security Only" update because the fixes are qualified as "non-security". This is an important variation to note on the two models. 
 
-![Preview releases in the Windows 10 LCU model](images/servicing-previews.png)
+![Preview releases in the Windows 10 LCU model.](images/servicing-previews.png)
 *Figure 3.0 - Preview releases within the Windows 10 LCU model*
 
 ## Previews vs. on-demand releases
diff --git a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md
index a9e7039ffb..e22c1fd433 100644
--- a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md
+++ b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md
@@ -25,7 +25,7 @@ ms.collection: m365initiative-coredeploy
 In the past, traditional Windows deployments tended to be large, lengthy, and expensive. Windows 10 offers a new approach to deploying both quality and feature updates, making the process much simpler and therefore the planning much more straightforward. With Windows as a service, the methodology around updating Windows has changed, moving away from major upgrades every few years to iterative updates twice per year. Each iteration contains a smaller subset of changes so that they won’t seem like substantial differences, like they do today. This image illustrates the level of effort needed for traditional Windows deployments versus servicing Windows 10 and how it is now spread evenly over time versus spiking every few years.
 
 
-![Compare traditional servicing to Windows 10](images/waas-strategy-fig1a.png)
+![Compare traditional servicing to Windows 10.](images/waas-strategy-fig1a.png)
 
 Windows 10 spreads the traditional deployment effort of a Windows upgrade, which typically occurred every few years, over smaller, continuous updates. With this change, you must approach the ongoing deployment and servicing of Windows differently. A strong Windows 10 deployment strategy begins with establishing a simple, repeatable process for testing and deploying each feature update. Here’s an example of what this process might look like:
 
@@ -52,12 +52,12 @@ Each time Microsoft releases a Windows 10 feature update, the IT department shou
 
 |&nbsp; |&nbsp; |
 | --- | --- |
-| ![done](images/checklistdone.png) | [Learn about updates and servicing channels](waas-overview.md) |
-| ![done](images/checklistdone.png) | Prepare servicing strategy for Windows 10 updates (this topic) |
-| ![to do](images/checklistbox.gif) | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
-| ![to do](images/checklistbox.gif) | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) |
-| ![to do](images/checklistbox.gif) | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
-| ![to do](images/checklistbox.gif) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)</br>or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)</br>or [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) |
+| ![done.](images/checklistdone.png) | [Learn about updates and servicing channels](waas-overview.md) |
+| ![done.](images/checklistdone.png) | Prepare servicing strategy for Windows 10 updates (this topic) |
+| ![to do.](images/checklistbox.gif) | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
+| ![to do.](images/checklistbox.gif) | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) |
+| ![to do.](images/checklistbox.gif) | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
+| ![to do.](images/checklistbox.gif) | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)</br>or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)</br>or [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) |
 
 
 ## Related topics
diff --git a/windows/deployment/update/waas-wufb-csp-mdm.md b/windows/deployment/update/waas-wufb-csp-mdm.md
index ac652f7cbf..bdc0a8d662 100644
--- a/windows/deployment/update/waas-wufb-csp-mdm.md
+++ b/windows/deployment/update/waas-wufb-csp-mdm.md
@@ -72,19 +72,19 @@ A Windows Update for Business administrator can defer or pause updates. You can
 
 In this example, there are three rings for quality updates. The first ring ("pilot") has a deferral period of 0 days. The second ring ("fast") has a deferral of five days. The third ring ("slow") has a deferral of ten days.
 
-![illustration of devices divided into three rings](images/waas-wufb-3-rings.png)
+![illustration of devices divided into three rings.](images/waas-wufb-3-rings.png)
 
 When the quality update is released, it is offered to devices in the pilot ring the next time they scan for updates.
 
 ##### Five days later
 The devices in the fast ring are offered the quality update the next time they scan for updates.
 
-![illustration of devices with fast ring deployed](images/waas-wufb-fast-ring.png)
+![illustration of devices with fast ring deployed.](images/waas-wufb-fast-ring.png)
 
 ##### Ten days later
 Ten days after the quality update is released, it is offered to the devices in the slow ring the next time they scan for updates.
 
-![illustration of devices with slow ring deployed](images/waas-wufb-slow-ring.png)
+![illustration of devices with slow ring deployed.](images/waas-wufb-slow-ring.png)
 
 If no problems occur, all of the devices that scan for updates will be offered the quality update within ten days of its release, in three waves.
 
@@ -92,11 +92,11 @@ If no problems occur, all of the devices that scan for updates will be offered t
 
 In this example, some problem is discovered during the deployment of the update to the "pilot" ring.
 
-![illustration of devices divided with pilot ring experiencing a problem](images/waas-wufb-pilot-problem.png)
+![illustration of devices divided with pilot ring experiencing a problem.](images/waas-wufb-pilot-problem.png)
 
 At this point, the IT administrator can set a policy to pause the update. In this example, the admin selects the **Pause quality updates** check box.
 
-![illustration of rings with pause quality update check box selected](images/waas-wufb-pause.png)
+![illustration of rings with pause quality update check box selected.](images/waas-wufb-pause.png)
 
 Now all devices are paused from updating for 35 days. When the pause is removed, they will be offered the *next* quality update, which ideally will not have the same issue. If there is still an issue, the IT admin can pause updates again.
 
@@ -153,21 +153,21 @@ When **Specify deadlines for automatic updates and restarts** is set (For Window
 
    - After this period, the user receives this dialog:
 
-     ![The notification users get for an impending restart prior to deadline](images/wufb-update-deadline-warning.png)
+     ![The notification users get for an impending restart prior to deadline.](images/wufb-update-deadline-warning.png)
 
    - If the user scheduled a restart, or if an auto restart is scheduled, 15 minutes before the scheduled time the user is receives this notification that the restart is about to occur:
 
-     ![The notification users get for an impending restart 15 minutes prior to restart](images/wufb-restart-imminent-warning.png)
+     ![The notification users get for an impending restart 15 minutes prior to restart.](images/wufb-restart-imminent-warning.png)
 
  - **If the restart is still pending after the deadline passes:**
  
    - Within 12 hours before the deadline passes, the user receives this notification that the deadline is approaching:
 
-     ![The notification users get for an approaching restart deadline](images/wufb-pastdeadline-restart-warning.png)
+     ![The notification users get for an approaching restart deadline.](images/wufb-pastdeadline-restart-warning.png)
 
    - Once the deadline has passed, the user is forced to restart to keep their devices in compliance and receives this notification:
 
-     ![The notification users get for an imminent restart after the deadline](images/wufb-pastdeadline-restartnow.png)
+     ![The notification users get for an imminent restart after the deadline.](images/wufb-pastdeadline-restartnow.png)
 
 #### I want to manage the notifications a user sees
 
diff --git a/windows/deployment/update/waas-wufb-group-policy.md b/windows/deployment/update/waas-wufb-group-policy.md
index 48776410ef..3b2091e5fa 100644
--- a/windows/deployment/update/waas-wufb-group-policy.md
+++ b/windows/deployment/update/waas-wufb-group-policy.md
@@ -83,19 +83,19 @@ A Windows Update for Business administrator can defer or pause updates. You can
 
 In this example, there are three rings for quality updates. The first ring ("pilot") has a deferral period of 0 days. The second ring ("fast") has a deferral of five days. The third ring ("slow") has a deferral of ten days.
 
-![illustration of devices divided into three rings](images/waas-wufb-3-rings.png)
+![illustration of devices divided into three rings.](images/waas-wufb-3-rings.png)
 
 When the quality update is released, it is offered to devices in the pilot ring the next time they scan for updates.
 
 ##### Five days later
 The devices in the fast ring are offered the quality update the next time they scan for updates.
 
-![illustration of devices with fast ring deployed](images/waas-wufb-fast-ring.png)
+![illustration of devices with fast ring deployed.](images/waas-wufb-fast-ring.png)
 
 ##### Ten days later
 Ten days after the quality update is released, it is offered to the devices in the slow ring the next time they scan for updates.
 
-![illustration of devices with slow ring deployed](images/waas-wufb-slow-ring.png)
+![illustration of devices with slow ring deployed.](images/waas-wufb-slow-ring.png)
 
 If no problems occur, all of the devices that scan for updates will be offered the quality update within ten days of its release, in three waves.
 
@@ -103,11 +103,11 @@ If no problems occur, all of the devices that scan for updates will be offered t
 
 In this example, some problem is discovered during the deployment of the update to the "pilot" ring.
 
-![illustration of devices divided with pilot ring experiencing a problem](images/waas-wufb-pilot-problem.png)
+![illustration of devices divided with pilot ring experiencing a problem.](images/waas-wufb-pilot-problem.png)
 
 At this point, the IT administrator can set a policy to pause the update. In this example, the admin selects the **Pause quality updates** check box.
 
-![illustration of rings with pause quality update check box selected](images/waas-wufb-pause.png)
+![illustration of rings with pause quality update check box selected.](images/waas-wufb-pause.png)
 
 Now all devices are paused from updating for 35 days. When the pause is removed, they will be offered the *next* quality update, which ideally will not have the same issue. If there is still an issue, the IT admin can pause updates again.
 
@@ -150,21 +150,21 @@ When **Specify deadlines for automatic updates and restarts** is set (For Window
 
    - After this period, the user receives this dialog:
 
-     ![The notification users get for an impending restart prior to deadline](images/wufb-update-deadline-warning.png)
+     ![The notification users get for an impending restart prior to deadline.](images/wufb-update-deadline-warning.png)
 
    - If the user scheduled a restart, or if an auto restart is scheduled, 15 minutes before the scheduled time the user is receives this notification that the restart is about to occur:
 
-     ![The notification users get for an impending restart 15 minutes prior to restart](images/wufb-restart-imminent-warning.png)
+     ![The notification users get for an impending restart 15 minutes prior to restart.](images/wufb-restart-imminent-warning.png)
 
  - **If the restart is still pending after the deadline passes:**
  
    - Within 12 hours before the deadline passes, the user receives this notification that the deadline is approaching:
 
-     ![The notification users get for an approaching restart deadline](images/wufb-pastdeadline-restart-warning.png)
+     ![The notification users get for an approaching restart deadline.](images/wufb-pastdeadline-restart-warning.png)
 
    - Once the deadline has passed, the user is forced to restart to keep their devices in compliance and receives this notification:
 
-     ![The notification users get for an imminent restart after the deadline](images/wufb-pastdeadline-restartnow.png)
+     ![The notification users get for an imminent restart after the deadline.](images/wufb-pastdeadline-restartnow.png)
 
 #### I want to manage the notifications a user sees
 
diff --git a/windows/deployment/update/waas-wufb-intune.md b/windows/deployment/update/waas-wufb-intune.md
index 804efbe96e..8922733a56 100644
--- a/windows/deployment/update/waas-wufb-intune.md
+++ b/windows/deployment/update/waas-wufb-intune.md
@@ -54,7 +54,7 @@ In this example, you use two security groups to manage your updates: **Ring 4 Br
 
 2. Click the **Policy** workspace. In the middle pane, click **Configuration Policies**, and then click **Add** in the details pane.
 
-    ![Shows the UI for this step](images/waas-wufb-intune-step2a.png)
+    ![Shows the UI for this step.](images/waas-wufb-intune-step2a.png)
     
 3. In the Create a New Policy Wizard, select **Windows\Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**.
 
@@ -69,7 +69,7 @@ In this example, you use two security groups to manage your updates: **Ring 4 Br
     >[!NOTE]
     >The OMA-URI settings are case sensitive, so be sure to review [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider) for the proper syntax.
 
-    ![Settings for the RequireDeferUpgrade policy](images/waas-wufb-intune-step7a.png)
+    ![Settings for the RequireDeferUpgrade policy.](images/waas-wufb-intune-step7a.png)
     
 8. For this deployment ring, you're required to enable only CBB, so click **Save Policy**.
 
@@ -119,7 +119,7 @@ You have now configured the **Ring 4 Broad business users** deployment ring to e
 
     Three settings should appear in the **Windows Update for Business – CBB2** policy.
     
-    ![Settings for CBB2 policy](images/waas-wufb-intune-step19a.png)
+    ![Settings for CBB2 policy.](images/waas-wufb-intune-step19a.png)
     
 20. Click **Save Policy**, and then click **Yes** at the **Deploy Policy** prompt.
 
@@ -141,7 +141,7 @@ In this example, you use three security groups from Table 1 in [Build deployment
 
 2. Click the **Policy** workspace. In the middle pane, click **Configuration Policies**, and then click **Add** in the details pane.
 
-    ![Shows the UI for this step](images/waas-wufb-intune-step2a.png)
+    ![Shows the UI for this step.](images/waas-wufb-intune-step2a.png)
     
 3. In the Create a New Policy Wizard, select **Windows\Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**.
 
@@ -156,7 +156,7 @@ In this example, you use three security groups from Table 1 in [Build deployment
     >[!NOTE]
     >The OMA-URI settings are case sensitive, so be sure to review [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider) for the proper syntax.
 
-    ![Settings for the BranchReadinessLevel policy](images/waas-wufb-intune-cb2a.png)
+    ![Settings for the BranchReadinessLevel policy.](images/waas-wufb-intune-cb2a.png)
     
 8. Because the **Ring 2 Pilot Business Users** deployment ring receives the CB feature updates after 28 days, in the **OMA-URI Settings** section, click **Add** to add another OMA-URI setting. 
 
@@ -164,7 +164,7 @@ In this example, you use three security groups from Table 1 in [Build deployment
 10. In the **OMA-URI** box, type **./Vendor/MSFT/Policy/Config/Update/DeferFeatureUpdatesPeriodInDays**.
 11. In the **Value** box, type **28**, and then click **OK**.
 
-    ![Settings for the DeferFeatureUpdatesPeriodInDays policy step 11](images/waas-wufb-intune-step11a.png)
+    ![Settings for the DeferFeatureUpdatesPeriodInDays policy step 11.](images/waas-wufb-intune-step11a.png)
 
 9. Click **Save Policy**.
 
@@ -181,7 +181,7 @@ You have now configured the **Ring 2 Pilot Business Users** deployment ring to e
 
 2. Click the **Policy** workspace. In the middle pane, click **Configuration Policies**, and then click **Add** in the details pane.
 
-    ![Shows the UI for this step](images/waas-wufb-intune-step2a.png)
+    ![Shows the UI for this step.](images/waas-wufb-intune-step2a.png)
     
 3. In the Create a New Policy Wizard, select **Windows\Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**.
 
@@ -205,7 +205,7 @@ You have now configured the **Ring 2 Pilot Business Users** deployment ring to e
 
 11. In the **Value** box, type **0**, and then click **OK**.
 
-    ![Settings for the DeferFeatureUpdatesPeriodInDays policy for broad business](images/waas-wufb-intune-cbb1a.png)
+    ![Settings for the DeferFeatureUpdatesPeriodInDays policy for broad business.](images/waas-wufb-intune-cbb1a.png)
 
 12. Click **Save Policy**.
 
@@ -223,7 +223,7 @@ You have now configured the **Ring 4 Broad business users** deployment ring to r
 
 2. Click the **Policy** workspace. In the middle pane, click **Configuration Policies**, and then click **Add** in the details pane.
 
-    ![Shows the UI for this step](images/waas-wufb-intune-step2a.png)
+    ![Shows the UI for this step.](images/waas-wufb-intune-step2a.png)
     
 3. In the Create a New Policy Wizard, select **Windows\Custom Configuration (Windows 10 Desktop and Mobile and later)**, and then click **Create Policy**.
 
@@ -255,7 +255,7 @@ You have now configured the **Ring 4 Broad business users** deployment ring to r
 
 15. In the **Value** box, type **14**, and then click **OK**.
 
-    ![Settings for the DeferFeatureUpdatesPeriodInDays policy](images/waas-wufb-intune-cbb2a.png)
+    ![Settings for the DeferFeatureUpdatesPeriodInDays policy.](images/waas-wufb-intune-cbb2a.png)
 
 16. Click **Save Policy**.
 
diff --git a/windows/deployment/update/windows-update-logs.md b/windows/deployment/update/windows-update-logs.md
index d6489c143d..8ef6e625b4 100644
--- a/windows/deployment/update/windows-update-logs.md
+++ b/windows/deployment/update/windows-update-logs.md
@@ -85,7 +85,7 @@ The time stamp indicates the time at which the logging occurs.
 - Messages are usually in chronological order, but there may be exceptions. 
 - A pause during a sync can indicate a network problem, even if the scan succeeds. 
 - A long pause near the end of a scan can indicate a supersedence chain issue.   
-   ![Windows Update time stamps](images/update-time-log.png)
+   ![Windows Update time stamps.](images/update-time-log.png)
 
 
 #### Process ID and thread ID  
@@ -93,7 +93,7 @@ The Process IDs and Thread IDs are random, and they can vary from log to log and
 - The first four hex digits are the process ID. 
 - The next four hex digits are the thread ID. 
 - Each component, such as the USO, Windows Update engine, COM API callers, and Windows Update installer handlers, has its own process ID.   
-   ![Windows Update process and thread IDs](images/update-process-id.png)
+   ![Windows Update process and thread IDs.](images/update-process-id.png)
 
 
 #### Component name  
@@ -106,7 +106,7 @@ Search for and identify the components that are associated with the IDs. Differe
 - DataStore - Caching update data locally 
 - IdleTimer - Tracking active calls, stopping service 
 
-![Windows Update component name](images/update-component-name.png)
+![Windows Update component name.](images/update-component-name.png)
 
 
 #### Update identifiers  
@@ -117,7 +117,7 @@ There are different identifiers for the same update in different contexts. It's
 - Revision number: A number incremented every time that a given update (that has a given update ID) is modified and republished on a service 
 - Revision numbers are reused from one update to another (not a unique identifier). 
 - The update ID and revision number are often shown together as "{GUID}.revision." 
-   ![Windows Update update identifiers](images/update-update-id.png)
+   ![Windows Update update identifiers.](images/update-update-id.png)
 
 
 ##### Revision ID 
@@ -141,7 +141,7 @@ There are different identifiers for the same update in different contexts. It's
    - Small integers that appear alongside an update ID are revision numbers 
    - Large integers are typically revision IDs 
    - Small integers (especially in Datastore) can be local IDs 
-      ![Windows Update inconsisten terminology](images/update-inconsistent.png)
+      ![Windows Update inconsisten terminology.](images/update-inconsistent.png)
 
 ## Windows Setup log files analysis using SetupDiag tool
 SetupDiag is a diagnostic tool that can be used for analysis of logs related to installation of Windows Updates. For detailed information, see [SetupDiag](../upgrade/setupdiag.md).
\ No newline at end of file
diff --git a/windows/deployment/update/windows-update-overview.md b/windows/deployment/update/windows-update-overview.md
index 9706a55a92..696e499750 100644
--- a/windows/deployment/update/windows-update-overview.md
+++ b/windows/deployment/update/windows-update-overview.md
@@ -32,7 +32,7 @@ Use the following information to get started with Windows Update:
 ## Unified Update Platform (UUP) architecture 
 To understand the changes to the Windows Update architecture that UUP introduces let's start with some new key terms. 
 
-![Windows Update terminology](images/update-terminology.png)
+![Windows Update terminology.](images/update-terminology.png)
 
 - **Update UI** – The user interface to initiate Windows Update check and history. Available under **Settings --> Update & Security --> Windows Update**. 
 - **Update Session Orchestrator (USO)**- A Windows OS component that orchestrates the sequence of downloading and installing various update types from Windows Update.  
diff --git a/windows/deployment/update/wufb-compliancedeadlines.md b/windows/deployment/update/wufb-compliancedeadlines.md
index f822925011..e56e7a3b5b 100644
--- a/windows/deployment/update/wufb-compliancedeadlines.md
+++ b/windows/deployment/update/wufb-compliancedeadlines.md
@@ -93,11 +93,11 @@ Once the device is in the pending restart state, it will attempt to restart the
 
 Notification users get for a quality update deadline:
 
-![The notification users get for an impending quality update deadline](images/wufb-quality-notification.png)
+![The notification users get for an impending quality update deadline.](images/wufb-quality-notification.png)
 
 Notification users get for a feature update deadline:
 
-![The notification users get for an impending feature update deadline](images/wufb-feature-notification.png)
+![The notification users get for an impending feature update deadline.](images/wufb-feature-notification.png)
 
 ### Deadline with user engagement
 
@@ -130,17 +130,17 @@ Before the deadline the device will be in two states: auto-restart period and en
 
 Notification users get for quality update engaged deadline:
 
-![The notification users get for an impending engaged quality update deadline example](images/wufb-quality-engaged-notification.png)
+![The notification users get for an impending engaged quality update deadline example.](images/wufb-quality-engaged-notification.png)
 
 Notification users get for a quality update deadline:
 
-![The notification users get for an impending quality update deadline example](images/wufb-quality-notification.png)
+![The notification users get for an impending quality update deadline example.](images/wufb-quality-notification.png)
 
 Notification users get for a feature update engaged deadline:
 
-![The notification users get for an impending feature update engaged deadline example](images/wufb-feature-update-engaged-notification.png)
+![The notification users get for an impending feature update engaged deadline example.](images/wufb-feature-update-engaged-notification.png)
 
 Notification users get for a feature update deadline:
 
-![The notification users get for an impending feature update deadline example](images/wufb-feature-update-deadline-notification.png)
+![The notification users get for an impending feature update deadline example.](images/wufb-feature-update-deadline-notification.png)
 
diff --git a/windows/deployment/update/wufb-manageupdate.md b/windows/deployment/update/wufb-manageupdate.md
index 93a5ab27b7..8589495141 100644
--- a/windows/deployment/update/wufb-manageupdate.md
+++ b/windows/deployment/update/wufb-manageupdate.md
@@ -40,7 +40,7 @@ If you don't need a wave deployment and have a small set of devices to manage, w
 |Do not allow update deferral policies to cause scans against Windows Update|GPO: Computer Configuration > Administrative Templates > Windows Components > Windows Update > Do not allow update deferral policies to cause scans against Windows Update|State: Disabled|
 
 ## Suggested configuration for a wave deployment
-![Graphic showing a deployment divided into rings for a wave deployment](images/wufb-wave-deployment.png)
+![Graphic showing a deployment divided into rings for a wave deployment.](images/wufb-wave-deployment.png)
 
 ## Early validation and testing
 Depending on your organizational size and requirements you might be able to test feature updates earlier to identify if there are impacts to Line of Business applications. Our recommendation is to enroll a set of devices that are a good representation of your device ecosystem (for example, devices with accounting software or engineering software). Learn more about [different deployment rings](https://insider.windows.com/how-to-pc/#working-with-rings).
diff --git a/windows/deployment/upgrade/quick-fixes.md b/windows/deployment/upgrade/quick-fixes.md
index e044463423..8aafc8f67d 100644
--- a/windows/deployment/upgrade/quick-fixes.md
+++ b/windows/deployment/upgrade/quick-fixes.md
@@ -174,7 +174,7 @@ To check your system for unsigned drivers:
 5. Type **sigverif** and press ENTER. 
 6. The File Signature Verification tool will open. Click **Start**.
 
-    ![File Signature Verification](../images/sigverif.png)
+    ![File Signature Verification.](../images/sigverif.png)
 
 7. After the scanning process is complete, if you see **Your files have been scanned and verified as digitally signed** then you have no unsigned drivers. Otherwise, you will see **The following files have not been digitally signed** and a list will be provided with name, location, and version of all unsigned drivers.
 8. To view and save a log file, click **Advanced**, and then click **View Log**. Save the log file if desired.
@@ -268,7 +268,7 @@ To obtain the proper firmware drivers, search for the most updated driver versio
 
 When you begin a Windows Update, the setup process will ask you to **Get important updates**. Answer **Yes** if the computer you are updating is connected to the Internet. See the following example:
 
-![Get important updates](../images/update.jpg)
+![Get important updates.](../images/update.jpg)
 
 ### Verify disk space
 
@@ -280,13 +280,13 @@ In File Explorer, click on **Computer** or **This PC** on the left, then look un
 
 The amount of space available on the system drive will be displayed under the drive. See the following example:
 
-![System drive](../images/drive.png)
+![System drive.](../images/drive.png)
 
 In the previous example, there is 703 GB of available free space on the system drive (C:).
 
 To free up additional space on the system drive, begin by running Disk Cleanup. You can access Disk Cleanup by right-clicking the hard drive icon and then clicking Properties. See the following example:
 
-![Disk cleanup](../images/cleanup.png)
+![Disk cleanup.](../images/cleanup.png)
 
 For instructions to run Disk Cleanup and other suggestions to free up hard drive space, see [Tips to free up drive space on your PC](https://support.microsoft.com/help/17421/windows-free-up-drive-space).
 
diff --git a/windows/deployment/upgrade/setupdiag.md b/windows/deployment/upgrade/setupdiag.md
index 9e7a29631c..1e87d9bff7 100644
--- a/windows/deployment/upgrade/setupdiag.md
+++ b/windows/deployment/upgrade/setupdiag.md
@@ -25,14 +25,14 @@ ms.topic: article
 >This is a 300 level topic (moderate advanced).<br>
 >See [Resolve Windows 10 upgrade errors](resolve-windows-10-upgrade-errors.md) for a full list of topics in this article.<br>
 
-&nbsp;[![Download SetupDiag](../images/download.png)](https://go.microsoft.com/fwlink/?linkid=870142)
+&nbsp;[![Download SetupDiag.](../images/download.png)](https://go.microsoft.com/fwlink/?linkid=870142)
 
 ## About SetupDiag
 
-<I>Current downloadable version of SetupDiag: 1.6.2107.27002</I>
->Always be sure to run the most recent version of SetupDiag, so that can access new functionality and fixes to known issues.
+<I>Current downloadable version of SetupDiag: 1.6.2107.27002.</I> 
+> Always be sure to run the most recent version of SetupDiag, so that can access new functionality and fixes to known issues.
 
-SetupDiag is a standalone diagnostic tool that can be used to obtain details about why a Windows 10 upgrade was unsuccessful. 
+SetupDiag is a diagnostic tool that can be used to obtain details about why a Windows 10 upgrade was unsuccessful. 
 
 SetupDiag works by examining Windows Setup log files. It attempts to parse these log files to determine the root cause of a failure to update or upgrade the computer to Windows 10. SetupDiag can be run on the computer that failed to update, or you can export logs from the computer to another location and run SetupDiag in offline mode.
 
@@ -344,6 +344,10 @@ Each rule name and its associated unique rule identifier are listed with a descr
 
 ## Release notes
 
+07/27/2021 - SetupDiag v1.6.2107.27002 is released with 61 rules, as a standalone tool available in the Download Center.
+- This version contains compliance updates and minor bug fixes.
+- With this release and subsequent releases, the version number of the downloadable SetupDiag tool is different from the one included with Windows Setup.
+
 05/06/2021 - SetupDiag v1.6.1.0 is released with 61 rules, as a standalone tool available in the Download Center.  
 - This version of SetupDiag is included with Windows 10, version 21H1.
 - A new rule is added: UserProfileSuffixMismatch.
@@ -563,7 +567,7 @@ Refer to "https://docs.microsoft.com/windows/desktop/Debug/system-error-codes" f
 
 ## Sample registry key
 
-![Example of Addreg](./../images/addreg.png)
+![Example of Addreg.](./../images/addreg.png)
 
 ## Related topics
 
diff --git a/windows/deployment/upgrade/submit-errors.md b/windows/deployment/upgrade/submit-errors.md
index 580a08b67c..1cde13e1eb 100644
--- a/windows/deployment/upgrade/submit-errors.md
+++ b/windows/deployment/upgrade/submit-errors.md
@@ -61,7 +61,7 @@ Click **Submit** to send your feedback.
 
 See the following example:
 
-![feedback example](../images/feedback.png) 
+![feedback example.](../images/feedback.png) 
 
 After you click Submit, that's all you need to do. Microsoft will receive your feedback and begin analyzing the issue.  You can check on your feedback periodically to see what solutions have been provided.
 
@@ -69,7 +69,7 @@ After you click Submit, that's all you need to do. Microsoft will receive your f
 
 After your feedback is submitted, you can email or post links to it by opening the Feedback Hub, clicking My feedback at the top, clicking the feedback item you submitted, clicking **Share**, then copying the short link that is displayed.
 
-![share link](../images/share.jpg) 
+![share.](../images/share.jpg) 
 
 ## Related topics
 
diff --git a/windows/deployment/upgrade/troubleshoot-upgrade-errors.md b/windows/deployment/upgrade/troubleshoot-upgrade-errors.md
index 842e478dcf..bdb7e4814a 100644
--- a/windows/deployment/upgrade/troubleshoot-upgrade-errors.md
+++ b/windows/deployment/upgrade/troubleshoot-upgrade-errors.md
@@ -59,31 +59,31 @@ When performing an operating system upgrade, Windows Setup uses phases described
 
 1. **Downlevel phase**: The downlevel phase is run within the previous operating system. Windows files are copied and installation components are gathered.
 
-    ![downlevel phase](../images/downlevel.png)  
+    ![downlevel phase.](../images/downlevel.png)  
 
 2. **Safe OS phase**: A recovery partition is configured, Windows files are expanded, and updates are installed. An OS rollback is prepared if needed. Example error codes: 0x2000C, 0x20017.
 
-    ![safeOS phase](../images/safeos.png) 
+    ![safeOS phase.](../images/safeos.png) 
 
 3. **First boot phase**: Initial settings are applied. Example error codes: 0x30018, 0x3000D.
 
-    ![first boot phase](../images/firstboot.png) 
+    ![first boot phase.](../images/firstboot.png) 
 
 4. **Second boot phase**: Final settings are applied. This is also called the **OOBE boot phase**. Example error codes: 0x4000D, 0x40017. 
 
     At the end of the second boot phase, the **Welcome to Windows 10** screen is displayed, preferences are configured, and the Windows 10 sign-in prompt is displayed.
 
-    ![second boot phase](../images/secondboot.png) 
+    ![second boot phase.](../images/secondboot.png) 
 
-    ![second boot phase](../images/secondboot2.png) 
+    ![second boot phase.](../images/secondboot2.png) 
 
-    ![second boot phase](../images/secondboot3.png) 
+    ![second boot phase.](../images/secondboot3.png) 
 
 5. **Uninstall phase**: This phase occurs if upgrade is unsuccessful (image not shown). Example error codes: 0x50000, 0x50015.
 
 **Figure 1**: Phases of a successful Windows 10 upgrade (uninstall is not shown):
 
-![Upgrade process](../images/upgrade-process.png)
+![Upgrade process.](../images/upgrade-process.png)
 
 DU = Driver/device updates.<br>
 OOBE = Out of box experience.<br>
diff --git a/windows/deployment/upgrade/windows-10-edition-upgrades.md b/windows/deployment/upgrade/windows-10-edition-upgrades.md
index 57307ee3d0..c8a2c54c5a 100644
--- a/windows/deployment/upgrade/windows-10-edition-upgrades.md
+++ b/windows/deployment/upgrade/windows-10-edition-upgrades.md
@@ -33,9 +33,9 @@ The following table shows the methods and paths available to change the edition
 > [!TIP]
 > Although it isn't displayed yet in the table, edition upgrade is also possible using [edition upgrade policy](/configmgr/compliance/deploy-use/upgrade-windows-version) in Microsoft Endpoint Configuration Manager.
 
-![not supported](../images/x_blk.png) (X) = not supported</br>
-![supported, reboot required](../images/check_grn.png) (green checkmark) = supported, reboot required</br>
-![supported, no reboot](../images/check_blu.png) (blue checkmark) = supported, no reboot required<br>
+![not supported.](../images/x_blk.png) (X) = not supported</br>
+![supported, reboot required.](../images/check_grn.png) (green checkmark) = supported, reboot required</br>
+![supported, no reboot.](../images/check_blu.png) (blue checkmark) = supported, no reboot required<br>
 
 <!-- OLD TABLE and key
 X = unsupported <BR>
@@ -44,28 +44,28 @@ X = unsupported <BR>
 
 |Method |Home > Pro |Home > Education |Pro > Education |Pro > Enterprise |Ent > Education |Mobile |
 |-------|-----------|-----------------|----------------|-----------------|----------------|--------|
-| Using mobile device management (MDM) |![unsupported](../images/x_blk.png) |![supported](../images/check_grn.png) |![supported](../images/check_grn.png) |![supported](../images/check_blu.png) |![supported](../images/check_grn.png) |![supported](../images/check_blu.png) |
-| Using a provisioning package |![unsupported](../images/x_blk.png) |![supported](../images/check_grn.png) |![supported](../images/check_grn.png) |![supported](../images/check_grn.png) |![supported](../images/check_grn.png) |![supported](../images/check_blu.png) |
-| Using a command-line tool |![unsupported](../images/x_blk.png) |![supported](../images/check_grn.png) |![supported](../images/check_grn.png) |![supported](../images/check_blu.png) |![supported](../images/check_grn.png) |![unsupported](../images/x_blk.png) |
-| Entering a product key manually |![supported](../images/check_grn.png) |![supported](../images/check_grn.png) |![supported](../images/check_grn.png) |![supported](../images/check_blu.png) |![supported](../images/check_grn.png) |![unsupported](../images/x_blk.png) |
-| Purchasing a license from the Microsoft Store |![supported](../images/check_grn.png) |![unsupported](../images/x_blk.png) |![unsupported](../images/x_blk.png) |![unsupported](../images/x_blk.png) |![unsupported](../images/x_blk.png) |![unsupported](../images/x_blk.png) |
+| Using mobile device management (MDM) |![unsupported.](../images/x_blk.png) |![supported](../images/check_grn.png) |![supported](../images/check_grn.png) |![supported](../images/check_blu.png) |![supported](../images/check_grn.png) |![supported](../images/check_blu.png) |
+| Using a provisioning package |![unsupported.](../images/x_blk.png) |![supported](../images/check_grn.png) |![supported](../images/check_grn.png) |![supported](../images/check_grn.png) |![supported](../images/check_grn.png) |![supported](../images/check_blu.png) |
+| Using a command-line tool |![unsupported.](../images/x_blk.png) |![supported](../images/check_grn.png) |![supported](../images/check_grn.png) |![supported](../images/check_blu.png) |![supported](../images/check_grn.png) |![unsupported](../images/x_blk.png) |
+| Entering a product key manually |![supported.](../images/check_grn.png) |![supported](../images/check_grn.png) |![supported](../images/check_grn.png) |![supported](../images/check_blu.png) |![supported](../images/check_grn.png) |![unsupported](../images/x_blk.png) |
+| Purchasing a license from the Microsoft Store |![supported.](../images/check_grn.png) |![unsupported](../images/x_blk.png) |![unsupported](../images/x_blk.png) |![unsupported](../images/x_blk.png) |![unsupported](../images/x_blk.png) |![unsupported](../images/x_blk.png) |
 -->
 
 | Edition upgrade | Using mobile device management (MDM) | Using a provisioning package | Using a command-line tool | Using Microsoft Store for Business or PC | Entering a product key manually | Purchasing a license from the Microsoft Store |
 |-----------------| ------------------------------------ | --------------------------- | ------------------------- | -------------------------------------- | ----------------------------------- | --------------------------------------------- |
-| **Home > Pro** | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) |
-| **Home > Pro for Workstations** | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) |
-| **Home > Pro Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) |
-| **Home > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) |
-| **Pro > Pro for Workstations** | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) <br>(MSfB) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) |
-| **Pro > Pro Education** | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) <br>(MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) |
-| **Pro > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) <br>(MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) |
-| **Pro > Enterprise** | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) <br>(1703 - PC)<br>(1709 - MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) |
-| **Pro for Workstations > Pro Education** | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) <br>(MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) |
-| **Pro for Workstations > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) <br>(MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) |
-| **Pro for Workstations > Enterprise** | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) <br>(1703 - PC)<br>(1709 - MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) |
-| **Pro Education > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) <br>(MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) |
-| **Enterprise > Education** | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) <br>(MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) |
+| **Home > Pro** | ![not supported.](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) |
+| **Home > Pro for Workstations** | ![not supported.](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) |
+| **Home > Pro Education** | ![supported, reboot required.](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) |
+| **Home > Education** | ![supported, reboot required.](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) |
+| **Pro > Pro for Workstations** | ![supported, no reboot.](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) <br>(MSfB) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) |
+| **Pro > Pro Education** | ![supported, no reboot.](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) <br>(MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) |
+| **Pro > Education** | ![supported, reboot required.](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) <br>(MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) |
+| **Pro > Enterprise** | ![supported, no reboot.](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) <br>(1703 - PC)<br>(1709 - MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) |
+| **Pro for Workstations > Pro Education** | ![supported, no reboot.](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) <br>(MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) |
+| **Pro for Workstations > Education** | ![supported, reboot required.](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) <br>(MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) |
+| **Pro for Workstations > Enterprise** | ![supported, no reboot.](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) | ![supported, no reboot](../images/check_blu.png) <br>(1703 - PC)<br>(1709 - MSfB) | ![supported, no reboot](../images/check_blu.png) | ![not supported](../images/x_blk.png) |
+| **Pro Education > Education** | ![supported, reboot required.](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) <br>(MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) |
+| **Enterprise > Education** | ![supported, reboot required.](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) | ![supported, reboot required](../images/check_grn.png) <br>(MSfB) | ![supported, reboot required](../images/check_grn.png) | ![not supported](../images/x_blk.png) |
 
 > [!NOTE]
 > - For information about upgrade paths in Windows 10 in S mode (for Pro or Education), check out [Windows 10 Pro/Enterprise in S mode](../windows-10-pro-in-s-mode.md)
diff --git a/windows/deployment/upgrade/windows-error-reporting.md b/windows/deployment/upgrade/windows-error-reporting.md
index 08c4982f9c..50aad1782d 100644
--- a/windows/deployment/upgrade/windows-error-reporting.md
+++ b/windows/deployment/upgrade/windows-error-reporting.md
@@ -63,7 +63,7 @@ Ten parameters are listed in the event:
 
 The event will also contain links to log files that can be used to perform a detailed diagnosis of the error.  An example of this event from a successful upgrade is shown below.
 
-![Windows Error Reporting](../images/event.png)
+![Windows Error Reporting.](../images/event.png)
 
 ## Related topics
 
diff --git a/windows/deployment/usmt/migration-store-types-overview.md b/windows/deployment/usmt/migration-store-types-overview.md
index 84a87a0aac..52b489720f 100644
--- a/windows/deployment/usmt/migration-store-types-overview.md
+++ b/windows/deployment/usmt/migration-store-types-overview.md
@@ -49,7 +49,7 @@ You use a command-line option,**/hardlink** , to create a hard-link migration st
 
 The following flowchart illustrates the procedural differences between a local migration store and a remote migration store. In this example, a hard-link migration store is used for the local store.
 
-![migration store comparison](images/dep-win8-l-usmt-migrationcomparemigstores.gif)
+![migration store comparison.](images/dep-win8-l-usmt-migrationcomparemigstores.gif)
 
 ## <a href="" id="bkmk-localvremote"></a>Local Store vs. Remote Store
 
diff --git a/windows/deployment/usmt/usmt-common-migration-scenarios.md b/windows/deployment/usmt/usmt-common-migration-scenarios.md
index 30930ac481..b94bc3041b 100644
--- a/windows/deployment/usmt/usmt-common-migration-scenarios.md
+++ b/windows/deployment/usmt/usmt-common-migration-scenarios.md
@@ -49,7 +49,7 @@ The following diagram shows a PC-refresh migration, also known as a computer ref
 
  
 
-![usmt pc refresh scenario](images/dep-win8-l-usmt-pcrefresh.jpg)
+![usmt pc refresh scenario.](images/dep-win8-l-usmt-pcrefresh.jpg)
 
  
 
@@ -100,7 +100,7 @@ The following diagram shows a PC-replacement migration. First, the administrator
 
  
 
-![usmt pc replace scenario](images/dep-win8-l-usmt-pcreplace.jpg)
+![usmt pc replace scenario.](images/dep-win8-l-usmt-pcreplace.jpg)
 
  
 
diff --git a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
index f32ee0d61e..10e7c2e418 100644
--- a/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
+++ b/windows/deployment/volume-activation/activate-using-active-directory-based-activation-client.md
@@ -55,7 +55,7 @@ The process proceeds as follows:
 3. Client computers are activated by receiving the activation object from a domain controller during startup.
 
     > [!div class="mx-imgBorder"]
-    > ![Active Directory-based activation flow](../images/volumeactivationforwindows81-10.jpg)
+    > ![Active Directory-based activation flow.](../images/volumeactivationforwindows81-10.jpg)
 
     **Figure 10**. The Active Directory-based activation flow
 
@@ -80,31 +80,31 @@ When a reactivation event occurs, the client queries AD DS for the activation o
 
 3. Add the Volume Activation Services role, as shown in Figure 11.
 
-    ![Adding the Volume Activation Services role](../images/volumeactivationforwindows81-11.jpg)
+    ![Adding the Volume Activation Services role.](../images/volumeactivationforwindows81-11.jpg)
 
     **Figure 11**. Adding the Volume Activation Services role
 
 4. Click the link to launch the Volume Activation Tools (Figure 12).
 
-    ![Launching the Volume Activation Tools](../images/volumeactivationforwindows81-12.jpg)
+    ![Launching the Volume Activation Tools.](../images/volumeactivationforwindows81-12.jpg)
 
     **Figure 12**. Launching the Volume Activation Tools
 
 5. Select the **Active Directory-Based Activation** option (Figure 13).
 
-    ![Selecting Active Directory-Based Activation](../images/volumeactivationforwindows81-13.jpg)
+    ![Selecting Active Directory-Based Activation.](../images/volumeactivationforwindows81-13.jpg)
 
     **Figure 13**. Selecting Active Directory-Based Activation
 
 6. Enter your KMS host key and (optionally) a display name (Figure 14).
 
-    ![Choosing how to activate your product](../images/volumeactivationforwindows81-15.jpg)
+    ![Choosing how to activate your product.](../images/volumeactivationforwindows81-15.jpg)
 
     **Figure 14**. Entering your KMS host key
 
 7. Activate your KMS host key by phone or online (Figure 15).
 
-    ![Entering your KMS host key](../images/volumeactivationforwindows81-14.jpg)
+    ![Entering your KMS host key.](../images/volumeactivationforwindows81-14.jpg)
     
     **Figure 15**. Choosing how to activate your product
 
diff --git a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md
index f9cfcf33ac..5fa4723874 100644
--- a/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md
+++ b/windows/deployment/volume-activation/activate-using-key-management-service-vamt.md
@@ -80,39 +80,39 @@ This scenario is commonly used in larger organizations that do not find the over
 2. Launch Server Manager.
 3. Add the Volume Activation Services role, as shown in Figure 4.
 
-   ![Adding the Volume Activation Services role in Server Manager](../images/volumeactivationforwindows81-04.jpg)
+   ![Adding the Volume Activation Services role in Server Manager.](../images/volumeactivationforwindows81-04.jpg)
 
    **Figure 4**. Adding the Volume Activation Services role in Server Manager
 
 4. When the role installation is complete, click the link to launch the Volume Activation Tools (Figure 5).
 
-   ![Launching the Volume Activation Tools](../images/volumeactivationforwindows81-05.jpg)
+   ![Launching the Volume Activation Tools.](../images/volumeactivationforwindows81-05.jpg)
 
    **Figure 5**. Launching the Volume Activation Tools
 
 5. Select the **Key Management Service (KMS)** option, and specify the computer that will act as the KMS host (Figure 6).
       This can be the same computer on which you installed the role or another computer. For example, it can be a client computer running Windows 10.
 
-   ![Configuring the computer as a KMS host](../images/volumeactivationforwindows81-06.jpg)
+   ![Configuring the computer as a KMS host.](../images/volumeactivationforwindows81-06.jpg)
 
    **Figure 6**. Configuring the computer as a KMS host
 
 6. Install your KMS host key by typing it in the text box, and then click **Commit** (Figure 7).
 
-   ![Installing your KMS host key](../images/volumeactivationforwindows81-07.jpg)
+   ![Installing your KMS host key.](../images/volumeactivationforwindows81-07.jpg)
 
    **Figure 7**. Installing your KMS host key
 
 7. If asked to confirm replacement of an existing key, click **Yes**.
 8. After the product key is installed, you must activate it. Click **Next** (Figure 8).
 
-   ![Activating the software](../images/volumeactivationforwindows81-08.jpg)
+   ![Activating the software.](../images/volumeactivationforwindows81-08.jpg)
 
    **Figure 8**. Activating the software
 
    The KMS key can be activated online or by phone. See Figure 9.
 
-   ![Choosing to activate online](../images/volumeactivationforwindows81-09.jpg)
+   ![Choosing to activate online.](../images/volumeactivationforwindows81-09.jpg)
 
    **Figure 9**. Choosing to activate online
 
diff --git a/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md b/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md
index b88d65def4..728b60519b 100644
--- a/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md
+++ b/windows/deployment/volume-activation/activate-windows-10-clients-vamt.md
@@ -99,12 +99,12 @@ A MAK is used for one-time activation with Microsoft’s hosted activation servi
 You can activate computers by using a MAK in two ways:
 -   **MAK independent activation**. Each computer independently connects and is activated with Microsoft over the Internet or by telephone. MAK independent activation is best suited to computers within an organization that do not maintain a connection to the corporate network. MAK independent activation is shown in Figure 16.
 
-    ![MAK independent activation](../images/volumeactivationforwindows81-16.jpg)
+    ![MAK independent activation.](../images/volumeactivationforwindows81-16.jpg)
     
     **Figure 16**. MAK independent activation
 -   **MAK proxy activation**. MAK proxy activation enables a centralized activation request on behalf of multiple computers with one connection to Microsoft. You configure MAK proxy activation by using the VAMT. MAK proxy activation is appropriate for environments in which security concerns restrict direct access to the Internet or the corporate network. It is also suited for development and test labs that lack this connectivity. MAK proxy activation with the VAMT is shown in Figure 17.
 
-    ![MAK proxy activation with the VAMT](../images/volumeactivationforwindows81-17.jpg)
+    ![MAK proxy activation with the VAMT.](../images/volumeactivationforwindows81-17.jpg)
     
     **Figure 17**. MAK proxy activation with the VAMT
 
diff --git a/windows/deployment/volume-activation/add-remove-computers-vamt.md b/windows/deployment/volume-activation/add-remove-computers-vamt.md
index 4e2248db96..e671e92d02 100644
--- a/windows/deployment/volume-activation/add-remove-computers-vamt.md
+++ b/windows/deployment/volume-activation/add-remove-computers-vamt.md
@@ -34,7 +34,7 @@ Before adding computers, ensure that the Windows Management Instrumentation (WMI
 5.  VAMT searches for the specified computers and adds them to the VAMT database. During the search, VAMT displays the **Finding computers** message shown below.
     To cancel the search, click **Cancel**. When the search is complete the names of the newly-discovered computers appear in the product list view in the center pane.
     
-    ![VAMT, Finding computers dialog box](images/dep-win8-l-vamt-findingcomputerdialog.gif)
+    ![VAMT, Finding computers dialog box.](images/dep-win8-l-vamt-findingcomputerdialog.gif)
     
     **Important**  
     This step adds only the computers to the VAMT database, and not the products that are installed on the computers. To add the products, you need to run the **Update license status** function.
diff --git a/windows/deployment/volume-activation/configure-client-computers-vamt.md b/windows/deployment/volume-activation/configure-client-computers-vamt.md
index 87cb8d7b0f..5cbd41f410 100644
--- a/windows/deployment/volume-activation/configure-client-computers-vamt.md
+++ b/windows/deployment/volume-activation/configure-client-computers-vamt.md
@@ -45,7 +45,7 @@ Enable the VAMT to access client computers using the **Windows Firewall** Contro
 
 Enable the VAMT to access client computers across multiple subnets using the **Windows Firewall with Advanced Security** Control Panel:
 
-![VAMT Firewall configuration for multiple subnets](images/dep-win8-l-vamt-firewallconfigurationformultiplesubnets.gif)
+![VAMT Firewall configuration for multiple subnets.](images/dep-win8-l-vamt-firewallconfigurationformultiplesubnets.gif)
 
 1. Open the Control Panel and double-click **Administrative Tools**.
 2. Click **Windows Firewall with Advanced Security**.
diff --git a/windows/deployment/volume-activation/install-vamt.md b/windows/deployment/volume-activation/install-vamt.md
index f462f8655f..0b67293d6a 100644
--- a/windows/deployment/volume-activation/install-vamt.md
+++ b/windows/deployment/volume-activation/install-vamt.md
@@ -49,7 +49,7 @@ You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for
 
 5. On the completion page, note the instance name for your installation, select **Close**, and then select **Yes**. 
 
-    ![In this example, the instance name is SQLEXPRESS01](images/sql-instance.png)
+    ![In this example, the instance name is SQLEXPRESS01.](images/sql-instance.png)
 
 ### Install VAMT using the ADK
 
@@ -73,7 +73,7 @@ You install VAMT as part of the Windows Assessment and Deployment Kit (ADK) for
 
 2. Enter the server instance name (for a remote SQL use the FQDN) and a name for the database, select **Connect**, and then select **Yes** to create the database. See the following image for an example for SQL.
 
-   ![Server name is .\SQLEXPRESS and database name is VAMT](images/vamt-db.png)
+   ![Server name is .\SQLEXPRESS and database name is VAMT.](images/vamt-db.png)
 
    For remote SQL Server, use `servername.yourdomain.com`.
 
diff --git a/windows/deployment/volume-activation/introduction-vamt.md b/windows/deployment/volume-activation/introduction-vamt.md
index 45619726e9..91d2d8540b 100644
--- a/windows/deployment/volume-activation/introduction-vamt.md
+++ b/windows/deployment/volume-activation/introduction-vamt.md
@@ -45,7 +45,7 @@ VAMT treats a KMS Host key (CSVLK) product key identically to a retail-type prod
 
 VAMT is commonly implemented in enterprise environments. The following illustrates three common environments—Core Network, Secure Zone, and Isolated Lab.
 
-![VAMT in the enterprise](images/dep-win8-l-vamt-image001-enterprise.jpg)
+![VAMT in the enterprise.](images/dep-win8-l-vamt-image001-enterprise.jpg)
 
 In the Core Network environment, all computers are within a common network managed by Active Directory® Domain Services (AD DS). The Secure Zone represents higher-security Core Network computers that have additional firewall protection.
 The Isolated Lab environment is a workgroup that is physically separate from the Core Network, and its computers do not have Internet access. The network security policy states that no information that could identify a specific computer or user may be transferred out of the Isolated Lab.
@@ -54,7 +54,7 @@ The Isolated Lab environment is a workgroup that is physically separate from the
 
 The following screenshot shows the VAMT graphical user interface.
 
-![VAMT user interface](images/vamtuserinterfaceupdated.jpg)
+![VAMT user interface.](images/vamtuserinterfaceupdated.jpg)
 
 VAMT provides a single, graphical user interface for managing activations, and for performing other activation-related tasks such as:
 
diff --git a/windows/deployment/volume-activation/plan-for-volume-activation-client.md b/windows/deployment/volume-activation/plan-for-volume-activation-client.md
index 443e1e417b..71d990f500 100644
--- a/windows/deployment/volume-activation/plan-for-volume-activation-client.md
+++ b/windows/deployment/volume-activation/plan-for-volume-activation-client.md
@@ -120,7 +120,7 @@ In the core network, a centralized KMS solution is recommended. You can also use
 
 A typical core network that includes a KMS host is shown in Figure 1.
 
-![Typical core network](../images/volumeactivationforwindows81-01.jpg)
+![Typical core network.](../images/volumeactivationforwindows81-01.jpg)
 
 **Figure 1**. Typical core network
 
@@ -140,7 +140,7 @@ If the isolated network cannot communicate with the core network’s KMS server,
 
 If the network is fully isolated, MAK-independent activation would be the recommended choice, perhaps using the telephone option. But VAMT proxy activation may also be possible. You can also use MAKs to activate new computers during setup, before they are placed in the isolated network.
 
-![New KMS host in an isolated network](../images/volumeactivationforwindows81-02.jpg)
+![New KMS host in an isolated network.](../images/volumeactivationforwindows81-02.jpg)
 
 **Figure 2**. New KMS host in an isolated network
 
@@ -222,7 +222,7 @@ The flow of KMS activation is shown in Figure 3, and it follows this sequence:
 7.  If the KMS host has a KMS host key that matches the products in the GVLK, the KMS host sends a single packet back to the client. This packet contains a count of the number of computers that have requested activation from this KMS host.
 8.  If the count exceeds the activation threshold for the product that is being activated, the client is activated. If the activation threshold has not yet been met, the client will try again.
 
-![KMS activation flow](../images/volumeactivationforwindows81-03.jpg)
+![KMS activation flow.](../images/volumeactivationforwindows81-03.jpg)
 
 **Figure 3**. KMS activation flow
 
diff --git a/windows/deployment/volume-activation/scenario-online-activation-vamt.md b/windows/deployment/volume-activation/scenario-online-activation-vamt.md
index 2716a475b8..118a656e49 100644
--- a/windows/deployment/volume-activation/scenario-online-activation-vamt.md
+++ b/windows/deployment/volume-activation/scenario-online-activation-vamt.md
@@ -25,7 +25,7 @@ In this scenario, the Volume Activation Management Tool (VAMT) is deployed in th
 -   Retail
 The Secure Zone represents higher-security Core Network computers that have additional firewall protection.
 
-![VAMT firewall configuration for multiple subnets](images/dep-win8-l-vamt-makindependentactivationscenario.jpg)
+![VAMT firewall configuration for multiple subnets.](images/dep-win8-l-vamt-makindependentactivationscenario.jpg)
 
 ## In This Topic
 -   [Install and start VAMT on a networked host computer](#bkmk-partone)
diff --git a/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md b/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md
index 84e0a8ea19..d3b906680d 100644
--- a/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md
+++ b/windows/deployment/volume-activation/scenario-proxy-activation-vamt.md
@@ -19,7 +19,7 @@ ms.topic: article
 
 In this scenario, the Volume Activation Management Tool (VAMT) is used to activate products that are installed on workgroup computers in an isolated lab environment. For workgroups which are isolated from the larger network, you can perform proxy activation of Multiple Activation Keys (MAKs), KMS Host keys (CSVLKs), Generic Volume License Keys (GVLKs) (or KMS client keys), or retail keys. Proxy activation is performed by installing a second instance of VAMT on a computer in the isolated workgroup. You can then use removable media to transfer VAMT Computer Information Lists (CILXs) between the instance of VAMT in the isolated workgroup and another VAMT host that has Internet access. The following diagram shows a Multiple Activation Key (MAK) proxy activation scenario:
 
-![VAMT MAK proxy activation scenario](images/dep-win8-l-vamt-makproxyactivationscenario.jpg)
+![VAMT MAK proxy activation scenario.](images/dep-win8-l-vamt-makproxyactivationscenario.jpg)
 
 ## Step 1: Install VAMT on a Workgroup Computer in the Isolated Lab
 
diff --git a/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md b/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md
index c8e7913ed2..562251c0a9 100644
--- a/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md
+++ b/windows/deployment/volume-activation/use-the-volume-activation-management-tool-client.md
@@ -51,7 +51,7 @@ You can use the VAMT to complete the activation process in products by using MAK
 
 The VAMT provides an overview of the activation and licensing status of computers across your network, as shown in Figure 18. Several prebuilt reports are also available to help you proactively manage licensing.
 
-![VAMT showing the licensing status of multiple computers](../images/volumeactivationforwindows81-18.jpg)
+![VAMT showing the licensing status of multiple computers.](../images/volumeactivationforwindows81-18.jpg)
 
 **Figure 18**. The VAMT showing the licensing status of multiple computers
 
@@ -59,7 +59,7 @@ The VAMT provides an overview of the activation and licensing status of computer
 
 The VAMT makes it easier to track the various keys that are issued to your organization. You can enter each key into VAMT, and then the VAMT can use those keys for online or proxy activation of clients. The tool can also describe what type of key it is and to which product group it belongs. The VAMT is the most convenient way to quickly determine how many activations remain on a MAK. Figure 19 shows an example of key types and usage.
 
-![VAMT showing key types and usage](../images/volumeactivationforwindows81-19.jpg)
+![VAMT showing key types and usage.](../images/volumeactivationforwindows81-19.jpg)
 
 **Figure 19**. The VAMT showing key types and usage
 
diff --git a/windows/deployment/volume-activation/vamt-known-issues.md b/windows/deployment/volume-activation/vamt-known-issues.md
index 844c46ba14..55fd4c1684 100644
--- a/windows/deployment/volume-activation/vamt-known-issues.md
+++ b/windows/deployment/volume-activation/vamt-known-issues.md
@@ -30,7 +30,7 @@ The current known issues with the Volume Activation Management Tool (VAMT), vers
 
 Another known issue is that when you try to add a Windows 10 Key Management Service (KMS) Host key (CSVLK) or a Windows Server 2012 R2 for Windows 10 CSVLK into VAMT 3.1 (version 10.0.10240.0), you receive the error message shown here.
 
-![VAMT error message](./images/vamt-known-issue-message.png)
+![VAMT error message.](./images/vamt-known-issue-message.png)
 
 This issue occurs because VAMT 3.1 does not contain the correct Pkconfig files to recognize this kind of key. To work around this issue, use one of the following methods.
 
diff --git a/windows/deployment/windows-10-deployment-posters.md b/windows/deployment/windows-10-deployment-posters.md
index 3bda096ca5..2a0f0da2a9 100644
--- a/windows/deployment/windows-10-deployment-posters.md
+++ b/windows/deployment/windows-10-deployment-posters.md
@@ -26,13 +26,13 @@ The following posters step through various options for deploying Windows 10 with
 
 The Windows Autopilot poster is two pages in portrait mode (11x17). Click the image to view a PDF in your browser. You can also download this poster in [PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/deployment/media/Windows10AutopilotFlowchart.pdf) or [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/deployment/media/Windows10Autopilotflowchart.vsdx) format.
 
-[![Deploy Windows 10 with Autopilot](./media/windows10-autopilot-flowchart.png)](./media/Windows10AutopilotFlowchart.pdf)
+[![Deploy Windows 10 with Autopilot.](./media/windows10-autopilot-flowchart.png)](./media/Windows10AutopilotFlowchart.pdf)
 
 ## Deploy Windows 10 with Microsoft Endpoint Configuration Manager
 
 The Configuration Manager poster is one page in landscape mode (17x11). Click the image to view a PDF in your browser. You can also download this poster in [PDF](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/deployment/media/Windows10DeploymentConfigManager.pdf) or [Visio](https://github.com/MicrosoftDocs/windows-itpro-docs/raw/public/windows/deployment/media/Windows10DeploymentConfigManager.vsdx) format.
 
-[![Deploy Windows 10 with Configuration Manager](./media/windows10-deployment-config-manager.png)](./media/Windows10DeploymentConfigManager.pdf)
+[![Deploy Windows 10 with Configuration Manager.](./media/windows10-deployment-config-manager.png)](./media/Windows10DeploymentConfigManager.pdf)
 
 ## See also
 
diff --git a/windows/deployment/windows-10-media.md b/windows/deployment/windows-10-media.md
index a90baefd20..0e160f2943 100644
--- a/windows/deployment/windows-10-media.md
+++ b/windows/deployment/windows-10-media.md
@@ -42,7 +42,7 @@ Windows 10, version 1709 is available starting on 10/17/2017 in all relevant dis
 
 For ISOs that you download from the VLSC or Visual Studio Subscriptions, you can still search for the individual Windows editions. However, each of these editions (Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education) will point to the same ISO file, so you only need to download the ISO once. A single Windows image (WIM) file is included in the ISO that contains all the volume licensing images:
 
-![Images](images/table01.png)
+![Images.](images/table01.png)
 
 When using the contents of these ISOs with tools such as the Microsoft Deployment Toolkit or Microsoft Endpoint Configuration Manager, make sure you select the appropriate image index in any task sequences that you create or update.
 
@@ -69,7 +69,7 @@ This Semi-Annual Channel release of Windows 10 continues the Windows as a servic
 
 See the following example for Windows 10, version 1709:
 
-![Windows 10, version 1709 lang pack](images/lang-pack-1709.png)
+![Windows 10, version 1709 lang pack.](images/lang-pack-1709.png)
 
 ### Features on demand
 
diff --git a/windows/deployment/windows-10-poc-mdt.md b/windows/deployment/windows-10-poc-mdt.md
index 7e6d238721..9d18e1af46 100644
--- a/windows/deployment/windows-10-poc-mdt.md
+++ b/windows/deployment/windows-10-poc-mdt.md
@@ -284,7 +284,7 @@ This procedure will demonstrate how to deploy the reference image to the PoC env
 
 10. In the **Operating Systems** > **Windows 10** node, double-click the operating system that was added to view its properties. Change the operating system name to **Windows 10 Enterprise x64 Custom Image** and then click **OK**. See the following example:
 
-    ![custom image](images/image.png)
+    ![custom image.](images/image.png)
 
 
 ### Create the deployment task sequence
@@ -459,7 +459,7 @@ This procedure will demonstrate how to deploy the reference image to the PoC env
 7. On SRV1, in the Deployment Workbench console, click on **Monitoring** and view the status of installation. Right-click **Monitoring** and click **Refresh** if no data is displayed.
 8. OS installation requires about 10 minutes. When the installation is complete, the system will reboot automatically, configure devices, and install updates, requiring another 10-20 minutes.  When the new client computer is finished updating, click **Finish**. You will be automatically signed in to the local computer as administrator.
     
-    ![finish](images/deploy-finish.png)
+    ![finish.](images/deploy-finish.png)
 
 
 This completes the demonstration of how to deploy a reference image to the network. To conserve resources, turn off the PC2 VM before starting the next section.
diff --git a/windows/deployment/windows-10-poc-sc-config-mgr.md b/windows/deployment/windows-10-poc-sc-config-mgr.md
index 603113f920..d69cc3b5db 100644
--- a/windows/deployment/windows-10-poc-sc-config-mgr.md
+++ b/windows/deployment/windows-10-poc-sc-config-mgr.md
@@ -331,7 +331,7 @@ WDSUTIL /Set-Server /AnswerClients:None
    - **Respond to PXE requests on specific network interfaces**: Click the yellow starburst and then enter the MAC address determined in the first step of this procedure.
 
      See the following example:
-     ![Config Mgr PXE](images/configmgr-pxe.png)
+     ![Config Mgr PXE.](images/configmgr-pxe.png)
 
 5. Click **OK**.
 6. Wait for a minute, then type the following command at an elevated Windows PowerShell prompt on SRV1, and verify that the files displayed are present:
@@ -803,7 +803,7 @@ In this first deployment scenario, we will deploy Windows 10 using PXE. This sce
 
 >Before starting this section, you can delete computer objects from Active Directory that were created as part of previous deployment procedures. Use the Active Directory Users and Computers console on DC1 to remove stale entries under contoso.com\Computers, but do not delete the computer account (hostname) for PC1. There should be at least two computer accounts present in the contoso.com\Computers container: one for SRV1, and one for the hostname of PC1. It is not required to delete the stale entries, this is only done to remove clutter.
 
-![contoso.com\Computers](images/poc-computers.png)
+![contoso.com\Computers.](images/poc-computers.png)
 
 In the replace procedure, PC1 will not be migrated to a new operating system. It is simplest to perform this procedure before performing the refresh procedure. After refreshing PC1, the operating system will be new. The next (replace) procedure does not install a new operating system on PC1 but rather performs a side-by-side migration of PC1 and another computer (PC4), to copy users and settings from PC1 to the new computer.
 
@@ -907,7 +907,7 @@ The **Client** column indicates that the Configuration Manager client is not cur
 
 14. Click the **Site** tab, click **Configure Settings**, and click **Find Site**. The client will report that it has found the PS1 site. See the following example:
 
-    ![site](images/configmgr-site.png)
+    ![site.](images/configmgr-site.png)
 
     If the client is not able to find the PS1 site, review any error messages that are displayed in **C:\Windows\CCM\Logs\ClientIDManagerStartup.log** and **LocationServices.log**. A common reason the site code is not located is because a previous configuration exists. For example, if a previous site code is configured at **HKLM\SOFTWARE\Microsoft\SMS\Mobile Client\GPRequestedSiteAssignmentCode** this must be deleted or updated.
 
@@ -915,7 +915,7 @@ The **Client** column indicates that the Configuration Manager client is not cur
 
 16. Click **All Desktop and Server Clients** and verify that the computer account for PC1 is displayed here with **Yes** and **Active** in the **Client** and **Client Activity** columns, respectively. You might have to refresh the view and wait few minutes for the client to appear here.  See the following example:
 
-    ![client](images/configmgr-client.png)
+    ![client.](images/configmgr-client.png)
 
     >It might take several minutes for the client to fully register with the site and complete a client check. When it is complete you will see a green check mark over the client icon as shown above. To refresh the client, click it and then press **F5** or right-click the client and click **Refresh**.
 
@@ -976,7 +976,7 @@ The **Client** column indicates that the Configuration Manager client is not cur
 
 11. Click **Device Collections** and then double-click **Install Windows 10 Enterprise x64**. Verify that **PC4** is displayed in the collection. You might have to update and refresh the collection, or wait a few minutes, but do not proceed until PC4 is available. See the following example:
 
-    ![collection](images/configmgr-collection.png)
+    ![collection.](images/configmgr-collection.png)
 
 ### Create a device collection for PC1
 
@@ -1026,7 +1026,7 @@ In the Configuration Manager console, in the Software Library workspace under Op
 
 4. In the Software Center , click **Available Software** and then select the **Replace Task Sequence** checkbox. See the following example:
 
-    ![software](images/configmgr-software-cntr.png)
+    ![software.](images/configmgr-software-cntr.png)
 
     >If you do not see any available software, try running step #2 again to start the Machine Policy Retrieval & Evaluation Cycle. You should see an alert that new software is available.
 
@@ -1064,17 +1064,17 @@ In the Configuration Manager console, in the Software Library workspace under Op
 3. On PC1, in the notification area, click **New software is available** and then click **Open Software Center**.
 4. In the Software Center, click **Operating Systems**, click **Windows 10 Enterprise x64**, click **Install** and then click **INSTALL OPERATING SYSTEM**. See the following example:
 
-    ![installOS](images/configmgr-install-os.png)
+    ![installOS.](images/configmgr-install-os.png)
 
     The computer will restart several times during the installation process. Installation includes downloading updates, reinstalling the Configuration Manager Client Agent, and restoring the user state. You can view status of the installation in the Configuration Manager console by accessing the Monitoring workspace, clicking **Deployments**, and then double-clicking the deployment associated with the **Install Windows 10 Enterprise x64** collection. Under **Asset Details**, right-click the device and then click **More Details**. Click the **Status** tab to see a list of tasks that have been performed.  See the following example:
 
-    ![asset](images/configmgr-asset.png)
+    ![asset.](images/configmgr-asset.png)
 
     You can also monitor progress of the installation by using the MDT deployment workbench and viewing the **Monitoring** node under **Deployment Shares\MDT Production**.
 
     When installation has completed, sign in using the contoso\administrator account or the contoso\user1 account and verify that applications and settings have been successfully backed up and restored to your new Windows 10 Enterprise operating system.
 
-    ![post-refresh](images/configmgr-post-refresh.png) 
+    ![post-refresh.](images/configmgr-post-refresh.png) 
 
 ## Related Topics
 
diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md
index 319121950d..d4a667a65b 100644
--- a/windows/deployment/windows-10-poc.md
+++ b/windows/deployment/windows-10-poc.md
@@ -150,7 +150,7 @@ Hardware requirements are displayed below:
 
 The lab architecture is summarized in the following diagram:
 
-![PoC diagram](images/poc.png)
+![PoC diagram.](images/poc.png)
 
 - Computer 1 is configured to host four VMs on a private, PoC network.
     - Two VMs are running Windows Server 2012 R2 with required network services and tools installed.
@@ -224,9 +224,9 @@ Starting with Windows 8, the host computer’s microprocessor must support secon
 
     >Alternatively, you can install Hyper-V using the Control Panel in Windows under **Turn Windows features on or off** for a client operating system, or using Server Manager's **Add Roles and Features Wizard** on a server operating system, as shown below:
 
-    ![hyper-v features](images/hyper-v-feature.png)
+    ![hyper-v features.](images/hyper-v-feature.png)
 
-    ![hyper-v](images/svr_mgr2.png)
+    ![hyper-v.](images/svr_mgr2.png)
 
     <P>If you choose to install Hyper-V using Server Manager, accept all default selections. Also be sure to install both items under <strong>Role Administration Tools\Hyper-V Management Tools</strong>.
 
@@ -449,7 +449,7 @@ Notes:<BR>
 3. Select the checkboxes next to the **C:\\** and the **system reserved** (BIOS/MBR) volumes. The system volume is not assigned a drive letter, but will be displayed in the Disk2VHD tool with a volume label similar to **\\?\Volume{**. See the following example. **Important**: You must include the system volume in order to create a bootable VHD. If this volume is not displayed in the disk2vhd tool, then the computer is likely to be using the GPT partition style. For more information, see [Determine VM generation](#determine-vm-generation).
 4. Specify a location to save the resulting VHD or VHDX file (F:\VHD\w7.vhdx in the following example) and click **Create**. See the following example:
 
-    ![disk2vhd 1](images/disk2vhd.png)
+    ![disk2vhd 1.](images/disk2vhd.png)
 
     >Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive.
 
@@ -482,7 +482,7 @@ Notes:<BR>
 
 5. Specify a location to save the resulting VHD or VHDX file (F:\VHD\PC1.vhdx in the following example) and click **Create**. See the following example:
 
-    ![disk2vhd 2](images/disk2vhd-gen2.png)
+    ![disk2vhd 2.](images/disk2vhd-gen2.png)
 
     >Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive.
 
@@ -506,7 +506,7 @@ Notes:<BR>
 3. Select the checkbox next to the **C:\\** volume and clear the checkbox next to **Use Vhdx**. Note: the system volume is not copied in this scenario, it will be added later.
 4. Specify a location to save the resulting VHD file (F:\VHD\w7.vhd in the following example) and click **Create**. See the following example:
 
-    ![disk2vhd 3](images/disk2vhd4.png)
+    ![disk2vhd 3.](images/disk2vhd4.png)
 
     >Disk2vhd can save VHDs to local hard drives, even if they are the same as the volumes being converted. Performance is better however when the VHD is saved on a disk different than those being converted, such as a flash drive.
 
@@ -821,7 +821,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
 
 15. After signing in, the operating system detects that it is running in a new environment. New drivers will be automatically installed, including the network adapter driver. The network adapter driver must be updated before you can proceed, so that you will be able to join the contoso.com domain. Depending on the resources allocated to PC1, installing the network adapter driver might take a few minutes. You can monitor device driver installation by clicking **Show hidden icons** in the notification area.
 
-    ![PoC 1](images/installing-drivers.png)
+    ![PoC 1.](images/installing-drivers.png)
 
     >If the client was configured with a static address, you must change this to a dynamic one so that it can obtain a DHCP lease.
 
@@ -879,7 +879,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
 
     See the following example:
 
-    ![ISE 1](images/ISE.png)
+    ![ISE 1.](images/ISE.png)
 
 19. Click **File**, click **Save As**, and save the commands as **c:\VHD\pc1.ps1** on the Hyper-V host.
 20. In the (lower) terminal input window, type the following commands to enable Guest Service Interface on PC1 and then use this service to copy the script to PC1:
diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md
index 447ea81cfb..16e8c70c2a 100644
--- a/windows/deployment/windows-10-subscription-activation.md
+++ b/windows/deployment/windows-10-subscription-activation.md
@@ -65,7 +65,7 @@ To support Inherited Activation, both the host computer and the VM must be runni
 
 The following figure illustrates how deploying Windows 10 has evolved with each release. With this release, deployment is automatic.
 
-![Illustration of how Windows 10 deployment has evolved](images/sa-evolution.png)
+![Illustration of how Windows 10 deployment has evolved.](images/sa-evolution.png)
 
 - **Windows 7** required you to redeploy the operating system using a full wipe-and-load process if you wanted to change from Windows 7 Professional to Windows 10 Enterprise.<br>
 
@@ -117,11 +117,11 @@ If the device is running Windows 10, version 1809 or later:
 
 - When the user signs in on a Hybrid Azure AD joined device with MFA enabled, a notification will indicate that there is a problem. Click the notification and then click **Fix now** to step through the subscription activation process. See the example below:
 
-   ![Subscription Activation with MFA example 1](images/sa-mfa1.png)<br>
+   ![Subscription Activation with MFA example 1.](images/sa-mfa1.png)<br>
 
-   ![Subscription Activation with MFA example 2](images/sa-mfa2.png)<br>
+   ![Subscription Activation with MFA example 2.](images/sa-mfa2.png)<br>
 
-   ![Subscription Activation with MFA example 3](images/sa-mfa3.png)
+   ![Subscription Activation with MFA example 3.](images/sa-mfa3.png)
 
 ### Windows 10 Education requirements
 
@@ -162,7 +162,7 @@ The device is AAD joined from **Settings > Accounts > Access work or school**.
 
 The IT administrator assigns Windows 10 Enterprise to a user. See the following figure.
 
-![Windows 10 Enterprise](images/ent.png)
+![Windows 10 Enterprise.](images/ent.png)
 
 When a licensed user signs in to a device that meets requirements using their Azure AD credentials, the operating system steps up from Windows 10 Pro to Windows 10 Enterprise (or Windows 10 Pro Education to Windows 10 Education) and all the appropriate Windows 10 Enterprise/Education features are unlocked. When a user’s subscription expires or is transferred to another user, the device reverts seamlessly to Windows 10 Pro / Windows 10 Pro Education edition, once current subscription validity expires.
 
@@ -171,10 +171,10 @@ Devices running Windows 10 Pro, version 1703 or Windows 10 Pro Education, versio
 The following figures summarize how the Subscription Activation model works:
 
 Before Windows 10, version 1903:<br>
-![1703](images/before.png)
+![1703.](images/before.png)
 
 After Windows 10, version 1903:<br>
-![1903](images/after.png)
+![1903.](images/after.png)
 
 > [!NOTE]
 > 
diff --git a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
index d132aa99a6..74e099fc82 100644
--- a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
+++ b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
@@ -115,9 +115,9 @@ When you are prompted to restart the computer, choose **Yes**. The computer migh
 
 Alternatively, you can install Hyper-V using the Control Panel in Windows under **Turn Windows features on or off** for a client operating system, or using Server Manager's **Add Roles and Features Wizard** on a server operating system, as shown below:
 
-   ![Hyper-V feature](images/hyper-v-feature.png)
+   ![Hyper-V feature.](images/hyper-v-feature.png)
 
-   ![Hyper-V](images/svr_mgr2.png)
+   ![Hyper-V.](images/svr_mgr2.png)
 
 <P>If you choose to install Hyper-V using Server Manager, accept all default selections. Also be sure to install both items under <strong>Role Administration Tools\Hyper-V Management Tools</strong>.
 
@@ -232,21 +232,21 @@ PS C:\autopilot&gt;
 
 Ensure the VM booted from the installation ISO, click **Next** then click **Install now** and complete the Windows installation process. See the following examples:
 
-   ![Windows setup example 1](images/winsetup1.png)
-   ![Windows setup example 2](images/winsetup2.png)
-   ![Windows setup example 3](images/winsetup3.png)
-   ![Windows setup example 4](images/winsetup4.png)
-   ![Windows setup example 5](images/winsetup5.png)
-   ![Windows setup example 6](images/winsetup6.png)
+   ![Windows setup example 1.](images/winsetup1.png)
+   ![Windows setup example 2.](images/winsetup2.png)
+   ![Windows setup example 3.](images/winsetup3.png)
+   ![Windows setup example 4.](images/winsetup4.png)
+   ![Windows setup example 5.](images/winsetup5.png)
+   ![Windows setup example 6.](images/winsetup6.png)
 
 After the VM restarts, during OOBE, it's fine to select **Set up for personal use** or **Domain join instead** and then choose an offline account on the **Sign in** screen.  This will offer the fastest way to the desktop. For example:
 
-   ![Windows setup example 7](images/winsetup7.png)
+   ![Windows setup example 7.](images/winsetup7.png)
 
 Once the installation is complete, sign in and verify that you are at the Windows 10 desktop, then create your first Hyper-V checkpoint. Checkpoints are used to restore the VM to a previous state.
 
    > [!div class="mx-imgBorder"]
-   > ![Windows setup example 8](images/winsetup8.png)
+   > ![Windows setup example 8.](images/winsetup8.png)
 
 To create a checkpoint, open an elevated Windows PowerShell prompt on the computer running Hyper-V (not on the VM) and run the following:
 
@@ -322,7 +322,7 @@ Follow these steps to run the PowerShell script:
    > [!NOTE]
    > Although the .csv extension might be associated with Microsoft Excel, you cannot view the file properly by double-clicking it. To correctly parse the comma delimiters and view the file in Excel, you must use the **Data** > **From Text/CSV** function in Excel to import the appropriate data columns. You don't need to view the file in Excel unless you are curious. The file format will be validated when it is imported into Autopilot. An example of the data in this file is shown below.
 
-   ![Serial number and hardware hash](images/hwid.png)
+   ![Serial number and hardware hash.](images/hwid.png)
 
    You will need to upload this data into Intune to register your device for Autopilot, so the next step is to transfer this file to the computer you will use to access the Azure portal.  If you are using a physical device instead of a VM, you can copy the file to a USB stick.  If you’re using a VM, you can right-click the AutopilotHWID.csv file and copy it, then right-click and paste the file to your desktop (outside the VM).
 
@@ -338,11 +338,11 @@ With the hardware ID captured in a file, prepare your Virtual Machine for Window
 On the Virtual Machine, go to **Settings > Update & Security > Recovery** and click on **Get started** under **Reset this PC**.
 Select **Remove everything** and **Just remove my files**. If you are asked **How would you like to reinstall Windows**, select Local reinstall. Finally, click on **Reset**.
 
-![Reset this PC final prompt](images/autopilot-reset-prompt.jpg)
+![Reset this PC final prompt.](images/autopilot-reset-prompt.jpg)
 
 Resetting the VM or device can take a while. Proceed to the next step (verify subscription level) during the reset process.
 
-![Reset this PC screen capture](images/autopilot-reset-progress.jpg)
+![Reset this PC screen capture.](images/autopilot-reset-progress.jpg)
 
 ## Verify subscription level
 
@@ -350,13 +350,13 @@ For this lab, you need an AAD Premium subscription.  You can tell if you have a
 
 **Azure Active Directory** > **Mobility (MDM and MAM)** > **Microsoft Intune**
 
-![MDM and Intune](images/mdm-intune2.png)
+![MDM and Intune.](images/mdm-intune2.png)
 
 If the configuration blade shown above does not appear, it's likely that you don't have a **Premium** subscription.  Auto-enrollment is a feature only available in AAD Premium.
 
 To convert your Intune trial account to a free Premium trial account, navigate to **Azure Active Directory** > **Licenses** > **All products** > **Try / Buy** and select **Free trial** for Azure AD Premium, or EMS E5.
 
-![License conversion option](images/aad-lic1.png)
+![License conversion option.](images/aad-lic1.png)
 
 ## Configure company branding
 
@@ -367,7 +367,7 @@ If you already have company branding configured in Azure Active Directory, you c
 
 Navigate to [Company branding in Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/LoginTenantBranding), click on **Configure** and configure any type of company branding you'd like to see during the OOBE.
 
-![Configure company branding](images/branding.png)
+![Configure company branding.](images/branding.png)
 
 When you are finished, click **Save**.
 
@@ -382,7 +382,7 @@ Open [Mobility (MDM and MAM) in Azure Active Directory](https://portal.azure.com
 
 For the purposes of this demo, select **All** under the **MDM user scope** and click **Save**.
 
-![MDM user scope in the Mobility blade](images/ap-aad-mdm.png)
+![MDM user scope in the Mobility blade.](images/ap-aad-mdm.png)
 
 ## Register your VM
 
@@ -392,14 +392,14 @@ Your VM (or device) can be registered either via Intune or Microsoft Store for B
 
 1. In the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/), choose **Devices** > **Device enrollment | Enroll devices** > **Windows enrollment** > **Windows Autopilot Deployment Program | Devices** and then on the **Windows Autopilot devices** page, choose **Import**.
 
-    ![Intune device import](images/enroll1.png)
+    ![Intune device import.](images/enroll1.png)
 
     > [!NOTE]
     > If menu items like **Windows enrollment** are not active for you, then look to the far-right blade in the UI.  You might need to provide Intune configuration privileges in a challenge window that appeared.
 
 2. Under **Add Windows Autopilot devices** in the far right pane, browse to the **AutopilotHWID.csv** file you previously copied to your local computer.  The file should contain the serial number and 4K HH of your VM (or device).  It's okay if other fields (Windows Product ID) are left blank.
 
-    ![HWID CSV](images/enroll2.png)
+    ![HWID CSV.](images/enroll2.png)
 
     You should receive confirmation that the file is formatted correctly before uploading it, as shown above.
 
@@ -407,7 +407,7 @@ Your VM (or device) can be registered either via Intune or Microsoft Store for B
 
 4. Click **Refresh** to verify your VM or device has been added. See the following example.
 
-   ![Import HWID](images/enroll3.png)
+   ![Import HWID.](images/enroll3.png)
 
 ### Autopilot registration using MSfB
 
@@ -426,11 +426,11 @@ Next, sign in to [Microsoft Store for Business](https://businessstore.microsoft.
 
 Select **Manage** from the top menu, then click the **Windows Autopilot Deployment Program** link under the **Devices** card. See the following example:
 
-![Microsoft Store for Business](images/msfb.png)
+![Microsoft Store for Business.](images/msfb.png)
 
 Click the **Add devices** link to upload your CSV file. A message will appear indicating your request is being processed. Wait a few moments before refreshing to see your new device has been added.
 
-![Microsoft Store for Business Devices](images/msfb-device.png)
+![Microsoft Store for Business Devices.](images/msfb-device.png)
 
 ## Create and assign a Windows Autopilot deployment profile
 
@@ -446,7 +446,7 @@ Pick one:
 > [!NOTE]
 > Even if you registered your device in MSfB, it will still appear in Intune, though you might have to **sync** and then **refresh** your device list.
 
-![Devices](images/enroll4.png)
+![Devices.](images/enroll4.png)
 
 #### Create a device group
 
@@ -463,7 +463,7 @@ The Autopilot deployment profile wizard will ask for a device group, so we must
 3. Click **Members** and add the Autopilot VM to the group. See the following example:
 
    > [!div class="mx-imgBorder"]
-   > ![add members](images/group1.png)
+   > ![add members.](images/group1.png)
 
 4. Click **Create**. 
 
@@ -472,12 +472,12 @@ The Autopilot deployment profile wizard will ask for a device group, so we must
 To create a Windows Autopilot profile, scroll back to the left hand pane and click **Devices**, then under **Enroll devices | Windows enrollment** select **Deployment Profiles**.
 
 > [!div class="mx-imgBorder"]
-> ![Deployment profiles](images/dp.png)
+> ![Deployment profiles.](images/dp.png)
 
 Click on **Create profile** and then select **Windows PC**.
 
 > [!div class="mx-imgBorder"]
-> ![Create deployment profile](images/create-profile.png)
+> ![Create deployment profile.](images/create-profile.png)
 
 On the **Create profile** blade, use the following values:
 
@@ -512,7 +512,7 @@ Click **Next** to continue with the **Assignments** settings:
 2. Click the **Autopilot Lab** group, and then click **Select**.
 3. Click **Next** to continue and then click **Create**. See the following example:
 
-![Deployment profile](images/profile.png)
+![Deployment profile.](images/profile.png)
 
 Click on **OK** and then click on **Create**.
 
@@ -529,7 +529,7 @@ First, sign in to the [Microsoft Store for Business](https://businessstore.micro
 
 Click **Manage** from the top menu, then click **Devices** from the left navigation tree.
 
-![MSfB manage](images/msfb-manage.png)
+![MSfB manage.](images/msfb-manage.png)
 
 Click the **Windows Autopilot Deployment Program** link in the **Devices** tile.
 
@@ -538,17 +538,17 @@ To CREATE the profile:
 Select your device from the **Devices** list:
 
 > [!div class="mx-imgBorder"]
-> ![MSfB create step 1](images/msfb-create1.png)
+> ![MSfB create step 1.](images/msfb-create1.png)
 
 On the Autopilot deployment dropdown menu, select **Create new profile**:
 
 > [!div class="mx-imgBorder"]
-> ![MSfB create step 2](images/msfb-create2.png)
+> ![MSfB create step 2.](images/msfb-create2.png)
 
 Name the profile, choose your desired settings, and then click **Create**:
 
 > [!div class="mx-imgBorder"]
-> ![MSfB create step 3](images/msfb-create3.png)
+> ![MSfB create step 3.](images/msfb-create3.png)
 
 The new profile is added to the Autopilot deployment list.
 
@@ -557,12 +557,12 @@ To ASSIGN the profile:
 To assign (or reassign) the profile to a device, select the checkboxes next to the device you registered for this lab, then select the profile you want to assign from the **Autopilot deployment** dropdown menu as shown:
 
 > [!div class="mx-imgBorder"]
-> ![MSfB assign step 1](images/msfb-assign1.png)
+> ![MSfB assign step 1.](images/msfb-assign1.png)
 
 Confirm the profile was successfully assigned to the intended device by checking the contents of the **Profile** column:
 
 > [!div class="mx-imgBorder"]
-> ![MSfB assign step 2](images/msfb-assign2.png)
+> ![MSfB assign step 2.](images/msfb-assign2.png)
 
 > [!IMPORTANT]
 > The new profile will only be applied if the device has not been started, and gone through OOBE. Settings from a different profile can't be applied when another profile has been applied. Windows would need to be reinstalled on the device for the second profile to be applied to the device.
@@ -572,7 +572,7 @@ Confirm the profile was successfully assigned to the intended device by checking
 If you shut down your VM after the last reset, it's time to start it back up again, so it can progress through the Autopilot OOBE experience but do not attempt to start your device again until the **PROFILE STATUS** for your device in Intune has changed from **Not assigned** to **Assigning** and finally **Assigned**:
 
 > [!div class="mx-imgBorder"]
-> ![Device status](images/device-status.png)
+> ![Device status.](images/device-status.png)
 
 Also, make sure to wait at least 30 minutes from the time you've [configured company branding](#configure-company-branding), otherwise these changes might not show up.
 
@@ -583,12 +583,12 @@ Also, make sure to wait at least 30 minutes from the time you've [configured com
 - Turn on the device
 - Verify that the appropriate OOBE screens (with appropriate Company Branding) appear.  You should see the region selection screen, the keyboard selection screen, and the second keyboard selection screen (which you can skip).
 
-![OOBE sign-in page](images/autopilot-oobe.png)
+![OOBE sign-in page.](images/autopilot-oobe.png)
 
 Soon after reaching the desktop, the device should show up in Intune as an **enabled** Autopilot device.  Go into the Intune Azure portal, and select **Devices > All devices**, then **Refresh** the data to verify that your device has changed from disabled to enabled, and the name of the device is updated.
 
 > [!div class="mx-imgBorder"]
-> ![Device enabled](images/devices1.png)
+> ![Device enabled.](images/devices1.png)
 
 Once you select a language and a keyboard layout, your company branded sign-in screen should appear. Provide your Azure Active Directory credentials and you're all done.
 
@@ -606,7 +606,7 @@ To use the device (or VM) for other purposes after completion of this lab, you w
 You need to delete (or retire, or factory reset) the device from Intune before deregistering the device from Autopilot. To delete the device from Intune (not Azure Active Directory), log into the MEM admin center, then navigate to **Intune > Devices > All Devices**.  Select the device you want to delete, then click the Delete button along the top menu.
 
 > [!div class="mx-imgBorder"]
-> ![Delete device step 1](images/delete-device1.png)
+> ![Delete device step 1.](images/delete-device1.png)
 
 This will remove the device from Intune management, and it will disappear from **Intune > Devices > All devices**. But this does not yet deregister the device from Autopilot, so the device should still appear under **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices**.
 
@@ -618,7 +618,7 @@ The **Intune > Devices > All Devices** list and the **Intune > Device Enrollment
 To remove the device from the Autopilot program, select the device and click **Delete**. You will get a popup dialog box to confirm deletion.
 
 > [!div class="mx-imgBorder"]
-> ![Delete device](images/delete-device2.png)
+> ![Delete device.](images/delete-device2.png)
 
 At this point, your device has been unenrolled from Intune and also deregistered from Autopilot.  After several minutes, click the **Sync** button, followed by the **Refresh** button to confirm the device is no longer listed in the Autopilot program:
 
@@ -686,7 +686,7 @@ Download the Notepad++ msi package [here](https://www.hass.de/content/notepad-ms
 Run the IntuneWinAppUtil tool, supplying answers to the three questions, for example:
 
 > [!div class="mx-imgBorder"]
-> ![Add app example](images/app01.png)
+> ![Add app example.](images/app01.png)
 
 After the tool finishes running, you should have an .intunewin file in the Output folder, which you can now upload into Intune using the following steps.
 
@@ -696,20 +696,20 @@ Log into the Azure portal and select **Intune**.
 
 Navigate to **Intune > Clients apps > Apps**, and then click the **Add** button to create a new app package.
 
-![Add app step 1](images/app02.png)
+![Add app step 1.](images/app02.png)
 
 Under **App Type**, select **Windows app (Win32)**:
 
-![Add app step 2](images/app03.png)
+![Add app step 2.](images/app03.png)
 
 On the **App package file** blade, browse to the **npp.7.6.3.installer.x64.intunewin** file in your output folder, open it, then click **OK**:
 
 > [!div class="mx-imgBorder"]
-> ![Add app step 3](images/app04.png)
+> ![Add app step 3.](images/app04.png)
 
 On the **App Information Configure** blade, provide a friendly name, description, and publisher, such as:
 
-![Add app step 4](images/app05.png)
+![Add app step 4.](images/app05.png)
 
 On the **Program Configuration** blade, supply the install and uninstall commands:
 
@@ -721,7 +721,7 @@ Uninstall:  msiexec /x "{F188A506-C3C6-4411-BE3A-DA5BF1EA6737}" /q
 > [!NOTE]
 > Likely, you do not have to write the install and uninstall commands yourself because the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool) automatically generated them when it converted the .msi file into a .intunewin file.
 
-![Add app step 5](images/app06.png)
+![Add app step 5.](images/app06.png)
 
 Simply using an install command like "notepad++.exe /S" will not actually install Notepad++; it will only launch the app.  To actually install the program, we need to use the .msi file instead.  Notepad++ doesn't actually have an .msi version of their program, but we got an .msi version from a [third party provider](https://www.hass.de/content/notepad-msi-package-enterprise-deployment-available).
 
@@ -730,23 +730,23 @@ Click **OK** to save your input and activate the **Requirements** blade.
 On the **Requirements Configuration** blade, specify the **OS architecture** and the **Minimum OS version**:
 
 > [!div class="mx-imgBorder"]
-> ![Add app step 6](images/app07.png)
+> ![Add app step 6.](images/app07.png)
 
 Next, configure the **Detection rules**.  For our purposes, we will select manual format:
 
 > [!div class="mx-imgBorder"]
-> ![Add app step 7](images/app08.png)
+> ![Add app step 7.](images/app08.png)
 
 Click **Add** to define the rule properties.  For **Rule type**, select **MSI**, which will automatically import the right MSI product code into the rule:
 
-![Add app step 8](images/app09.png)
+![Add app step 8.](images/app09.png)
 
 Click **OK** twice to save, as you back out to the main **Add app** blade again for the final configuration.
 
 **Return codes**:  For our purposes, leave the return codes at their default values:
 
 > [!div class="mx-imgBorder"]
-> ![Add app step 9](images/app10.png)
+> ![Add app step 9.](images/app10.png)
 
 Click **OK** to exit.
 
@@ -757,12 +757,12 @@ Click the **Add** button to finalize and save your app package.
 Once the indicator message says the addition has completed.
 
 > [!div class="mx-imgBorder"]
-> ![Add app step 10](images/app11.png)
+> ![Add app step 10.](images/app11.png)
 
 You will be able to find your app in your app list:
 
 > [!div class="mx-imgBorder"]
-> ![Add app step 11](images/app12.png)
+> ![Add app step 11.](images/app12.png)
 
 #### Assign the app to your Intune profile
 
@@ -772,7 +772,7 @@ You will be able to find your app in your app list:
 In the **Intune > Client Apps > Apps** pane, select the app package you already created to reveal its properties blade.  Then click **Assignments** from the menu:
 
 > [!div class="mx-imgBorder"]
-> ![Assign app step 1](images/app13.png)
+> ![Assign app step 1.](images/app13.png)
 
 Select **Add Group** to open the **Add group** pane that is related to the app.
 
@@ -783,10 +783,10 @@ For our purposes, select **Required** from the **Assignment type** dropdown menu
 
 Select **Included Groups** and assign the groups you previously created that will use this app:
 
-![Assign app step 2](images/app14.png)
+![Assign app step 2.](images/app14.png)
 
 > [!div class="mx-imgBorder"]
-> ![Assign app step 3](images/app15.png)
+> ![Assign app step 3.](images/app15.png)
 
 In the **Select groups** pane, click the **Select** button.
 
@@ -797,7 +797,7 @@ In the **Add group** pane, select **OK**.
 In the app **Assignments** pane, select **Save**.
 
 > [!div class="mx-imgBorder"]
-> ![Assign app step 4](images/app16.png)
+> ![Assign app step 4.](images/app16.png)
 
 At this point, you have completed steps to add a Win32 app to Intune.
 
@@ -811,16 +811,16 @@ Log into the Azure portal and select **Intune**.
 
 Navigate to **Intune > Clients apps > Apps**, and then click the **Add** button to create a new app package.
 
-![Create app step 1](images/app17.png)
+![Create app step 1.](images/app17.png)
 
 Under **App Type**, select **Office 365 Suite > Windows 10**:
 
-![Create app step 2](images/app18.png)
+![Create app step 2.](images/app18.png)
 
 Under the **Configure App Suite** pane, select the Office apps you want to install.  For the purposes of this labe we have only selected Excel:
 
 > [!div class="mx-imgBorder"]
-> ![Create app step 3](images/app19.png)
+> ![Create app step 3.](images/app19.png)
 
 Click **OK**.
 
@@ -829,13 +829,13 @@ In the **App Suite Information** pane, enter a <i>unique</i> suite name, and a s
 Enter the name of the app suite as it is displayed in the company portal. Make sure that all suite names that you use are unique. If the same app suite name exists twice, only one of the apps is displayed to users in the company portal.
 
 > [!div class="mx-imgBorder"]
-> ![Create app step 4](images/app20.png)
+> ![Create app step 4.](images/app20.png)
 
 Click **OK**.
 
 In the **App Suite Settings** pane, select **Monthly** for the **Update channel** (any selection would be fine for the purposes of this lab).  Also select **Yes** for **Automatically accept the app end user license agreement**:
 
-![Create app step 5](images/app21.png)
+![Create app step 5.](images/app21.png)
 
 Click **OK** and then click **Add**.
 
@@ -847,7 +847,7 @@ Click **OK** and then click **Add**.
 In the **Intune > Client Apps > Apps** pane, select the Office package you already created to reveal its properties blade.  Then click **Assignments** from the menu:
 
 > [!div class="mx-imgBorder"]
-> ![Create app step 6](images/app22.png)
+> ![Create app step 6.](images/app22.png)
 
 Select **Add Group** to open the **Add group** pane that is related to the app.
 
@@ -857,10 +857,10 @@ For our purposes, select **Required** from the **Assignment type** dropdown menu
 
 Select **Included Groups** and assign the groups you previously created that will use this app:
 
-![Create app step 7](images/app23.png)
+![Create app step 7.](images/app23.png)
 
 > [!div class="mx-imgBorder"]
-> ![Create app step 8](images/app24.png)
+> ![Create app step 8.](images/app24.png)
 
 In the **Select groups** pane, click the **Select** button.
 
@@ -870,7 +870,7 @@ In the **Add group** pane, select **OK**.
 
 In the app **Assignments** pane, select **Save**.
 
-![Create app step 9](images/app25.png)
+![Create app step 9.](images/app25.png)
 
 At this point, you have completed steps to add Office to Intune.
 
@@ -878,7 +878,7 @@ For more information on adding Office apps to Intune, see [Assign Office 365 app
 
 If you installed both the win32 app (Notepad++) and Office (just Excel) per the instructions in this lab, your VM will show them in the apps list, although it could take several minutes to populate:
 
-![Create app step 10](images/app26.png)
+![Create app step 10.](images/app26.png)
 
 ## Glossary
 
diff --git a/windows/deployment/windows-deployment-scenarios-and-tools.md b/windows/deployment/windows-deployment-scenarios-and-tools.md
index 0d04abd1e0..04f798b127 100644
--- a/windows/deployment/windows-deployment-scenarios-and-tools.md
+++ b/windows/deployment/windows-deployment-scenarios-and-tools.md
@@ -29,7 +29,7 @@ In this topic, you also learn about different types of reference images that you
 
 Windows ADK contains core assessment and deployment tools and technologies, including Deployment Image Servicing and Management (DISM), Windows Imaging and Configuration Designer (Windows ICD), Windows System Image Manager (Windows SIM), User State Migration Tool (USMT), Volume Activation Management Tool (VAMT), Windows Preinstallation Environment (Windows PE), Windows Assessment Services, Windows Performance Toolkit (WPT), Application Compatibility Toolkit (ACT), and Microsoft SQL Server 2012 Express. For more details, see [Windows ADK for Windows 10](/windows-hardware/get-started/adk-install) or [Windows ADK for Windows 10 scenarios for IT Pros](windows-adk-scenarios-for-it-pros.md).
 
-![figure 1](images/win-10-adk-select.png)
+![figure 1.](images/win-10-adk-select.png)
 
 The Windows 10 ADK feature selection page.
 
@@ -50,7 +50,7 @@ Enable-WindowsOptionalFeature -Online -FeatureName NetFx3 -All
 -Source D:\Sources\SxS -LimitAccess
 ```
 
-![figure 2](images/mdt-11-fig05.png)
+![figure 2.](images/mdt-11-fig05.png)
 
 Using DISM functions in PowerShell.
 
@@ -77,7 +77,7 @@ In addition to these tools, there are also XML templates that manage which data
 -   **Custom templates.** Custom templates that you create.
 -   **Config template.** An optional template, called Config.xml, which you can use to exclude or include components in a migration without modifying the other standard XML templates.
 
-![figure 3](images/mdt-11-fig06.png)
+![figure 3.](images/mdt-11-fig06.png)
 
 A sample USMT migration file that will exclude .MP3 files on all local drives and include the folder C:\\Data and all its files, including its subdirectories and their files.
 
@@ -100,7 +100,7 @@ These are the settings migrated by the default MigUser.xml and MigApp.xml templa
 
 Windows Imaging and Configuration Designer (Windows ICD) is a tool designed to assist with the creation of provisioning packages that can be used to dynamically configure a Windows device (PCs, tablets, and phones). This is particularly useful for setting up new devices, without the need for re-imaging the device with a custom image.
 
-![figure 4](images/windows-icd.png)
+![figure 4.](images/windows-icd.png)
 
 Windows Imaging and Configuration Designer.
 
@@ -110,7 +110,7 @@ For more information, see [Windows Imaging and Configuration Designer](/windows/
 
 Windows SIM is an authoring tool for Unattend.xml files. When using MDT and/or Configuration Manager, you don’t need Windows SIM very often because those systems automatically update the Unattend.xml file during the deployment, greatly simplifying the process overall.
 
-![figure 7](images/mdt-11-fig07.png)
+![figure 7.](images/mdt-11-fig07.png)
 
 Windows answer file opened in Windows SIM.
 
@@ -120,7 +120,7 @@ For more information, see [Windows System Image Manager Technical Reference]( ht
 
 If you don’t use KMS, you can still manage your MAKs centrally with the Volume Activation Management Tool (VAMT). With this tool, you can install and manage product keys throughout the organization. VAMT also can activate on behalf of clients without Internet access, acting as a MAK proxy.
 
-![figure 6](images/mdt-11-fig08.png)
+![figure 6.](images/mdt-11-fig08.png)
 
 The updated Volume Activation Management Tool.
 
@@ -138,7 +138,7 @@ Windows PE is a “Lite” version of Windows 10 and was created to act as a dep
 
 The key thing to know about Windows PE is that, like the operating system, it needs drivers for at least network and storage devices in each PC. Luckily Windows PE includes the same drivers as the full Windows 10 operating system, which means much of your hardware will work out of the box.
 
-![figure 7](images/mdt-11-fig09.png)
+![figure 7.](images/mdt-11-fig09.png)
 
 A machine booted with the Windows ADK default Windows PE boot image.
 
@@ -149,7 +149,7 @@ For more details on Windows PE, see [Windows PE (WinPE)](/windows-hardware/manuf
 
 Windows Recovery Environment (Windows RE) is a diagnostics and recovery toolset included in Windows Vista and later operating systems. The latest version of Windows RE is based on Windows PE. You can also extend Windows RE and add your own tools if needed. If a Windows installation fails to start and Windows RE is installed, you will see an automatic failover into Windows RE.
 
-![figure 8](images/mdt-11-fig10.png)
+![figure 8.](images/mdt-11-fig10.png)
 
 A Windows 10 client booted into Windows RE, showing Advanced options.
 
@@ -160,7 +160,7 @@ For more information on Windows RE, see [Windows Recovery Environment](/windows-
 
 Windows Deployment Services (WDS) has been updated and improved in several ways starting with Windows 8. Remember that the two main functions you will use are the PXE boot support and multicast. Most of the changes are related to management and increased performance. In Windows Server 2012 R2, WDS also can be used for the Network Unlock feature in BitLocker.
 
-![figure 9](images/mdt-11-fig11.png)
+![figure 9.](images/mdt-11-fig11.png)
 
 Windows Deployment Services using multicast to deploy three machines.
 
@@ -176,7 +176,7 @@ Also, there are a few new features related to TFTP performance:
 -   **Scalable port management.** Provides the capability to service clients with shared UDP port allocation, increasing scalability.
 -   **Variable-size transmission window (Variable Windows Extension).** Improves TFTP performance by allowing the client and server to determine the largest workable window size.
 
-![figure 10](images/mdt-11-fig12.png)
+![figure 10.](images/mdt-11-fig12.png)
 
 TFTP changes are now easy to perform.
 
@@ -192,7 +192,7 @@ Lite Touch and Zero Touch are marketing names for the two solutions that MDT sup
 
  
 
-![figure 11](images/mdt-11-fig13.png)
+![figure 11.](images/mdt-11-fig13.png)
 
 The Deployment Workbench in, showing a task sequence.
 
@@ -203,7 +203,7 @@ For more information on MDT, see the [Microsoft Deployment Toolkit](/mem/configm
 
 [Microsoft SCM](https://go.microsoft.com/fwlink/p/?LinkId=619246) is a free utility used to create baseline security settings for the Windows client and server environment. The baselines can be exported and then deployed via Group Policy, local policies, MDT, or Configuration Manager. The current version of Security Compliance Manager includes baselines for Windows 8.1 and several earlier versions of Windows, Windows Server, and Internet Explorer.
 
-![figure 12](images/mdt-11-fig14.png)
+![figure 12.](images/mdt-11-fig14.png)
 
 The SCM console showing a baseline configuration for a fictional client's computer security compliance.
 
@@ -228,7 +228,7 @@ For more information on the benefits of an MDOP subscription, see [Microsoft Des
 
 There has been a version of IEAK for every version of Internet Explorer since 3.0. It gives you the capability to customize Internet Explorer as you would like. The end result of using IEAK is an Internet Explorer package that can be deployed unattended. The wizard creates one .exe file and one .msi file.
 
-![figure 13](images/mdt-11-fig15.png)
+![figure 13.](images/mdt-11-fig15.png)
 
 The User Experience selection screen in IEAK 11.
 
@@ -239,7 +239,7 @@ To download IEAK 11, see the [Internet Explorer Administration Kit (IEAK) Inform
 
 WSUS is a server role in Windows Server 2012 R2 that enables you to maintain a local repository of Microsoft updates and then distribute them to machines on your network. WSUS offers approval control and reporting of update status in your environment.
 
-![figure 14](images/mdt-11-fig16.png)
+![figure 14.](images/mdt-11-fig16.png)
 
 The Windows Server Update Services console.
 
diff --git a/windows/privacy/Microsoft-DiagnosticDataViewer.md b/windows/privacy/Microsoft-DiagnosticDataViewer.md
index 930819c367..5852e85928 100644
--- a/windows/privacy/Microsoft-DiagnosticDataViewer.md
+++ b/windows/privacy/Microsoft-DiagnosticDataViewer.md
@@ -64,7 +64,7 @@ Note that this setting does not control whether your device sends diagnostic dat
 
 2. Under **Diagnostic data**, turn on the **If data viewing is enabled, you can see your diagnostics data** option.
 
-    ![Location to turn on data viewing](images/ddv-data-viewing.png)
+    ![Location to turn on data viewing.](images/ddv-data-viewing.png)
 
 **To turn on data viewing through PowerShell**
 
@@ -134,7 +134,7 @@ When you're done reviewing your diagnostic data, we recommend turning off data v
 
 2. Under **Diagnostic data**, turn off the **If data viewing is enabled, you can see your diagnostics data** option.
 
-    ![Location to turn off data viewing](images/ddv-settings-off.png)
+    ![Location to turn off data viewing.](images/ddv-settings-off.png)
 
 **To turn off data viewing through PowerShell** 
 
diff --git a/windows/privacy/diagnostic-data-viewer-overview.md b/windows/privacy/diagnostic-data-viewer-overview.md
index 3b40651ee2..dc9a127179 100644
--- a/windows/privacy/diagnostic-data-viewer-overview.md
+++ b/windows/privacy/diagnostic-data-viewer-overview.md
@@ -38,7 +38,7 @@ Before you can use this tool for viewing Windows diagnostic data, you must turn
 
 2. Under **Diagnostic data**, turn on the **If data viewing is enabled, you can see your diagnostics data** option.
 
-    ![Location to turn on data viewing](images/ddv-data-viewing.png)
+    ![Location to turn on data viewing.](images/ddv-data-viewing.png)
 
 ### Download the Diagnostic Data Viewer
 Download the app from the [Microsoft Store Diagnostic Data Viewer](https://www.microsoft.com/store/p/diagnostic-data-viewer/9n8wtrrsq8f7?rtc=1) page.
@@ -54,7 +54,7 @@ You can start this app from the **Settings** panel.
 
 2. Under **Diagnostic data**, select the **Diagnostic Data Viewer** button.
 
-    ![Location to turn on the Diagnostic Data Viewer](images/ddv-settings-launch.png)<br><br>-OR-<br><br>
+    ![Location to turn on the Diagnostic Data Viewer.](images/ddv-settings-launch.png)<br><br>-OR-<br><br>
     
     Go to **Start** and search for _Diagnostic Data Viewer_.
 
@@ -73,7 +73,7 @@ The Diagnostic Data Viewer provides you with the following features to view and
     >[!Important]
     >Seeing an event does not necessarily mean it has been uploaded yet. It’s possible that some events are still queued and will be uploaded at a later time.
 
-     ![View your diagnostic events](images/ddv-event-view.jpg)
+     ![View your diagnostic events.](images/ddv-event-view.jpg)
 
 - **Search your diagnostic events.** The **Search** box at the top of the screen lets you search amongst all of the diagnostic event details. The returned search results include any diagnostic event that contains the matching text. 
 
@@ -83,7 +83,7 @@ The Diagnostic Data Viewer provides you with the following features to view and
 
 - **Help to make your Windows experience better.** Microsoft only needs diagnostic data from a small amount of devices to make big improvements to the Windows operating system and ultimately, your experience. If you’re a part of this small device group and you experience issues, Microsoft will collect the associated event diagnostic data, allowing your info to potentially help fix the issue for others.
 
-    To signify your contribution, you’ll see this icon (![Icon to review the device-level sampling](images/ddv-device-sample.png)) if your device is part of the group. In addition, if any of your diagnostic data events are sent from your device to Microsoft to help make improvements, you’ll see this icon (![Icon to review the event-level sampling](images/ddv-event-sample.png)). 
+    To signify your contribution, you’ll see this icon (![Icon to review the device-level sampling.](images/ddv-device-sample.png)) if your device is part of the group. In addition, if any of your diagnostic data events are sent from your device to Microsoft to help make improvements, you’ll see this icon (![Icon to review the event-level sampling](images/ddv-event-sample.png)). 
 
 - **Provide diagnostic event feedback.** The **Feedback** icon in the upper right corner of the window opens the Feedback Hub app, letting you provide feedback about the Diagnostic Data Viewer and the diagnostic events.
 
@@ -99,7 +99,7 @@ The Diagnostic Data Viewer provides you with the following features to view and
     >[!Important]
     >This content is a reflection of the history of Windows data the app has stored. If you'd like to have extended analyses, please modify the storage capacity of Diagnostic Data Viewer. 
 
-    ![Look at an overview of what data you've shared with Microsoft through the 'About my data' page in Diagnostic Data Viewer](images/ddv-analytics.png) 
+    ![Look at an overview of what data you've shared with Microsoft through the 'About my data' page in Diagnostic Data Viewer.](images/ddv-analytics.png) 
 
 ## View Office Diagnostic Data
 By default, Diagnostic Data Viewer shows you Windows data. You can also view Office diagnostic data by enabling the feature in the app settings page. To learn more about how to view Office diagnostic data, please visit this [page](https://go.microsoft.com/fwlink/?linkid=2023830). 
@@ -112,7 +112,7 @@ When you're done reviewing your diagnostic data, you should turn of data viewing
 
 2. Under **Diagnostic data**, turn off the **If data viewing is enabled, you can see your diagnostics data** option.
 
-    ![Location to turn off data viewing](images/ddv-settings-off.png)
+    ![Location to turn off data viewing.](images/ddv-settings-off.png)
 
 ## Modifying the size of your data history
 By default, Diagnostic Data Viewer shows you up to 1GB or 30 days of data (whichever comes first) for Windows diagnostic data. Once either the time or space limit is reached, the data is incrementally dropped with the oldest data points dropped first. 
@@ -139,7 +139,7 @@ You can also use the Windows Error Reporting tool available in the Control Panel
 
 Starting with Windows 1809 and higher, you can review Windows Error Reporting diagnostic data in the Diagnostic Data Viewer.  
 
-![Starting with Windows 1809 and higher, you can review Windows Error Reporting diagnostic data in the Diagnostic Data Viewer](images/ddv-problem-reports.png)
+![Starting with Windows 1809 and higher, you can review Windows Error Reporting diagnostic data in the Diagnostic Data Viewer.](images/ddv-problem-reports.png)
 
 **To view your Windows Error Reporting diagnostic data using the Control Panel**
 
@@ -147,7 +147,7 @@ Go to **Start**, select **Control Panel** > **All Control Panel Items** > **Secu
 Go to **Start** and search for _Problem Reports_.
 The **Review problem reports** tool opens, showing you your Windows Error Reporting reports, along with a status about whether it was sent to Microsoft.
 
-![View problem reports tool with report statuses](images/control-panel-problem-reports-screen.png)
+![View problem reports tool with report statuses.](images/control-panel-problem-reports-screen.png)
 
 ## Known Issues with Diagnostic Data Viewer
 
diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
index aad2616468..f1f0d9469a 100644
--- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
+++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md
@@ -57,60 +57,60 @@ The following table lists management options for each setting, beginning with Wi
 
 | Setting | UI | Group Policy | Registry |
 | - | :-: | :-: | :-: |
-| [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| [2. Cortana and Search](#bkmk-cortana) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| [5. Find My Device](#find-my-device) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| [6. Font streaming](#font-streaming) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| [7. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| [8. Internet Explorer](#bkmk-ie) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| [9. License Manager](#bkmk-licmgr) | | |  ![Check mark](images/checkmark.png) |
-| [10. Live Tiles](#live-tiles) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| [11. Mail synchronization](#bkmk-mailsync) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) |
-| [12. Microsoft Account](#bkmk-microsoft-account) | | |  ![Check mark](images/checkmark.png) |
-| [13. Microsoft Edge](#bkmk-edge) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| [14. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| [15. Offline maps](#bkmk-offlinemaps) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| [16. OneDrive](#bkmk-onedrive) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) |
+| [2. Cortana and Search](#bkmk-cortana) | | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) |
+| [3. Date & Time](#bkmk-datetime) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) |
+| [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) |
+| [5. Find My Device](#find-my-device) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) |
+| [6. Font streaming](#font-streaming) | | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) |
+| [7. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) |
+| [8. Internet Explorer](#bkmk-ie) | | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) |
+| [9. License Manager](#bkmk-licmgr) | | |  ![Check mark.](images/checkmark.png) |
+| [10. Live Tiles](#live-tiles) | | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) |
+| [11. Mail synchronization](#bkmk-mailsync) | ![Check mark.](images/checkmark.png) | | ![Check mark.](images/checkmark.png) |
+| [12. Microsoft Account](#bkmk-microsoft-account) | | |  ![Check mark.](images/checkmark.png) |
+| [13. Microsoft Edge](#bkmk-edge) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [14. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [15. Offline maps](#bkmk-offlinemaps) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [16. OneDrive](#bkmk-onedrive) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
 | [17. Preinstalled apps](#bkmk-preinstalledapps) | ![Check mark](images/checkmark.png) | | |
 | [18. Settings > Privacy](#bkmk-settingssection) | | | |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.1 General](#bkmk-general) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.2 Location](#bkmk-priv-location) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.3 Camera](#bkmk-priv-camera) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.4 Microphone](#bkmk-priv-microphone) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.5 Notifications](#bkmk-priv-notifications) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png)|
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.6 Speech](#bkmk-priv-speech) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.7 Account info](#bkmk-priv-accounts) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.8 Contacts](#bkmk-priv-contacts) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.9 Calendar](#bkmk-priv-calendar) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.10 Call history](#bkmk-priv-callhistory) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.11 Email](#bkmk-priv-email) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.12 Messaging](#bkmk-priv-messaging) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.13 Phone calls](#bkmk-priv-phone-calls) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.14 Radios](#bkmk-priv-radios) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.15 Other devices](#bkmk-priv-other-devices) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.16 Feedback & diagnostics](#bkmk-priv-feedback) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.17 Background apps](#bkmk-priv-background) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.18 Motion](#bkmk-priv-motion) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.19 Tasks](#bkmk-priv-tasks) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |  ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.20 App Diagnostics](#bkmk-priv-diag) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |  ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.21 Inking & Typing](#bkmk-priv-ink) | ![Check mark](images/checkmark.png) | |  ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.22 Activity History](#bkmk-act-history) | ![Check mark](images/checkmark.png) |![Check mark](images/checkmark.png) |  ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.23 Voice Activation](#bkmk-voice-act) | ![Check mark](images/checkmark.png) |![Check mark](images/checkmark.png) |  ![Check mark](images/checkmark.png) |
-| [19. Software Protection Platform](#bkmk-spp) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| [20. Storage Health](#bkmk-storage-health) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| [21. Sync your settings](#bkmk-syncsettings) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| [22. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| [23. Wi-Fi Sense](#bkmk-wifisense) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| [24. Microsoft Defender Antivirus](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| [25. Windows Spotlight](#bkmk-spotlight) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| [26. Microsoft Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| [27. Apps for websites](#bkmk-apps-for-websites) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| [28. Delivery Optimization](#bkmk-updates) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| [29. Windows Update](#bkmk-wu) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.1 General](#bkmk-general) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.2 Location](#bkmk-priv-location) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.3 Camera](#bkmk-priv-camera) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.4 Microphone](#bkmk-priv-microphone) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.5 Notifications](#bkmk-priv-notifications) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png)|
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.6 Speech](#bkmk-priv-speech) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.7 Account info](#bkmk-priv-accounts) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.8 Contacts](#bkmk-priv-contacts) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.9 Calendar](#bkmk-priv-calendar) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.10 Call history](#bkmk-priv-callhistory) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.11 Email](#bkmk-priv-email) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.12 Messaging](#bkmk-priv-messaging) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.13 Phone calls](#bkmk-priv-phone-calls) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.14 Radios](#bkmk-priv-radios) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.15 Other devices](#bkmk-priv-other-devices) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.16 Feedback & diagnostics](#bkmk-priv-feedback) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.17 Background apps](#bkmk-priv-background) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.18 Motion](#bkmk-priv-motion) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.19 Tasks](#bkmk-priv-tasks) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |  ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.20 App Diagnostics](#bkmk-priv-diag) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |  ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.21 Inking & Typing](#bkmk-priv-ink) | ![Check mark.](images/checkmark.png) | |  ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.22 Activity History](#bkmk-act-history) | ![Check mark.](images/checkmark.png) |![Check mark](images/checkmark.png) |  ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.23 Voice Activation](#bkmk-voice-act) | ![Check mark.](images/checkmark.png) |![Check mark](images/checkmark.png) |  ![Check mark](images/checkmark.png) |
+| [19. Software Protection Platform](#bkmk-spp) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [20. Storage Health](#bkmk-storage-health) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [21. Sync your settings](#bkmk-syncsettings) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [22. Teredo](#bkmk-teredo) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [23. Wi-Fi Sense](#bkmk-wifisense) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [24. Microsoft Defender Antivirus](#bkmk-defender) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [25. Windows Spotlight](#bkmk-spotlight) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [26. Microsoft Store](#bkmk-windowsstore) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [27. Apps for websites](#bkmk-apps-for-websites) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [28. Delivery Optimization](#bkmk-updates) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [29. Windows Update](#bkmk-wu) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
 | [30. Cloud Clipboard](#bkmk-clcp) | | ![Check mark](images/checkmark.png) |  |
-| [31. Services Configuration](#bkmk-svccfg) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [31. Services Configuration](#bkmk-svccfg) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
 
 
 ### Settings for Windows Server 2016 with Desktop Experience
@@ -119,20 +119,20 @@ See the following table for a summary of the management settings for Windows Ser
 
 | Setting | UI | Group Policy | Registry |
 | - | :-: | :-: | :-: |
-| [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| [2. Cortana and Search](#bkmk-cortana) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| [6. Font streaming](#font-streaming) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| [7. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| [8. Internet Explorer](#bkmk-ie) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| [10. Live Tiles](#live-tiles) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [2. Cortana and Search](#bkmk-cortana) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [3. Date & Time](#bkmk-datetime) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [6. Font streaming](#font-streaming) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [7. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark.](images/checkmark.png) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [8. Internet Explorer](#bkmk-ie) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [10. Live Tiles](#live-tiles) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
 | [12. Microsoft Account](#bkmk-microsoft-account) | | | ![Check mark](images/checkmark.png) |
-| [14. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| [16. OneDrive](#bkmk-onedrive) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [14. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [16. OneDrive](#bkmk-onedrive) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
 | [18. Settings > Privacy](#bkmk-settingssection) | | | |
-| [19. Software Protection Platform](#bkmk-spp) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| [22. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [19. Software Protection Platform](#bkmk-spp) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [22. Teredo](#bkmk-teredo) | | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |
 | [24. Microsoft Defender Antivirus](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
 | [26. Microsoft Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
 | [27. Apps for websites](#bkmk-apps-for-websites) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
@@ -172,54 +172,54 @@ See the following table for a summary of the management settings for Windows Ser
 | - | :-: | :-: | :-: |
 | [1. Automatic Root Certificates Update](#automatic-root-certificates-update) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
 | [2. Cortana and Search](#bkmk-cortana) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| [3. Date & Time](#bkmk-datetime) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [3. Date & Time](#bkmk-datetime) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
 | [4. Device metadata retrieval](#bkmk-devinst) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| [5. Find My Device](#find-my-device) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [5. Find My Device](#find-my-device) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
 | [6. Font streaming](#font-streaming) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| [7. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [7. Insider Preview builds](#bkmk-previewbuilds) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
 | [8. Internet Explorer](#bkmk-ie) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
 | [10. Live Tiles](#live-tiles) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| [11. Mail synchronization](#bkmk-mailsync) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) |
+| [11. Mail synchronization](#bkmk-mailsync) | ![Check mark.](images/checkmark.png) | | ![Check mark](images/checkmark.png) |
 | [12. Microsoft Account](#bkmk-microsoft-account) | | | ![Check mark](images/checkmark.png) |
 | [13. Microsoft Edge](#bkmk-edge) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
 | [14. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| [15. Offline maps](#bkmk-offlinemaps) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [15. Offline maps](#bkmk-offlinemaps) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
 | [16. OneDrive](#bkmk-onedrive) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
 | [17. Preinstalled apps](#bkmk-preinstalledapps) | ![Check mark](images/checkmark.png) | | |
 | [18. Settings > Privacy](#bkmk-settingssection) | | | |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.1 General](#bkmk-general) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.2 Location](#bkmk-priv-location) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.3 Camera](#bkmk-priv-camera) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.4 Microphone](#bkmk-priv-microphone) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.5 Notifications](#bkmk-priv-notifications) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png)|
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.6 Speech](#bkmk-priv-speech) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.7 Account info](#bkmk-priv-accounts) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.8 Contacts](#bkmk-priv-contacts) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.9 Calendar](#bkmk-priv-calendar) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.10 Call history](#bkmk-priv-callhistory) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.11 Email](#bkmk-priv-email) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.12 Messaging](#bkmk-priv-messaging) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.13 Phone calls](#bkmk-priv-phone-calls) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.14 Radios](#bkmk-priv-radios) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.15 Other devices](#bkmk-priv-other-devices) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.16 Feedback & diagnostics](#bkmk-priv-feedback) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.17 Background apps](#bkmk-priv-background) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.18 Motion](#bkmk-priv-motion) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.19 Tasks](#bkmk-priv-tasks) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |  ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.20 App Diagnostics](#bkmk-priv-diag) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |  ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.21 Inking & Typing](#bkmk-priv-ink) | ![Check mark](images/checkmark.png) | |  ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.22 Activity History](#bkmk-act-history) | ![Check mark](images/checkmark.png) |![Check mark](images/checkmark.png) |  ![Check mark](images/checkmark.png) |
-| &nbsp;&nbsp;&nbsp;&nbsp;[18.23 Voice Activation](#bkmk-voice-act) | ![Check mark](images/checkmark.png) |![Check mark](images/checkmark.png) |  ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.1 General](#bkmk-general) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.2 Location](#bkmk-priv-location) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.3 Camera](#bkmk-priv-camera) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.4 Microphone](#bkmk-priv-microphone) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.5 Notifications](#bkmk-priv-notifications) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png)|
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.6 Speech](#bkmk-priv-speech) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.7 Account info](#bkmk-priv-accounts) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.8 Contacts](#bkmk-priv-contacts) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.9 Calendar](#bkmk-priv-calendar) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.10 Call history](#bkmk-priv-callhistory) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.11 Email](#bkmk-priv-email) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.12 Messaging](#bkmk-priv-messaging) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.13 Phone calls](#bkmk-priv-phone-calls) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.14 Radios](#bkmk-priv-radios) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.15 Other devices](#bkmk-priv-other-devices) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.16 Feedback & diagnostics](#bkmk-priv-feedback) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.17 Background apps](#bkmk-priv-background) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.18 Motion](#bkmk-priv-motion) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.19 Tasks](#bkmk-priv-tasks) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |  ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.20 App Diagnostics](#bkmk-priv-diag) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) |  ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.21 Inking & Typing](#bkmk-priv-ink) | ![Check mark.](images/checkmark.png) | |  ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.22 Activity History](#bkmk-act-history) | ![Check mark.](images/checkmark.png) |![Check mark](images/checkmark.png) |  ![Check mark](images/checkmark.png) |
+| &nbsp;&nbsp;&nbsp;&nbsp;[18.23 Voice Activation](#bkmk-voice-act) | ![Check mark.](images/checkmark.png) |![Check mark](images/checkmark.png) |  ![Check mark](images/checkmark.png) |
 | [19. Software Protection Platform](#bkmk-spp) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
 | [20. Storage Health](#bkmk-storage-health) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png)  |
-| [21. Sync your settings](#bkmk-syncsettings) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [21. Sync your settings](#bkmk-syncsettings) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
 | [22. Teredo](#bkmk-teredo) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| [23. Wi-Fi Sense](#bkmk-wifisense) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [23. Wi-Fi Sense](#bkmk-wifisense) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
 | [24. Microsoft Defender Antivirus](#bkmk-defender) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| [25. Windows Spotlight](#bkmk-spotlight) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [25. Windows Spotlight](#bkmk-spotlight) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
 | [26. Microsoft Store](#bkmk-windowsstore) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
-| [27. Apps for websites](#bkmk-apps-for-websites) | | ![Check mark](images/checkmark.png) |![Check mark](images/checkmark.png) |
-| [28. Delivery Optimization](#bkmk-updates) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
+| [27. Apps for websites](#bkmk-apps-for-websites) | | ![Check mark.](images/checkmark.png) |![Check mark](images/checkmark.png) |
+| [28. Delivery Optimization](#bkmk-updates) | ![Check mark.](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
 | [29. Windows Update](#bkmk-wu) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
 | [30. Cloud Clipboard](#bkmk-clcp) | | ![Check mark](images/checkmark.png) |  |
 | [31. Services Configuration](#bkmk-svccfg) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) |
diff --git a/windows/security/identity-protection/access-control/active-directory-accounts.md b/windows/security/identity-protection/access-control/active-directory-accounts.md
index 8ac3729427..69dba47679 100644
--- a/windows/security/identity-protection/access-control/active-directory-accounts.md
+++ b/windows/security/identity-protection/access-control/active-directory-accounts.md
@@ -592,7 +592,7 @@ In this procedure, the workstations are dedicated to domain administrators. By s
 
     > **Note**&nbsp;&nbsp;You might have to delegate permissions to join computers to the domain if the account that joins the workstations to the domain does not already have them. For more information, see [Delegation of Administration in Active Directory](https://social.technet.microsoft.com/wiki/contents/articles/20292.delegation-of-administration-in-active-directory.aspx).
 
-    ![Active Directory local accounts](images/adlocalaccounts-proc1-sample1.gif)
+    ![Active Directory local accounts.](images/adlocalaccounts-proc1-sample1.gif)
 
 3.  Close Active Directory Users and Computers.
 
@@ -600,13 +600,13 @@ In this procedure, the workstations are dedicated to domain administrators. By s
 
 5.  Right-click the new OU, and &gt; **Create a GPO in this domain, and Link it here**.
 
-    ![Active Directory local accounts](images/adlocalaccounts-proc1-sample2.png)
+    ![Active Directory local accounts.](images/adlocalaccounts-proc1-sample2.png)
 
 6.  Name the GPO, and &gt; **OK**.
 
 7.  Expand the GPO, right-click the new GPO, and &gt; **Edit**.
 
-    ![Active Directory local accounts](images/adlocalaccounts-proc1-sample3.png)
+    ![Active Directory local accounts.](images/adlocalaccounts-proc1-sample3.png)
 
 8.  Configure which members of accounts can log on locally to these administrative workstations as follows:
 
@@ -625,7 +625,7 @@ In this procedure, the workstations are dedicated to domain administrators. By s
 
     5.  Click **Add User or Group**, type **Administrators**, and &gt; **OK**.
 
-        ![Active Directory local accounts](images/adlocalaccounts-proc1-sample4.png)
+        ![Active Directory local accounts.](images/adlocalaccounts-proc1-sample4.png)
 
 9.  Configure the proxy configuration:
 
@@ -633,7 +633,7 @@ In this procedure, the workstations are dedicated to domain administrators. By s
 
     2.  Double-click **Proxy Settings**, select the **Enable proxy settings** check box, type **127.0.0.1** (the network Loopback IP address) as the proxy address, and &gt; **OK**.
 
-        ![Active Directory local accounts](images/adlocalaccounts-proc1-sample5.png)
+        ![Active Directory local accounts.](images/adlocalaccounts-proc1-sample5.png)
 
 10. Configure the loopback processing mode to enable the user Group Policy proxy setting to apply to all users on the computer as follows:
 
@@ -696,11 +696,11 @@ In this procedure, the workstations are dedicated to domain administrators. By s
 
     1.  Right-click **Windows Firewall with Advanced Security LDAP://path**, and &gt; **Properties**.
 
-        ![Active Directory local accounts](images/adlocalaccounts-proc1-sample6.png)
+        ![Active Directory local accounts.](images/adlocalaccounts-proc1-sample6.png)
 
     2.  On each profile, ensure that the firewall is enabled and that inbound connections are set to **Block all connections**.
 
-        ![Active Directory local accounts](images/adlocalaccounts-proc1-sample7.png)
+        ![Active Directory local accounts.](images/adlocalaccounts-proc1-sample7.png)
 
     3.  Click **OK** to complete the configuration.
 
@@ -738,11 +738,11 @@ For this procedure, do not link accounts to the OU that contain workstations for
 
 3.  Right-click **Group Policy Objects**, and &gt; **New**.
 
-    ![Active Directory local accounts](images/adlocalaccounts-proc2-sample1.png)
+    ![Active Directory local accounts.](images/adlocalaccounts-proc2-sample1.png)
 
 4.  In the **New GPO** dialog box, name the GPO that restricts administrators from signing in to workstations, and &gt; **OK**.
 
-    ![Active Directory local accounts](images/adlocalaccounts-proc2-sample2.png)
+    ![Active Directory local accounts.](images/adlocalaccounts-proc2-sample2.png)
 
 5.  Right-click **New GPO**, and &gt; **Edit**.
 
@@ -756,7 +756,7 @@ For this procedure, do not link accounts to the OU that contain workstations for
 
     3.  Click **Add User or Group**, click **Browse**, type **Domain Admins**, and &gt; **OK**.
 
-        ![Active Directory local accounts](images/adlocalaccounts-proc2-sample3.png)
+        ![Active Directory local accounts.](images/adlocalaccounts-proc2-sample3.png)
 
         **Note**  
         You can optionally add any groups that contain server administrators who you want to restrict from signing in to workstations.
@@ -778,7 +778,7 @@ For this procedure, do not link accounts to the OU that contain workstations for
 
     3.  Click **Add User or Group** &gt; **Browse**, type **Domain Admins**, and &gt; **OK**.
 
-        ![Active Directory local accounts](images/adlocalaccounts-proc2-sample4.png)
+        ![Active Directory local accounts.](images/adlocalaccounts-proc2-sample4.png)
 
         **Note**  
         You can optionally add any groups that contain server administrators who you want to restrict from signing in to workstations.
@@ -791,7 +791,7 @@ For this procedure, do not link accounts to the OU that contain workstations for
 
     6.  Click **Add User or Group** &gt; **Browse**, type **Domain Admins**, and &gt; **OK**.
 
-        ![Active Directory local accounts](images/adlocalaccounts-proc2-sample5.png)
+        ![Active Directory local accounts.](images/adlocalaccounts-proc2-sample5.png)
 
         **Note**  
         You can optionally add any groups that contain server administrators who you want to restrict from signing in to workstations.
@@ -804,11 +804,11 @@ For this procedure, do not link accounts to the OU that contain workstations for
 
     1.  Right-click the workstation OU, and then &gt; **Link an Existing GPO**.
 
-        ![Active Directory local accounts](images/adlocalaccounts-proc2-sample6.png)
+        ![Active Directory local accounts.](images/adlocalaccounts-proc2-sample6.png)
 
     2.  Select the GPO that you just created, and &gt; **OK**.
 
-        ![Active Directory local accounts](images/adlocalaccounts-proc2-sample7.png)
+        ![Active Directory local accounts.](images/adlocalaccounts-proc2-sample7.png)
 
 10. Test the functionality of enterprise applications on workstations in the first OU and resolve any issues caused by the new policy.
 
@@ -831,7 +831,7 @@ It is a best practice to configure the user objects for all sensitive accounts i
 
 As with any configuration change, test this enabled setting fully to ensure that it performs correctly before you implement it.
 
-![Active Directory local accounts](images/adlocalaccounts-proc3-sample1.png)
+![Active Directory local accounts.](images/adlocalaccounts-proc3-sample1.png)
 
 ## <a href="" id="sec-secure-manage-dcs"></a>Secure and manage domain controllers
 
diff --git a/windows/security/identity-protection/access-control/local-accounts.md b/windows/security/identity-protection/access-control/local-accounts.md
index d67808e585..6ad17afded 100644
--- a/windows/security/identity-protection/access-control/local-accounts.md
+++ b/windows/security/identity-protection/access-control/local-accounts.md
@@ -367,15 +367,15 @@ The following table shows the Group Policy and registry settings that are used t
 
 3.  In the console tree, right-click **Group Policy Objects**, and &gt; **New**.
 
-    ![local accounts 1](images/localaccounts-proc1-sample1.png)
+    ![local accounts 1.](images/localaccounts-proc1-sample1.png)
 
 4.  In the **New GPO** dialog box, type &lt;**gpo\_name**&gt;, and &gt; **OK** where *gpo\_name* is the name of the new GPO. The GPO name indicates that the GPO is used to restrict local administrator rights from being carried over to another computer.
 
-    ![local accounts 2](images/localaccounts-proc1-sample2.png)
+    ![local accounts 2.](images/localaccounts-proc1-sample2.png)
 
 5.  In the details pane, right-click &lt;**gpo\_name**&gt;, and &gt; **Edit**.
 
-    ![local accounts 3](images/localaccounts-proc1-sample3.png)
+    ![local accounts 3.](images/localaccounts-proc1-sample3.png)
 
 6.  Ensure that UAC is enabled and that UAC restrictions apply to the default Administrator account by doing the following:
 
@@ -391,7 +391,7 @@ The following table shows the Group Policy and registry settings that are used t
 
     2.  Right-click **Registry**, and &gt; **New** &gt; **Registry Item**.
 
-        ![local accounts 4](images/localaccounts-proc1-sample4.png)
+        ![local accounts 4.](images/localaccounts-proc1-sample4.png)
 
     3.  In the **New Registry Properties** dialog box, on the **General** tab, change the setting in the **Action** box to **Replace**.
 
@@ -407,7 +407,7 @@ The following table shows the Group Policy and registry settings that are used t
 
     9.  Verify this configuration, and &gt; **OK**.
 
-        ![local accounts 5](images/localaccounts-proc1-sample5.png)
+        ![local accounts 5.](images/localaccounts-proc1-sample5.png)
 
 8.  Link the GPO to the first **Workstations** organizational unit (OU) by doing the following:
 
@@ -415,7 +415,7 @@ The following table shows the Group Policy and registry settings that are used t
 
     2.  Right-click the **Workstations** OU, and &gt; **Link an existing GPO**.
 
-        ![local accounts 6](images/localaccounts-proc1-sample6.png)
+        ![local accounts 6.](images/localaccounts-proc1-sample6.png)
 
     3.  Select the GPO that you just created, and &gt; **OK**.
 
@@ -495,11 +495,11 @@ The following table shows the Group Policy settings that are used to deny networ
 
 4.  In the **New GPO** dialog box, type &lt;**gpo\_name**&gt;, and then &gt; **OK** where *gpo\_name* is the name of the new GPO indicates that it is being used to restrict the local administrative accounts from interactively signing in to the computer.
 
-    ![local accounts 7](images/localaccounts-proc2-sample1.png)
+    ![local accounts 7.](images/localaccounts-proc2-sample1.png)
 
 5.  In the details pane, right-click &lt;**gpo\_name**&gt;, and &gt; **Edit**.
 
-    ![local accounts 8](images/localaccounts-proc2-sample2.png)
+    ![local accounts 8.](images/localaccounts-proc2-sample2.png)
 
 6.  Configure the user rights to deny network logons for administrative local accounts as follows:
 
diff --git a/windows/security/identity-protection/access-control/security-identifiers.md b/windows/security/identity-protection/access-control/security-identifiers.md
index e770d29de4..be0a573f71 100644
--- a/windows/security/identity-protection/access-control/security-identifiers.md
+++ b/windows/security/identity-protection/access-control/security-identifiers.md
@@ -52,7 +52,7 @@ SIDs always remain unique. Security authorities never issue the same SID twice,
 
 A security identifier is a data structure in binary format that contains a variable number of values. The first values in the structure contain information about the SID structure. The remaining values are arranged in a hierarchy (similar to a telephone number), and they identify the SID-issuing authority (for example, “NT Authority”), the SID-issuing domain, and a particular security principal or group. The following image illustrates the structure of a SID.
 
-![Security identifier architecture](images/security-identifider-architecture.jpg)
+![Security identifier architecture.](images/security-identifider-architecture.jpg)
 
 The individual values of a SID are described in the following table.
 
diff --git a/windows/security/identity-protection/access-control/security-principals.md b/windows/security/identity-protection/access-control/security-principals.md
index 26564af45a..293acd13c9 100644
--- a/windows/security/identity-protection/access-control/security-principals.md
+++ b/windows/security/identity-protection/access-control/security-principals.md
@@ -42,7 +42,7 @@ The following diagram illustrates the Windows authorization and access control
 
 **Authorization and access control process**
 
-![authorization and access control process](images/authorizationandaccesscontrolprocess.gif)
+![authorization and access control process.](images/authorizationandaccesscontrolprocess.gif)
 
 Security principals are closely related to the following components and technologies:
 
diff --git a/windows/security/identity-protection/configure-s-mime.md b/windows/security/identity-protection/configure-s-mime.md
index f055141697..9423de2923 100644
--- a/windows/security/identity-protection/configure-s-mime.md
+++ b/windows/security/identity-protection/configure-s-mime.md
@@ -52,11 +52,11 @@ On the device, perform the following steps: (add select certificate)
 
 2.  Open **Settings** by tapping the gear icon on a PC, or the ellipsis (...) and then the gear icon on a phone.
 
-	:::image type="content" alt-text="settings icon in mail app" source="images/mailsettings.png":::
+	:::image type="content" alt-text="settings icon in mail app." source="images/mailsettings.png":::
 
 3.  Tap **Email security**.
 
-	:::image type="content" alt-text="email security settings" source="images/emailsecurity.png":::
+	:::image type="content" alt-text="email security settings." source="images/emailsecurity.png":::
 
 4.  In **Select an account**, select the account for which you want to configure S/MIME options.
 
@@ -77,7 +77,7 @@ On the device, perform the following steps: (add select certificate)
 
 2.  Use **Sign** and **Encrypt** icons to turn on digital signature and encryption for this message.
 
-	:::image type="content" alt-text="sign or encrypt message" source="images/signencrypt.png":::
+	:::image type="content" alt-text="sign or encrypt message." source="images/signencrypt.png":::
 
 ## Read signed or encrypted messages
 
@@ -93,5 +93,5 @@ When you receive a signed email, the app provide feature to install correspondin
 
 3.  Tap **Install.**
 
-	:::image type="content" alt-text="message security information" source="images/installcert.png":::
+	:::image type="content" alt-text="message security information." source="images/installcert.png":::
  
\ No newline at end of file
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md b/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md
index 8d0219c5dd..b122158529 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md
@@ -33,7 +33,7 @@ When Windows Defender Credential Guard is enabled, Kerberos does not allow uncon
 
 Here's a high-level overview on how the LSA is isolated by using virtualization-based security:
 
-![Windows Defender Credential Guard overview](images/credguard.png)  
+![Windows Defender Credential Guard overview.](images/credguard.png)  
 
 ## See also
 
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
index c737034fd5..936172770d 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
@@ -45,7 +45,7 @@ You can use Group Policy to enable Windows Defender Credential Guard. This will
 
 5.  In the **Secure Launch Configuration** box, choose **Not Configured**, **Enabled** or **Disabled**. Check [this article](../../threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md) for more details.
 
-    ![Windows Defender Credential Guard Group Policy setting](images/credguard-gp-2.png)
+    ![Windows Defender Credential Guard Group Policy setting.](images/credguard-gp-2.png)
 
 6.  Close the Group Policy Management Console.
 
@@ -168,7 +168,7 @@ You can view System Information to check that Windows Defender Credential Guard
     Here's an example:
 
     > [!div class="mx-imgBorder"]
-    > ![System Information](images/credguard-msinfo32.png)
+    > ![System Information.](images/credguard-msinfo32.png)
 
 You can also check that Windows Defender Credential Guard is running by using the [HVCI and Windows Defender Credential Guard hardware readiness tool](dg-readiness-tool.md).
 
diff --git a/windows/security/identity-protection/enterprise-certificate-pinning.md b/windows/security/identity-protection/enterprise-certificate-pinning.md
index 8a678b6ff4..fea29a3fc3 100644
--- a/windows/security/identity-protection/enterprise-certificate-pinning.md
+++ b/windows/security/identity-protection/enterprise-certificate-pinning.md
@@ -176,7 +176,7 @@ Certutil writes the binary information to the following registration location:
 | Value | Binary contents from the certificate pin rules certificate trust list file |
 | Data type | REG_BINARY |
 
-![Registry binary information](images/enterprise-pinning-registry-binary-information.png)
+![Registry binary information.](images/enterprise-pinning-registry-binary-information.png)
 
 ### Deploying Enterprise Pin Rule Settings using Group Policy
 
@@ -203,7 +203,7 @@ Sign-in to the reference computer using domain administrator equivalent credenti
 
 11. The **Key Path** should contain the selected registry key. The **Value name** configuration should contain the registry value name **_PinRules_**. **Value type** should read **_REG\_BINARY_** and **Value data** should contain a long series of numbers from 0-9 and letters ranging from A-F (hexadecimal).  Click **OK** to save your settings and close the dialog box.
 
-    ![PinRules Properties](images/enterprise-certificate-pinning-pinrules-properties.png)
+    ![PinRules Properties.](images/enterprise-certificate-pinning-pinrules-properties.png)
 
 12. Close the **Group Policy Management Editor** to save your settings.
 13. Link the **Enterprise Certificate Pinning Rules** Group Policy object to apply to computers that run Windows 10, version 1703 in your enterprise. When these domain-joined computers apply Group Policy, the registry information configured in the Group Policy object is applied to the computer.
@@ -258,7 +258,7 @@ These dates must be properly formatted and represented in UTC.
 You can use Windows PowerShell to format these dates.  
 You can then copy and paste the output of the cmdlet into the XML file. 
 
-![Representing a date](images/enterprise-certificate-pinning-representing-a-date.png)
+![Representing a date.](images/enterprise-certificate-pinning-representing-a-date.png)
 
 For simplicity, you can truncate decimal point (.) and the numbers after it. 
 However, be certain to append the uppercase “Z” to the end of the XML date string.
@@ -272,7 +272,7 @@ However, be certain to append the uppercase “Z” to the end of the XML date s
 
 You can also use Windows PowerShell to validate convert an XML date into a human readable date to validate it’s the correct date.
 
-![Converting an XML date](images/enterprise-certificate-pinning-converting-an-xml-date.png)
+![Converting an XML date.](images/enterprise-certificate-pinning-converting-an-xml-date.png)
 
 ## Representing a Duration in XML
 
@@ -280,13 +280,13 @@ Some elements may be configured to use a duration rather than a date.
 You must represent the duration as an XML timespan data type. 
 You can use Windows PowerShell to properly format and validate durations (timespans) and copy and paste them into your XML file.
 
-![Representing a duration](images/enterprise-certificate-pinning-representing-a-duration.png)
+![Representing a duration.](images/enterprise-certificate-pinning-representing-a-duration.png)
 
 ## Converting an XML Duration
 
 You can convert a XML formatted timespan into a timespan variable that you can read. 
 
-![Converting an XML duration](images/enterprise-certificate-pinning-converting-a-duration.png)
+![Converting an XML duration.](images/enterprise-certificate-pinning-converting-a-duration.png)
 
 ## Certificate Trust List XML Schema Definition (XSD)
 
diff --git a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
index b7018e4477..f80ffec25c 100644
--- a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
+++ b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
@@ -372,11 +372,11 @@ The Group Policy object contains the policy settings needed to trigger Windows H
 
 7. Expand **Administrative Templates > Windows Component**, and select **Windows Hello for Business**.
 
-   ![Group Policy Editor](images/multifactorUnlock/gpme.png)
+   ![Group Policy Editor.](images/multifactorUnlock/gpme.png)
    
 8. In the content pane, double-click **Configure device unlock factors**. Click **Enable**.  The **Options** section populates the policy setting with default values.
 
-   ![Multifactor Policy Setting](images/multifactorUnlock/gp-setting.png)
+   ![Multifactor Policy Setting.](images/multifactorUnlock/gp-setting.png)
    
 9. Configure first and second unlock factors using the information in [Configure Unlock Factors](#configuring-unlock-factors).
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md
index 16be1aa6bc..25d27e28d3 100644
--- a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md
+++ b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md
@@ -38,23 +38,23 @@ Determining an adequate number of Windows Server domain controllers is important
 
 Consider a controlled environment where there are 1000 client computers and the authentication load of these 1000 client computers is evenly distributed across 10 domain controllers in the environment. The Kerberos AS requests load would look something like the following:
 
-![dc-chart1](images/plan/dc-chart1.png)
+![dc-chart1.](images/plan/dc-chart1.png)
 
 The environment changes. The first change includes DC1 upgraded to Windows Server 2016 or later to support Windows Hello for Business key-trust authentication. Next, 100 clients enroll for Windows Hello for Business using the public key trust deployment. Given all other factors stay constant, the authentication would now look like the following:
 
-![dc-chart2](images/plan/dc-chart2.png)
+![dc-chart2.](images/plan/dc-chart2.png)
 
 The Windows Server 2016 or later domain controller is handling 100 percent of all public key trust authentication. However, it is also handling 10 percent of password authentication. Why? This behavior occurs because domain controllers 2 - 10 only support password and certificate trust authentication; only a Windows Server 2016 and above domain controller supports public key trust authentication. The Windows Server 2016 and above domain controller still understands how to authenticate password and certificate trust authentication and will continue to share the load of authenticating those clients. Because DC1 can handle all forms of authentication, it will bear more of the authentication load, and easily become overloaded. What if another Windows Server 2016 or later domain controller is added, but without deploying Windows Hello for Business to any more clients?
 
-![dc-chart3](images/plan/dc-chart3.png)
+![dc-chart3.](images/plan/dc-chart3.png)
 
 Upgrading another domain controller to Windows Server 2016 or later distributes the public key trust authentication across two domain controllers - each supporting 50 percent of the load.  But it doesn't change the distribution of password and certificate trust authentication. Both Windows Server 2019 domain controllers still share 10 percent of this load. Now look at the scenario when half of the domain controllers are upgraded to Windows Server 2016 or later, but the number of WHFB clients remains the same.
 
-![dc-chart4](images/plan/dc-chart4.png)
+![dc-chart4.](images/plan/dc-chart4.png)
 
 Domain controllers 1 through 5 now share the public key trust authentication load where each domain controller handles 20 percent of the public key trust load but they each still handle 10 percent of the password and certificate trust authentication. These domain controllers still have a heavier load than domain controllers 6 through 10; however, the load is adequately distributed. Now look the scenario when half of the client computers are upgraded to Windows Hello for Business using a key-trust deployment.
 
-![dc-chart5](images/plan/dc-chart5.png)
+![dc-chart5.](images/plan/dc-chart5.png)
 
 You'll notice the distribution did not change.  Each Windows Server 2016 or later domain controller handles 20 percent of the public key trust authentication. However, increasing the volume of authentication (by increasing the number of clients) increases the amount of work that is represented by the same 20 percent. In the previous example, 20 percent of public key trust authentication equated to a volume of 20 authentications per domain controller capable of public key trust authentication. However, with upgraded clients, that same 20 percent represents a volume of 100 public key trust authentications per public key trust capable domain controller. Also, the distribution of non-public key trust authentication remained at 10 percent, but the volume of password and certificate trust authentications decreased across the older domain controllers.
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
index ab73eab4f9..f354ae19d4 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-adfs.md
@@ -91,7 +91,7 @@ Sign-in the federation server with domain administrator equivalent credentials.
 5. Click **Next** on the **Select Certificate Enrollment Policy** page.
 6. On the **Request Certificates** page, Select the **Internal Web Server** check box.
 7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link   
-    ![Example of Certificate Properties Subject Tab - This is what shows when you click the above link](images/hello-internal-web-server-cert.png)
+    ![Example of Certificate Properties Subject Tab - This is what shows when you click the above link.](images/hello-internal-web-server-cert.png)
 8. Under **Subject name**, select **Common Name** from the **Type** list.  Type the FQDN of the computer hosting the Active Directory Federation Services role and then click **Add**.  
 9. Under **Alternative name**, select **DNS** from the **Type** list.  Type the FQDN of the name you will use for your federation services (fs.corp.contoso.com). The name you use here MUST match the name you use when configuring the Active Directory Federation Services server role.  Click **Add**. Repeat the same to add device registration service name (*enterpriseregistration.contoso.com*) as another alternative name. Click **OK** when finished.
 10. Click **Enroll**.
@@ -184,7 +184,7 @@ Sign-in the federation server with _domain administrator_ equivalent credentials
 
 1. Start **Server Manager**.
 2. Click the notification flag in the upper right corner. Click **Configure federation services on this server**.
-![Example of pop-up notification as described above](images/hello-adfs-configure-2012r2.png)
+![Example of pop-up notification as described above.](images/hello-adfs-configure-2012r2.png)
 3. On the **Welcome** page, click **Create the first federation server farm** and click **Next**.
 4. Click **Next** on the **Connect to Active Directory Domain Services** page.
 5. On the **Specify Service Properties** page, select the recently enrolled or imported certificate from the **SSL Certificate** list.  The certificate is likely named after your federation service, such as *fs.corp.contoso.com* or *fs.contoso.com*.
@@ -204,7 +204,7 @@ Sign-in the federation server with _domain administrator_ equivalent credentials
 
 1. Start **Server Manager**.
 2. Click the notification flag in the upper right corner.  Click **Configure federation services on this server**.
-![Example of pop-up notification as described above](images/hello-adfs-configure-2012r2.png)
+![Example of pop-up notification as described above.](images/hello-adfs-configure-2012r2.png)
 3. On the **Welcome** page, click **Create the first federation server farm** and click **Next**.
 4. Click **Next** on the **Connect to Active Directory Domain Services** page.
 5. On the **Specify Service Properties** page, select the recently enrolled or imported certificate from the **SSL Certificate** list. The certificate is likely named after your federation service, such as fs.corp.mstepdemo.net or fs.mstepdemo.net.
@@ -456,7 +456,7 @@ Sign-in the federation server with _Enterprise Admin_ equivalent credentials.
 6. On the **Select server roles** page, click **Next**.
 7. Select **Network Load Balancing** on the **Select features** page.
 8. Click **Install** to start the feature installation.
-   ![Feature selection screen with NLB selected](images/hello-nlb-feature-install.png)
+   ![Feature selection screen with NLB selected.](images/hello-nlb-feature-install.png)
 
 ### Configure Network Load Balancing for AD FS
 
@@ -465,25 +465,25 @@ Before you can load balance all the nodes in the AD FS farm, you must first crea
 Sign-in a node of the federation farm with _Admin_ equivalent credentials.
 
 1. Open **Network Load Balancing Manager** from **Administrative Tools**.
-    ![NLB Manager user interface](images/hello-nlb-manager.png)
+    ![NLB Manager user interface.](images/hello-nlb-manager.png)
 2. Right-click **Network Load Balancing Clusters**, and then click **New Cluster**.
 3. To connect to the host that is to be a part of the new cluster, in the **Host** text box, type the name of the host, and then click **Connect**.
-    ![NLB Manager - Connect to new Cluster screen](images/hello-nlb-connect.png)
+    ![NLB Manager - Connect to new Cluster screen.](images/hello-nlb-connect.png)
 4. Select the interface that you want to use with the cluster, and then click **Next**. (The interface hosts the virtual IP address and receives the client traffic to load balance.)
 5. In **Host Parameters**, select a value in **Priority (Unique host identifier)**. This parameter specifies a unique ID for each host. The host with the lowest numerical priority among the current members of the cluster handles all of the cluster's network traffic that is not covered by a port rule. Click **Next**.
 6. In **Cluster IP Addresses**, click **Add** and type the cluster IP address that is shared by every host in the cluster. NLB adds this IP address to the TCP/IP stack on the selected interface of all hosts that are chosen to be part of the cluster. Click **Next**.
-    ![NLB Manager - Add IP to New Cluster screen](images/hello-nlb-add-ip.png)
+    ![NLB Manager - Add IP to New Cluster screen.](images/hello-nlb-add-ip.png)
 7. In **Cluster Parameters**, select values in **IP Address** and **Subnet mask** (for IPv6 addresses, a subnet mask value is not needed). Type the full Internet name that users will use to access this NLB cluster.
-    ![NLB Manager - Cluster IP Configuration screen](images/hello-nlb-cluster-ip-config.png)
+    ![NLB Manager - Cluster IP Configuration screen.](images/hello-nlb-cluster-ip-config.png)
 8. In **Cluster operation mode**, click **Unicast** to specify that a unicast media access control (MAC) address should be used for cluster operations. In unicast mode, the MAC address of the cluster is assigned to the network adapter of the computer, and the built-in MAC address of the network adapter is not used. We recommend that you accept the unicast default settings. Click **Next**.
 9. In Port Rules, click Edit to modify the default port rules to use port 443.
-    ![NLB Manager - Add\Edit Port Rule screen](images/hello-nlb-cluster-port-rule.png)
+    ![NLB Manager - Add\Edit Port Rule screen.](images/hello-nlb-cluster-port-rule.png)
 
 ### Additional AD FS Servers
 
 1. To add more hosts to the cluster, right-click the new cluster, and then click **Add Host to Cluster**.
 2. Configure the host parameters (including host priority, dedicated IP addresses, and load weight) for the additional hosts by following the same instructions that you used to configure the initial host. Because you are adding hosts to an already configured cluster, all the cluster-wide parameters remain the same.
-    ![NLB Manager - Cluster with nodes](images/hello-nlb-cluster.png)
+    ![NLB Manager - Cluster with nodes.](images/hello-nlb-cluster.png)
 
 ## Configure DNS for Device Registration
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
index 0686de8a9a..57f12a0692 100644
--- a/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
+++ b/windows/security/identity-protection/hello-for-business/hello-cert-trust-validate-ad-prereq.md
@@ -34,7 +34,7 @@ To locate the schema master role holder, open and command prompt and type:
 
 ```Netdom query fsmo | findstr -i “schema”```
 
-![Netdom example output](images/hello-cmd-netdom.png)
+![Netdom example output.](images/hello-cmd-netdom.png)
 
 The command should return the name of the domain controller where you need to adprep.exe.  Update the schema locally on the domain controller hosting the Schema master role.
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md
index bafde6afc2..0bbce98b00 100644
--- a/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-deployment-rdp-certs.md
@@ -51,7 +51,7 @@ Three approaches are documented here:
 
 1. Right-click the **Smartcard Logon** template and click **Duplicate Template**
 
-    ![Duplicating Smartcard Template](images/rdpcert/duplicatetemplate.png)
+    ![Duplicating Smartcard Template.](images/rdpcert/duplicatetemplate.png)
 
 1. On the **Compatibility** tab:
     1. Clear the **Show resulting changes** check box
@@ -109,7 +109,7 @@ Three approaches are documented here:
 
 1. In the Certificate Authority console, right-click **Certificate Templates**, select **New**, and select **Certificate Template to Issue**
 
-    ![Selecting Certificate Template to Issue](images/rdpcert/certificatetemplatetoissue.png)
+    ![Selecting Certificate Template to Issue.](images/rdpcert/certificatetemplatetoissue.png)
 
 1. From the list of templates, select the template you previously created (**WHFB Certificate Authentication**) and click **OK**. It can take some time for the template to replicate to all servers and become available in this list.
 
@@ -123,7 +123,7 @@ Three approaches are documented here:
 
 1. In the left pane of the MMC, right-click **Personal**, click **All Tasks**, and then click **Request New Certificate…**
 
-    ![Request a new certificate](images/rdpcert/requestnewcertificate.png)
+    ![Request a new certificate.](images/rdpcert/requestnewcertificate.png)
 
 1. On the Certificate Enrollment screen, click **Next**.
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
index 476aed7683..48a0d130df 100644
--- a/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
+++ b/windows/security/identity-protection/hello-for-business/hello-errors-during-pin-creation.md
@@ -29,7 +29,7 @@ When you set up Windows Hello in Windows 10, you may get an error during the **
 
 The following image shows an example of an error during **Create a PIN**.
 
-![PIN error](images/pinerror.png)
+![PIN error.](images/pinerror.png)
 
 ## Error mitigations
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
index 0ecc622ba4..2fbed0b012 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-pin-reset.md
@@ -97,20 +97,20 @@ Before you can remotely reset PINs, you must on-board the Microsoft PIN reset se
 
 1. After you have logged in, choose **Accept** to give consent for the PIN reset service to access your account.
 
-   ![PIN reset service application in Azure](images/pinreset/pin-reset-service-prompt.png)
+   ![PIN reset service application in Azure.](images/pinreset/pin-reset-service-prompt.png)
 
 1. Go to the [Microsoft PIN Reset Client Production website](https://login.windows.net/common/oauth2/authorize?response_type=code&client_id=9115dd05-fad5-4f9c-acc7-305d08b1b04e&resource=https%3A%2F%2Fcred.microsoft.com%2F&redirect_uri=ms-appx-web%3A%2F%2FMicrosoft.AAD.BrokerPlugin%2F9115dd05-fad5-4f9c-acc7-305d08b1b04e&state=6765f8c5-f4a7-4029-b667-46a6776ad611&prompt=admin_consent), and sign in using the Global administrator account you use to manage your Azure Active Directory tenant.
 
 1. After you have logged in, choose **Accept** to give consent for the PIN reset client to access your account.
 
-   ![PIN reset client application in Azure](images/pinreset/pin-reset-client-prompt.png)
+   ![PIN reset client application in Azure.](images/pinreset/pin-reset-client-prompt.png)
 
    > [!NOTE]
    > After you have accepted the PIN reset service and client requests, you will land on a page that states "You do not have permission to view this directory or page." This behavior is expected. Be sure to confirm that the two PIN reset applications are listed for your tenant.
 
 1. In the [Azure portal](https://portal.azure.com), verify that the Microsoft PIN Reset Service and Microsoft PIN Reset Client are integrated from the **Enterprise applications** blade. Filter to application status "Enabled" and both Microsoft Pin Reset Service Production and Microsoft Pin Reset Client Production will show up in your tenant.
 
-   :::image type="content" alt-text="PIN reset service permissions page" source="images/pinreset/pin-reset-applications.png" lightbox="images/pinreset/pin-reset-applications.png":::
+   :::image type="content" alt-text="PIN reset service permissions page." source="images/pinreset/pin-reset-applications.png" lightbox="images/pinreset/pin-reset-applications.png":::
 
 ### Configure Windows devices to use PIN reset using Group Policy
 
@@ -210,7 +210,7 @@ The [ConfigureWebSignInAllowedUrls](/windows/client-management/mdm/policy-csp-au
     - **Data type:** String
     - **Value**: Provide a semicolon delimited list of domains needed for authentication during the PIN reset scenario. An example value would be _signin.contoso.com;portal.contoso.com_ (without quotation marks)
 
-    :::image type="content" alt-text="Custom Configuration for ConfigureWebSignInAllowedUrls policy" source="images/pinreset/allowlist.png" lightbox="images/pinreset/allowlist.png":::
+    :::image type="content" alt-text="Custom Configuration for ConfigureWebSignInAllowedUrls policy." source="images/pinreset/allowlist.png" lightbox="images/pinreset/allowlist.png":::
 
 1. Click the Save button to save the custom configuration.
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md
index 30dc6c78e6..b5361a656c 100644
--- a/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md
+++ b/windows/security/identity-protection/hello-for-business/hello-feature-remote-desktop.md
@@ -55,7 +55,7 @@ Windows Hello for Business emulates a smart card for application compatibility.
 Users appreciate convenience of biometrics and administrators value the security however, you may experience compatibility issues with your applications and Windows Hello for Business certificates.  You can relax knowing a Group Policy setting and a [MDM URI](/windows/client-management/mdm/passportforwork-csp) exist to help you revert to the previous behavior for those users who need it.
 
 > [!div class="mx-imgBorder"]
-> ![WHFB Certificate GP Setting](images/rdpbio/rdpbiopolicysetting.png)
+> ![WHFB Certificate GP Setting.](images/rdpbio/rdpbiopolicysetting.png)
 
 > [!IMPORTANT]
 > The remote desktop with biometric feature does not work with [Dual Enrollment](hello-feature-dual-enrollment.md) feature or scenarios where the user provides alternative credentials.  Microsoft continues to investigate supporting the feature.
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
index a90f1587c2..1efcc90b24 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-authentication.md
@@ -31,7 +31,7 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c
 
 
 ## Azure AD join authentication to Azure Active Directory
-![Azure AD join authentication to Azure Active Directory](images/howitworks/auth-aadj-cloud.png)
+![Azure AD join authentication to Azure Active Directory.](images/howitworks/auth-aadj-cloud.png)
 
 | Phase  | Description  |
 | :----: | :----------- |
@@ -42,7 +42,7 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c
 |E | The Cloud AP provider returns a successful authentication response to lsass. Lsass caches the PRT, and informs winlogon of the success authentication.  Winlogon creates a logon session, loads the user's profile, and starts explorer.exe.| 
 
 ## Azure AD join authentication to Active Directory using a Key
-![Azure AD join authentication to Active Directory using a Key](images/howitworks/auth-aadj-keytrust-kerb.png)
+![Azure AD join authentication to Active Directory using a Key.](images/howitworks/auth-aadj-keytrust-kerb.png)
 
 
 | Phase  | Description  |
@@ -56,7 +56,7 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c
 
 
 ## Azure AD join authentication to Active Directory using a Certificate
-![Azure AD join authentication to Active Directory using a Certificate](images/howitworks/auth-aadj-certtrust-kerb.png)
+![Azure AD join authentication to Active Directory using a Certificate.](images/howitworks/auth-aadj-certtrust-kerb.png)
 
 | Phase  | Description  |
 | :----: | :----------- |
@@ -69,7 +69,7 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c
 
 
 ## Hybrid Azure AD join authentication using a Key
-![Hybrid Azure AD join authentication using a Key](images/howitworks/auth-haadj-keytrust.png)
+![Hybrid Azure AD join authentication using a Key.](images/howitworks/auth-haadj-keytrust.png)
 
 | Phase  | Description  |
 | :----: | :----------- |
@@ -85,7 +85,7 @@ Azure Active Directory joined devices authenticate to Azure during sign-in and c
 > In the above deployment model, a newly provisioned user will not be able to sign in using Windows Hello for Business until (a) Azure AD Connect successfully synchronizes the public key to the on-premises Active Directory and (b) device has line of sight to the domain controller for the first time.
 
 ## Hybrid Azure AD join authentication using a Certificate
-![Hybrid Azure AD join authentication using a Certificate](images/howitworks/auth-haadj-certtrust.png)
+![Hybrid Azure AD join authentication using a Certificate.](images/howitworks/auth-haadj-certtrust.png)
 
 | Phase  | Description  |
 | :----: | :----------- |
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
index 0fb161ccb5..20008e7565 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
@@ -37,7 +37,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
 
 
 ## Azure AD joined provisioning in a Managed environment
-![Azure AD joined provisioning in a Managed environment](images/howitworks/prov-aadj-managed.png)
+![Azure AD joined provisioning in a Managed environment.](images/howitworks/prov-aadj-managed.png)
 
 | Phase  | Description  |
 | :----: | :----------- |
@@ -48,7 +48,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
 
 [Return to top](#windows-hello-for-business-provisioning)
 ## Azure AD joined provisioning in a Federated environment
-![Azure AD joined provisioning in a Managed environment](images/howitworks/prov-aadj-federated.png)
+![Azure AD joined provisioning in a Managed environment.](images/howitworks/prov-aadj-federated.png)
 
 | Phase  | Description  |
 | :----: | :----------- |
@@ -58,7 +58,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
 
 [Return to top](#windows-hello-for-business-provisioning)
 ## Hybrid Azure AD joined provisioning in a Key Trust deployment in a Managed environment
-![Hybrid Azure AD joined provisioning in a Key Trust deployment in a Managed environment](images/howitworks/prov-haadj-keytrust-managed.png)
+![Hybrid Azure AD joined provisioning in a Key Trust deployment in a Managed environment.](images/howitworks/prov-haadj-keytrust-managed.png)
 
 
 | Phase | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               |
@@ -76,7 +76,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
 
 [Return to top](#windows-hello-for-business-provisioning)
 ## Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Federated environment
-![Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Federated environment](images/howitworks/prov-haadj-instant-certtrust-federated.png)
+![Hybrid Azure AD joined provisioning in a synchronous Certificate Trust deployment in a Federated environment.](images/howitworks/prov-haadj-instant-certtrust-federated.png)
 
 
 | Phase | Description                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   |
@@ -94,7 +94,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
 
 [Return to top](#windows-hello-for-business-provisioning)
 ## Domain joined provisioning in an On-premises Key Trust deployment
-![Domain joined provisioning in an On-premises Key Trust deployment](images/howitworks/prov-onprem-keytrust.png)
+![Domain joined provisioning in an On-premises Key Trust deployment.](images/howitworks/prov-onprem-keytrust.png)
 
 | Phase  | Description  |
 | :----: | :----------- |
@@ -105,7 +105,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
 
 [Return to top](#windows-hello-for-business-provisioning)
 ## Domain joined provisioning in an On-premises Certificate Trust deployment
-![Domain joined provisioning in an On-premises Certificate Trust deployment](images/howitworks/prov-onprem-certtrust.png)
+![Domain joined provisioning in an On-premises Certificate Trust deployment.](images/howitworks/prov-onprem-certtrust.png)
 
 | Phase  | Description  |
 | :----: | :----------- |
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
index 8e0a208a86..13246cec6f 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
@@ -40,19 +40,19 @@ Before adding Azure Active Directory (Azure AD) joined devices to your existing
 Azure AD join, as well as hybrid Azure AD join devices register the user's Windows Hello for Business credential with Azure.  To enable on-premises authentication, the credential must be synchronized to the on-premises Active Directory, regardless whether you are using a key or a certificate.  Ensure you have Azure AD Connect installed and functioning properly.  To learn more about Azure AD Connect, read [Integrate your on-premises directories with Azure Active Directory](/azure/active-directory/connect/active-directory-aadconnect).
 
 If you upgraded your Active Directory schema to the Windows Server 2016 schema after installing Azure AD Connect, run Azure AD Connect and run **Refresh directory schema** from the list of tasks.
-![Azure AD Connect Schema Refresh](images/aadj/aadconnectschema.png)
+![Azure AD Connect Schema Refresh.](images/aadj/aadconnectschema.png)
 
 ### Azure Active Directory Device Registration
 A fundamental prerequisite of all cloud and hybrid Windows Hello for Business deployments is device registration.  A user cannot provision Windows Hello for Business unless the device from which they are trying to provision has registered with Azure Active Directory.  For more information about device registration, read [Introduction to device management in Azure Active Directory](/azure/active-directory/devices/overview).
 
 You can use the **dsregcmd.exe** command to determine if your device is registered to Azure Active Directory.
-![dsregcmd output](images/aadj/dsregcmd.png)
+![dsregcmd output.](images/aadj/dsregcmd.png)
 
 ### CRL Distribution Point (CDP)
 
 Certificates issued by a certificate authority can be revoked.  When a certificate authority revokes as certificate, it writes information about the certificate into a revocation list.  During certificate validation, Windows 10 consults the CRL distribution point within the certificate to get a list of revoked certificates.  Validation compares the current certificate with information in the certificate revocation list to determine if the certificate remains valid.  
 
-![Domain Controller Certificate with LDAP CDP](images/aadj/Certificate-CDP.png)
+![Domain Controller Certificate with LDAP CDP.](images/aadj/Certificate-CDP.png)
 
 The preceding domain controller certificate shows a CRL distribution path (CDP) using Active Directory.  You can determine this because the value in the URL begins with **ldap**.  Using Active Directory for domain joined devices provides a highly available CRL distribution point.  However, Azure Active Directory joined devices and users on Azure Active Directory joined devices cannot read data from Active Directory, and certificate validation does not provide an opportunity to authenticate prior to reading the certificate revocation list.  This becomes a circular problem as the user is attempting to authenticate, but must read Active Directory to complete the authentication, but the user cannot read Active Directory because they have not authenticated.
 
@@ -122,16 +122,16 @@ You need to host your new certificate revocation list of a web server so Azure A
 1. From **Windows Administrative Tools**, Open **Internet Information Services (IIS) Manager**.
 2. Expand the navigation pane to show **Default Web Site**.  Select and then right-click **Default Web site** and click **Add Virtual Directory...**.
 3. In the **Add Virtual Directory** dialog box, type **cdp** in **alias**.  For physical path, type or browse for the physical file location where you will host the certificate revocation list.  For this example, the path **c:\cdp** is used. Click **OK**.
-   ![Add Virtual Directory](images/aadj/iis-add-virtual-directory.png) 
+   ![Add Virtual Directory.](images/aadj/iis-add-virtual-directory.png) 
    > [!NOTE]
    > Make note of this path as you will use it later to configure share and file permissions.
 
 4. Select **CDP** under **Default Web Site** in the navigation pane.  Double-click **Directory Browsing** in the content pane.  Click **Enable** in the details pane.
 5. Select **CDP** under **Default Web Site** in the navigation pane.  Double-click **Configuration Editor**.
 6. In the **Section** list, navigate to **system.webServer/security/requestFiltering**.
-   ![IIS Configuration Editor requestFiltering](images/aadj/iis-config-editor-requestFiltering.png)   
+   ![IIS Configuration Editor requestFiltering.](images/aadj/iis-config-editor-requestFiltering.png)   
    In the list of named value-pairs in the content pane, configure **allowDoubleEscaping** to **True**.  Click **Apply** in the actions pane.
-   ![IIS Configuration Editor double escaping](images/aadj/iis-config-editor-allowDoubleEscaping.png)
+   ![IIS Configuration Editor double escaping.](images/aadj/iis-config-editor-allowDoubleEscaping.png)
 7. Close **Internet Information Services (IIS) Manager**. 
 
 #### Create a DNS resource record for the CRL distribution point URL 
@@ -139,7 +139,7 @@ You need to host your new certificate revocation list of a web server so Azure A
 1. On your DNS server or from an administrative workstation, open **DNS Manager** from **Administrative Tools**.
 2. Expand **Forward Lookup Zones** to show the DNS zone for your domain.  Right-click your domain name in the navigation pane and click **New Host (A or AAAA)...**.
 3. In the **New Host** dialog box, type **crl** in **Name**.  Type the IP address of the web server you configured in **IP Address**. Click **Add Host**.  Click **OK** to close the **DNS** dialog box.  Click **Done**.
-![Create DNS host record](images/aadj/dns-new-host-dialog.png)
+![Create DNS host record.](images/aadj/dns-new-host-dialog.png)
 4. Close the **DNS Manager**. 
 
 ### Prepare a file share to host the certificate revocation list
@@ -151,12 +151,12 @@ These procedures configure NTFS and share permissions on the web server to allow
 1. On the web server, open **Windows Explorer** and navigate to the **cdp** folder you created in step 3 of [Configure the Web Server](#configure-the-web-server).
 2. Right-click the **cdp** folder and click **Properties**.  Click the **Sharing** tab.  Click **Advanced Sharing**.
 3. Select **Share this folder**. Type **cdp$** in **Share name**. Click **Permissions**.
-![cdp sharing](images/aadj/cdp-sharing.png)
+![cdp sharing.](images/aadj/cdp-sharing.png)
 4. In the **Permissions for cdp$** dialog box, click **Add**.
 5. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, click **Object Types**.  In the **Object Types** dialog box, select **Computers**, and then click **OK**.
 7. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, in **Enter the object names to select**, type the name of the server running the certificate authority issuing the certificate revocation list, and then click **Check Names**. Click **OK**.
 8. In the **Permissions for cdp$** dialog box, select the certificate authority from the **Group or user names list**. In the **Permissions for** section, select **Allow** for **Full control**. Click **OK**.
-![CDP Share Permissions](images/aadj/cdp-share-permissions.png)
+![CDP Share Permissions.](images/aadj/cdp-share-permissions.png)
 9. In the **Advanced Sharing** dialog box, click **OK**.
 
 > [!Tip]
@@ -166,7 +166,7 @@ These procedures configure NTFS and share permissions on the web server to allow
 1. On the web server, open **Windows Explorer** and navigate to the **cdp** folder you created in step 3 of [Configure the Web Server](#configure-the-web-server).
 2. Right-click the **cdp** folder and click **Properties**.  Click the **Sharing** tab.  Click **Advanced Sharing**.
 3. Click **Caching**. Select **No files or programs from the shared folder are available offline**.
-![CDP disable caching](images/aadj/cdp-disable-caching.png)
+![CDP disable caching.](images/aadj/cdp-disable-caching.png)
 4. Click **OK**. 
 
 #### Configure NTFS permission for the CDP folder
@@ -175,7 +175,7 @@ These procedures configure NTFS and share permissions on the web server to allow
 2. Right-click the **cdp** folder and click **Properties**.  Click the **Security** tab.
 3. On the **Security** tab, click Edit.
 5. In the **Permissions for cdp** dialog box, click **Add**.
-![CDP NTFS Permissions](images/aadj/cdp-ntfs-permissions.png)
+![CDP NTFS Permissions.](images/aadj/cdp-ntfs-permissions.png)
 6. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, click **Object Types**.  In the **Object Types** dialog box, select **Computers**. Click **OK**.
 7. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, in **Enter the object names to select**, type the name of the certificate authority, and then click **Check Names**. Click **OK**.
 8. In the **Permissions for cdp** dialog box, select the name of the certificate authority from the **Group or user names** list. In the **Permissions for** section, select **Allow** for **Full control**. Click **OK**.
@@ -192,11 +192,11 @@ The web server is ready to host the CRL distribution point.  Now, configure the
 2. In the navigation pane, right-click the name of the certificate authority and click **Properties**
 3. Click **Extensions**.  On the **Extensions** tab, select **CRL Distribution Point (CDP)** from the **Select extension** list.
 4. On the **Extensions** tab, click **Add**. Type <b>http://crl.[domainname]/cdp/</b> in **location**.  For example, *<http://crl.corp.contoso.com/cdp/>* or *<http://crl.contoso.com/cdp/>* (do not forget the trailing forward slash). 
-   ![CDP New Location dialog box](images/aadj/cdp-extension-new-location.png)
+   ![CDP New Location dialog box.](images/aadj/cdp-extension-new-location.png)
 5. Select **\<CaName>** from the **Variable** list and click **Insert**.  Select **\<CRLNameSuffix>** from the **Variable** list and click **Insert**.  Select **\<DeltaCRLAllowed>** from the **Variable** list and click **Insert**.
 6. Type **.crl** at the end of the text in **Location**. Click **OK**.
 7. Select the CDP you just created.
-   ![CDP complete http](images/aadj/cdp-extension-complete-http.png)
+   ![CDP complete http.](images/aadj/cdp-extension-complete-http.png)
 8. Select **Include in CRLs.  Clients use this to find Delta CRL locations**.
 9. Select **Include in the CDP extension of issued certificates**.
 10. Click **Apply** save your selections.  Click **No** when ask to restart the service.
@@ -213,7 +213,7 @@ The web server is ready to host the CRL distribution point.  Now, configure the
 5. Select **\<CaName>** from the **Variable** list and click **Insert**.  Select **\<CRLNameSuffix>** from the **Variable** list and click **Insert**.  Select **\<DeltaCRLAllowed>** from the **Variable** list and click **Insert**.
 6. Type **.crl** at the end of the text in **Location**. Click **OK**.
 7. Select the CDP you just created.
-   ![CDP publishing location](images/aadj/cdp-extension-complete-unc.png)
+   ![CDP publishing location.](images/aadj/cdp-extension-complete-unc.png)
 8. Select **Publish CRLs to this location**.
 9. Select **Publish Delta CRLs to this location**.
 10. Click **Apply** save your selections.  Click **Yes** when ask to restart the service.  Click **OK** to close the properties dialog box.
@@ -222,7 +222,7 @@ The web server is ready to host the CRL distribution point.  Now, configure the
 
 1. On the issuing certificate authority, sign-in as a local administrator.  Start the **Certificate Authority** console from **Administrative Tools**.
 2. In the navigation pane, right-click **Revoked Certificates**, hover over **All Tasks**, and click **Publish**
-![Publish a New CRL](images/aadj/publish-new-crl.png)
+![Publish a New CRL.](images/aadj/publish-new-crl.png)
 3. In the **Publish CRL** dialog box, select **New CRL** and click **OK**.
 
 #### Validate CDP Publishing
@@ -230,7 +230,7 @@ The web server is ready to host the CRL distribution point.  Now, configure the
 Validate your new CRL distribution point is working. 
 
 1. Open a web browser. Navigate to <b>http://crl.[yourdomain].com/cdp</b>.  You should see two files created from publishing your new CRL.
-   ![Validate the new CRL](images/aadj/validate-cdp-using-browser.png)
+   ![Validate the new CRL.](images/aadj/validate-cdp-using-browser.png)
 
 ### Reissue domain controller certificates
 
@@ -239,9 +239,9 @@ With the CA properly configured with a valid HTTP-based CRL distribution point,
 1. Sign-in a domain controller using administrative credentials.
 2. Open the **Run** dialog box.  Type **certlm.msc** to open the **Certificate Manager** for the local computer.
 3. In the navigation pane, expand **Personal**.  Click **Certificates**.  In the details pane, select the existing domain controller certificate includes **KDC Authentication** in the list of **Intended Purposes**.
-![Certificate Manager Personal store](images/aadj/certlm-personal-store.png)
+![Certificate Manager Personal store.](images/aadj/certlm-personal-store.png)
 4. Right-click the selected certificate.  Hover over **All Tasks** and then select **Renew Certificate with New Key...**.  In the **Certificate Enrollment** wizard, click **Next**.
-![Renew with New key](images/aadj/certlm-renew-with-new-key.png) 
+![Renew with New key.](images/aadj/certlm-renew-with-new-key.png) 
 5. In the **Request Certificates** page of the wizard, verify the selected certificate has the correct certificate template and ensure the status is available.  Click **Enroll**.
 6. After the enrollment completes, click **Finish** to close the wizard. 
 7. Repeat this procedure on all your domain controllers.
@@ -259,7 +259,7 @@ With the CA properly configured with a valid HTTP-based CRL distribution point,
 3. In the navigation pane, expand **Personal**.  Click **Certificates**.  In the details pane, double-click the existing domain controller certificate includes **KDC Authentication** in the list of **Intended Purposes**.
 4. Click the **Details** tab.  Scroll down the list until **CRL Distribution Points** is visible in the **Field** column of the list.  Select **CRL Distribution Point**.
 5. Review the information below the list of fields to confirm the new URL for the CRL distribution point is present in the certificate.  Click **OK**.</br>
-![New Certificate with updated CDP](images/aadj/dc-cert-with-new-cdp.png)
+![New Certificate with updated CDP.](images/aadj/dc-cert-with-new-cdp.png)
 
 
 ## Configure and Assign a Trusted Certificate Device Configuration Profile
@@ -276,13 +276,13 @@ Steps you will perform include:
 2. Open the **Run** dialog box.  Type **certlm.msc** to open the **Certificate Manager** for the local computer.
 3. In the navigation pane, expand **Personal**.  Click **Certificates**.  In the details pane, double-click the existing domain controller certificate includes **KDC Authentication** in the list of **Intended Purposes**.
 4. Click the **Certification Path** tab.  In the **Certification path** view, select the top most node and click **View Certificate**.
-![Certificate Path](images/aadj/certlm-cert-path-tab.png)
+![Certificate Path.](images/aadj/certlm-cert-path-tab.png)
 5. In the new **Certificate** dialog box, click the **Details** tab. Click **Copy to File**.
-![Details tab and copy to file](images/aadj/certlm-root-cert-details-tab.png)
+![Details tab and copy to file.](images/aadj/certlm-root-cert-details-tab.png)
 6. In the **Certificate Export Wizard**, click **Next**.  
 7. On the **Export File Format** page of the wizard, click **Next**.  
 8. On the **File to Export** page in the wizard, type the name and location of the root certificate and click **Next**. Click **Finish** and then click **OK** to close the success dialog box.
-![Export root certificate](images/aadj/certlm-export-root-certificate.png)
+![Export root certificate.](images/aadj/certlm-export-root-certificate.png)
 9. Click **OK**  two times to return to the **Certificate Manager** for the local computer.  Close the **Certificate Manager**.
 
 ### Create and Assign a Trust Certificate Device Configuration Profile
@@ -291,12 +291,12 @@ A **Trusted Certificate** device configuration profile is how you deploy trusted
 
 1. Sign-in to the [Microsoft Azure Portal](https://portal.azure.com) and select **Microsoft Intune**.
 2. Click **Device configuration**.  In the **Device Configuration** blade, click **Create profile**.
-![Intune Create Profile](images/aadj/intune-create-device-config-profile.png)
+![Intune Create Profile.](images/aadj/intune-create-device-config-profile.png)
 3. In the **Create profile** blade, type **Enterprise Root Certificate** in **Name**.  Provide a description.  Select **Windows 10 and later** from the **Platform** list.  Select **Trusted certificate** from the **Profile type** list.  Click **Configure**.
 4. In the **Trusted Certificate** blade, use the folder icon to browse for the location of the enterprise root certificate file you created in step 8 of [Export Enterprise Root certificate](#export-enterprise-root-certificate).  Click **OK**.  Click **Create**.
-![Intune Trusted Certificate Profile](images/aadj/intune-create-trusted-certificate-profile.png)
+![Intune Trusted Certificate Profile.](images/aadj/intune-create-trusted-certificate-profile.png)
 5. In the **Enterprise Root Certificate** blade, click **Assignments**.  In the **Include** tab, select **All Devices** from the **Assign to** list.  Click **Save**.
-![Intune Profile assignment](images/aadj/intune-device-config-enterprise-root-assignment.png)
+![Intune Profile assignment.](images/aadj/intune-device-config-enterprise-root-assignment.png)
 6. Sign out of the Microsoft Azure Portal.
 > [!NOTE]
 > After the creation, the **supported platform** parameter of the profile will contain the value "Windows 8.1 and later", as the certificate configuration for Windows 8.1 and Windows 10 is the same.
@@ -310,7 +310,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
 3. Choose **Enroll devices**.
 4. Select **Windows enrollment**.
 5. Under **Windows enrollment**, select **Windows Hello for Business**.
-   ![Create Windows Hello for Business Policy](images/aadj/MEM.png)
+   ![Create Windows Hello for Business Policy.](images/aadj/MEM.png)
 6. Select **Enabled** from the **Configure Windows Hello for Business** list.
 7. Select **Required** next to **Use a Trusted Platform Module (TPM)**. By default, Windows Hello for Business prefers TPM 2.0 or falls backs to software. Choosing **Required** forces Windows Hello for Business to only use TPM 2.0 or TPM 1.2 and does not allow fall back to software-based keys.
 8. Enter the desired **Minimum PIN length** and **Maximum PIN length**.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
index b8ce7af3da..e4ada9da90 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
@@ -82,7 +82,7 @@ The easiest way to verify the onPremisesDistingushedNamne attribute is synchroni
 2. Click **Login** and provide Azure credentials
 3. In the Azure AD Graph Explorer URL, type https://graph.windows.net/myorganization/users/[userid], where **[userid]** is the user principal name of user in Azure Active Directory.  Click **Go**
 4. In the returned results, review the JSON data for the **onPremisesDistinguishedName** attribute.  Ensure the attribute has a value and the value is accurate for the given user.
-   ![Azure AD Connect On-Prem DN Attribute](images/aadjcert/aadconnectonpremdn.png)
+   ![Azure AD Connect On-Prem DN Attribute.](images/aadjcert/aadconnectonpremdn.png)
 
 ## Prepare the Network Device Enrollment Services (NDES) Service Account
 
@@ -259,15 +259,15 @@ Sign-in to the certificate authority or management workstations with an _Enterpr
 1. Open **Server Manager** on the NDES server.
 2. Click **Manage**.  Click **Add Roles and Features**.
 3. In the **Add Roles and Features Wizard**, on the **Before you begin** page, click **Next**.  Select **Role-based or feature-based installation** on the **Select installation type** page.  Click **Next**.  Click **Select a server from the server pool**.  Select the local server from the **Server Pool** list.  Click **Next**.
-   ![Server Manager destination server](images/aadjCert/servermanager-destination-server-ndes.png)
+   ![Server Manager destination server.](images/aadjCert/servermanager-destination-server-ndes.png)
 4. On the **Select server roles** page, select **Active Directory Certificate Services** from the **Roles** list.
-   ![Server Manager AD CS Role](images/aadjCert/servermanager-adcs-role.png)
+   ![Server Manager AD CS Role.](images/aadjCert/servermanager-adcs-role.png)
    Click **Add Features** on the **Add Roles and Feature Wizard** dialog box.  Click **Next**.
-   ![Server Manager Add Features](images/aadjcert/serverManager-adcs-add-features.png)
+   ![Server Manager Add Features.](images/aadjcert/serverManager-adcs-add-features.png)
 5. On the **Features** page, expand **.NET Framework 3.5 Features**.  Select **HTTP Activation**.  Click **Add Features** on the **Add Roles and Feature Wizard** dialog box.  Expand **.NET Framework 4.5 Features**.  Expand **WCF Services**.  Select **HTTP Activation**.  Click **Add Features** on the **Add Roles and Feature Wizard** dialog box.  Click **Next**.
-   ![Server Manager Feature HTTP Activation](images/aadjcert/servermanager-adcs-http-activation.png)
+   ![Server Manager Feature HTTP Activation.](images/aadjcert/servermanager-adcs-http-activation.png)
 6. On the **Select role services** page, clear the **Certificate Authority** check box. Select the **Network Device Enrollment Service**.  Click **Add Features** on the **Add Roles and Features Wizard** dialog box. Click **Next**.
-   ![Server Manager ADCS NDES Role](images/aadjcert/servermanager-adcs-ndes-role-checked.png)
+   ![Server Manager ADCS NDES Role.](images/aadjcert/servermanager-adcs-ndes-role-checked.png)
 7. Click **Next** on the **Web Server Role (IIS)** page.
 8. On the **Select role services** page for the Web Serve role, Select the following additional services if they are not already selected and then click **Next**.
    * **Web Server > Security > Request Filtering**
@@ -275,11 +275,11 @@ Sign-in to the certificate authority or management workstations with an _Enterpr
    * **Web Server > Application Development > ASP.NET 4.5**.   .
    * **Management Tools > IIS 6 Management Compatibility > IIS 6 Metabase Compatibility**
    * **Management Tools > IIS 6 Management Compatibility > IIS 6 WMI Compatibility**
-   ![Server Manager Web Server Role](images/aadjcert/servermanager-adcs-webserver-role.png)
+   ![Server Manager Web Server Role.](images/aadjcert/servermanager-adcs-webserver-role.png)
 9. Click **Install**. When the installation completes, continue with the next procedure.  **Do not click Close**.
    > [!IMPORTANT]
    > .NET Framework 3.5 is not included in the typical installation.  If the server is connected to the Internet, the installation attempts to get the files using Windows Update.  If the server is not connected to the Internet, you need to **Specify an alternate source path** such as \<driveLetter>:\\Sources\SxS\
-   ![.NET Side by Side](images/aadjcert/dotNet35sidebyside.png)
+   ![.NET Side by Side.](images/aadjcert/dotNet35sidebyside.png)
 
 ### Configure the NDES service account
 This task adds the NDES service account to the local IIS_USRS group.  The task also configures the NDES service account for Kerberos authentication and delegation
@@ -308,7 +308,7 @@ Sign-in the NDES server with access equivalent to _Domain Admins_.
 > [!NOTE]
 > If you use the same service account for multiple NDES Servers, repeat the following task for each NDES server under which the NDES service runs.
 
-![Set SPN command prompt](images/aadjcert/setspn-commandprompt.png)
+![Set SPN command prompt.](images/aadjcert/setspn-commandprompt.png)
 
 #### Configure the NDES Service account for delegation
 The NDES service enrolls certificates on behalf of users.  Therefore, you want to limit the actions it can perform on behalf of the user. You do this through delegation.
@@ -317,16 +317,16 @@ Sign-in a domain controller with a minimum access equivalent to _Domain Admins_.
 
 1. Open **Active Directory Users and Computers**
 2. Locate the NDES Service account (NDESSvc). Right-click and select **Properties**. Click the **Delegation** tab.
-   ![NDES Delegation Tab](images/aadjcert/ndessvcdelegationtab.png)
+   ![NDES Delegation Tab.](images/aadjcert/ndessvcdelegationtab.png)
 3. Select **Trust this user for delegation to specified services only**.
 4. Select **Use any authentication protocol**.
 5. Click **Add**.
 6. Click **Users or Computers...**  Type the name of the _NDES Server_ you use to issue Windows Hello for Business authentication certificates to Azure AD joined devices.  From the **Avaiable services** list, select **HOST**.  Click **OK**.
-   ![NDES Service delegation to NDES host](images/aadjcert/ndessvcdelegation-host-ndes-spn.png)
+   ![NDES Service delegation to NDES host.](images/aadjcert/ndessvcdelegation-host-ndes-spn.png)
 7. Repeat steps 5 and 6 for each NDES server using this service account. Click **Add**.
 8. Click **Users or computers...**  Type the name of the issuing certificate authority this NDES service account uses to issue Windows Hello for Business authentication certificates to Azure AD joined devices.  From the **Available services** list, select **dcom**.  Hold the **CTRL** key and select **HOST**. Click **OK**.
 9. Repeat steps 8 and 9 for each issuing certificate authority from which one or more NDES servers request certificates.
-   ![NDES Service delegation complete](images/aadjcert/ndessvcdelegation-host-ca-spn.png)
+   ![NDES Service delegation complete.](images/aadjcert/ndessvcdelegation-host-ca-spn.png)
 10. Click **OK**.  Close **Active Directory Users and Computers**.
 
 ### Configure the NDES Role and Certificate Templates
@@ -338,21 +338,21 @@ Sign-in to the certificate authority or management workstations with an _Enterpr
 > [!NOTE]
 > If you closed Server Manger from the last set of tasks, start Server Manager and click the action flag that shows a yellow exclamation point.
 
-![Server Manager Post-Install Yellow flag](images/aadjcert/servermanager-post-ndes-yellowactionflag.png)
+![Server Manager Post-Install Yellow flag.](images/aadjcert/servermanager-post-ndes-yellowactionflag.png)
 
 1. Click the **Configure Active Directory Certificate Services on the destination server** link.
 2. On the **Credentials** page, click **Next**.
-   ![NDES Installation Credentials](images/aadjcert/ndesconfig01.png)
+   ![NDES Installation Credentials.](images/aadjcert/ndesconfig01.png)
 3. On the **Role Services** page, select **Network Device Enrollment Service** and then click **Next**
-   ![NDES Role Services](images/aadjcert/ndesconfig02.png)
+   ![NDES Role Services.](images/aadjcert/ndesconfig02.png)
 4. On the **Service Account for NDES** page, select **Specify service account (recommended)**.  Click **Select...**. Type the user name and password for the NDES service account in the **Windows Security** dialog box.  Click **Next**.
-   ![NDES Service Account for NDES](images/aadjcert/ndesconfig03b.png)
+   ![NDES Service Account for NDES.](images/aadjcert/ndesconfig03b.png)
 5. On the **CA for NDES** page, select **CA name**. Click **Select...**.  Select the issuing certificate authority from which the NDES server requests certificates.  Click **Next**.
-   ![NDES CA selection](images/aadjcert/ndesconfig04.png)
+   ![NDES CA selection.](images/aadjcert/ndesconfig04.png)
 6. On the **RA Information**, click **Next**.
 7. On the **Cryptography for NDES** page, click **Next**.
 8. Review the **Confirmation** page.  Click **Configure**.
-   ![NDES Confirmation](images/aadjcert/ndesconfig05.png)
+   ![NDES Confirmation.](images/aadjcert/ndesconfig05.png)
 8. Click **Close** after the configuration completes.
 
 #### Configure Certificate Templates on NDES
@@ -407,18 +407,18 @@ Sign-in a workstation with access equivalent to a _domain user_.
 2. Select **All Services**.  Type **Azure Active Directory** to filter the list of services.  Under **SERVICES**, Click **Azure Active Directory**.
 3. Under **MANAGE**, click **Application proxy**.
 4. Click **Download connector service**.  Click **Accept terms & Download**.  Save the file (AADApplicationProxyConnectorInstaller.exe) in a location accessible by others on the domain.
-   ![Azure Application Proxy Connectors](images/aadjcert/azureconsole-applicationproxy-connectors-empty.png)
+   ![Azure Application Proxy Connectors.](images/aadjcert/azureconsole-applicationproxy-connectors-empty.png)
 5. Sign-in the computer that will run the connector with access equivalent to a _domain user_.
    > [!IMPORTANT]
    > Install a minimum of two Azure Active Directory Proxy connectors for each NDES Application Proxy.  Strategically locate Azure AD application proxy connectors throughout your organization to ensure maximum availability.  Remember, devices running the connector must be able to communicate with Azure and the on-premises NDES servers.
 
 6. Start **AADApplicationProxyConnectorInstaller.exe**.
 7. Read the license terms and then select **I agree to the license terms and conditions**.  Click **Install**.
-   ![Azure Application Proxy Connector](images/aadjcert/azureappproxyconnectorinstall-01.png)
+   ![Azure Application Proxy Connector.](images/aadjcert/azureappproxyconnectorinstall-01.png)
 8. Sign-in to Microsoft Azure with access equivalent to **Global Administrator**.
-   ![Azure Application Proxy Connector](images/aadjcert/azureappproxyconnectorinstall-02.png)
+   ![Azure Application Proxy Connector.](images/aadjcert/azureappproxyconnectorinstall-02.png)
 9. When the installation completes. Read the information regarding outbound proxy servers.  Click **Close**.
-   ![Azure Application Proxy Connector](images/aadjcert/azureappproxyconnectorinstall-03.png)
+   ![Azure Application Proxy Connector.](images/aadjcert/azureappproxyconnectorinstall-03.png)
 10. Repeat steps 5 - 10 for each device that will run the Azure AD Application Proxy connector for Windows Hello for Business certificate deployments.
 
 #### Create a Connector Group
@@ -427,9 +427,9 @@ Sign-in a workstation with access equivalent to a _domain user_.
 1. Sign-in to the [Azure Portal](https://portal.azure.com/) with access equivalent to **Global Administrator**.
 2. Select **All Services**.  Type **Azure Active Directory** to filter the list of services.  Under **SERVICES**, Click **Azure Active Directory**.
 3. Under **MANAGE**, click **Application proxy**.
-   ![Azure Application Proxy Connector groups](images/aadjcert/azureconsole-applicationproxy-connectors-default.png)
+   ![Azure Application Proxy Connector groups.](images/aadjcert/azureconsole-applicationproxy-connectors-default.png)
 4. Click **New Connector Group**. Under **Name**, type **NDES WHFB Connectors**.
-   ![Azure Application New Connector Group](images/aadjcert/azureconsole-applicationproxy-connectors-newconnectorgroup.png)
+   ![Azure Application New Connector Group.](images/aadjcert/azureconsole-applicationproxy-connectors-newconnectorgroup.png)
 5. Select each connector agent in the **Connectors** list that will service Windows Hello for Business certificate enrollment requests.
 6. Click **Save**.
 
@@ -443,7 +443,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
 5. Under **Basic Settings** next to **Name**, type **WHFB NDES 01**.  Choose a name that correlates this Azure AD Application Proxy setting with the on-premises NDES server.  Each NDES server must have its own Azure AD Application Proxy as two NDES servers cannot share the same internal URL.
 6. Next to **Internal URL**, type the internal, fully qualified DNS name of the NDES server associated with this Azure AD Application Proxy.  For example, https://ndes.corp.mstepdemo.net).  You need to match the primary host name (AD Computer Account name) of the NDES server, and prefix the URL with **https**.
 7. Under **Internal URL**, select **https://** from the first list.  In the text box next to **https://**, type the hostname you want to use as your external hostname for the Azure AD Application Proxy.  In the list next to the hostname you typed, select a DNS suffix you want to use externally for the Azure AD Application Proxy.  It is recommended to use the default, -[tenantName].msapproxy.net where **[tenantName]** is your current Azure Active Directory tenant name (-mstephendemo.msappproxy.net).
-   ![Azure NDES Application Proxy Configuration](images/aadjcert/azureconsole-appproxyconfig.png)
+   ![Azure NDES Application Proxy Configuration.](images/aadjcert/azureconsole-appproxyconfig.png)
 8. Select **Passthrough** from the **Pre Authentication** list.
 9. Select **NDES WHFB Connectors** from the **Connector Group** list.
 10. Under **Additional Settings**, select **Default** from **Backend Application Timeout**.  Under the **Translate URLs In** section, select **Yes** next to **Headers** and select **No** next to **Application Body**.
@@ -465,7 +465,7 @@ Sign-in the NDES server with access equivalent to _local administrators_.
 5. Click **Next** on the **Select Certificate Enrollment Policy** page.
 6. On the **Request Certificates** page, Select the **NDES-Intune Authentication** check box.
 7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link
-   ![Example of Certificate Properties Subject Tab - This is what shows when you click the above link](images/aadjcert/ndes-TLS-Cert-Enroll-subjectNameWithExternalName.png)
+   ![Example of Certificate Properties Subject Tab - This is what shows when you click the above link.](images/aadjcert/ndes-TLS-Cert-Enroll-subjectNameWithExternalName.png)
 8. Under **Subject name**, select **Common Name** from the **Type** list.  Type the internal URL used in the previous task (without the https://, for example **ndes.corp.mstepdemo.net**) and then click **Add**.
 9. Under **Alternative name**, select **DNS** from the **Type** list.  Type the internal URL used in the previous task (without the https://, for example **ndes.corp.mstepdemo.net**).  Click **Add**. Type the external URL used in the previous task (without the https://, for example **ndes-mstephendemo.msappproxy.net**). Click **Add**. Click **OK** when finished.
 9. Click **Enroll**
@@ -478,12 +478,12 @@ Sign-in the NDES server with access equivalent to _local administrator_.
 
 1. Start **Internet Information Services (IIS) Manager** from **Administrative Tools**.
 2. Expand the node that has the name of the NDES server.  Expand **Sites** and select **Default Web Site**.
-   ![NDES IIS Console](images/aadjcert/ndes-iis-console.png)
+   ![NDES IIS Console.](images/aadjcert/ndes-iis-console.png)
 3. Click **Bindings...*** under **Actions**.  Click **Add**.
-   ![NDES IIS Console](images/aadjcert/ndes-iis-bindings.png)
+   ![NDES IIS Console.](images/aadjcert/ndes-iis-bindings.png)
 4. Select **https** from **Type**. Confirm the value for **Port** is **443**.
 5. Select the certificate you previously enrolled from the **SSL certificate** list.  Select **OK**.
-   ![NDES IIS Console](images/aadjcert/ndes-iis-bindings-add-443.png)
+   ![NDES IIS Console.](images/aadjcert/ndes-iis-bindings-add-443.png)
 6. Select **http** from the **Site Bindings** list.  Click **Remove**.
 7. Click **Close** on the **Site Bindings** dialog box.
 8. Close **Internet Information Services (IIS) Manager**.
@@ -509,10 +509,10 @@ Sign-in the NDES server with access equivalent to _local administrator_.
 
 A web page similar to the following should appear in your web browser.  If you do not see a similar page, or you get a **503 Service unavailable** message, ensure the NDES Service account has the proper user rights.  You can also review the application event log for events with the **NetworkDeviceEnrollmentSerice** source.
 
-![NDES IIS Console](images/aadjcert/ndes-https-website-test-01.png)
+![NDES IIS Console.](images/aadjcert/ndes-https-website-test-01.png)
 
 Confirm the web site uses the server authentication certificate.
-![NDES IIS Console](images/aadjcert/ndes-https-website-test-01-show-cert.png)
+![NDES IIS Console.](images/aadjcert/ndes-https-website-test-01-show-cert.png)
 
 
 ## Configure Network Device Enrollment Services to work with Microsoft Intune
@@ -527,7 +527,7 @@ Sign-in the NDES server with access equivalent to _local administrator_.
 1. Start **Internet Information Services (IIS) Manager** from **Administrative Tools**.
 2. Expand the node that has the name of the NDES server.  Expand **Sites** and select **Default Web Site**.
 3. In the content pane, double-click **Request Filtering**.  Click **Edit Feature Settings...** in the action pane.
-   ![Intune NDES Request filtering](images/aadjcert/NDES-IIS-RequestFiltering.png)
+   ![Intune NDES Request filtering.](images/aadjcert/NDES-IIS-RequestFiltering.png)
 4. Select **Allow unlisted file name extensions**.
 5. Select **Allow unlisted verbs**.
 6. Select **Allow high-bit characters**.
@@ -554,7 +554,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
 1. Sign-in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
 2. Select **Tenant administration** > **Connectors and tokens** > **Certificate connectors** > **Add**.
 3. Click **Download the certificate connector software** under the **Install Certificate Connectors** section.
-   ![Intune Certificate Authority](images/aadjcert/profile01.png)
+   ![Intune Certificate Authority.](images/aadjcert/profile01.png)
 4. Save the downloaded file (NDESConnectorSetup.exe) to a location accessible from the NDES server.
 5. Sign-out of the Microsoft Endpoint Manager admin center.
 
@@ -564,26 +564,26 @@ Sign-in the NDES server with access equivalent to _domain administrator_.
 1. Copy the Intune Certificate Connector Setup (NDESConnectorSetup.exe) downloaded in the previous task locally to the NDES server.
 2. Run **NDESConnectorSetup.exe** as an administrator. If the setup shows a dialog that reads **Microsoft Intune NDES Connector requires HTTP Activation**, ensure you started the application as an administrator, then check HTTP Activation is enabled on the NDES server.
 3. On the **Microsoft Intune** page, click **Next**.
-   ![Intune Connector Install 01](images/aadjcert/intunecertconnectorinstall-01.png)
+   ![Intune Connector Install 01.](images/aadjcert/intunecertconnectorinstall-01.png)
 4. Read the **End User License Agreement**.  Click **Next** to accept the agreement and to proceed with the installation.
 5. On the **Destination Folder** page, click **Next**.
 6. On the **Installation Options** page, select **SCEP and PFX Profile Distribution** and click **Next**.
-   ![Intune Connector Install 03](images/aadjcert/intunecertconnectorinstall-03.png)
+   ![Intune Connector Install 03.](images/aadjcert/intunecertconnectorinstall-03.png)
 7. On the **Client certificate for Microsoft Intune** page, Click **Select**.  Select the certificate previously enrolled for the NDES server. Click **Next**.
-   ![Intune Connector Install 05](images/aadjcert/intunecertconnectorinstall-05.png)
+   ![Intune Connector Install 05.](images/aadjcert/intunecertconnectorinstall-05.png)
 
    > [!NOTE]
    > The **Client certificate for Microsoft Intune** page does not update after selecting the client authentication certificate.  However, the application rembers the selection and shows it in the next page.
 
 8. On the **Client certificate for the NDES Policy Module** page, verify the certificate information and then click **Next**.
 9. ON the **Ready to install Microsoft Intune Connector** page. Click **Install**.
-   ![Intune Connector Install 06](images/aadjcert/intunecertconnectorinstall-06.png)
+   ![Intune Connector Install 06.](images/aadjcert/intunecertconnectorinstall-06.png)
 
    > [!NOTE]
    > You can review the results of the install using the **SetupMsi.log** file located in the **C:\\NDESConnectorSetupMsi** folder.
 
 10. When the installation completes, select **Launch Intune Connector** and click Finish. Proceed to the Configure the Intune Certificate Connector task.
-    ![Intune Connector install 07](images/aadjcert/intunecertconnectorinstall-07.png)
+    ![Intune Connector install 07.](images/aadjcert/intunecertconnectorinstall-07.png)
 
 ### Configure the Intune Certificate Connector
 Sign-in the NDES server with access equivalent to _domain administrator_.
@@ -594,10 +594,10 @@ Sign-in the NDES server with access equivalent to _domain administrator_.
    > If the **NDES Connector** user interface is not open, you can start it from **\<install_Path>\NDESConnectorUI\NDESConnectorUI.exe**.
 
 2. If your organization uses a proxy server and the proxy is needed for the NDES server to access the Internet, select **Use proxy server**, and then enter the proxy server name, port, and credentials to connect.  Click **Apply**
-   ![Intune Certificate Connector Configuration 01](images/aadjcert/intunecertconnectorconfig-01.png)
+   ![Intune Certificate Connector Configuration 01.](images/aadjcert/intunecertconnectorconfig-01.png)
 
 3. Click **Sign-in**.  Type credentials for your Intune administrator, or tenant administrator that has the **Global Administrator** directory role.
-   ![Intune Certificate Connector Configuration 02](images/aadjcert/intunecertconnectorconfig-02.png)
+   ![Intune Certificate Connector Configuration 02.](images/aadjcert/intunecertconnectorconfig-02.png)
 
    > [!IMPORTANT]
    > The user account must have a valid Intune license assigned.  If the user account does not have a valid Intune license, the sign-in fails.
@@ -614,7 +614,7 @@ Sign-in the certificate authority used by the NDES Connector with access equival
 1. Start the **Certification Authority** management console.
 2. In the navigation pane, right-click the name of the certificate authority and select **Properties**.
 3. Click the **Security** tab.  Click **Add**. In **Enter the object names to select** box, type **NDESSvc** (or the name you gave the NDES Service account).  Click *Check Names*. Click **OK**.  Select the NDES Service account from the **Group or user names** list. Select **Allow** for the **Issue and Manage Certificates** permission.  Click **OK**.
-   ![Configure Intune certificate revocation 02](images/aadjcert/intuneconfigcertrevocation-02.png)
+   ![Configure Intune certificate revocation 02.](images/aadjcert/intuneconfigcertrevocation-02.png)
 4. Close the **Certification Authority**
 
 #### Enable the NDES Connector for certificate revocation
@@ -622,7 +622,7 @@ Sign-in the NDES server with access equivalent to _domain administrator_.
 
 1. Open the **NDES Connector** user interface (**\<install_Path>\NDESConnectorUI\NDESConnectorUI.exe**).
 2. Click the **Advanced** tab.  Select **Specify a different account username and password**.  Type the NDES service account username and password.  Click **Apply**.  Click **OK** to close the confirmation dialog box.  Click **Close**.
-   ![Intune Connector cert revocation configuration 04](images/aadjcert/intunecertconnectorconfig-04.png)
+   ![Intune Connector cert revocation configuration 04.](images/aadjcert/intunecertconnectorconfig-04.png)
 3. Restart the **Intune Connector Service** and the **World Wide Web Publishing Service**.
 
 ### Test the NDES Connector
@@ -641,7 +641,7 @@ Sign-in the NDES server with access equivalent to _domain admin_.
    ```
    where **[fqdnHostName]** is the fully qualified internal DNS host name of the NDES server.
    A web page showing a 403 error (similar to the following) should appear in your web browser.  If you do not see a similar page, or you get a **503 Service unavailable** message, ensure the NDES Service account has the proper user rights.  You can also review the application event log for events with the **NetworkDeviceEnrollmentSerice** source.
-   ![NDES web site test after Intune Certificate Connector](images/aadjcert/ndes-https-website-test-after-intune-connector.png)
+   ![NDES web site test after Intune Certificate Connector.](images/aadjcert/ndes-https-website-test-after-intune-connector.png)
 6. Using **Server Manager**, enable **Internet Explorer Enhanced Security Configuration**.
 
 ## Create and Assign a Simple Certificate Enrollment Protocol (SCEP) Certificate Profile
@@ -656,7 +656,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
 5. Under **Group Name**, type the name of the group.  For example, **AADJ WHFB Certificate Users**.
 6. Provide a **Group description**, if applicable.
 7. Select **Assigned** from the **Membership type** list.
-   ![Azure AD new group creation](images/aadjcert/azureadcreatewhfbcertgroup.png)
+   ![Azure AD new group creation.](images/aadjcert/azureadcreatewhfbcertgroup.png)
 8. Click **Members**.  Use the  **Select members** pane to add members to this group. When finished click **Select**.
 9. Click **Create**.
 
@@ -666,7 +666,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
 1. Sign-in to the [Microsoft Endpoint Manager admin center](https://endpoint.microsoft.com/).
 2. Select **Devices**, and then click **Configuration Profiles**.
 3. Select **Create Profile**.
-   ![Intune Device Configuration Create Profile](images/aadjcert/profile02.png)
+   ![Intune Device Configuration Create Profile.](images/aadjcert/profile02.png)
 4. Select **Windows 10 and later** from the **Platform** list.
 5. Choose **SCEP certificate** from the **Profile** list, and select **Create**.
 6. The **SCEP Certificate** wizard should open. Next to **Name**, type **WHFB Certificate Enrollment**.
@@ -689,7 +689,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
 14. Select a previously configured **Trusted certificate** profile that matches the root certificate of the issuing certificate authority as a root certificate for the profile.
 15. Under **Extended key usage**, type **Smart Card Logon** under **Name**. Type **1.3.6.1.4.1.311.20.2.2** under **Object identifier**. Click **Add**.
 16. Type a percentage (without the percent sign) next to **Renewal Threshold** to determine when the certificate should attempt to renew. The recommended value is **20**.
-    ![WHFB SCEP certificate Profile EKUs](images/aadjcert/profile03.png)
+    ![WHFB SCEP certificate Profile EKUs.](images/aadjcert/profile03.png)
 17. Under **SCEP Server URLs**, type the fully qualified external name of the Azure AD Application proxy you configured. Append to the name **/certsrv/mscep/mscep.dll**. For example, https://ndes-mtephendemo.msappproxy.net/certsrv/mscep/mscep.dll. Click **Add**. Repeat this step for each additional NDES Azure AD Application Proxy you configured to issue Windows Hello for Business certificates. Microsoft Intune round-robin load balances requests among the URLs listed in the SCEP certificate profile.
 18. Click **Next**.
 19. Click **Next** several times to skip the **Scope tags**, **Assignments**, and **Applicability Rules** steps of the wizard and click **Create**.
@@ -702,7 +702,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
 3. Click **WHFB Certificate Enrollment**.
 4. Select **Properties**, and then click **Edit** next to the **Assignments** section.
 5. In the **Assignments** pane, select **Selected Groups** from the **Assign to** list.  Click **Select groups to include**.
-   ![WHFB SCEP Profile Assignment](images/aadjcert/profile04.png)
+   ![WHFB SCEP Profile Assignment.](images/aadjcert/profile04.png)
 6. Select the **AADJ WHFB Certificate Users** group. Click **Select**.
 7. Click **Review + Save**, and then **Save**.
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
index e80dc75f72..9e100bc146 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-devreg.md
@@ -70,7 +70,7 @@ To locate the schema master role holder, open and command prompt and type:
 
 ```Netdom query fsmo | findstr -i schema```
 
-![Netdom example output](images/hello-cmd-netdom.png)
+![Netdom example output.](images/hello-cmd-netdom.png)
 
 The command should return the name of the domain controller where you need to run adprep.exe.  Update the schema locally on the domain controller hosting the Schema master role.
 
@@ -114,14 +114,14 @@ When you are ready to install, follow the **Configuring federation with AD FS**
 ### Create AD objects for AD FS Device Authentication  
 If your AD FS farm is not already configured for Device Authentication (you can see this in the AD FS Management console under Service -> Device Registration), use the following steps to create the correct AD DS objects and configuration.  
 
-![Device Registration](images/hybridct/device1.png)
+![Device Registration.](images/hybridct/device1.png)
 
 > [!NOTE]
 > The below commands require Active Directory administration tools, so if your federation server is not also a domain controller, first install the tools using step 1 below.  Otherwise you can skip step 1.  
 
 1.  Run the **Add Roles & Features** wizard and select feature **Remote Server Administration Tools** -> **Role Administration Tools** -> **AD DS and AD LDS Tools** -> Choose both the **Active Directory module for Windows PowerShell** and the **AD DS Tools**.
 
-![Device Registration](images/hybridct/device2.png)
+![Device Registration.](images/hybridct/device2.png)
 
 2. On your AD FS primary server, ensure you are logged in as AD DS user with enterprise administrator privileges and open an elevated Windows PowerShell prompt.  Then, run the following commands:  
 
@@ -132,7 +132,7 @@ If your AD FS farm is not already configured for Device Authentication (you can
 > [!NOTE]
 > If your AD FS service is configured to use a GMSA account, enter the account name in the format "domain\accountname$"
 
-![Device Registration](images/hybridct/device3.png)  
+![Device Registration.](images/hybridct/device3.png)  
 
 The above PSH creates the following objects:  
 
@@ -140,11 +140,11 @@ The above PSH creates the following objects:
 - Device Registration Service container and object under Configuration --> Services --> Device Registration Configuration  
 - Device Registration Service DKM container and object under Configuration --> Services --> Device Registration Configuration  
 
-![Device Registration](images/hybridct/device4.png)  
+![Device Registration.](images/hybridct/device4.png)  
 
 4. Once this is done, you will see a successful completion message.
 
-![Device Registration](images/hybridct/device5.png) 
+![Device Registration.](images/hybridct/device5.png) 
 
 ### Create Service Connection Point (SCP) in Active Directory  
 If you plan to use Windows 10 domain join (with automatic registration to Azure AD) as described here, execute the following commands to create a service connection point in AD DS  
@@ -155,13 +155,13 @@ If you plan to use Windows 10 domain join (with automatic registration to Azure
 > [!NOTE]
 > If necessary, copy the AdSyncPrep.psm1 file from your Azure AD Connect server.  This file is located in Program Files\Microsoft Azure Active Directory Connect\AdPrep
 
-![Device Registration](images/hybridct/device6.png)   
+![Device Registration.](images/hybridct/device6.png)   
 
 2. Provide your Azure AD global administrator credentials  
 
     `PS C:>$aadAdminCred = Get-Credential`
 
-![Device Registration](images/hybridct/device7.png) 
+![Device Registration.](images/hybridct/device7.png) 
 
 3. Run the following PowerShell command 
 
@@ -517,7 +517,7 @@ For your reference, below is a comprehensive list of the AD DS devices, containe
 - Container CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=&lt;domain&gt;
 - Container Device Registration Service DKM under the above container
 
-![Device Registration](images/hybridct/device8.png) 
+![Device Registration.](images/hybridct/device8.png) 
 
 - object of type serviceConnectionpoint at CN=&lt;guid&gt;, CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=&lt;domain&gt;  
   - read/write access to the specified AD connector account name on the new object 
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
index cfaf049efd..35bd16ed3e 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
@@ -27,22 +27,22 @@ ms.reviewer:
 ## Provisioning
 The Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop.  Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**.
 
-![Event358 from User Device Registration log showing Windows Hello for Business prerequisite check result](images/Event358.png)
+![Event358 from User Device Registration log showing Windows Hello for Business prerequisite check result.](images/Event358.png)
 
 The first thing to validate is the computer has processed device registration. You can view this from the User device registration logs where the check **Device is AAD joined (AADJ or DJ++): Yes** appears.  Additionally, you can validate this using the **dsregcmd /status** command from a console prompt where the value for **AzureADJoined** reads **Yes**.
 
 
 Windows Hello for Business provisioning begins with a full screen page with the title **Setup a PIN** and button with the same name.  The user clicks **Setup a PIN**.
 
-![Setup a PIN Provisioning](images/setupapin.png)
+![Setup a PIN Provisioning.](images/setupapin.png)
 
 The provisioning flow proceeds to the Multi-Factor authentication portion of the enrollment.  Provisioning informs the user that it is actively attempting to contact the user through their configured form of MFA.  The provisioning process does not proceed until authentication succeeds, fails or times out. A failed or timeout MFA results in an error and asks the user to retry.
   
-![MFA prompt during provisioning](images/mfa.png)
+![MFA prompt during provisioning.](images/mfa.png)
 
 After a successful MFA, the provisioning flow asks the user to create and validate a PIN.  This PIN must observe any PIN complexity requirements that you deployed to the environment.
 
-![Create a PIN during provisioning](images/createPin.png)
+![Create a PIN during provisioning.](images/createPin.png)
 
 The provisioning flow has all the information it needs to complete the Windows Hello for Business enrollment.
 * A successful single factor authentication (username and password at sign-in)
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md
index 9caf362da6..e60e0b15f0 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md
@@ -27,22 +27,22 @@ ms.reviewer:
 ## Provisioning
 The Windows Hello for Business provisioning begins immediately after the user has signed in, after the user profile is loaded, but before the user receives their desktop.  Windows only launches the provisioning experience if all the prerequisite checks pass. You can determine the status of the prerequisite checks by viewing the **User Device Registration** in the **Event Viewer** under **Applications and Services Logs\Microsoft\Windows**.
 
-![Event358](images/Event358-2.png)
+![Event358.](images/Event358-2.png)
 
 The first thing to validate is the computer has processed device registration. You can view this from the User device registration logs where the check **Device is AAD joined (AADJ or DJ++): Yes** appears.  Additionally, you can validate this using the **dsregcmd /status** command from a console prompt where the value for **AzureADJoined** reads **Yes**.
 
 
 Windows Hello for Business provisioning begins with a full screen page with the title **Setup a PIN** and button with the same name.  The user clicks **Setup a PIN**.
 
-![Setup a PIN Provisioning](images/setupapin.png)
+![Setup a PIN Provisioning.](images/setupapin.png)
 
 The provisioning flow proceeds to the Multi-Factor authentication portion of the enrollment.  Provisioning informs the user that it is actively attempting to contact the user through their configured form of MFA.  The provisioning process does not proceed until authentication succeeds, fails or times out. A failed or timeout MFA results in an error and asks the user to retry.
   
-![MFA prompt during provisioning](images/mfa.png)
+![MFA prompt during provisioning.](images/mfa.png)
 
 After a successful MFA, the provisioning flow asks the user to create and validate a PIN.  This PIN must observe any PIN complexity requirements that you deployed to the environment.
 
-![Create a PIN during provisioning](images/createPin.png)
+![Create a PIN during provisioning.](images/createPin.png)
 
 The provisioning flow has all the information it needs to complete the Windows Hello for Business enrollment.
 * A successful single factor authentication (username and password at sign-in)
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
index 99491fb5c3..4e83f31ec3 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
@@ -73,7 +73,7 @@ Sign-in the federation server with domain administrator equivalent credentials.
 5. Click **Next** on the **Select Certificate Enrollment Policy** page.
 6. On the **Request Certificates** page, Select the **Internal Web Server** check box.
 7. Click the **More information is required to enroll for this certificate. Click here to configure settings** link   
-    ![Example of Certificate Properties Subject Tab - This is what shows when you click the above link](images/hello-internal-web-server-cert.png)
+    ![Example of Certificate Properties Subject Tab - This is what shows when you click the above link.](images/hello-internal-web-server-cert.png)
 8. Under **Subject name**, select **Common Name** from the **Type** list.  Type the FQDN of the computer hosting the Active Directory Federation Services role and then click **Add**.  Under **Alternative name**, select **DNS** from the **Type** list.  Type the FQDN of the name you will use for your federation services (fs.corp.contoso.com). The name you use here MUST match the name you use when configuring the Active Directory Federation Services server role.  Click **Add**. Click **OK** when finished.
 9. Click **Enroll**.
 
@@ -155,7 +155,7 @@ Use the following procedures to configure AD FS when your environment uses **Win
 Sign-in the federation server with _Domain Admin_ equivalent credentials. These procedures assume you are configuring the first federation server in a federation server farm.
 1. Start **Server Manager**.
 2. Click the notification flag in the upper right corner. Click **Configure federation services on this server**.   
-   ![Example of pop-up notification as described above](images/hello-adfs-configure-2012r2.png)
+   ![Example of pop-up notification as described above.](images/hello-adfs-configure-2012r2.png)
 
 3. On the **Welcome** page, click **Create the first federation server farm** and click **Next**.
 4. Click **Next** on the **Connect to Active Directory Domain Services** page.
@@ -175,7 +175,7 @@ Use the following procedures to configure AD FS when your environment uses **Win
 Sign-in the federation server with _Domain Admin_ equivalent credentials.  These instructions assume you are configuring the first federation server in a federation server farm.
 1. Start **Server Manager**.
 2. Click the notification flag in the upper right corner.  Click **Configure federation services on this server**.   
-    ![Example of pop-up notification as described above](images/hello-adfs-configure-2012r2.png)
+    ![Example of pop-up notification as described above.](images/hello-adfs-configure-2012r2.png)
 
 3. On the **Welcome** page, click **Create the first federation server farm** and click **Next**.
 4. Click **Next** on the **Connect to Active Directory Domain Services** page.
@@ -262,7 +262,7 @@ Sign-in the federation server with _Enterprise Admin_ equivalent credentials.
 6. On the **Select server roles** page, click **Next**.
 7. Select **Network Load Balancing** on the **Select features** page.
 8. Click **Install** to start the feature installation   
-    ![Feature selection screen with NLB selected](images/hello-nlb-feature-install.png)
+    ![Feature selection screen with NLB selected.](images/hello-nlb-feature-install.png)
 
 ### Configure Network Load Balancing for AD FS
 
@@ -270,25 +270,25 @@ Before you can load balance all the nodes in the AD FS farm, you must first crea
 
 Sign-in a node of the federation farm with _Admin_ equivalent credentials.
 1. Open **Network Load Balancing Manager** from **Administrative Tools**.   
-    ![NLB Manager user interface](images/hello-nlb-manager.png)
+    ![NLB Manager user interface.](images/hello-nlb-manager.png)
 2. Right-click **Network Load Balancing Clusters**, and then click **New Cluster**.
 3. To connect to the host that is to be a part of the new cluster, in the **Host** text box, type the name of the host, and then click **Connect**.   
-    ![NLB Manager - Connect to new Cluster screen](images/hello-nlb-connect.png)
+    ![NLB Manager - Connect to new Cluster screen.](images/hello-nlb-connect.png)
 4. Select the interface that you want to use with the cluster, and then click **Next**. (The interface hosts the virtual IP address and receives the client traffic to load balance.)
 5. In **Host Parameters**, select a value in **Priority (Unique host identifier)**. This parameter specifies a unique ID for each host. The host with the lowest numerical priority among the current members of the cluster handles all of the cluster's network traffic that is not covered by a port rule. Click **Next**.
 6. In **Cluster IP Addresses**, click **Add** and type the cluster IP address that is shared by every host in the cluster. NLB adds this IP address to the TCP/IP stack on the selected interface of all hosts that are chosen to be part of the cluster. Click **Next**.   
-    ![NLB Manager - Add IP to New Cluster screen](images/hello-nlb-add-ip.png)
+    ![NLB Manager - Add IP to New Cluster screen.](images/hello-nlb-add-ip.png)
 7. In **Cluster Parameters**, select values in **IP Address** and **Subnet mask** (for IPv6 addresses, a subnet mask value is not needed). Type the full Internet name that users will use to access this NLB cluster.   
-    ![NLB Manager - Cluster IP Configuration screen](images/hello-nlb-cluster-ip-config.png)
+    ![NLB Manager - Cluster IP Configuration screen.](images/hello-nlb-cluster-ip-config.png)
 8. In **Cluster operation mode**, click **Unicast** to specify that a unicast media access control (MAC) address should be used for cluster operations. In unicast mode, the MAC address of the cluster is assigned to the network adapter of the computer, and the built-in MAC address of the network adapter is not used. We recommend that you accept the unicast default settings. Click **Next**.
 9. In Port Rules, click Edit to modify the default port rules to use port 443.   
-    ![NLB Manager - Add\Edit Port Rule screen](images/hello-nlb-cluster-port-rule.png)
+    ![NLB Manager - Add\Edit Port Rule screen.](images/hello-nlb-cluster-port-rule.png)
 
 ### Additional AD FS Servers
 
 1. To add more hosts to the cluster, right-click the new cluster, and then click **Add Host to Cluster**.
 2. Configure the host parameters (including host priority, dedicated IP addresses, and load weight) for the additional hosts by following the same instructions that you used to configure the initial host. Because you are adding hosts to an already configured cluster, all the cluster-wide parameters remain the same.   
-    ![NLB Manager - Cluster with nodes](images/hello-nlb-cluster.png)
+    ![NLB Manager - Cluster with nodes.](images/hello-nlb-cluster.png)
 
 ## Configure DNS for Device Registration
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md
index 00fa16c254..1a2b17c308 100644
--- a/windows/security/identity-protection/hello-for-business/hello-overview.md
+++ b/windows/security/identity-protection/hello-for-business/hello-overview.md
@@ -69,7 +69,7 @@ In Windows 10, Windows Hello replaces passwords. When the identity provider sup
 >[!NOTE]
 >Windows Hello as a convenience sign-in uses regular user name and password authentication, without the user entering the password.
 
-![How authentication works in Windows Hello](images/authflow.png)
+![How authentication works in Windows Hello.](images/authflow.png)
 
 Imagine that someone is looking over your shoulder as you get money from an ATM and sees the PIN that you enter. Having that PIN won't help them access your account because they don't have your ATM card. In the same way, learning your PIN for your device doesn't allow that attacker to access your account because the PIN is local to your specific device and doesn't enable any type of authentication from any other device.
 
diff --git a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
index 3ff85f511f..e7d6a0cea8 100644
--- a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
+++ b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
@@ -35,11 +35,11 @@ People who are currently using virtual or physical smart cards for authenticatio
 
 When someone sets up a new device, they are prompted to choose who owns the device. For corporate devices, they select **This device belongs to my organization**.
 
-![who owns this pc](images/corpown.png)
+![who owns this pc.](images/corpown.png)
 
 Next, they select a way to connect. Tell the people in your enterprise which option they should pick here.
 
-![choose how you'll connect](images/connect.png)
+![choose how you'll connect.](images/connect.png)
 
 They sign in, and are then asked to verify their identity. People have options to choose from a text message, phone call, or the authentication application. After verification, they create their PIN. The **Create a PIN** screen displays any complexity requirements that you have set, such as minimum length.
 
@@ -55,7 +55,7 @@ People can go to **Settings** &gt; **Accounts** &gt; **Work or school**, select
 
 If your policy allows it, people can use biometrics (fingerprint, iris, and facial recognition) with Windows Hello for Business, if the hardware supports it.
 
-![sign in to windows, apps, and services using fingerprint or face](images/hellosettings.png)
+![sign in to windows, apps, and services using fingerprint or face.](images/hellosettings.png)
 
 
 
diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
index 87e71bc747..2b1c101fc0 100644
--- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
+++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
@@ -21,7 +21,7 @@ ms.reviewer:
 ## Four steps to password freedom
 
 Over the past few years, Microsoft has continued their commitment to enabling a world without passwords. At Microsoft Ignite 2017, we shared our four-step approach to password freedom.
-![Passwordless approach](images/four-steps-passwordless.png)
+![Passwordless approach.](images/four-steps-passwordless.png)
 
 
 ### 1. Develop a password replacement offering
@@ -203,24 +203,24 @@ Windows provides two ways to prevent your users from using passwords. You can us
 
 ##### Security Policy
 You can use Group Policy to deploy an interactive logon security policy setting to the computer. This policy setting is found under **Computer Configuration > Policies > Windows Settings > Local Policy > Security Options**.  The name of the policy setting depends on the version of the operating systems you use to configure Group Policy.
-![securityPolicyLocation](images/passwordless/00-securityPolicy.png)
+![securityPolicyLocation.](images/passwordless/00-securityPolicy.png)
 
 **Windows Server 2016 and earlier**
 The policy name for these operating systems is **Interactive logon: Require smart card**.
-![securityPolicyBefore2016](images/passwordless/00-securitypolicy-2016.png)
+![securityPolicyBefore2016.](images/passwordless/00-securitypolicy-2016.png)
 
 **Windows 10, version 1703 or later using Remote Server Administrator Tools**
 The policy name for these operating systems is **Interactive logon: Require Windows Hello for Business or smart card**.
-![securityPolicyRSAT](images/passwordless/00-updatedsecuritypolicytext.png)
+![securityPolicyRSAT.](images/passwordless/00-updatedsecuritypolicytext.png)
 
 When you enable this security policy setting, Windows prevents users from signing in or unlocking with a password. The password credential provider remains visible to the user. If a user tries to use a password, Windows informs the user they must use Windows Hello for Business or a smart card.
 
 #### Excluding the password credential provider
 You can use Group Policy to deploy an administrative template policy setting to the computer. This policy setting is found under **Computer Configuration > Policies > Administrative Templates > System > Logon**
-![HideCredProvPolicy](images/passwordless/00-hidecredprov.png)
+![HideCredProvPolicy.](images/passwordless/00-hidecredprov.png)
 
 The name of the policy setting is **Exclude credential providers**. The value to enter in the policy to hide the password credential provider is **60b78e88-ead8-445c-9cfd-0b87f74ea6cd**.
-![HideCredProvPolicy2](images/passwordless/01-hidecredprov.png)
+![HideCredProvPolicy2.](images/passwordless/01-hidecredprov.png)
 
 Excluding the password credential provider hides the password credential provider from Windows and any application that attempts to load it. This prevents the user from entering a password using the credential provider. However, this does not prevent applications from creating their own password collection dialogs and prompting the user for a password using custom dialogs.
 
@@ -261,7 +261,7 @@ The account options on a user account includes an option -- **Smart card is requ
 > [!NOTE]
 > Do not confuse the Interactive Logon security policy for SCRIL. Security policies are enforced on the client (locally). A user account configured for SCRIL is enforced at the domain controller.
 
-![SCRIL setting on AD Users and Computers](images/passwordless/00-scril-dsa.png)
+![SCRIL setting on AD Users and Computers.](images/passwordless/00-scril-dsa.png)
 **SCRIL setting for a user on Active Directory Users and Computers.**
 
 When you configure a user account for SCRIL, Active Directory changes the affected user's password to a random 128 bits of data. Additionally, domain controllers hosting the user account do not allow the user to sign-in interactively with a password. Also, users will no longer be troubled with needing to change their password when it expires, because passwords for SCRIL users in domains with a Windows Server 2012 R2 or early domain functional level do not expire. The users are effectively passwordless because:
@@ -270,13 +270,13 @@ When you configure a user account for SCRIL, Active Directory changes the affect
 - the user is not asked to change their password
 - domain controllers do not allow passwords for interactive authentication
 
-![SCRIL setting from ADAC on Windows Server 2012](images/passwordless/01-scril-adac-2012.png)
+![SCRIL setting from ADAC on Windows Server 2012.](images/passwordless/01-scril-adac-2012.png)
 **SCRIL setting for a user in Active Directory Administrative Center on Windows Server 2012.**
 
 > [!NOTE]
 > Although a SCRIL user's password never expires in early domains, you can toggle the SCRIL configuration on a user account (clear the check box, save the settings, select the check box and save the settings) to generate a new random 128 bit password. However, you should consider upgrading the domain to Windows Server 2016 domain forest functional level and allow the domain controller to do this for you automatically.
 
-![SCRIL setting from ADAC on Windows Server 2016](images/passwordless/01-scril-adac-2016.png)
+![SCRIL setting from ADAC on Windows Server 2016.](images/passwordless/01-scril-adac-2016.png)
 **SCRIL setting for a user in Active Directory Administrative Center on Windows Server 2016.**
 
 > [!NOTE]
@@ -286,7 +286,7 @@ When you configure a user account for SCRIL, Active Directory changes the affect
 Domains configured for Windows Server 2016 domain functional level can further secure the unknown password for SCRIL-enabled users by configuring the domain to automatically change the password for SCRIL users.
 
 In this configuration, passwords for SCRIL-configured users expire based on Active Directory password policy settings. When the SCRIL user authenticates from a domain controller, the domain controller recognizes the password has expired, and automatically generates a new random 128 bit password for the user as part of the authentication. What is great about this feature is your users do not experience any change password notifications or any authentication outages.
-![Rotate Password 2016](images/passwordless/02-rotate-scril-2016.png)
+![Rotate Password 2016.](images/passwordless/02-rotate-scril-2016.png)
 
 > [!NOTE]
 > Some components within Windows 10, such as Data Protection APIs and NTLM authentication, still need artifacts of a user possessing a password. This configuration provides interoperability by reducing the usage surface while Microsoft continues to close the gaps to remove the password completely.
diff --git a/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md
index 5e24e71b64..2ad3bb1f3b 100644
--- a/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md
+++ b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md
@@ -54,7 +54,7 @@ It’s important to keep in mind that there are no physical containers on disk,
 
 The container actually contains a set of keys, some of which are used to protect other keys. The following image shows an example: the protector key is used to encrypt the authentication key, and the authentication key is used to encrypt the individual keys stored in the container.
  
-![Each logical container holds one or more sets of keys](../images/passport-fig3-logicalcontainer.png)
+![Each logical container holds one or more sets of keys.](../images/passport-fig3-logicalcontainer.png)
 
 Containers can contain several types of key material:
 
diff --git a/windows/security/identity-protection/remote-credential-guard.md b/windows/security/identity-protection/remote-credential-guard.md
index 57bbf194fc..65fa656745 100644
--- a/windows/security/identity-protection/remote-credential-guard.md
+++ b/windows/security/identity-protection/remote-credential-guard.md
@@ -34,13 +34,13 @@ Administrator credentials are highly privileged and must be protected. By using
 
 The following diagram helps you to understand how a standard Remote Desktop session to a server without Windows Defender Remote Credential Guard works:
 
-![RDP connection to a server without Windows Defender Remote Credential Guard.png](images/rdp-to-a-server-without-windows-defender-remote-credential-guard.png)
+![RDP connection to a server without Windows Defender Remote Credential Guard.png.](images/rdp-to-a-server-without-windows-defender-remote-credential-guard.png)
 
 <br />
 
 The following diagram helps you to understand how Windows Defender Remote Credential Guard works, what it helps to protect against, and compares it with the [Restricted Admin mode](https://social.technet.microsoft.com/wiki/contents/articles/32905.how-to-enable-restricted-admin-mode-for-remote-desktop.aspx) option:
 
-![Windows Defender Remote Credential Guard](images/windows-defender-remote-credential-guard-with-remote-admin-mode.png)
+![Windows Defender Remote Credential Guard.](images/windows-defender-remote-credential-guard-with-remote-admin-mode.png)
 
 <br />
 As illustrated, Windows Defender Remote Credential Guard blocks NTLM (allowing only Kerberos), prevents Pass-the-Hash (PtH) attacks, and also prevents use of credentials after disconnection.
@@ -152,7 +152,7 @@ Beginning with Windows 10 version 1703, you can enable Windows Defender Remote C
 
 2. Double-click **Restrict delegation of credentials to remote servers**.
 
-    ![Windows Defender Remote Credential Guard Group Policy](images/remote-credential-guard-gp.png)
+    ![Windows Defender Remote Credential Guard Group Policy.](images/remote-credential-guard-gp.png)
 
 3. Under **Use the following restricted mode**:
 
diff --git a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
index 635a9631d6..d5c9651f0f 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
@@ -34,7 +34,7 @@ Smart card support is required to enable many Remote Desktop Services scenarios.
 
 In a Remote Desktop scenario, a user is using a remote server for running services, and the smart card is local to the computer that the user is using. In a smart card sign-in scenario, the smart card service on the remote server redirects to the smart card reader that is connected to the local computer where the user is trying to sign in.
 
-![Smart card service redirects to smart card reader](images/sc-image101.png)
+![Smart card service redirects to smart card reader.](images/sc-image101.png)
 
 **Remote Desktop redirection**
 
diff --git a/windows/security/identity-protection/smart-cards/smart-card-architecture.md b/windows/security/identity-protection/smart-cards/smart-card-architecture.md
index 0663f9a479..63cbad9b26 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-architecture.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-architecture.md
@@ -52,7 +52,7 @@ Interactive sign-in in Windows begins when the user presses CTRL+ALT+DEL. The CT
 
 After receiving the SAS, the UI then generates the sign-in tile from the information received from the registered credential providers. The following graphic shows the architecture for credential providers in the Windows operating system.
 
-![Credential provider architecture](images/sc-image201.gif)
+![Credential provider architecture.](images/sc-image201.gif)
 
 **Figure 1**&nbsp;&nbsp;**Credential provider architecture**
 
@@ -88,7 +88,7 @@ Vendors provide smart cards and smart card readers, and in many cases the vendor
 
 Figure 2 illustrates the relationship between the CryptoAPI, CSPs, the Smart Card Base Cryptographic Service Provider (Base CSP), and smart card minidrivers.
 
-![Base CSP and smart card minidriver architecture](images/sc-image203.gif)
+![Base CSP and smart card minidriver architecture.](images/sc-image203.gif)
 
 **Figure 2**&nbsp;&nbsp;**Base CSP and smart card minidriver architecture**
 
@@ -236,7 +236,7 @@ Applications can call the Base CSP with CRYPT\_DEFAULT\_CONTAINER\_OPTIONAL, set
 
 In some of the following scenarios, the user can be prompted to insert a smart card. If the user context is silent, this operation fails and no UI is displayed. Otherwise, in response to the UI, the user can insert a smart card or click **Cancel**. If the user cancels the operation, the operation fails. The flow chart in Figure 3 shows the selection steps performed by the Windows operating system.
 
-![Smart card selection process](images/sc-image205.png)
+![Smart card selection process.](images/sc-image205.png)
 
 **Figure 3**&nbsp;&nbsp;**Smart card selection behavior**
 
@@ -314,7 +314,7 @@ For other operations, the caller may be able to acquire a "verify" context again
 
 Figure 4 shows the Cryptography architecture that is used by the Windows operating system.
 
-![Cryptography architecture](images/sc-image206.gif)
+![Cryptography architecture.](images/sc-image206.gif)
 
 **Figure 4**&nbsp;&nbsp;**Cryptography architecture**
 
diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md
index ae671b4ace..dbcf86ee67 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-propagation-service.md
@@ -38,7 +38,7 @@ The following figure shows the flow of the certificate propagation service. The
 
 **Certificate propagation service**
 
-![Certificate propagation service](images/sc-image302.gif)
+![Certificate propagation service.](images/sc-image302.gif)
 
 1.  A signed-in user inserts a smart card.
 
diff --git a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
index ef209588b9..a220e7e658 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
@@ -89,7 +89,7 @@ If you enable the **Allow signature keys valid for Logon** credential provider p
 
 The following diagram illustrates how smart card sign-in works in the supported versions of Windows.
 
-![Smart card sign-in flow](images/sc-image402.png)
+![Smart card sign-in flow.](images/sc-image402.png)
 
 **Smart card sign-in flow**
 
@@ -206,21 +206,21 @@ SSL/TLS can map certificates that do not have SAN, and the mapping is done by us
 
 **Certificate revocation list distribution points**
 
-![Certificate revocation list distribution points](images/sc-image403.png)
+![Certificate revocation list distribution points.](images/sc-image403.png)
 
 **UPN in Subject Alternative Name field**
 
-![UPN in Subject Alternative Name field](images/sc-image404.png)
+![UPN in Subject Alternative Name field.](images/sc-image404.png)
 
 **Subject and Issuer fields**
 
-![Subject and Issuer fields](images/sc-image405.png)
+![Subject and Issuer fields.](images/sc-image405.png)
 
 This account mapping is supported by the KDC in addition to six other mapping methods. The following figure demonstrates a flow of user account mapping logic that is used by the KDC.
 
 **High-level flow of certificate processing for sign-in**
 
-![High-level flow of certificate processing for sign-in](images/sc-image406.png)
+![High-level flow of certificate processing for sign-in.](images/sc-image406.png)
 
 The certificate object is parsed to look for content to perform user account mapping.
 
@@ -236,7 +236,7 @@ The following figure illustrates the process of mapping user accounts for sign-i
 
 **Certificate processing logic**
 
-![Certificate processing logic](images/sc-image407.png)
+![Certificate processing logic.](images/sc-image407.png)
 
 NT\_AUTH policy is best described in the CERT\_CHAIN\_POLICY\_NT\_AUTH parameter section of the CertVerifyCertificateChainPolicy function. For more information, see [CertVerifyCertificateChainPolicy](/windows/win32/api/wincrypt/nf-wincrypt-certverifycertificatechainpolicy).
 
diff --git a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md
index fa36cf563f..3f72307e25 100644
--- a/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md
+++ b/windows/security/identity-protection/smart-cards/smart-card-removal-policy-service.md
@@ -26,7 +26,7 @@ The smart card removal policy service is applicable when a user has signed in wi
 
 **Smart card removal policy service**
 
-![Smart card removal policy service](images/sc-image501.gif)
+![Smart card removal policy service.](images/sc-image501.gif)
 
 The numbers in the previous figure represent the following actions:
 
diff --git a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
index 10ffd31a84..76159c664d 100644
--- a/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
+++ b/windows/security/identity-protection/user-account-control/how-user-account-control-works.md
@@ -34,7 +34,7 @@ In order to better understand how this process happens, let's look at the Window
 
 The following shows how the logon process for an administrator differs from the logon process for a standard user.
 
-![uac windows logon process](images/uacwindowslogonprocess.gif)
+![uac windows logon process.](images/uacwindowslogonprocess.gif)
 
 By default, standard users and administrators access resources and run apps in the security context of standard users. When a user logs on to a computer, the system creates an access token for that user. The access token contains information about the level of access that the user is granted, including specific security identifiers (SIDs) and Windows privileges.
 
@@ -56,7 +56,7 @@ With UAC enabled, Windows 10 prompts for consent or prompts for credentials of
 
 The consent prompt is presented when a user attempts to perform a task that requires a user's administrative access token. The following is an example of the UAC consent prompt.
 
-![uac consent prompt](images/uacconsentprompt.gif)
+![uac consent prompt.](images/uacconsentprompt.gif)
 
 **The credential prompt**
 
@@ -64,7 +64,7 @@ The credential prompt is presented when a standard user attempts to perform a ta
 
 The following is an example of the UAC credential prompt.
 
-![uac credential prompt](images/uaccredentialprompt.gif)
+![uac credential prompt.](images/uaccredentialprompt.gif)
 
 **UAC elevation prompts**
 
@@ -81,7 +81,7 @@ The elevation prompt color-coding is as follows:
 
 Some Control Panel items, such as **Date and Time Properties**, contain a combination of administrator and standard user operations. Standard users can view the clock and change the time zone, but a full administrator access token is required to change the local system time. The following is a screen shot of the **Date and Time Properties** Control Panel item.
 
-![uac shield icon](images/uacshieldicon.png)
+![uac shield icon.](images/uacshieldicon.png)
 
 The shield icon on the **Change date and time** button indicates that the process requires a full administrator access token and will display a UAC elevation prompt.
 
@@ -99,7 +99,7 @@ While malware could present an imitation of the secure desktop, this issue canno
 
 The following diagram details the UAC architecture.
 
-![uac architecture](images/uacarchitecture.gif)
+![uac architecture.](images/uacarchitecture.gif)
 
 To better understand each component, review the table below:
 
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md
index badf574468..4468785ff0 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md
@@ -24,7 +24,7 @@ This topic for the IT professional discusses the factors to consider when you de
 
 Traditional identity devices, such as physical smart cards, follow a predictable lifecycle in any deployment, as shown in the following diagram.
 
-![Diagram of physical smart card lifecycle](images/vsc-physical-smart-card-lifecycle.png)
+![Diagram of physical smart card lifecycle.](images/vsc-physical-smart-card-lifecycle.png)
 
 Physical devices are created by a dedicated manufacturer and then purchased by the corporation that will ultimately deploy it. The device passes through the personalization stage, where its unique properties are set. In smart cards, these properties are the administrator key, Personal Identification Number (PIN), PIN Unlock Key (PUK), and its physical appearance. To provision the device, it is loaded with the required certificates, such as a sign-in certificate. After you provision the device, it is ready for use. The device must simply be maintained. For example, you must replace cards when they are lost or stolen and reset PINs when users forget them. Finally, you’ll retire devices when they exceed their intended lifetime or when employees leave the company.
 
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md
index 6fb462eb81..044f7c1fe1 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md
@@ -28,7 +28,7 @@ A crucial aspect of TPM virtual smart cards is their ability to securely store a
 
 The following diagram illustrates the secure key hierarchy and the process of accessing the user key.
 
-![Diagram of the process of accessing the user key](images/vsc-process-of-accessing-user-key.png)
+![Diagram of the process of accessing the user key.](images/vsc-process-of-accessing-user-key.png)
 
 The following keys are stored on the hard disk:
 
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md
index 6810a79d95..c6ad4e0710 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md
@@ -62,21 +62,21 @@ On your domain server, you need to create a template for the certificate that yo
 
 2. Click **File**, and then click **Add/Remove Snap-in**.
 
-   ![Add or remove snap-in](images/vsc-02-mmc-add-snap-in.png)
+   ![Add or remove snap-in.](images/vsc-02-mmc-add-snap-in.png)
 
 3. In the available snap-ins list, click **Certificate Templates**, and then click **Add**.
 
-   ![Add Certificate Templates snap-in](images/vsc-03-add-certificate-templates-snap-in.png)
+   ![Add Certificate Templates snap-in.](images/vsc-03-add-certificate-templates-snap-in.png)
 
 4. Certificate Templates is now located under **Console Root** in the MMC. Double-click it to view all the available certificate templates.
 
 5. Right-click the **Smartcard Logon** template, and click **Duplicate Template**.
 
-   ![Duplicating the Smartcard Logon template](images/vsc-04-right-click-smartcard-logon-template.png)
+   ![Duplicating the Smartcard Logon template.](images/vsc-04-right-click-smartcard-logon-template.png)
 
 6. On the **Compatibility** tab, under **Certification Authority**, review the selection, and change it if needed.
 
-   ![Compatibility tab, certification authority setting](images/vsc-05-certificate-template-compatibility.png)
+   ![Compatibility tab, certification authority setting.](images/vsc-05-certificate-template-compatibility.png)
 
 7. On the **General** tab:
 
@@ -102,23 +102,23 @@ On your domain server, you need to create a template for the certificate that yo
 
 12. Select **File**, then click **Add/Remove Snap-in** to add the Certification Authority snap-in to your MMC console. When asked which computer you want to manage, select the computer on which the CA is located, probably **Local Computer**.
 
-    ![Add Certification Authority snap-in](images/vsc-06-add-certification-authority-snap-in.png)
+    ![Add Certification Authority snap-in.](images/vsc-06-add-certification-authority-snap-in.png)
 
 13. In the left pane of the MMC, expand **Certification Authority (Local)**, and then expand your CA within the Certification Authority list.
 
 14. Right-click **Certificate Templates**, click **New**, and then click **Certificate Template to Issue**.
 
-    ![Right-click menu for Certificate Templates](images/vsc-07-right-click-certificate-templates.png)
+    ![Right-click menu for Certificate Templates.](images/vsc-07-right-click-certificate-templates.png)
 
 15. From the list, select the new template that you just created (**TPM Virtual Smart Card Logon**), and then click **OK**.
 
     > **Note**&nbsp;&nbsp;It can take some time for your template to replicate to all servers and become available in this list.
 
-    ![Selecting a certificate template](images/vsc-08-enable-certificate-template.png)
+    ![Selecting a certificate template.](images/vsc-08-enable-certificate-template.png)
 
 16. After the template replicates, in the MMC, right-click in the Certification Authority list, click **All Tasks**, and then click **Stop Service**. Then, right-click the name of the CA again, click **All Tasks**, and then click **Start Service**.
 
-    ![Stopping and starting the service](images/vsc-09-stop-service-start-service.png)
+    ![Stopping and starting the service.](images/vsc-09-stop-service-start-service.png)
 
 ## Step 2: Create the TPM virtual smart card
 
@@ -128,7 +128,7 @@ In this step, you will create the virtual smart card on the client computer by u
 
 1.  On a domain-joined computer, open a Command Prompt window with Administrative credentials.
 
-    ![Cmd prompt, Run as administrator](images/vsc-10-cmd-run-as-administrator.png)
+    ![Cmd prompt, Run as administrator.](images/vsc-10-cmd-run-as-administrator.png)
 
 2.  At the command prompt, type the following, and then press ENTER:
 
@@ -150,11 +150,11 @@ The virtual smart card must be provisioned with a sign-in certificate for it to
 
 2.  Right-click **Personal**, click **All Tasks**, and then click **Request New Certificate**.
 
-    ![Request New Certificate](images/vsc-11-certificates-request-new-certificate.png)
+    ![Request New Certificate.](images/vsc-11-certificates-request-new-certificate.png)
 
 3.  Follow the prompts and when offered a list of templates, select the **TPM Virtual Smart Card Logon** check box (or whatever you named the template in Step 1).
 
-    ![Certificate enrollment, select certificate](images/vsc-12-certificate-enrollment-select-certificate.png)
+    ![Certificate enrollment, select certificate.](images/vsc-12-certificate-enrollment-select-certificate.png)
 
 4.  If prompted for a device, select the Microsoft virtual smart card that corresponds to the one you created in the previous section. It displays as **Identity Device (Microsoft Profile)**.
 
diff --git a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md
index 789da743aa..4d3f59ff0a 100644
--- a/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md
+++ b/windows/security/identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md
@@ -74,7 +74,7 @@ For more information about these Windows APIs, see:
 
 To help users visually distinguish a Trusted Platform Module (TPM)-based virtual smart card from physical smart cards, the virtual smart card has a different icon. The following icon is displayed during sign in, and on other screens that require the user to enter the PIN for a virtual smart card.
 
-![Icon for a virtual smart card](images/vsc-virtual-smart-card-icon.png)
+![Icon for a virtual smart card.](images/vsc-virtual-smart-card-icon.png)
 
 A TPM-based virtual smart card is labeled **Security Device** in the user interface.
 
diff --git a/windows/security/identity-protection/vpn/vpn-authentication.md b/windows/security/identity-protection/vpn/vpn-authentication.md
index 9665848076..2c0a581e8d 100644
--- a/windows/security/identity-protection/vpn/vpn-authentication.md
+++ b/windows/security/identity-protection/vpn/vpn-authentication.md
@@ -51,7 +51,7 @@ See [EAP configuration](/windows/client-management/mdm/eap-configuration) for EA
 
 The following image shows the field for EAP XML in a Microsoft Intune VPN profile. The EAP XML field only appears when you select a built-in connection type (automatic, IKEv2, L2TP, PPTP).
 
-![EAP XML configuration in Intune profile](images/vpn-eap-xml.png)
+![EAP XML configuration in Intune profile.](images/vpn-eap-xml.png)
 
 ## Related topics
 
diff --git a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md
index 2c1405d9e0..44b05da541 100644
--- a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md
+++ b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md
@@ -89,11 +89,11 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/clien
 
 The following image shows associating an app to a VPN connection in a VPN Profile configuration policy using Microsoft Intune.
 
-![Add an app for the VPN connection](images/vpn-app-trigger.png)
+![Add an app for the VPN connection.](images/vpn-app-trigger.png)
 
 After you add an associated app, if you select the **Only these apps can use this VPN connection (per-app VPN)** checkbox, the app becomes available in **Corporate Boundaries**, where you can configure rules for the app. See [Traffic filters](vpn-security-features.md#traffic-filters) for more details. 
 
-![Configure rules for the app](images/vpn-app-rules.png)
+![Configure rules for the app.](images/vpn-app-rules.png)
 
 ## Related topics
 
diff --git a/windows/security/identity-protection/vpn/vpn-conditional-access.md b/windows/security/identity-protection/vpn/vpn-conditional-access.md
index 393bf3b90b..66baa88e46 100644
--- a/windows/security/identity-protection/vpn/vpn-conditional-access.md
+++ b/windows/security/identity-protection/vpn/vpn-conditional-access.md
@@ -87,7 +87,7 @@ Two client-side configuration service providers are leveraged for VPN device com
 The VPN client side connection flow works as follows:
 
 > [!div class="mx-imgBorder"]
-> ![Device compliance workflow when VPN client attempts to connect](images/vpn-device-compliance.png)
+> ![Device compliance workflow when VPN client attempts to connect.](images/vpn-device-compliance.png)
  
 When a VPNv2 Profile is configured with \<DeviceCompliance> \<Enabled>true<\/Enabled> the VPN client uses this connection flow:
 
diff --git a/windows/security/identity-protection/vpn/vpn-connection-type.md b/windows/security/identity-protection/vpn/vpn-connection-type.md
index e65b9b6d8b..465f79924f 100644
--- a/windows/security/identity-protection/vpn/vpn-connection-type.md
+++ b/windows/security/identity-protection/vpn/vpn-connection-type.md
@@ -23,7 +23,7 @@ Virtual private networks (VPNs) are point-to-point connections across a private
 
 There are many options for VPN clients. In Windows 10, the built-in plug-in and the Universal Windows Platform (UWP) VPN plug-in platform are built on top of the Windows VPN platform. This guide focuses on the Windows VPN platform clients and the features that can be configured. 
 
-![VPN connection types](images/vpn-connection.png)
+![VPN connection types.](images/vpn-connection.png)
 
 ## Built-in VPN client
 
@@ -67,12 +67,12 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/clien
 The following image shows connection options in a VPN Profile configuration policy using Microsoft Intune:
 
 > [!div class="mx-imgBorder"]
-> ![Available connection types](images/vpn-connection-intune.png)
+> ![Available connection types.](images/vpn-connection-intune.png)
      
 In Intune, you can also include custom XML for third-party plug-in profiles:
 
 > [!div class="mx-imgBorder"]
-> ![Custom XML](images/vpn-custom-xml-intune.png)
+> ![Custom XML.](images/vpn-custom-xml-intune.png)
 
 
 ## Related topics
diff --git a/windows/security/identity-protection/vpn/vpn-name-resolution.md b/windows/security/identity-protection/vpn/vpn-name-resolution.md
index fcc360257b..70cec8d554 100644
--- a/windows/security/identity-protection/vpn/vpn-name-resolution.md
+++ b/windows/security/identity-protection/vpn/vpn-name-resolution.md
@@ -64,7 +64,7 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/clien
 
 The following image shows name resolution options in a VPN Profile configuration policy using Microsoft Intune.
 
-![Add DNS rule](images/vpn-name-intune.png)
+![Add DNS rule.](images/vpn-name-intune.png)
 
 The fields in **Add or edit DNS rule** in the Intune profile correspond to the XML settings shown in the following table.
 
diff --git a/windows/security/identity-protection/vpn/vpn-profile-options.md b/windows/security/identity-protection/vpn/vpn-profile-options.md
index 69940276c8..96eae8c6ac 100644
--- a/windows/security/identity-protection/vpn/vpn-profile-options.md
+++ b/windows/security/identity-protection/vpn/vpn-profile-options.md
@@ -312,7 +312,7 @@ After you configure the settings that you want using ProfileXML, you can apply i
 10. Set Data type to **String (XML file)**.
 11. Upload the profile XML file.
 12. Click **OK**.
-    ![Custom VPN profile](images/custom-vpn-profile.png)
+    ![Custom VPN profile.](images/custom-vpn-profile.png)
 13. Click **OK**, then **Create**.
 14. Assign the profile.
 
diff --git a/windows/security/identity-protection/vpn/vpn-routing.md b/windows/security/identity-protection/vpn/vpn-routing.md
index a33e2b0f3f..ea0cb1c3ae 100644
--- a/windows/security/identity-protection/vpn/vpn-routing.md
+++ b/windows/security/identity-protection/vpn/vpn-routing.md
@@ -53,11 +53,11 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/clien
 
 When you configure a VPN profile in Microsoft Intune, you select a checkbox to enable split tunnel configuration.
 
-![split tunnel](images/vpn-split.png)
+![split tunnel.](images/vpn-split.png)
 
 Next, in **Corporate Boundaries**, you add the routes that should use the VPN connection.   
   
-![add route for split tunnel](images/vpn-split-route.png)
+![add route for split tunnel.](images/vpn-split-route.png)
 
 
 ## Related topics
diff --git a/windows/security/identity-protection/vpn/vpn-security-features.md b/windows/security/identity-protection/vpn/vpn-security-features.md
index bd1a32dde4..c84ab32cb0 100644
--- a/windows/security/identity-protection/vpn/vpn-security-features.md
+++ b/windows/security/identity-protection/vpn/vpn-security-features.md
@@ -59,7 +59,7 @@ See [VPN profile options](vpn-profile-options.md) and [VPNv2 CSP](/windows/clien
 
 The following image shows the interface to configure traffic rules in a VPN Profile configuration policy, using Microsoft Intune.
 
-![Add a traffic rule](images/vpn-traffic-rules.png)
+![Add a traffic rule.](images/vpn-traffic-rules.png)
 
 
 ## LockDown VPN
diff --git a/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md b/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md
index 2c1a02b8db..62a4cf6cf0 100644
--- a/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md
+++ b/windows/security/identity-protection/windows-credential-theft-mitigation-guide-abstract.md
@@ -31,7 +31,7 @@ This guide explains how credential theft attacks occur and the strategies and co
 - Respond to suspicious activity
 - Recover from a breach
 
-![Security stages](images/security-stages.png)
+![Security stages.](images/security-stages.png)
 
 ## Attacks that steal credentials
 
diff --git a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
index fc9b15fdef..23b9d93073 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
@@ -89,7 +89,7 @@ On computers with a compatible TPM, operating system drives that are BitLocker-p
 
 In the following Group Policy example, TPM + PIN is required to unlock an operating system drive:
 
-![Pre-boot authentication setting in Group Policy](images/pre-boot-authentication-group-policy.png)
+![Pre-boot authentication setting in Group Policy.](images/pre-boot-authentication-group-policy.png)
 
 Pre-boot authentication with a PIN can mitigate an attack vector for devices that use a bootable eDrive because an exposed eDrive bus can allow an attacker to capture the BitLocker encryption key during startup. 
 Pre-boot authentication with a PIN can also mitigate DMA port attacks during the window of time between when BitLocker unlocks the drive and Windows boots to the point that Windows can set any port-related policies that have been configured. 
@@ -110,7 +110,7 @@ This Kernel DMA Protection is available only for new systems beginning with Wind
 
 You can use the System Information desktop app (MSINFO32) to check if a device has kernel DMA protection enabled: 
 
-![Kernel DMA protection](images/kernel-dma-protection.png)
+![Kernel DMA protection.](images/kernel-dma-protection.png)
 
 If kernel DMA protection *not* enabled, follow these steps to protect Thunderbolt™ 3 enabled ports:
 
diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md
index 4864bdf4d4..cd0b6543e6 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md
@@ -34,31 +34,31 @@ This article depicts the BitLocker deployment comparison chart.
 |Supported domain-joined status     |     Microsoft Azure Active Directory (Azure AD) joined, hybrid Azure AD joined    |   Active Directory joined, hybrid Azure AD joined      |     Active Directory joined    |
 |Permissions required to manage policies     |    Endpoint security manager or custom     |   Full administrator or custom      |     Domain Admin or Delegated GPO access    |
 |Cloud or on premises      |     Cloud    |  On premises     |    On premises     |
-|Server components required?      |         |  :::image type="content" source="images/yes-icon.png" alt-text="supported":::    |  :::image type="content" source="images/yes-icon.png" alt-text="supported":::       |
+|Server components required?      |         |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::    |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |
 |Additional agent required?     |     No (device enrollment only)    |   Configuration Manager client      |     MBAM client    |
 |Administrative plane     | Microsoft Endpoint Manager admin center        |    Configuration Manager console     |    Group Policy Management Console and MBAM sites     |
-|Administrative portal installation required     |         |   :::image type="content" source="images/yes-icon.png" alt-text="supported":::    |    :::image type="content" source="images/yes-icon.png" alt-text="supported":::     |
-|Compliance reporting capabilities     |  :::image type="content" source="images/yes-icon.png" alt-text="supported":::       |   :::image type="content" source="images/yes-icon.png" alt-text="supported":::      |  :::image type="content" source="images/yes-icon.png" alt-text="supported":::       |
-|Force encryption     |    :::image type="content" source="images/yes-icon.png" alt-text="supported":::   |  :::image type="content" source="images/yes-icon.png" alt-text="supported":::   | :::image type="content" source="images/yes-icon.png" alt-text="supported":::       |
-|Encryption for storage cards (mobile)      |   :::image type="content" source="images/yes-icon.png" alt-text="supported":::     |  :::image type="content" source="images/yes-icon.png" alt-text="supported":::      |         |
-|Allow recovery password      |   :::image type="content" source="images/yes-icon.png" alt-text="supported":::      |   :::image type="content" source="images/yes-icon.png" alt-text="supported":::    |    :::image type="content" source="images/yes-icon.png" alt-text="supported":::     |
-|Manage startup authentication     |   :::image type="content" source="images/yes-icon.png" alt-text="supported":::      |     :::image type="content" source="images/yes-icon.png" alt-text="supported":::    |     :::image type="content" source="images/yes-icon.png" alt-text="supported":::    |
-|Select cipher strength and algorithms for fixed drives      |    :::image type="content" source="images/yes-icon.png" alt-text="supported":::     | :::image type="content" source="images/yes-icon.png" alt-text="supported":::      |   :::image type="content" source="images/yes-icon.png" alt-text="supported":::      |
-|Select cipher strength and algorithms for removable drives     |   :::image type="content" source="images/yes-icon.png" alt-text="supported":::      |  :::image type="content" source="images/yes-icon.png" alt-text="supported":::       |  :::image type="content" source="images/yes-icon.png" alt-text="supported":::       |
-|Select cipher strength and algorithms for operating environment drives     |   :::image type="content" source="images/yes-icon.png" alt-text="supported":::      |   :::image type="content" source="images/yes-icon.png" alt-text="supported":::    |   :::image type="content" source="images/yes-icon.png" alt-text="supported":::      |
+|Administrative portal installation required     |         |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::    |    :::image type="content" source="images/yes-icon.png" alt-text="supported.":::     |
+|Compliance reporting capabilities     |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::      |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |
+|Force encryption     |    :::image type="content" source="images/yes-icon.png" alt-text="supported.":::   |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::   | :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |
+|Encryption for storage cards (mobile)      |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::     |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::      |         |
+|Allow recovery password      |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::      |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::    |    :::image type="content" source="images/yes-icon.png" alt-text="supported.":::     |
+|Manage startup authentication     |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::      |     :::image type="content" source="images/yes-icon.png" alt-text="supported.":::    |     :::image type="content" source="images/yes-icon.png" alt-text="supported.":::    |
+|Select cipher strength and algorithms for fixed drives      |    :::image type="content" source="images/yes-icon.png" alt-text="supported.":::     | :::image type="content" source="images/yes-icon.png" alt-text="supported.":::      |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::      |
+|Select cipher strength and algorithms for removable drives     |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::      |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |
+|Select cipher strength and algorithms for operating environment drives     |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::      |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::    |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::      |
 |Standard recovery password storage location     |     Azure AD or Active Directory    |     Configuration Manager site database    |    MBAM database     |
 |Store recovery password for operating system and fixed drives to Azure AD or Active Directory     |    Yes (Active Directory and Azure AD)     | Yes (Active Directory only)      |   Yes (Active Directory only)      |
-|Customize preboot message and recovery link     | :::image type="content" source="images/yes-icon.png" alt-text="supported":::         | :::image type="content" source="images/yes-icon.png" alt-text="supported":::        |   :::image type="content" source="images/yes-icon.png" alt-text="supported":::      |
-|Allow/deny key file creation     |  :::image type="content" source="images/yes-icon.png" alt-text="supported":::       |  :::image type="content" source="images/yes-icon.png" alt-text="supported":::     |   :::image type="content" source="images/yes-icon.png" alt-text="supported":::      |
-|Deny Write permission to unprotected drives     |  :::image type="content" source="images/yes-icon.png" alt-text="supported":::       |  :::image type="content" source="images/yes-icon.png" alt-text="supported":::       |  :::image type="content" source="images/yes-icon.png" alt-text="supported":::       |
-|Can be administered outside company network     |  :::image type="content" source="images/yes-icon.png" alt-text="supported":::       |  :::image type="content" source="images/yes-icon.png" alt-text="supported":::     |         |
-|Support for organization unique IDs     |         |      :::image type="content" source="images/yes-icon.png" alt-text="supported":::   |     :::image type="content" source="images/yes-icon.png" alt-text="supported":::    |
-|Self-service recovery      |    Yes (through Azure AD or Company Portal app)     |   :::image type="content" source="images/yes-icon.png" alt-text="supported":::    |    :::image type="content" source="images/yes-icon.png" alt-text="supported":::     |
-|Recovery password rotation for fixed and operating environment drives     |   Yes (Windows 10, version 1909 and later)     |  :::image type="content" source="images/yes-icon.png" alt-text="supported":::       |  :::image type="content" source="images/yes-icon.png" alt-text="supported":::       |
-|Wait to complete encryption until recovery information is backed up to Azure AD      |     :::image type="content" source="images/yes-icon.png" alt-text="supported":::    |       |        |
-|Wait to complete encryption until recovery information is backed up to Active Directory      |         |  :::image type="content" source="images/yes-icon.png" alt-text="supported":::     |    :::image type="content" source="images/yes-icon.png" alt-text="supported":::     |
-|Allow or deny Data Recovery Agent     |  :::image type="content" source="images/yes-icon.png" alt-text="supported":::       |  :::image type="content" source="images/yes-icon.png" alt-text="supported":::       |  :::image type="content" source="images/yes-icon.png" alt-text="supported":::       |
-|Unlock a volume using certificate with custom object identifier     |         |   :::image type="content" source="images/yes-icon.png" alt-text="supported":::    |     :::image type="content" source="images/yes-icon.png" alt-text="supported":::    |
-|Prevent memory overwrite on restart     |         |  :::image type="content" source="images/yes-icon.png" alt-text="supported":::       |  :::image type="content" source="images/yes-icon.png" alt-text="supported":::       |
-|Configure custom Trusted Platform Module Platform Configuration Register profiles     |         |       | :::image type="content" source="images/yes-icon.png" alt-text="supported":::        |
-|Manage auto-unlock functionality     |         |    :::image type="content" source="images/yes-icon.png" alt-text="supported":::     | :::image type="content" source="images/yes-icon.png" alt-text="supported":::        |
+|Customize preboot message and recovery link     | :::image type="content" source="images/yes-icon.png" alt-text="supported.":::         | :::image type="content" source="images/yes-icon.png" alt-text="supported.":::        |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::      |
+|Allow/deny key file creation     |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::     |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::      |
+|Deny Write permission to unprotected drives     |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |
+|Can be administered outside company network     |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::     |         |
+|Support for organization unique IDs     |         |      :::image type="content" source="images/yes-icon.png" alt-text="supported.":::   |     :::image type="content" source="images/yes-icon.png" alt-text="supported.":::    |
+|Self-service recovery      |    Yes (through Azure AD or Company Portal app)     |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::    |    :::image type="content" source="images/yes-icon.png" alt-text="supported.":::     |
+|Recovery password rotation for fixed and operating environment drives     |   Yes (Windows 10, version 1909 and later)     |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |
+|Wait to complete encryption until recovery information is backed up to Azure AD      |     :::image type="content" source="images/yes-icon.png" alt-text="supported.":::    |       |        |
+|Wait to complete encryption until recovery information is backed up to Active Directory      |         |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::     |    :::image type="content" source="images/yes-icon.png" alt-text="supported.":::     |
+|Allow or deny Data Recovery Agent     |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |
+|Unlock a volume using certificate with custom object identifier     |         |   :::image type="content" source="images/yes-icon.png" alt-text="supported.":::    |     :::image type="content" source="images/yes-icon.png" alt-text="supported.":::    |
+|Prevent memory overwrite on restart     |         |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |  :::image type="content" source="images/yes-icon.png" alt-text="supported.":::       |
+|Configure custom Trusted Platform Module Platform Configuration Register profiles     |         |       | :::image type="content" source="images/yes-icon.png" alt-text="supported.":::        |
+|Manage auto-unlock functionality     |         |    :::image type="content" source="images/yes-icon.png" alt-text="supported.":::     | :::image type="content" source="images/yes-icon.png" alt-text="supported.":::        |
diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
index eaccfb9c9f..a72324edf4 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
@@ -298,18 +298,18 @@ This policy can be configured using GPO under **Computer Configuration** > **Adm
 It can also be configured using Intune mobile device management (MDM) in the BitLocker CSP:
 *\<LocURI>./Device/Vendor/MSFT/BitLocker/SystemDrivesRecoveryMessage\</LocURI>*
 
-![Custom URL](./images/bl-intune-custom-url.png)
+![Custom URL.](./images/bl-intune-custom-url.png)
 
 Example of customized recovery screen:
 
-![Customized BitLocker Recovery Screen](./images/bl-password-hint1.png)
+![Customized BitLocker Recovery Screen.](./images/bl-password-hint1.png)
 
 
 ### BitLocker recovery key hints
 
 BitLocker metadata has been enhanced in Windows 10, version 1903 to include information about when and where the BitLocker recovery key was backed up. This information is not exposed through the UI or any public API. It is used solely by the BitLocker recovery screen in the form of hints to help a user locate a volume's recovery key. Hints are displayed on the recovery screen and refer to the location where the key has been saved. Hints are displayed on both the modern (blue) and legacy (black) recovery screen. This applies to both the boot manager recovery screen and the WinRE unlock screen.
 
-![Customized BitLocker recovery screen](./images/bl-password-hint2.png)
+![Customized BitLocker recovery screen.](./images/bl-password-hint2.png)
 
 > [!IMPORTANT]
 > We don't recommend printing recovery keys or saving them to a file. Instead, use Active Directory backup or a cloud-based backup. Cloud-based backup includes Azure Active Directory (Azure AD) and Microsoft Account.
@@ -339,7 +339,7 @@ There are rules governing which hint is shown during the recovery (in order of p
 
 **Result:** The hint for the Microsoft Account and the custom URL are displayed.
 
-![Example 1 of Customized BitLocker recovery screen](./images/rp-example1.png)
+![Example 1 of Customized BitLocker recovery screen.](./images/rp-example1.png)
 
 
 #### Example 2 (single recovery key with single backup)
@@ -354,7 +354,7 @@ There are rules governing which hint is shown during the recovery (in order of p
 
 **Result:** Only the custom URL is displayed.
 
-![Example 2 of customized BitLocker recovery screen](./images/rp-example2.png)
+![Example 2 of customized BitLocker recovery screen.](./images/rp-example2.png)
 
 
 #### Example 3 (single recovery key with multiple backups)
@@ -369,7 +369,7 @@ There are rules governing which hint is shown during the recovery (in order of p
 
 **Result:** Only the Microsoft Account hint is displayed.
 
-![Example 3 of customized BitLocker recovery screen](./images/rp-example3.png)
+![Example 3 of customized BitLocker recovery screen.](./images/rp-example3.png)
 
 
 #### Example 4  (multiple recovery passwords)
@@ -399,7 +399,7 @@ There are rules governing which hint is shown during the recovery (in order of p
 
 **Result:** Only the hint for a successfully backed up key is displayed, even if it isn't the most recent key.
 
-![Example 4 of customized BitLocker recovery screen](./images/rp-example4.png)
+![Example 4 of customized BitLocker recovery screen.](./images/rp-example4.png)
 
 
 #### Example 5  (multiple recovery passwords)
@@ -429,7 +429,7 @@ There are rules governing which hint is shown during the recovery (in order of p
 
 **Result:** The hint for the most recent key is displayed.
 
-![Example 5 of customized BitLocker recovery screen](./images/rp-example5.png)
+![Example 5 of customized BitLocker recovery screen.](./images/rp-example5.png)
 
 
 ## <a href="" id="bkmk-usingaddrecovery"></a>Using additional recovery information
diff --git a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
index c6483a8057..e8045e225c 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
@@ -52,7 +52,7 @@ manage-bde -status
 ```
 This command returns the volumes on the target, current encryption status, encryption method, and volume type (operating system or data) for each volume:
 
-![Using manage-bde to check encryption status](images/manage-bde-status.png)
+![Using manage-bde to check encryption status.](images/manage-bde-status.png)
 
 The following example illustrates enabling BitLocker on a computer without a TPM chip. Before beginning the encryption process, you must create the startup key needed for BitLocker and save it to the USB drive. When BitLocker is enabled for the operating system volume, the BitLocker will need to access the USB flash drive to obtain the encryption key (in this example, the drive letter E represents the USB drive). You will be prompted to reboot to complete the encryption process.
 
diff --git a/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md b/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md
index 2a08e910d0..664fb40db0 100644
--- a/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md
+++ b/windows/security/information-protection/bitlocker/troubleshoot-bitlocker.md
@@ -58,7 +58,7 @@ You can use Get-WinEvent in an elevated PowerShell window to display filtered in
 
    The output of such a command resembles the following.
 
-   ![Display of events that is produced by using Get-WinEvent and a BitLocker filter](./images/psget-winevent-1.png)
+   ![Display of events that is produced by using Get-WinEvent and a BitLocker filter.](./images/psget-winevent-1.png)
 
 - To export BitLocker-related information:
    ```ps
@@ -77,7 +77,7 @@ You can use Get-WinEvent in an elevated PowerShell window to display filtered in
 
    The output of such a command resembles the following.
 
-   ![Display of events that is produced by using Get-WinEvent and a TPM filter](./images/psget-winevent-2.png)
+   ![Display of events that is produced by using Get-WinEvent and a TPM filter.](./images/psget-winevent-2.png)
 
 > [!NOTE]
 > If you intend to contact Microsoft Support, we recommend that you export the logs listed in this section.
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md
index d41b2c7bf1..6268e09343 100644
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md
@@ -82,11 +82,11 @@ To verify that this issue has occurred, follow these steps:
 
 1. Copy this output, and use it as part of the [**ConvertFrom-SddlString**](/powershell/module/microsoft.powershell.utility/convertfrom-sddlstring?view=powershell-6) command in the PowerShell window, as follows.
 
-   ![Output of the ConvertFrom-SddlString command, showing NT AUTHORITY\\INTERACTIVE](./images/ts-bitlocker-usb-sddl.png)
+   ![Output of the ConvertFrom-SddlString command, showing NT AUTHORITY\\INTERACTIVE.](./images/ts-bitlocker-usb-sddl.png)
 
    If you see NT AUTHORITY\INTERACTIVE (as highlighted), in the output of this command, this is the cause of the issue. Under typical conditions, the output should resemble the following:
 
-   ![Output of the ConvertFrom-SddlString command, showing NT AUTHORITY\\Authenticated Users](./images/ts-bitlocker-usb-default-sddl.png)
+   ![Output of the ConvertFrom-SddlString command, showing NT AUTHORITY\\Authenticated Users.](./images/ts-bitlocker-usb-default-sddl.png)
 
 > [!NOTE]
 > GPOs that change the security descriptors of services have been known to cause this issue.
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md b/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md
index bab9c21e3e..1def746b1f 100644
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md
@@ -45,11 +45,11 @@ To install the tool, follow these steps:
 
 1. Accept the default installation path.
 
-   ![Specify Location page of the Windows Hardware Lab Kit installation wizard](./images/ts-tpm-1.png)
+   ![Specify Location page of the Windows Hardware Lab Kit installation wizard.](./images/ts-tpm-1.png)
 
 1. Under **Select the features you want to install**, select **Windows Hardware Lab Kit&mdash;Controller + Studio**.
 
-   ![Select features page of the Windows Hardware Lab Kit installation wizard](./images/ts-tpm-2.png)
+   ![Select features page of the Windows Hardware Lab Kit installation wizard.](./images/ts-tpm-2.png)
 
 1. Finish the installation.
 
@@ -60,7 +60,7 @@ To use TBSLogGenerator, follow these steps:
 
    This folder contains the TBSLogGenerator.exe file.
 
-   ![Properties and location of the TBSLogGenerator.exe file](./images/ts-tpm-3.png)
+   ![Properties and location of the TBSLogGenerator.exe file.](./images/ts-tpm-3.png)
 
 1. Run the following command:
    ```cmd
@@ -78,19 +78,19 @@ To use TBSLogGenerator, follow these steps:
     TBSLogGenerator.exe -LF C:\MeasuredBoot\0000000005-0000000000.log > C:\MeasuredBoot\0000000005-0000000000.txt
     ```
 
-   ![Command Prompt window that shows an example of how to use TBSLogGenerator](./images/ts-tpm-4.png)
+   ![Command Prompt window that shows an example of how to use TBSLogGenerator.](./images/ts-tpm-4.png)
 
    The command produces a text file that uses the specified name. In the case of the example, the file is **0000000005-0000000000.txt**. The file is located in the same folder as the original .log file.
 
-   ![Windows Explorer window that shows the text file that TBSLogGenerator produces](./images/ts-tpm-5.png)
+   ![Windows Explorer window that shows the text file that TBSLogGenerator produces.](./images/ts-tpm-5.png)
 
 The content of this text file resembles the following.
 
-![Contents of the text file, as shown in NotePad](./images/ts-tpm-6.png)
+![Contents of the text file, as shown in NotePad.](./images/ts-tpm-6.png)
 
 To find the PCR information, go to the end of the file.
 
-   ![View of NotePad that shows the PCR information at the end of the text file](./images/ts-tpm-7.png)
+   ![View of NotePad that shows the PCR information at the end of the text file.](./images/ts-tpm-7.png)
 
 ## Use PCPTool to decode Measured Boot logs
 
@@ -114,4 +114,4 @@ where the variables represent the following values:
 
 The content of the XML file resembles the following.
 
-![Command Prompt window that shows an example of how to use PCPTool](./images/pcptool-output.jpg)
+![Command Prompt window that shows an example of how to use PCPTool.](./images/pcptool-output.jpg)
diff --git a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md b/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md
index 60c34a7bb6..611dc64098 100644
--- a/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md
+++ b/windows/security/information-protection/bitlocker/ts-bitlocker-intune-issues.md
@@ -20,7 +20,7 @@ ms.custom: bitlocker
 
 This article helps you troubleshoot issues that you may experience if you use Microsoft Intune policy to manage silent BitLocker encryption on devices. The Intune portal indicates whether BitLocker has failed to encrypt one or more managed devices.
 
-![The BitLocker status indictors on the Intune portal](./images/4509189-en-1.png)
+![The BitLocker status indictors on the Intune portal.](./images/4509189-en-1.png)
 
 To start narrowing down the cause of the problem, review the event logs as described in [Troubleshoot BitLocker](troubleshoot-bitlocker.md). Concentrate on the Management and Operations logs in the **Applications and Services logs\\Microsoft\\Windows\\BitLocker-API** folder. The following sections provide more information about how to resolve the indicated events and error messages:
 
@@ -43,7 +43,7 @@ For information about how to verify that Intune policies are enforcing BitLocker
 
 Event ID 853 can carry different error messages, depending on the context. In this case, the Event ID 853 error message indicates that the device does not appear to have a TPM. The event information resembles the following:
 
-![Details of event ID 853 (TPM is not available, cannot find TPM)](./images/4509190-en-1.png)
+![Details of event ID 853 (TPM is not available, cannot find TPM).](./images/4509190-en-1.png)
 
 ### Cause
 
@@ -64,7 +64,7 @@ For more information, see [Troubleshoot the TPM](../tpm/initialize-and-configure
 
 In this case, you see event ID 853, and the error message in the event indicates that bootable media is available to the device. The event information resembles the following.
 
-![Details of event ID 853 (TPM is not available, bootable media found)](./images/4509191-en-1.png)
+![Details of event ID 853 (TPM is not available, bootable media found).](./images/4509191-en-1.png)
 
 ### Cause
 
@@ -100,7 +100,7 @@ You can resolve this issue by verifying the configuration of the disk partitions
 
 The procedures described in this section depend on the default disk partitions that Windows configures during installation. Windows 10 automatically creates a recovery partition that contains the Winre.wim file. The partition configuration resembles the following.
 
-![Default disk partitions, including the recovery partition](./images/4509194-en-1.png)
+![Default disk partitions, including the recovery partition.](./images/4509194-en-1.png)
 
 To verify the configuration of the disk partitions, open an elevated Command Prompt window, and run the following commands:
 
@@ -108,11 +108,11 @@ To verify the configuration of the disk partitions, open an elevated Command Pro
 diskpart 
 list volume
 ```
-![Output of the list volume command in the Diskpart app](./images/4509195-en-1.png)
+![Output of the list volume command in the Diskpart app.](./images/4509195-en-1.png)
 
 If the status of any of the volumes is not healthy or if the recovery partition is missing, you may have to reinstall Windows. Before you do this, check the configuration of the Windows image that you are using for provisioning. Make sure that the image uses the correct disk configuration. The image configuration should resemble the following (this example is from Microsoft Endpoint Configuration Manager).
 
-![Windows image configuration in Microsoft Endpoint Configuration Manager](./images/configmgr-imageconfig.jpg)
+![Windows image configuration in Microsoft Endpoint Configuration Manager.](./images/configmgr-imageconfig.jpg)
 
 #### Step 2: Verify the status of WinRE
 
@@ -123,7 +123,7 @@ reagentc /info
 ```
 The output of this command resembles the following.
 
-![Output of the reagentc /info command](./images/4509193-en-1.png)
+![Output of the reagentc /info command.](./images/4509193-en-1.png)
 
 If the **Windows RE status** is not **Enabled**, run the following command to enable it:
 
@@ -141,7 +141,7 @@ bcdedit /enum all
 
 The output of this command resembles the following.
 
-![Output of the bcdedit /enum all command](./images/4509196-en-1.png)
+![Output of the bcdedit /enum all command.](./images/4509196-en-1.png)
 
 In the output, locate the **Windows Boot Loader** section that includes the line **identifier={current}**. In that section, locate the **recoverysequence** attribute. The value of this attribute should be a GUID value, not a string of zeros.
 
@@ -163,7 +163,7 @@ To verify the BIOS mode, use the System Information app. To do this, follow thes
 
 1. Select **Start**, and enter **msinfo32** in the **Search** box.
 1. Verify that the **BIOS Mode** setting is **UEFI** and not **Legacy**.  
-   ![System Information app, showing the BIOS Mode setting](./images/4509198-en-1.png)
+   ![System Information app, showing the BIOS Mode setting.](./images/4509198-en-1.png)
 1. If the **BIOS Mode** setting is **Legacy**, you have to switch the BIOS into **UEFI** or **EFI** mode. The steps for doing this are specific to the device.
    > [!NOTE]
    > If the device supports only Legacy mode, you cannot use Intune to manage BitLocker Device Encryption on the device.
@@ -192,11 +192,11 @@ Manage-bde -protectors -get %systemdrive%
 
 In the TPM section of the output of this command, verify that the **PCR Validation Profile** setting includes **7**, as follows.
 
-![Output of the manage-bde command](./images/4509199-en-1.png)
+![Output of the manage-bde command.](./images/4509199-en-1.png)
 
 If **PCR Validation Profile** doesn't include **7** (for example, the values include **0**, **2**, **4**, and **11**, but not **7**), then Secure Boot is not turned on.
 
-![Output of the manage-bde command when PCR 7 is not present](./images/4509200-en-1.png)
+![Output of the manage-bde command when PCR 7 is not present.](./images/4509200-en-1.png)
 
 #### 2. Verify the Secure Boot state
 
@@ -204,9 +204,9 @@ To verify the Secure Boot state, use the System Information app. To do this, fol
 
 1. Select **Start**, and enter **msinfo32** in the **Search** box.
 1. Verify that the **Secure Boot State** setting is **On**, as follows:  
-   ![System Information app, showing a supported Secure Boot State](./images/4509201-en-1.png)
+   ![System Information app, showing a supported Secure Boot State.](./images/4509201-en-1.png)
 1. If the **Secure Boot State** setting is **Unsupported**, you cannot use Silent BitLocker Encryption on this device.  
-   ![System Information app, showing a unsupported Secure Boot State](./images/4509202-en-1.png)
+   ![System Information app, showing a unsupported Secure Boot State.](./images/4509202-en-1.png)
 
 > [!NOTE]
 > You can also use the [Confirm-SecureBootUEFI](/powershell/module/secureboot/confirm-securebootuefi?view=win10-ps) cmdlet to verify the Secure Boot state. To do this, open an elevated PowerShell window and run the following command:
@@ -290,7 +290,7 @@ If your device runs Windows 10 version 1703 or later, supports Modern Standby (a
 
 If your device is HSTI-compliant but does not support Modern Standby, you have to configure an endpoint protection policy to enforce silent BitLocker Drive Encryption. The settings for this policy should resemble the following:
 
-![Intune policy settings](./images/4509186-en-1.png)
+![Intune policy settings.](./images/4509186-en-1.png)
 
 The OMA-URI references for these settings are as follows:
 
@@ -316,7 +316,7 @@ The Intune 1901 release provides settings that you can use to configure automati
 - Support Modern Standby
 - Use Windows 10 version 1803 or later
 
-![Intune policy setting](./images/4509188-en-1.png)
+![Intune policy setting.](./images/4509188-en-1.png)
 
 The OMA-URI references for these settings are as follows:
 
@@ -331,17 +331,17 @@ The OMA-URI references for these settings are as follows:
 
 During regular operations, BitLocker Drive Encryption generates events such as Event ID 796 and Event ID 845.
 
-![Event ID 796, as shown in Event Viewer](./images/4509203-en-1.png)
+![Event ID 796, as shown in Event Viewer.](./images/4509203-en-1.png)
 
-![Event ID 845, as shown in Event Viewer](./images/4509204-en-1.png)
+![Event ID 845, as shown in Event Viewer.](./images/4509204-en-1.png)
 
 You can also determine whether the BitLocker recovery password has been uploaded to Azure AD by checking the device details in the Azure AD Devices section.
 
-![BitLocker recovery information as viewed in Azure AD](./images/4509205-en-1.png)
+![BitLocker recovery information as viewed in Azure AD.](./images/4509205-en-1.png)
 
 On the device, check the Registry Editor to verify the policy settings on the device. Verify the entries under the following subkeys:
 
 - **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\current\\device\\BitLocker**
 - **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager\\current\\device**  
 
-![Registry subkeys that relate to Intune policy](./images/4509206-en-1.png)
\ No newline at end of file
+![Registry subkeys that relate to Intune policy.](./images/4509206-en-1.png)
\ No newline at end of file
diff --git a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
index 31fc1097a4..768d8cdd75 100644
--- a/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
+++ b/windows/security/information-protection/kernel-dma-protection-for-thunderbolt.md
@@ -53,7 +53,7 @@ By default, peripherals with DMA Remapping incompatible drivers will be blocked
 
 ## User experience
 
-![Kernel DMA protection user experience](images/kernel-dma-protection-user-experience.png)
+![Kernel DMA protection user experience.](images/kernel-dma-protection-user-experience.png)
 
 By default, peripherals with DMA remapping compatible device drivers will be automatically enumerated and started. Peripherals with DMA Remapping incompatible drivers will be blocked from starting if the peripheral was plugged in before an authorized user logs in, or while the screen is locked. Once the system is unlocked, the peripheral driver will be started by the OS, and the peripheral will continue to function normally until the system is rebooted, or the peripheral is unplugged. 
 The peripheral will continue to function normally if the user locks the screen or logs out of the system.
@@ -77,7 +77,7 @@ Systems running Windows 10 version 1803 that do support Kernel DMA Protection do
 
 Beginning with Windows 10 version 1809, you can use Security Center to check if Kernel DMA Protection is enabled. Click **Start** > **Settings** > **Update & Security** > **Windows Security** > **Open Windows Security** > **Device security** > **Core isolation details** > **Memory access protection**.
 
-![Kernel DMA protection in Security Center](bitlocker/images/kernel-dma-protection-security-center.png)
+![Kernel DMA protection in Security Center.](bitlocker/images/kernel-dma-protection-security-center.png)
 
 ### Using System information
 
@@ -85,7 +85,7 @@ Beginning with Windows 10 version 1809, you can use Security Center to check if
 
 2. Check the value of **Kernel DMA Protection**.
 
-   ![Kernel DMA protection in System Information](bitlocker/images/kernel-dma-protection.png)
+   ![Kernel DMA protection in System Information.](bitlocker/images/kernel-dma-protection.png)
    
 3. If the current state of **Kernel DMA Protection** is OFF and **Hyper-V - Virtualization Enabled in Firmware** is NO:
 
@@ -113,11 +113,11 @@ No, Kernel DMA Protection only protects against drive-by DMA attacks after the O
 DMA-remapping is supported for specific device drivers, and is not universally supported by all devices and drivers on a platform. To check if a specific driver is opted into DMA-remapping, check the values corresponding to the DMA Remapping Policy property in the Details tab of a device in Device Manager*. A value of 0 or 1 means that the device driver does not support DMA-remapping. A value of 2 means that the device driver supports DMA-remapping. If the property is not available, then the policy is not set by the device driver (i.e. the device driver does not support DMA-remapping).
 Please check the driver instance for the device you are testing. Some drivers may have varying values depending on the location of the device (internal vs. external).
 
-![Kernel DMA protection user experience](images/device_details_tab_1903.png)
+![Kernel DMA protection user experience.](images/device_details_tab_1903.png)
 
 *For Windows 10 versions 1803 and 1809, the property field in Device Manager uses a GUID, as highlighted in the following image. 
 
-![Kernel DMA protection user experience](images/device-details-tab.png)
+![Kernel DMA protection user experience.](images/device-details-tab.png)
 
 ### What should I do if the drivers for my PCI or Thunderbolt™ 3 peripherals do not support DMA-remapping?
 
diff --git a/windows/security/information-protection/secure-the-windows-10-boot-process.md b/windows/security/information-protection/secure-the-windows-10-boot-process.md
index 721ae1e1e3..3d8754473d 100644
--- a/windows/security/information-protection/secure-the-windows-10-boot-process.md
+++ b/windows/security/information-protection/secure-the-windows-10-boot-process.md
@@ -55,7 +55,7 @@ Windows 10 supports four features to help prevent rootkits and bootkits from lo
 Figure 1 shows the Windows 10 startup process.
 
 
-![Windows 10 startup process](./images/dn168167.boot_process(en-us,MSDN.10).png)
+![Windows 10 startup process.](./images/dn168167.boot_process(en-us,MSDN.10).png)
 
 **Figure 1. Secure Boot, Trusted Boot, and Measured Boot block malware at every stage**
 
@@ -115,7 +115,7 @@ Depending on the implementation and configuration, the server can now determine
 Figure 2 illustrates the Measured Boot and remote attestation process.
 
 
-![Measured Boot and remote attestation process](./images/dn168167.measure_boot(en-us,MSDN.10).png)
+![Measured Boot and remote attestation process.](./images/dn168167.measure_boot(en-us,MSDN.10).png)
 
 
 **Figure 2. Measured Boot proves the PC’s health to a remote server**
diff --git a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md
index 06d8c54066..dd9e12558e 100644
--- a/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md
+++ b/windows/security/information-protection/tpm/how-windows-uses-the-tpm.md
@@ -84,7 +84,7 @@ Identity providers have flexibility in how they provision credentials on client
 
 •	**Attestation identity key**. To protect privacy, most TPM scenarios do not directly use an actual endorsement key. Instead, they use attestation identity keys, and an identity certificate authority (CA) uses the endorsement key and its certificate to prove that one or more attestation identity keys actually exist in a real TPM. The identity CA issues attestation identity key certificates. More than one identity CA will generally see the same endorsement key certificate that can uniquely identify the TPM, but any number of attestation identity key certificates can be created to limit the information shared in other scenarios.
 
-![TPM Capabilities](images/tpm-capabilities.png)
+![TPM Capabilities.](images/tpm-capabilities.png)
 
 *Figure 1:  TPM Cryptographic Key Management*
 
@@ -126,7 +126,7 @@ The TPM provides the following way for scenarios to use the measurements recorde
 
 When new security features are added to Windows, Measured Boot adds security-relevant configuration information to the measurements recorded in the TPM. Measured Boot enables remote attestation scenarios that reflect the system firmware and the Windows initialization state.
 
-![Process to Create Evidence of Boot Software and Configuration Using TPM](images/process-to-create-evidence-of-boot-software-and-configuration-using-tpm.png)
+![Process to Create Evidence of Boot Software and Configuration Using TPM.](images/process-to-create-evidence-of-boot-software-and-configuration-using-tpm.png)
 
 *Figure 2:  Process used to create evidence of boot software and configuration using a TPM*
 
diff --git a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
index 4a5ddd2df2..5a5e12feb9 100644
--- a/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
+++ b/windows/security/information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
@@ -91,7 +91,7 @@ It's possible that you might revoke data from an unenrolled device only to later
 
    To start Robocopy in S mode, open Task Manager. Click **File** > **Run new task**, type the command, and click **Create this task with administrative privileges**.
    
-   ![Robocopy in S mode](images/robocopy-s-mode.png)
+   ![Robocopy in S mode.](images/robocopy-s-mode.png)
 
    If the employee performed a clean installation and there is no user profile, you need to recover the keys from the System Volume folder in each drive. Type: 
     
diff --git a/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
index a605d96688..909073181d 100644
--- a/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
@@ -34,11 +34,11 @@ Follow these steps to associate your WIP policy with your organization's existin
 
 2. Open the Microsoft Intune mobile application management console, click **Device configuration**, and then click **Create Profile**.
 
-    ![Microsoft Intune, Create a new policy using the portal](images/wip-azure-vpn-device-policy.png)
+    ![Microsoft Intune, Create a new policy using the portal.](images/wip-azure-vpn-device-policy.png)
 
 3.  In the **Create Profile** blade, type a name for your profile, such as *Contoso_VPN_Win10*, into the **Name** box, add an optional description for your policy into the **Description** box, select **Windows 10 and later** from the **Platform** dropdown box, select **Custom** from the **Profile type** dropdown box, and then click **Configure**.
 
-    ![Microsoft Intune, Create a new policy using the Create Profile blade](images/wip-azure-vpn-configure-policy.png)
+    ![Microsoft Intune, Create a new policy using the Create Profile blade.](images/wip-azure-vpn-configure-policy.png)
 
 4. In the **Custom OMA-URI Settings** blade, click **Add**.
 
@@ -54,7 +54,7 @@ Follow these steps to associate your WIP policy with your organization's existin
     
     - **Value.** Type your fully-qualified domain that should be used by the OMA-URI setting. For example, _corp.contoso.com_.
 
-        ![Microsoft Intune, Add your OMA-URI settings](images/wip-azure-vpn-custom-omauri.png)
+        ![Microsoft Intune, Add your OMA-URI settings.](images/wip-azure-vpn-custom-omauri.png)
 
 6. Click **OK** to save your setting info in the **Add Row** blade, and then click **OK** in the **Custom OMA-URI Settings** blade to save the setting with your policy.
 
@@ -73,7 +73,7 @@ After you’ve created your VPN policy, you'll need to deploy it to the same gro
 
     The policy is deployed to the selected users' devices.
 
-    ![Microsoft Intune: Pick your user groups that should get the policy when it's deployed](images/wip-azure-add-user-groups.png)
+    ![Microsoft Intune: Pick your user groups that should get the policy when it's deployed.](images/wip-azure-add-user-groups.png)
 
 >[!NOTE]
 >Help to make this topic better by providing us with edits, additions, and feedback. For info about how to contribute to this topic, see [Editing Windows IT professional documentation](https://github.com/Microsoft/windows-itpro-docs/blob/master/CONTRIBUTING.md).
\ No newline at end of file
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md
index f13e30a044..32511b9cd5 100644
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-configmgr.md
@@ -36,12 +36,12 @@ After you've installed and set up Configuration Manager for your organization, y
 
 1.  Open the Configuration Manager console, click the **Assets and Compliance** node, expand the **Overview** node, expand the **Compliance Settings** node, and then expand the **Configuration Items** node.
 
-    ![Configuration Manager, Configuration Items screen](images/wip-configmgr-addpolicy.png)
+    ![Configuration Manager, Configuration Items screen.](images/wip-configmgr-addpolicy.png)
 
 2.  Click the **Create Configuration Item** button.<p>
 The **Create Configuration Item Wizard** starts.
 
-    ![Create Configuration Item wizard, define the configuration item and choose the configuration type](images/wip-configmgr-generalscreen.png)
+    ![Create Configuration Item wizard, define the configuration item and choose the configuration type.](images/wip-configmgr-generalscreen.png)
 
 3.  On the **General Information screen**, type a name (required) and an optional description for your policy into the **Name** and **Description** boxes.
 
@@ -55,11 +55,11 @@ The **Create Configuration Item Wizard** starts.
 
 5.  On the **Supported Platforms** screen, click the **Windows 10** box, and then click **Next**.
 
-    ![Create Configuration Item wizard, choose the supported platforms for the policy](images/wip-configmgr-supportedplat.png)
+    ![Create Configuration Item wizard, choose the supported platforms for the policy.](images/wip-configmgr-supportedplat.png)
 
 6.  On the **Device Settings** screen, click **Windows Information Protection**, and then click **Next**.
 
-    ![Create Configuration Item wizard, choose the Windows Information Protection settings](images/wip-configmgr-devicesettings.png)
+    ![Create Configuration Item wizard, choose the Windows Information Protection settings.](images/wip-configmgr-devicesettings.png)
 
 The **Configure Windows Information Protection settings** page appears, where you'll configure your policy for your organization.
 
@@ -81,7 +81,7 @@ For this example, we're going to add Microsoft OneNote, a store app, to the **Ap
 
     The **Add app rule** box appears.
 
-    ![Create Configuration Item wizard, add a universal store app](images/wip-configmgr-adduniversalapp.png)
+    ![Create Configuration Item wizard, add a universal store app.](images/wip-configmgr-adduniversalapp.png)
 
 2.  Add a friendly name for your app into the **Title** box. In this example, it's *Microsoft OneNote*.
 
@@ -141,7 +141,7 @@ For this example, we're going to add Internet Explorer, a desktop app, to the **
 
     The **Add app rule** box appears.
 
-    ![Create Configuration Item wizard, add a classic desktop app](images/wip-configmgr-adddesktopapp.png)
+    ![Create Configuration Item wizard, add a classic desktop app.](images/wip-configmgr-adddesktopapp.png)
 
 2.  Add a friendly name for your app into the **Title** box. In this example, it's *Internet Explorer*.
 
@@ -218,7 +218,7 @@ For this example, we're going to add an AppLocker XML file to the **App Rules**
 
 2.  In the left pane, expand **Application Control Policies**, expand **AppLocker**, and then click **Packaged App Rules**.
 
-    ![Local security snap-in, showing the Packaged app Rules](images/intune-local-security-snapin.png)
+    ![Local security snap-in, showing the Packaged app Rules.](images/intune-local-security-snapin.png)
 
 3.  Right-click in the right-hand pane, and then click **Create New Rule**.
 
@@ -226,33 +226,33 @@ For this example, we're going to add an AppLocker XML file to the **App Rules**
 
 4. On the **Before You Begin** page, click **Next**.
 
-    ![Create a Packaged app Rules wizard and showing the Before You Begin page](images/intune-applocker-before-begin.png)
+    ![Create a Packaged app Rules wizard and showing the Before You Begin page.](images/intune-applocker-before-begin.png)
 
 5. On the **Permissions** page, make sure the **Action** is set to **Allow** and the **User or group** is set to **Everyone**, and then click **Next**.
 
-    ![Create Packaged app Rules wizard, set action to Allow](images/intune-applocker-permissions.png)
+    ![Create Packaged app Rules wizard, set action to Allow.](images/intune-applocker-permissions.png)
 
 6.  On the **Publisher** page, click **Select** from the **Use an installed packaged app as a reference** area.
 
-    ![Create Packaged app Rules wizard, select use an installed packaged app](images/intune-applocker-publisher.png)
+    ![Create Packaged app Rules wizard, select use an installed packaged app.](images/intune-applocker-publisher.png)
 
 7. In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, we're using Microsoft Photos.
 
-    ![Create Packaged app Rules wizard, select application and click ok](images/intune-applocker-select-apps.png)
+    ![Create Packaged app Rules wizard, select application and click ok.](images/intune-applocker-select-apps.png)
 
 8. On the updated **Publisher** page, click **Create**.
 
-    ![Create Packaged app Rules wizard, showing the Microsoft Photos on the Publisher page](images/intune-applocker-publisher-with-app.png)
+    ![Create Packaged app Rules wizard, showing the Microsoft Photos on the Publisher page.](images/intune-applocker-publisher-with-app.png)
 
 9. Review the Local Security Policy snap-in to make sure your rule is correct.
 
-    ![Local security snap-in, showing the new rule](images/intune-local-security-snapin-updated.png)
+    ![Local security snap-in, showing the new rule.](images/intune-local-security-snapin-updated.png)
 
 10. In the left pane, right-click on **AppLocker**, and then click **Export policy**.
 
     The **Export policy** box opens, letting you export and save your new policy as XML.
 
-    ![Local security snap-in, showing the Export Policy option](images/intune-local-security-export.png)
+    ![Local security snap-in, showing the Export Policy option.](images/intune-local-security-export.png)
 
 11. In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then click **Save**.
 
@@ -286,7 +286,7 @@ For this example, we're going to add an AppLocker XML file to the **App Rules**
 
     The **Add app rule** box appears.
 
-    ![Create Configuration Item wizard, add an AppLocker policy](images/wip-configmgr-addapplockerfile.png)
+    ![Create Configuration Item wizard, add an AppLocker policy.](images/wip-configmgr-addapplockerfile.png)
 
 2.  Add a friendly name for your app into the **Title** box. In this example, it's *Allowed app list*.
 
@@ -353,7 +353,7 @@ You can specify multiple domains owned by your enterprise by separating them wit
 
 - Type the name of your corporate identity into the **Corporate identity** field. For example, `contoso.com` or `contoso.com|newcontoso.com`.
 
-    ![Create Configuration Item wizard, Add the primary Internet domain for your enterprise identity](images/wip-configmgr-corp-identity.png)
+    ![Create Configuration Item wizard, Add the primary Internet domain for your enterprise identity.](images/wip-configmgr-corp-identity.png)
 
 ## Choose where apps can access enterprise data
 After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network.
@@ -372,7 +372,7 @@ There are no default locations included with WIP, you must add each of your netw
 
 2. Type a name for your corporate network element into the **Name** box, and then pick what type of network element it is, from the **Network element** drop-down box. This can include any of the options in the following table.
 
-   ![Add or edit corporate network definition box, Add your enterprise network locations](images/wip-configmgr-add-network-domain.png)
+   ![Add or edit corporate network definition box, Add your enterprise network locations.](images/wip-configmgr-add-network-domain.png)
 
    <table>
        <tr>
@@ -431,7 +431,7 @@ There are no default locations included with WIP, you must add each of your netw
 
 5. In the required **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy.
 
-   ![Create Configuration Item wizard, Add a data recovery agent (DRA) certificate](images/wip-configmgr-dra.png)
+   ![Create Configuration Item wizard, Add a data recovery agent (DRA) certificate.](images/wip-configmgr-dra.png)
 
    After you create and deploy your WIP policy to your employees, Windows will begin to encrypt your corporate data on the employees' local device drive. If somehow the employees' local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the DRA certificate lets Windows use an included public key to encrypt the local data, while you maintain the private key that can unencrypt the data. 
 
@@ -440,7 +440,7 @@ There are no default locations included with WIP, you must add each of your netw
 ## Choose your optional WIP-related settings
 After you've decided where your protected apps can access enterprise data on your network, you'll be asked to decide if you want to add any optional WIP settings.
 
-![Create Configuration Item wizard, Choose any additional, optional settings](images/wip-configmgr-additionalsettings.png)
+![Create Configuration Item wizard, Choose any additional, optional settings.](images/wip-configmgr-additionalsettings.png)
 
 **To set your optional settings**
 1.  Choose to set any or all of the optional settings:
@@ -467,7 +467,7 @@ After you've finished configuring your policy, you can review all of your info o
 **To view the Summary screen**
 - Click the **Summary** button to review your policy choices, and then click **Next** to finish and to save your policy.
 
-    ![Create Configuration Item wizard, Summary screen for all of your policy choices](images/wip-configmgr-summaryscreen.png)
+    ![Create Configuration Item wizard, Summary screen for all of your policy choices.](images/wip-configmgr-summaryscreen.png)
 
     A progress bar appears, showing you progress for your policy. After it's done, click **Close** to return to the **Configuration Items** page.
 
diff --git a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
index 17dcaff4f3..0442c3778a 100644
--- a/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
@@ -50,7 +50,7 @@ Before you can create a WIP policy using Intune, you need to configure an MDM or
 
 3. Click **Restore Default URLs** or enter the settings for MDM or MAM user scope and click **Save**:
 
-   ![Configure MDM or MAM provider](images/mobility-provider.png)
+   ![Configure MDM or MAM provider.](images/mobility-provider.png)
 
 ## Create a WIP policy
 
@@ -58,7 +58,7 @@ Before you can create a WIP policy using Intune, you need to configure an MDM or
 
 2. Open Microsoft Intune and click **Apps** > **App protection policies** > **Create policy**.
 
-   ![Open Client apps](images/create-app-protection-policy.png)
+   ![Open Client apps.](images/create-app-protection-policy.png)
 
 3. In the **App policy** screen, click **Add a policy**, and then fill out the fields:
 
@@ -70,11 +70,11 @@ Before you can create a WIP policy using Intune, you need to configure an MDM or
 
    - **Enrollment state.** Choose **Without enrollment** for MAM or **With enrollment** for MDM.
 
-   ![Add a mobile app policy](images/add-a-mobile-app-policy.png)
+   ![Add a mobile app policy.](images/add-a-mobile-app-policy.png)
 
 4. Click **Protected apps** and then click **Add apps**.
 
-   ![Add protected apps](images/add-protected-apps.png)
+   ![Add protected apps.](images/add-protected-apps.png)
 
    You can add these types of apps:
 
@@ -89,7 +89,7 @@ Before you can create a WIP policy using Intune, you need to configure an MDM or
 
 Select **Recommended apps** and select each app you want to access your enterprise data or select them all, and click **OK**.
 
-![Microsoft Intune management console: Recommended apps](images/recommended-apps.png)    
+![Microsoft Intune management console: Recommended apps.](images/recommended-apps.png)    
 
 ### Add Store apps 
 
@@ -99,7 +99,7 @@ Select **Store apps**, type the app product name and publisher, and click **OK**
 - **Publisher**: `CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US`
 - **Product Name**: `Microsoft.MicrosoftPowerBIForWindows`
 
-![Add Store app](images/add-a-protected-store-app.png)
+![Add Store app.](images/add-a-protected-store-app.png)
 
 To add multiple Store apps, click the ellipsis **…**. 
 
@@ -201,7 +201,7 @@ To add **Desktop apps**, complete the following fields, based on what results yo
 
 To add another Desktop app, click the ellipsis **…**. After you’ve entered the info into the fields, click **OK**.
 
-![Microsoft Intune management console: Adding Desktop app info](images/wip-azure-add-desktop-apps.png)
+![Microsoft Intune management console: Adding Desktop app info.](images/wip-azure-add-desktop-apps.png)
  
 If you’re unsure about what to include for the publisher, you can run this PowerShell command:
 
@@ -242,7 +242,7 @@ For more info about AppLocker, see the [AppLocker](../../threat-protection/windo
     
 2. In the left blade, expand **Application Control Policies**, expand **AppLocker**, and then click **Packaged App Rules**.
 
-    ![Local security snap-in, showing the Packaged app Rules](images/wip-applocker-secpol-1.png)
+    ![Local security snap-in, showing the Packaged app Rules.](images/wip-applocker-secpol-1.png)
 
 3. Right-click in the right-hand blade, and then click **Create New Rule**.
 
@@ -250,7 +250,7 @@ For more info about AppLocker, see the [AppLocker](../../threat-protection/windo
 
 4.  On the **Before You Begin** page, click **Next**.
 
-    ![Screenshot of the Before You Begin tab](images/wip-applocker-secpol-wizard-1.png)
+    ![Screenshot of the Before You Begin tab.](images/wip-applocker-secpol-wizard-1.png)
 
 5.  On the **Permissions** page, make sure the **Action** is set to **Allow** and the **User or group** is set to **Everyone**, and then click **Next**.
 
@@ -262,25 +262,25 @@ For more info about AppLocker, see the [AppLocker](../../threat-protection/windo
 
 7.  In the **Select applications** box, pick the app that you want to use as the reference for your rule, and then click **OK**. For this example, we’re using Microsoft Dynamics 365.
 
-    ![Screenshot of the Select applications list](images/wip-applocker-secpol-wizard-4.png)
+    ![Screenshot of the Select applications list.](images/wip-applocker-secpol-wizard-4.png)
 
 8.  On the updated **Publisher** page, click **Create**.
 
-    ![Screenshot of the Publisher tab](images/wip-applocker-secpol-wizard-5.png)
+    ![Screenshot of the Publisher tab.](images/wip-applocker-secpol-wizard-5.png)
 
 9.  Click **No** in the dialog box that appears, asking if you want to create the default rules. You must not create default rules for your WIP policy.
 
-    ![Screenshot of AppLocker warning](images/wip-applocker-default-rule-warning.png)
+    ![Screenshot of AppLocker warning.](images/wip-applocker-default-rule-warning.png)
 
 9.  Review the Local Security Policy snap-in to make sure your rule is correct.
 
-    ![Local security snap-in, showing the new rule](images/wip-applocker-secpol-create.png)
+    ![Local security snap-in, showing the new rule.](images/wip-applocker-secpol-create.png)
 
 10. In the left blade, right-click on **AppLocker**, and then click **Export policy**.
 
     The **Export policy** box opens, letting you export and save your new policy as XML.
 
-    ![Local security snap-in, showing the Export Policy option](images/wip-applocker-secpol-export.png)
+    ![Local security snap-in, showing the Export Policy option.](images/wip-applocker-secpol-export.png)
 
 11. In the **Export policy** box, browse to where the policy should be stored, give the policy a name, and then click **Save**.
 
@@ -320,7 +320,7 @@ The executable rule helps to create an AppLocker rule to sign any unsigned apps.
 
 3. Right-click **Executable Rules** > **Create New Rule**.
 
-   ![Local security snap-in, showing the Executable Rules](images/create-new-path-rule.png)
+   ![Local security snap-in, showing the Executable Rules.](images/create-new-path-rule.png)
 
 4. On the **Before You Begin** page, click **Next**.
 
@@ -328,11 +328,11 @@ The executable rule helps to create an AppLocker rule to sign any unsigned apps.
 
 6. On the **Conditions** page, click **Path** and then click **Next**.
 
-    ![Screenshot with Path conditions selected in the Create Executable Rules wizard](images/path-condition.png)
+    ![Screenshot with Path conditions selected in the Create Executable Rules wizard.](images/path-condition.png)
 
 7. Click **Browse Folders...** and select the path for the unsigned apps. For this example, we’re using "C:\Program Files".
 
-    ![Screenshot of the Path field of the Create Executable Rules wizard](images/select-path.png)
+    ![Screenshot of the Path field of the Create Executable Rules wizard.](images/select-path.png)
 
 8. On the **Exceptions** page, add any exceptions and then click **Next**.
 
@@ -351,11 +351,11 @@ The executable rule helps to create an AppLocker rule to sign any unsigned apps.
 
 1. In **Protected apps**, click **Import apps**.
 
-    ![Import protected apps](images/import-protected-apps.png)
+    ![Import protected apps.](images/import-protected-apps.png)
     
     Then import your file.
     
-    ![Microsoft Intune, Importing your AppLocker policy file using Intune](images/wip-azure-import-apps.png)
+    ![Microsoft Intune, Importing your AppLocker policy file using Intune.](images/wip-azure-import-apps.png)
 
 2. Browse to your exported AppLocker policy file, and then click **Open**.
 
@@ -366,7 +366,7 @@ If your app is incompatible with WIP, but still needs to be used with enterprise
 
 1. In **Client apps - App protection policies**, click **Exempt apps**.
     
-    ![Exempt apps](images/exempt-apps.png)
+    ![Exempt apps.](images/exempt-apps.png)
 
 2. In **Exempt apps**, click **Add apps**.
 
@@ -391,7 +391,7 @@ We recommend that you start with **Silent** or **Allow Overrides** while verifyi
 
 1. From the **App protection policy** blade, click the name of your policy, and then click **Required settings**.
 
-    ![Microsoft Intune, Required settings blade showing Windows Information Protection mode](images/wip-azure-required-settings-protection-mode.png)
+    ![Microsoft Intune, Required settings blade showing Windows Information Protection mode.](images/wip-azure-required-settings-protection-mode.png)
 
     |Mode |Description |
     |-----|------------|
@@ -413,11 +413,11 @@ Starting with Windows 10, version 1703, Intune automatically determines your cor
 
 2. If the auto-defined identity isn’t correct, you can change the info in the **Corporate identity** field. 
 
-   ![Microsoft Intune, Set your corporate identity for your organization](images/wip-azure-required-settings-corp-identity.png)
+   ![Microsoft Intune, Set your corporate identity for your organization.](images/wip-azure-required-settings-corp-identity.png)
 
 3. To add domains, such your email domain names, click **Configure Advanced settings** > **Add network boundary** and select **Protected domains**.
 
-   ![Add protected domains](images/add-protected-domains.png)
+   ![Add protected domains.](images/add-protected-domains.png)
 
 ## Choose where apps can access enterprise data
 After you've added a protection mode to your apps, you'll need to decide where those apps can access enterprise data on your network. Every WIP policy should include your enterprise network locations. 
@@ -426,7 +426,7 @@ There are no default locations included with WIP, you must add each of your netw
 
 To define the network boundaries, click **App policy** > the name of your policy > **Advanced settings** > **Add network boundary**.
 
-![Microsoft Intune, Set where your apps can access enterprise data on your network](images/wip-azure-advanced-settings-network.png)
+![Microsoft Intune, Set where your apps can access enterprise data on your network.](images/wip-azure-advanced-settings-network.png)
 
 Select the type of network boundary to add from the **Boundary type** box. Type a name for your boundary into the **Name** box, add your values to the **Value** box, based on the options covered in the following subsections, and then click **OK**.
 
@@ -558,7 +558,7 @@ Decide if you want Windows to look for additional network settings:
 
 - **Enterprise IP Ranges list is authoritative (do not auto-detect).** Turn on if you want Windows to treat the IP ranges you specified in the network boundary definition as the complete list of IP ranges available on your network. If you turn this off, Windows will search for additional IP ranges on any domain-joined devices connected to your network.
 
-![Microsoft Intune, Choose if you want Windows to search for additional proxy servers or IP ranges in your enterprise](images/wip-azure-advanced-settings-network-autodetect.png)
+![Microsoft Intune, Choose if you want Windows to search for additional proxy servers or IP ranges in your enterprise.](images/wip-azure-advanced-settings-network-autodetect.png)
 
 ## Upload your Data Recovery Agent (DRA) certificate
 After you create and deploy your WIP policy to your employees, Windows begins to encrypt your corporate data on the employees’ local device drive. If somehow the employees’ local encryption keys get lost or revoked, the encrypted data can become unrecoverable. To help avoid this possibility, the Data Recovery Agent (DRA) certificate lets Windows use an included public key to encrypt the local data while you maintain the private key that can unencrypt the data.
@@ -573,12 +573,12 @@ After you create and deploy your WIP policy to your employees, Windows begins to
 
 2.  In the **Upload a Data Recovery Agent (DRA) certificate to allow recovery of encrypted data** box, click **Browse** to add a data recovery certificate for your policy.
 
-    ![Microsoft Intune, Upload your Data Recovery Agent (DRA) certificate](images/wip-azure-advanced-settings-efsdra.png)
+    ![Microsoft Intune, Upload your Data Recovery Agent (DRA) certificate.](images/wip-azure-advanced-settings-efsdra.png)
 
 ## Choose your optional WIP-related settings
 After you've decided where your protected apps can access enterprise data on your network, you can choose optional settings.
 
-![Advanced optional settings](images/wip-azure-advanced-settings-optional.png)
+![Advanced optional settings.](images/wip-azure-advanced-settings-optional.png)
    
 **Revoke encryption keys on unenroll.** Determines whether to revoke a user’s local encryption keys from a device when it’s unenrolled from Windows Information Protection. If the encryption keys are revoked, a user no longer has access to encrypted corporate data. The options are:
     
@@ -613,7 +613,7 @@ After you've decided where your protected apps can access enterprise data on you
 
 You can restrict which files are protected by WIP when they are downloaded from an SMB share within your enterprise network locations. If this setting is configured, only files with the extensions in the list will be encrypted. If this setting is not specified, the existing auto-encryption behavior is applied. 
 
-![WIP encrypted file extensions](images/wip-encrypted-file-extensions.png)
+![WIP encrypted file extensions.](images/wip-encrypted-file-extensions.png)
 
 ## Related topics
 
diff --git a/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md b/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md
index 524199cf73..8d929e1db4 100644
--- a/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md
+++ b/windows/security/information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md
@@ -34,7 +34,7 @@ After you’ve created your Windows Information Protection (WIP) policy, you'll
 
    The policy is deployed to the selected users' devices.
 
-   ![Microsoft Intune: Pick your user groups that should get the policy when it's deployed](images/wip-azure-add-user-groups.png)
+   ![Microsoft Intune: Pick your user groups that should get the policy when it's deployed.](images/wip-azure-add-user-groups.png)
 
 
 >[!NOTE]
diff --git a/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md b/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md
index b54cc7cbe1..dd3fb2529e 100644
--- a/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md
+++ b/windows/security/information-protection/windows-information-protection/wip-app-enterprise-context.md
@@ -36,13 +36,13 @@ You need to add the Enterprise Context column to the **Details** tab of the Task
 
     The **Select columns** box appears.
 
-    ![Task Manager, Select column box with Enterprise Context option selected](images/wip-select-column.png)
+    ![Task Manager, Select column box with Enterprise Context option selected.](images/wip-select-column.png)
 
 3. Scroll down and check the **Enterprise Context** option, and then click **OK** to close the box.
 
     The **Enterprise Context** column should now be available in Task Manager.
 
-    ![Task Manager, Enterprise Context column highlighted](images/wip-taskmgr.png)
+    ![Task Manager, Enterprise Context column highlighted.](images/wip-taskmgr.png)
 
 ## Review the Enterprise Context
 The **Enterprise Context** column shows you what each app can do with your enterprise data:
diff --git a/windows/security/information-protection/windows-information-protection/wip-learning.md b/windows/security/information-protection/windows-information-protection/wip-learning.md
index 1e97616ee8..e2f9ce0a1f 100644
--- a/windows/security/information-protection/windows-information-protection/wip-learning.md
+++ b/windows/security/information-protection/windows-information-protection/wip-learning.md
@@ -38,11 +38,11 @@ In the **Website learning report**, you can view a summary of the devices that h
 
 1. Click **Intune** > **Client apps** > **App protection status** > **Reports**.
 
-   ![Image showing the UI path to the WIP report](images/access-wip-learning-report.png) 
+   ![Image showing the UI path to the WIP report.](images/access-wip-learning-report.png) 
 
 1. Select either **App learning report for Windows Information Protection** or **Website learning report for Windows Information Protection**. 
 
-   ![Image showing the UI with for app and website learning reports](images/wip-learning-select-report.png) 
+   ![Image showing the UI with for app and website learning reports.](images/wip-learning-select-report.png) 
 
 Once you have the apps and websites showing up in the WIP Learning logging reports, you can decide whether to add them to your app protection policies. 
 
@@ -75,7 +75,7 @@ The information needed for the following steps can be found using Device Health,
 
 4. In the **Recommended apps** drop down menu, choose either **Store apps** or **Desktop apps**, depending on the app you've chosen (for example, an executable (EXE) is a desktop app). 
 
-    ![View of drop down menu for Store or desktop apps](images/wip-learning-choose-store-or-desktop-app.png)
+    ![View of drop down menu for Store or desktop apps.](images/wip-learning-choose-store-or-desktop-app.png)
 
 5. In **NAME** (optional), type the name of the app, and then in **PUBLISHER** (required), paste the publisher information that you copied in step 1 above.
 
@@ -87,7 +87,7 @@ The information needed for the following steps can be found using Device Health,
 
     `O=GOOGLE LLC, L=MOUNTAIN VIEW, S=CA, C=US`
 
-    ![View of Add Apps app info entry boxes](images/wip-learning-app-info.png)
+    ![View of Add Apps app info entry boxes.](images/wip-learning-app-info.png)
 
 6. Type the name of the product in **PRODUCT NAME** (required)  (this will probably be the same as what you typed for **NAME**).
 
diff --git a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
index 1ede3ef4ed..ea4b252a30 100644
--- a/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
@@ -58,7 +58,7 @@ Enabling in Intune requires using the Code Integrity node in the [AppLocker CSP]
 3. Double-click **Turn on Virtualization Based Security**.
 4. Click **Enabled** and under **Virtualization Based Protection of Code Integrity**, select **Enabled with UEFI lock** to ensure HVCI cannot be disabled remotely or select **Enabled without UEFI lock**.
 
-   ![Enable HVCI using Group Policy](../images/enable-hvci-gp.png)
+   ![Enable HVCI using Group Policy.](../images/enable-hvci-gp.png)
 
 5. Click **Ok** to close the editor.
 
@@ -279,7 +279,7 @@ This field lists the computer name. All valid values for computer name.
 
 Another method to determine the available and enabled Windows Defender Device Guard features is to run msinfo32.exe from an elevated PowerShell session. When you run this program, the Windows Defender Device Guard properties are displayed at the bottom of the **System Summary** section.
 
-![Windows Defender Device Guard properties in the System Summary](../images/dg-fig11-dgproperties.png)
+![Windows Defender Device Guard properties in the System Summary.](../images/dg-fig11-dgproperties.png)
 
 ## Troubleshooting
 
diff --git a/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md b/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md
index 6e6173e36d..def1ec0b93 100644
--- a/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md
+++ b/windows/security/threat-protection/intelligence/coordinated-malware-eradication.md
@@ -17,7 +17,7 @@ ms.technology: mde
 ---
 # Coordinated Malware Eradication
 
-![coordinated-malware-eradication](images/CoordinatedMalware.png)
+![coordinated-malware-eradication.](images/CoordinatedMalware.png)
 
 Coordinated Malware Eradication (CME) aims to bring organizations in cybersecurity and in other industries together to change the game against malware. While the cybersecurity industry today is effective at disrupting malware families through individual efforts, those disruptions rarely lead to eradication since malware authors quickly adapt their tactics to survive.
 
diff --git a/windows/security/threat-protection/intelligence/fileless-threats.md b/windows/security/threat-protection/intelligence/fileless-threats.md
index e2029f3c2c..b125773d18 100644
--- a/windows/security/threat-protection/intelligence/fileless-threats.md
+++ b/windows/security/threat-protection/intelligence/fileless-threats.md
@@ -25,7 +25,7 @@ Attacks involve [several stages](https://attack.mitre.org/wiki/ATT&CK_Matrix) fo
 
 For clarity, fileless threats are grouped into different categories.
 
-![Comprehensive diagram of fileless malware](images/fileless-malware.png)<br>
+![Comprehensive diagram of fileless malware.](images/fileless-malware.png)<br>
 *Figure 1. Comprehensive diagram of fileless malware*
 
 Fileless threats can be classified by their entry point, which indicates how fileless malware can arrive on a machine. They can arrive via an exploit, through compromised hardware, or via regular execution of applications and scripts.
@@ -56,7 +56,7 @@ It’s possible to carry out such installation via command line without requirin
 
 Some malware can have a sort of fileless persistence, but not without using files to operate. An example for this scenario is Kovter, which creates a shell open verb handler in the registry for a random file extension. Opening a file with such extension will lead to the execution of a script through the legitimate tool mshta.exe.
 
-![Image of Kovter's registry key](images/kovter-reg-key.png)<br>
+![Image of Kovter's registry key.](images/kovter-reg-key.png)<br>
 *Figure 2. Kovter’s registry key*
 
 When the open verb is invoked, the associated command from the registry is launched, which results in the execution of a small script. This script reads data from a further registry key and executes it, in turn leading to the loading of the final payload. However, to trigger the open verb in the first place, Kovter has to drop a file with the same extension targeted by the verb (in the example above, the extension is .bbf5590fd). It also has to set an autorun key configured to open such file when the machine starts.
diff --git a/windows/security/threat-protection/intelligence/malware-naming.md b/windows/security/threat-protection/intelligence/malware-naming.md
index ef4a133061..3b37bdf391 100644
--- a/windows/security/threat-protection/intelligence/malware-naming.md
+++ b/windows/security/threat-protection/intelligence/malware-naming.md
@@ -20,7 +20,7 @@ ms.technology: mde
 
 We name the malware and unwanted software that we detect according to the Computer Antivirus Research Organization (CARO) malware naming scheme. The scheme uses the following format:
 
-![coordinated-malware-eradication](images/NamingMalware1.png)
+![coordinated-malware-eradication.](images/NamingMalware1.png)
 
 When our analysts research a particular threat, they'll determine what each of the components of the name will be.
 
diff --git a/windows/security/threat-protection/intelligence/phishing.md b/windows/security/threat-protection/intelligence/phishing.md
index 1f997dac95..01c216b8fe 100644
--- a/windows/security/threat-protection/intelligence/phishing.md
+++ b/windows/security/threat-protection/intelligence/phishing.md
@@ -35,7 +35,7 @@ Here are several telltale signs of a phishing scam:
 
 * The links or URLs provided in emails are **not pointing to the correct location** or are pointing to a third-party site not affiliated with the sender of the email. For example, in the image below the URL provided doesn't match the URL that you'll be taken to.
 
-    ![example of how exploit kits work](./images/URLhover.png)
+    ![example of how exploit kits work.](./images/URLhover.png)
 
 * There's a **request for personal information** such as social security numbers or bank or financial information. Official communications won't generally request personal information from you in the form of an email.
 
diff --git a/windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md b/windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md
index 00eafc82ce..ae7c0e8363 100644
--- a/windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md
+++ b/windows/security/threat-protection/intelligence/portal-submission-troubleshooting.md
@@ -33,7 +33,7 @@ This process requires a global or application admin in the tenant.
  2. Select **Grant admin consent for organization**.
  3. If you're able to do so, review the API permissions required for this application, as the following image shows. Provide consent for the tenant.
 
-    ![grant consent image](images/msi-grant-admin-consent.jpg)
+    ![grant consent image.](images/msi-grant-admin-consent.jpg)
 
   4. If the administrator receives an error while attempting to provide consent manually, try either [Option 1](#option-1-approve-enterprise-application-permissions-by-user-request) or [Option 2](#option-2-provide-admin-consent-by-authenticating-the-application-as-an-admin) as possible workarounds.
   
@@ -43,13 +43,13 @@ This process requires a global or application admin in the tenant.
 
 Azure Active Directory admins will need to allow for users to request admin consent to apps. Verify the setting is configured to **Yes** in [Enterprise applications](https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/UserSettings/menuId/).
 
-![Enterprise applications user settings](images/msi-enterprise-app-user-setting.jpg)
+![Enterprise applications user settings.](images/msi-enterprise-app-user-setting.jpg)
 
 More information is available in [Configure Admin consent workflow](/azure/active-directory/manage-apps/configure-admin-consent-workflow).
 
 Once this setting is verified, users can go through the enterprise customer sign-in at [Microsoft security intelligence](https://www.microsoft.com/wdsi/filesubmission), and submit a request for admin consent, including justification.
 
-![Contoso sign in flow](images/msi-contoso-approval-required.png)
+![Contoso sign in flow.](images/msi-contoso-approval-required.png)
 
 Admin will be able to review and approve the application permissions [Azure admin consent requests](https://portal.azure.com/#blade/Microsoft_AAD_IAM/StartboardApplicationsMenuBlade/AccessRequests/menuId/).
 
@@ -58,7 +58,7 @@ After providing consent, all users in the tenant will be able to use the applica
 ## Option 2 Provide admin consent by authenticating the application as an admin 
 This process requires that global admins go through the Enterprise customer sign-in flow at [Microsoft security intelligence](https://www.microsoft.com/wdsi/filesubmission).
 
-![Consent sign in flow](images/msi-microsoft-permission-required.jpg)
+![Consent sign in flow.](images/msi-microsoft-permission-required.jpg)
 
 Then, admins review the permissions and make sure to select **Consent on behalf of your organization**, and then select **Accept**.
 
@@ -70,20 +70,20 @@ If neither of these options resolve the issue, try the following steps (as an ad
 1. Remove previous configurations for the application. Go to [Enterprise applications](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Properties/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/982e94b2-fea9-4d1f-9fca-318cda92f90b)
 and select **delete**.
 
-   ![Delete app permissions](images/msi-properties.png)
+   ![Delete app permissions.](images/msi-properties.png)
 
 2. Capture TenantID from [Properties](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Properties).
 
 3. Replace {tenant-id} with the specific tenant that needs to grant consent to this application in the URL below. Copy this URL into browser. The rest of the parameters are already completed. 
 ``https://login.microsoftonline.com/{tenant-id}/v2.0/adminconsent?client_id=f0cf43e5-8a9b-451c-b2d5-7285c785684d&state=12345&redirect_uri=https%3a%2f%2fwww.microsoft.com%2fwdsi%2ffilesubmission&scope=openid+profile+email+offline_access``
 
-   ![Permissions needed](images/msi-microsoft-permission-requested-your-organization.png)
+   ![Permissions needed.](images/msi-microsoft-permission-requested-your-organization.png)
 
 4. Review the permissions required by the application, and then select **Accept**. 
 
 5. Confirm the permissions are applied in the [Azure portal](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ManagedAppMenuBlade/Permissions/appId/f0cf43e5-8a9b-451c-b2d5-7285c785684d/objectId/ce60a464-5fca-4819-8423-bcb46796b051).
 
-   ![Review that permissions are applied](images/msi-permissions.jpg)
+   ![Review that permissions are applied.](images/msi-permissions.jpg)
    
 6. Sign in to [Microsoft security intelligence](https://www.microsoft.com/wdsi/filesubmission) as an enterprise user with a non-admin account to see if you have access.
 
diff --git a/windows/security/threat-protection/intelligence/worms-malware.md b/windows/security/threat-protection/intelligence/worms-malware.md
index ed4e5aaf84..2aa32ed8f6 100644
--- a/windows/security/threat-protection/intelligence/worms-malware.md
+++ b/windows/security/threat-protection/intelligence/worms-malware.md
@@ -39,7 +39,7 @@ Both Bondat and Gamarue have clever ways of obscuring themselves to evade detect
 
 This image shows how a worm can quickly spread through a shared USB drive.
 
-![Worm example](./images/WormUSB-flight.png) 
+![Worm example.](./images/WormUSB-flight.png) 
 
 ### *Figure worm spreading from a shared USB drive*
 
diff --git a/windows/security/threat-protection/mbsa-removal-and-guidance.md b/windows/security/threat-protection/mbsa-removal-and-guidance.md
index f0c6938382..83a6f5e00b 100644
--- a/windows/security/threat-protection/mbsa-removal-and-guidance.md
+++ b/windows/security/threat-protection/mbsa-removal-and-guidance.md
@@ -29,8 +29,8 @@ For a PowerShell alternative, see [Using WUA to Scan for Updates Offline with Po
  
 For example:
  
-[![VBS script](images/vbs-example.png)](/windows/desktop/wua_sdk/using-wua-to-scan-for-updates-offline) 
-[![PowerShell script](images/powershell-example.png)](https://www.powershellgallery.com/packages/Scan-UpdatesOffline/1.0) 
+[![VBS script.](images/vbs-example.png)](/windows/desktop/wua_sdk/using-wua-to-scan-for-updates-offline) 
+[![PowerShell script.](images/powershell-example.png)](https://www.powershellgallery.com/packages/Scan-UpdatesOffline/1.0) 
   
 The preceding scripts use the [WSUS offline scan file](https://support.microsoft.com/help/927745/detailed-information-for-developers-who-use-the-windows-update-offline) (wsusscn2.cab) to perform a scan and get the same information on missing updates as MBSA supplied. MBSA also relied on the wsusscn2.cab to determine which updates were missing from a given system without connecting to any online service or server. The wsusscn2.cab file is still available and there are currently no plans to remove or replace it.
 The wsusscn2.cab file contains the metadata of only security updates, update rollups and service packs available from Microsoft Update; it does not contain any information on non-security updates, tools or drivers.
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md
index 994ade09de..3b18ab25d3 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/install-md-app-guard.md
@@ -45,7 +45,7 @@ Applies to:
 You and your security department can define your corporate boundaries by explicitly adding trusted domains and by customizing the Application Guard experience to meet and enforce your needs on employee devices. Enterprise-managed mode also automatically redirects any browser requests to add non-enterprise domain(s) in the container.
 
 The following diagram shows the flow between the host PC and the isolated container.
-![Flowchart for movement between Microsoft Edge and Application Guard](images/application-guard-container-v-host.png)
+![Flowchart for movement between Microsoft Edge and Application Guard.](images/application-guard-container-v-host.png)
 
 ## Install Application Guard
 
@@ -55,7 +55,7 @@ Application Guard functionality is turned off by default. However, you can quick
 
 1. Open the **Control Panel**, click **Programs,** and then click **Turn Windows features on or off**.
 
-    ![Windows Features, turning on Microsoft Defender Application Guard](images/turn-windows-features-on-off.png)
+    ![Windows Features, turning on Microsoft Defender Application Guard.](images/turn-windows-features-on-off.png)
 
 2. Select the check box next to **Microsoft Defender Application Guard** and then click **OK**.
 
@@ -86,7 +86,7 @@ Application Guard functionality is turned off by default. However, you can quick
 > [!IMPORTANT]
 > Make sure your organization's devices meet [requirements](reqs-md-app-guard.md) and are [enrolled in Intune](/mem/intune/enrollment/device-enrollment).
 
-:::image type="content" source="images/MDAG-EndpointMgr-newprofile.jpg" alt-text="Enroll devices in Intune":::
+:::image type="content" source="images/MDAG-EndpointMgr-newprofile.jpg" alt-text="Enroll devices in Intune.":::
 
 1. Go to [https://endpoint.microsoft.com](https://endpoint.microsoft.com) and sign in.
 
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
index de798293db..4ad66674a9 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md
@@ -29,7 +29,7 @@ For Microsoft Edge, Application Guard helps to isolate enterprise-defined untrus
 For Microsoft Office, Application Guard helps prevents untrusted Word, PowerPoint and Excel files from accessing trusted resources. Application Guard opens untrusted files in an isolated Hyper-V-enabled container. The isolated Hyper-V container is separate from the host operating system. This container isolation means that if the untrusted site or file turns out to be malicious, the host device is protected, and the attacker can't get to your enterprise data. For example, this approach makes the isolated container anonymous, so an attacker can't get to your employee's enterprise credentials.
 
 
-![Hardware isolation diagram](images/appguard-hardware-isolation.png)
+![Hardware isolation diagram.](images/appguard-hardware-isolation.png)
 
 ### What types of devices should use Application Guard?
 
diff --git a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
index 74525211f8..d8ff39f397 100644
--- a/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
+++ b/windows/security/threat-protection/microsoft-defender-application-guard/test-scenarios-md-app-guard.md
@@ -33,7 +33,7 @@ You can see how an employee would use standalone mode with Application Guard.
 
 2. Restart the device, start Microsoft Edge, and then select **New Application Guard window** from the menu.
 
-    ![New Application Guard window setting option](images/appguard-new-window.png)
+    ![New Application Guard window setting option.](images/appguard-new-window.png)
 
 3. Wait for Application Guard to set up the isolated environment.
 
@@ -42,7 +42,7 @@ You can see how an employee would use standalone mode with Application Guard.
 
 4. Go to an untrusted, but safe URL (for this example, we used msn.com) and view the new Microsoft Edge window, making sure you see the Application Guard visual cues.
 
-    ![Untrusted website running in Application Guard](images/appguard-visual-cues.png)
+    ![Untrusted website running in Application Guard.](images/appguard-visual-cues.png)
 
 ## Application Guard in Enterprise-managed mode
 
@@ -64,19 +64,19 @@ Before you can use Application Guard in managed mode, you must install Windows 1
 
    c.  For the purposes of this scenario, type `.microsoft.com` into the **Enterprise cloud resources** box.
 
-   ![Group Policy editor with Enterprise cloud resources setting](images/appguard-gp-network-isolation.png)
+   ![Group Policy editor with Enterprise cloud resources setting.](images/appguard-gp-network-isolation.png)
 
    d. Go to the **Administrative Templates\Network\Network Isolation\Domains categorized as both work and personal** setting.
 
    e. For the purposes of this scenario, type `bing.com` into the **Neutral resources** box.
 
-   ![Group Policy editor with Neutral resources setting](images/appguard-gp-network-isolation-neutral.png)
+   ![Group Policy editor with Neutral resources setting.](images/appguard-gp-network-isolation-neutral.png)
 
 4. Go to the **Computer Configuration\Administrative Templates\Windows Components\Microsoft Defender Application Guard\Turn on Microsoft Defender Application Guard in Managed Mode** setting.
 
 5. Click **Enabled**, choose Option **1**, and click **OK**.
 
-   ![Group Policy editor with Turn On/Off setting](images/appguard-gp-turn-on.png)
+   ![Group Policy editor with Turn On/Off setting.](images/appguard-gp-turn-on.png)
 
    >[!NOTE]
    >Enabling this setting verifies that all the necessary settings are properly configured on your employee devices, including the network isolation settings set earlier in this scenario.
@@ -85,13 +85,13 @@ Before you can use Application Guard in managed mode, you must install Windows 1
 
     After you submit the URL, Application Guard determines the URL is trusted because it uses the domain you've marked as trusted and shows the site directly on the host PC instead of in Application Guard.
 
-    ![Trusted website running on Microsoft Edge](images/appguard-turned-on-with-trusted-site.png)
+    ![Trusted website running on Microsoft Edge.](images/appguard-turned-on-with-trusted-site.png)
 
 7. In the same Microsoft Edge browser, type any URL that isn't part of your trusted or neutral site lists.
 
    After you submit the URL, Application Guard determines the URL is untrusted and redirects the request to the hardware-isolated environment.
 
-   ![Untrusted website running in Application Guard](images/appguard-visual-cues.png)
+   ![Untrusted website running in Application Guard.](images/appguard-visual-cues.png)
 
 ### Customize Application Guard
 
@@ -118,7 +118,7 @@ You have the option to change each of these settings to work with your enterpris
 
 2. Click **Enabled** and click **OK**.
 
-    ![Group Policy editor clipboard options](images/appguard-gp-clipboard.png)
+    ![Group Policy editor clipboard options.](images/appguard-gp-clipboard.png)
 
 3. Choose how the clipboard works:
 
@@ -144,7 +144,7 @@ You have the option to change each of these settings to work with your enterpris
 
 2. Click **Enabled** and click **OK**.
 
-    ![Group Policy editor Print options](images/appguard-gp-print.png)
+    ![Group Policy editor Print options.](images/appguard-gp-print.png)
 
 3. Based on the list provided in the setting, choose the number that best represents what type of printing should be available to your employees. You can allow any combination of local, network, PDF, and XPS printing.
 
@@ -156,7 +156,7 @@ You have the option to change each of these settings to work with your enterpris
 
 2. Click **Enabled** and click **OK**.
 
-    ![Group Policy editor Data Persistence options](images/appguard-gp-persistence.png)
+    ![Group Policy editor Data Persistence options.](images/appguard-gp-persistence.png)
 
 3. Open Microsoft Edge and browse to an untrusted, but safe URL.
 
@@ -186,7 +186,7 @@ You have the option to change each of these settings to work with your enterpris
 
 2. Click **Enabled** and click **OK**.
 
-    ![Group Policy editor Download options](images/appguard-gp-download.png)
+    ![Group Policy editor Download options.](images/appguard-gp-download.png)
 
 3. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
 
@@ -200,7 +200,7 @@ You have the option to change each of these settings to work with your enterpris
 
 2. Click **Enabled** and click **OK**.
 
-    ![Group Policy editor hardware acceleration options](images/appguard-gp-vgpu.png)
+    ![Group Policy editor hardware acceleration options.](images/appguard-gp-vgpu.png)
 
 3. Once you have enabled this feature, open Microsoft Edge and browse to an untrusted, but safe URL with video, 3D, or other graphics-intensive content. The website opens in an isolated session.
 
@@ -217,7 +217,7 @@ You have the option to change each of these settings to work with your enterpris
 
 2. Click **Enabled**, set **Options** to 2, and click **OK**.
 
-    ![Group Policy editor File trust options](images/appguard-gp-allow-users-to-trust-files-that-open-in-appguard.png)
+    ![Group Policy editor File trust options.](images/appguard-gp-allow-users-to-trust-files-that-open-in-appguard.png)
 
 3. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
 
@@ -231,7 +231,7 @@ You have the option to change each of these settings to work with your enterpris
 
 2. Click **Enabled** and click **OK**.
 
-    ![Group Policy editor Camera and microphone options](images/appguard-gp-allow-camera-and-mic.png)
+    ![Group Policy editor Camera and microphone options.](images/appguard-gp-allow-camera-and-mic.png)
 
 3. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
 
@@ -245,7 +245,7 @@ You have the option to change each of these settings to work with your enterpris
 
 2. Click **Enabled**, copy the thumbprint of each certificate to share, separated by a comma, and click **OK**.
 
-    ![Group Policy editor Root certificate options](images/appguard-gp-allow-root-certificates.png)
+    ![Group Policy editor Root certificate options.](images/appguard-gp-allow-root-certificates.png)
 
 3. Log out and back on to your device, opening Microsoft Edge in Application Guard again.
 
@@ -258,10 +258,10 @@ Once a user has the extension and its companion app installed on their enterpris
 1. Open either Firefox or Chrome — whichever browser you have the extension installed on.
 
 2. Navigate to an enterprise website, i.e. an internal website maintained by your organization. You might see this evaluation page for an instant before the site is fully loaded.
-   ![The evaluation page displayed while the page is being loaded, explaining that the user must wait](images/app-guard-chrome-extension-evaluation-page.png)
+   ![The evaluation page displayed while the page is being loaded, explaining that the user must wait.](images/app-guard-chrome-extension-evaluation-page.png)
 
 3. Navigate to a non-enterprise, external website site, such as [www.bing.com](https://www.bing.com). The site should be redirected to Microsoft Defender Application Guard Edge.
-   ![A non-enterprise website being redirected to an Application Guard container -- the text displayed explains that the page is being opened in Application Guard for Microsoft Edge](images/app-guard-chrome-extension-launchIng-edge.png)
+   ![A non-enterprise website being redirected to an Application Guard container -- the text displayed explains that the page is being opened in Application Guard for Microsoft Edge.](images/app-guard-chrome-extension-launchIng-edge.png)
 
 4. Open a new Application Guard window, by select the Microsoft Defender Application Guard icon, then **New Application Guard Window**
    ![The "New Application Guard Window" option is highlighted in red](images/app-guard-chrome-extension-new-app-guard-page.png)
\ No newline at end of file
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
index 80486846fb..146b20c787 100644
--- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
+++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
@@ -61,7 +61,7 @@ If you believe a warning or block was incorrectly shown for a file or applicatio
 
 When submitting Microsoft Defender SmartScreen products, make sure to select **Microsoft Defender SmartScreen** from the product menu.
 
-![Windows Security, Microsoft Defender SmartScreen controls](images/Microsoft-defender-smartscreen-submission.png)
+![Windows Security, Microsoft Defender SmartScreen controls.](images/Microsoft-defender-smartscreen-submission.png)
 
 ## Viewing Microsoft Defender SmartScreen anti-phishing events
 
diff --git a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md
index 85c404a314..89c036958f 100644
--- a/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md
+++ b/windows/security/threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md
@@ -60,7 +60,7 @@ Starting with Windows 10, version 1703, users can use Windows Security to set up
         
      - **Off.** Turns off Microsoft Defender SmartScreen, so a user isn't alerted or stopped from visiting sites or from downloading potentially malicious apps and files.
 
-       ![Windows Security, Microsoft Defender SmartScreen controls](images/windows-defender-smartscreen-control-2020.png)
+       ![Windows Security, Microsoft Defender SmartScreen controls.](images/windows-defender-smartscreen-control-2020.png)
 
 ## How Microsoft Defender SmartScreen works when a user tries to run an app
 Microsoft Defender SmartScreen checks the reputation of any web-based app the first time it's run from the Internet, checking digital signatures and other factors against a Microsoft-maintained service. If an app has no reputation or is known to be malicious, Microsoft Defender SmartScreen can warn the user or block the app from running entirely, depending on how you've configured the feature to run in your organization.
diff --git a/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md b/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md
index c792222c8a..c2a1d31b98 100644
--- a/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md
+++ b/windows/security/threat-protection/override-mitigation-options-for-app-related-security-policies.md
@@ -41,7 +41,7 @@ The following procedure describes how to use Group Policy to override individual
 
 1. Open your Group Policy editor and go to the **Administrative Templates\System\Mitigation Options\Process Mitigation Options** setting.
 
-    ![Group Policy editor: Process Mitigation Options with setting enabled and Show button active](images/gp-process-mitigation-options.png)
+    ![Group Policy editor: Process Mitigation Options with setting enabled and Show button active.](images/gp-process-mitigation-options.png)
 
 2. Click **Enabled**, and then in the **Options** area, click **Show** to open the **Show Contents** box, where you’ll be able to add your apps and the appropriate bit flag values, as shown in the [Setting the bit field](#setting-the-bit-field) and [Example](#example) sections of this topic.
 
@@ -52,12 +52,12 @@ The following procedure describes how to use Group Policy to override individual
     
        **Note**<br>Setting bit flags in positions not specified here to anything other than ? might cause undefined behavior.
 
-     ![Group Policy editor: Process Mitigation Options with Show Contents box and example text](images/gp-process-mitigation-options-show.png)
+     ![Group Policy editor: Process Mitigation Options with Show Contents box and example text.](images/gp-process-mitigation-options-show.png)
 
 ## Setting the bit field
 Here’s a visual representation of the bit flag locations for the various Process Mitigation Options settings:
 
-![Visual representation of the bit flag locations for the Process Mitigation Options settings](images/gp-process-mitigation-options-bit-flag-image.png)
+![Visual representation of the bit flag locations for the Process Mitigation Options settings.](images/gp-process-mitigation-options-bit-flag-image.png)
 
 Where the bit flags are read from right to left and are defined as:
 
diff --git a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
index f98634584d..0a9058b91d 100644
--- a/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
+++ b/windows/security/threat-protection/overview-of-threat-mitigations-in-windows-10.md
@@ -130,7 +130,7 @@ You can now see which processes have DEP enabled.
 
 <!-- This might be a good place to mention the cmdlet that lets you see the same kind of output. -->
 
-![Processes with DEP enabled in Windows 10](images/security-fig5-dep.png)
+![Processes with DEP enabled in Windows 10.](images/security-fig5-dep.png)
 
 *Figure 2.&nbsp;&nbsp;Processes on which DEP has been enabled in Windows 10*
 
@@ -168,7 +168,7 @@ One of the most common techniques used to gain access to a system is to find a v
 
 Address Space Layout Randomization (ASLR) makes that type of attack much more difficult because it randomizes how and where important data is stored in memory. With ASLR, it is more difficult for malware to find the specific location it needs to attack. Figure 3 illustrates how ASLR works by showing how the locations of different critical Windows components can change in memory between restarts.
 
-![ASLR at work](images/security-fig4-aslr.png)
+![ASLR at work.](images/security-fig4-aslr.png)
 
 **Figure 3.&nbsp;&nbsp;ASLR at work**
 
diff --git a/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md b/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
index 220c774696..e24bb48367 100644
--- a/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
+++ b/windows/security/threat-protection/protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
@@ -56,13 +56,13 @@ Because mobile devices are increasingly being used to access corporate informati
 
 Devices that are used to access corporate resources must be trusted. An efficient end-to-end security approach is able to evaluate device health and use the current security state when granting access to a high-value asset.
 
-:::image type="content" alt-text="figure 1" source="images/hva-fig1-endtoend1.png":::
+:::image type="content" alt-text="figure 1." source="images/hva-fig1-endtoend1.png":::
 
 A robust design needs to establish the user’s identity, strengthen the authentication method if needed, and learn behavior like the network location the user regularly connects from. Also, a modern approach must be able to release sensitive content only if user devices are determined to be healthy and secure.
 
 The following figure shows a solution built to assess device health from the cloud. The device authenticates the user through a connection to an identity provider in the cloud. If the managed asset contains highly confidential information, the conditional access engine of the identity provider may elect to verify the security compliance of the mobile device before access is granted. The user’s device is able to prove its health status that can be sent at any time or when mobile device management (MDM) requests it.
 
-:::image type="content" alt-text="figure 2" source="images/hva-fig2-assessfromcloud2.png":::
+:::image type="content" alt-text="figure 2." source="images/hva-fig2-assessfromcloud2.png":::
 
 Windows devices can be protected from low-level rootkits and bootkits by using low-level hardware technologies such as Unified Extensible Firmware Interface (UEFI) Secure Boot.
 
@@ -94,7 +94,7 @@ In Windows 10, there are three pillars of investments:
 
 This section is an overview that describes different parts of the end-to-end security solution that helps protect high-value assets and information from attackers and malware.
 
-:::image type="content" alt-text="figure 3" source="images/hva-fig3-endtoendoverview3.png":::
+:::image type="content" alt-text="figure 3." source="images/hva-fig3-endtoendoverview3.png":::
 
 | Number | Part of the solution | Description |
 | - | - | - |
@@ -115,7 +115,7 @@ This section describes what Windows 10 offers in terms of security defenses and
 The most aggressive forms of malware try to insert themselves into the boot process as early as possible so that they can take control of the operating system early and prevent protection mechanisms and antimalware software from working. This type of malicious code is often called a rootkit or bootkit. The best way to avoid having to deal with low-level malware is to secure the boot process so that the device is protected from the very start.
 Windows 10 supports multiple layers of boot protection. Some of these features are available only if specific types of hardware are installed. For more information, see the [Hardware requirements](#hardware-req) section.
 
-:::image type="content" alt-text="figure 4" source="images/hva-fig4-hardware.png":::
+:::image type="content" alt-text="figure 4." source="images/hva-fig4-hardware.png":::
 
 Windows 10 supports features to help prevent sophisticated low-level malware like rootkits and bootkits from loading during the startup process:
 
@@ -230,7 +230,7 @@ The following Windows 10 services are protected with virtualization-based securi
 
 The schema below is a high-level view of Windows 10 with virtualization-based security.
 
-:::image type="content" alt-text="figure 5" source="images/hva-fig5-virtualbasedsecurity.png":::
+:::image type="content" alt-text="figure 5." source="images/hva-fig5-virtualbasedsecurity.png":::
 
 ### Credential Guard
 
@@ -425,11 +425,11 @@ The antimalware software can search to determine whether the boot sequence conta
 
 Health attestation logs the measurements in various TPM Platform Configuration Registers (PCRs) and TCG logs during the boot process.
 
-:::image type="content" alt-text="figure 6" source="images/hva-fig6-logs.png":::
+:::image type="content" alt-text="figure 6." source="images/hva-fig6-logs.png":::
 
 When starting a device equipped with TPM, a measurement of different components is performed. This includes firmware, UEFI drivers, CPU microcode, and also all the Windows 10 drivers whose type is Boot Start. The raw measurements are stored in the TPM PCR registers while the details of all events (executable path, authority certification, and so on) are available in the TCG log.
 
-:::image type="content" alt-text="figure 7" source="images/hva-fig7-measurement.png":::
+:::image type="content" alt-text="figure 7." source="images/hva-fig7-measurement.png":::
 
 The health attestation process works as follows:
 
@@ -459,7 +459,7 @@ The following process describes how health boot measurements are sent to the hea
 
 4.  The client stores the health encrypted blob in its local store. The device health token contains device health status, a device ID (the Windows AIK), and the boot counter.
 
-:::image type="content" alt-text="figure 8" source="images/hva-fig8a-healthattest8a.png":::
+:::image type="content" alt-text="figure 8." source="images/hva-fig8a-healthattest8a.png":::
 
 ### Device health attestation components
 
@@ -632,7 +632,7 @@ A solution that leverages MDM and the Health Attestation Service consists of thr
 2.  After this is enabled, and every boot thereafter, the device will send health measurements to the Health Attestation Service hosted by Microsoft, and it will receive a health attestation blob in return.
 3.  At any point after this, an MDM server can request the health attestation blob from the device and ask Health Attestation Service to decrypt the content and validate that it’s been attested.
 
-    :::image type="content" alt-text="figure 9" source="images/hva-fig8-evaldevicehealth8.png":::
+    :::image type="content" alt-text="figure 9." source="images/hva-fig8-evaldevicehealth8.png":::
 
 Interaction between a Windows 10-based device, the Health Attestation Service, and MDM can be performed as follows:
 
@@ -671,7 +671,7 @@ The remote device health attestation process uses measured boot data to verify t
 
 The figure below shows how the Health Attestation Service is expected to work with Microsoft’s cloud-based Intune MDM service.
 
-:::image type="content" alt-text="figure 10" source="images/hva-fig9-intune.png":::
+:::image type="content" alt-text="figure 10." source="images/hva-fig9-intune.png":::
 
 An MDM solution can then leverage health state statements and take them to the next level by coupling with client policies that will enable conditional access to be granted based on the device’s ability to prove that it’s malware free, its antimalware system is functional and up to date, the 
 firewall is running, and the devices patch state is compliant.
@@ -705,7 +705,7 @@ If the device is not registered, the user will get a message with instructions o
 
 **Azure AD** authenticates the user and the device, **MDM** manages the compliance and conditional access policies, and the **Health Attestation Service** reports about the health of the device in an attested way.
 
-:::image type="content" alt-text="figure 11" source="images/hva-fig10-conditionalaccesscontrol.png":::
+:::image type="content" alt-text="figure 11." source="images/hva-fig10-conditionalaccesscontrol.png":::
 
 ### <a href="" id="office-365-conditional-access-control-"></a>Office 365 conditional access control
 
@@ -725,7 +725,7 @@ The user will be denied access to services when sign-in credentials are changed,
 
 Depending on the type of email application that employees use to access Exchange online, the path to establish secured access to email can be slightly different. However, the key components: Azure AD, Office 365/Exchange Online, and Intune, are the same. The IT experience and end-user experience also are similar.
 
-:::image type="content" alt-text="figure 12" source="images/hva-fig11-office365.png":::
+:::image type="content" alt-text="figure 12." source="images/hva-fig11-office365.png":::
 
 Clients that attempt to access Office 365 will be evaluated for the following properties:
 
@@ -758,7 +758,7 @@ For on-premises applications there are two options to enable conditional access
 -   For on-premises applications that are published through the Azure AD Application Proxy, you can configure conditional access control policies as you would for cloud applications. For more details, see the [Azure AD Conditional Access preview updated: Now supports On-Premises and Custom LOB apps](https://go.microsoft.com/fwlink/p/?LinkId=691618) blog post.
 -   Additionally, Azure AD Connect will sync device compliance information from Azure AD to on-premises AD. ADFS on Windows Server 2016 will support conditional access control based on a device's compliance state. IT pros will configure conditional access control policies in ADFS that use the device's compliance state reported by a compatible MDM solution to secure on-premises applications.
 
-:::image type="content" alt-text="figure 13" source="images/hva-fig12-conditionalaccess12.png":::
+:::image type="content" alt-text="figure 13." source="images/hva-fig12-conditionalaccess12.png":::
 
 The following process describes how Azure AD conditional access works:
 
diff --git a/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md b/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md
index eb88a41772..ce251bc758 100644
--- a/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md
+++ b/windows/security/threat-protection/security-policy-settings/interactive-logon-display-user-information-when-the-session-is-locked.md
@@ -36,7 +36,7 @@ Beginning with Windows 10 version 1607, new functionality was added to Windows 1
 This functionality is controlled by a new **Privacy** setting in **Settings** > **Accounts** > **Sign-in options**.
 The Privacy setting is off by default, which hides the details.
 
-![Privacy setting](images/privacy-setting-in-sign-in-options.png)
+![Privacy setting.](images/privacy-setting-in-sign-in-options.png)
 
 The **Interactive logon: Display user information when the session is locked** Group Policy setting controls the same functionality.
 
diff --git a/windows/security/threat-protection/security-policy-settings/security-policy-settings.md b/windows/security/threat-protection/security-policy-settings/security-policy-settings.md
index 426d291c10..7a58b942a4 100644
--- a/windows/security/threat-protection/security-policy-settings/security-policy-settings.md
+++ b/windows/security/threat-protection/security-policy-settings/security-policy-settings.md
@@ -157,7 +157,7 @@ The following diagram shows Security Settings and related features.
 
 #### Security Settings Policies and Related Features
 
-![components related to security policies](images/secpol-components.gif)
+![components related to security policies.](images/secpol-components.gif)
 
 - **Scesrv.dll**
 
@@ -181,7 +181,7 @@ The Security Settings extension of the Local Group Policy Editor is part of the
 
 **Security Settings Architecture**
 
-![architecture of security policy settings](images/secpol-architecture.gif)
+![architecture of security policy settings.](images/secpol-architecture.gif)
 
 The security settings configuration and analysis tools include a security configuration engine, which provides local computer (non-domain member) and Group Policy−based configuration and analysis of security settings policies. The security configuration engine also supports the creation of security policy files. The primary features of the security configuration engine are scecli.dll and scesrv.dll.
 
@@ -321,7 +321,7 @@ In the context of Group Policy processing, security settings policy is processed
 
    **Multiple GPOs and Merging of Security Policy**
 
-   ![multiple gpos and merging of security policy](images/secpol-multigpomerge.gif)
+   ![multiple gpos and merging of security policy.](images/secpol-multigpomerge.gif)
 
 1. The resultant security policies are stored in secedit.sdb, the security settings database. The security engine gets the security template files and imports them to secedit.sdb.
 1. The security settings policies are applied to devices.
@@ -329,7 +329,7 @@ The following figure illustrates the security settings policy processing.
 
 **Security Settings Policy Processing**
 
-![process and interactions of security policy settings](images/secpol-processes.gif)
+![process and interactions of security policy settings.](images/secpol-processes.gif)
 
 ### Merging of security policies on domain controllers
 
diff --git a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
index 277bc347d1..a8362c5bda 100644
--- a/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
+++ b/windows/security/threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
@@ -380,9 +380,9 @@ This can easily be extended to other Auto-Execution Start Points keys in the reg
 
 Use the following figures to see how you can configure those registry keys.
 
-![default acl for run key](images/runkey.png)
+![default acl for run key.](images/runkey.png)
 
-![default acl for runonce key](images/runoncekey.png)
+![default acl for runonce key.](images/runoncekey.png)
 
 ## <a href="" id="bkmk-appendixc"></a>Appendix C - Event channel settings (enable and channel access) methods
 
@@ -399,7 +399,7 @@ The following GPO snippet performs the following:
 -   Enables the **Microsoft-Windows-DriverFrameworks-UserMode/Operational** event channel.
 -   Sets the maximum file size for **Microsoft-Windows-DriverFrameworks-UserMode/Operational** to 50MB.
 
-![configure event channels](images/capi-gpo.png)
+![configure event channels.](images/capi-gpo.png)
 
 ## <a href="" id="bkmk-appendixd"></a>Appendix D - Minimum GPO for WEF Client configuration
 
@@ -409,7 +409,7 @@ Here are the minimum steps for WEF to operate:
 2.  Start the WinRM service.
 3.  Add the Network Service account to the built-in Event Log Readers security group. This allows reading from secured event channel, such as the security event channel.
 
-![configure the wef client](images/wef-client-config.png)
+![configure the wef client.](images/wef-client-config.png)
 
 ## <a href="" id="bkmk-appendixe"></a>Appendix E – Annotated baseline subscription event query
 
diff --git a/windows/security/threat-protection/windows-10-mobile-security-guide.md b/windows/security/threat-protection/windows-10-mobile-security-guide.md
index 9b1eb730a6..11b4c1a58b 100644
--- a/windows/security/threat-protection/windows-10-mobile-security-guide.md
+++ b/windows/security/threat-protection/windows-10-mobile-security-guide.md
@@ -299,7 +299,7 @@ One of the most common techniques used by attackers to gain access to a system i
 
 Address Space Layout Randomization (ASLR) makes that type of attack much more difficult because it randomizes how and where important data is stored in memory. With ASLR, it is more difficult for malware to find the specific location it needs to attack. The below diagram illustrates how ASLR works, showing how the locations of different critical Windows components can change in memory between restarts.
 
-![figure 3](images/mobile-security-guide-figure3.png)
+![figure 3.](images/mobile-security-guide-figure3.png)
 
 Microsoft has substantively improved the ASLR implementation in Windows 10 Mobile over previous versions, applying it across the entire system rather than only in specific apps. With 64bit system and application processes that can take advantage of a vastly increased memory space, it is even more difficult for malware to predict where Windows 10 Mobile stores vital data. When used on systems that have TPMs, ASLR memory randomization becomes increasingly unique across devices, adding additional degrees of difficulty for repurposing successful exploits to another system.
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md
index ab40f94622..582297f71b 100644
--- a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md
+++ b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md
@@ -37,7 +37,7 @@ Refer to the below video for an overview and brief demo.
 > [!VIDEO https://www.microsoft.com/videoplayer/embed/RE4mlcp]
 
 ## Policy Authorization Process
-![Policy Authorization](images/wdac-intune-policy-authorization.png)
+![Policy Authorization.](images/wdac-intune-policy-authorization.png)
 The general steps for expanding the S mode base policy on your Intune-managed devices are to generate a supplemental policy, sign that policy, and then upload the signed policy to Intune and assign it to user or device groups. Because you need access to WDAC PowerShell cmdlets to generate your supplemental policy, you should create and manage your policies on a non-S mode device. Once the policy has been uploaded to Intune, we recommend assigning it to a single test S-mode device to verify expected functioning before deploying the policy more broadly.
 
 1. Generate a supplemental policy with WDAC tooling
@@ -89,11 +89,11 @@ The general steps for expanding the S mode base policy on your Intune-managed de
 > When updating your supplemental policy, ensure that the new version number is strictly greater than the previous one. Using the same version number is not allowed by Intune. Refer to [Set-CIPolicyVersion](/powershell/module/configci/set-cipolicyversion?view=win10-ps&preserve-view=true) for information on setting the version number.
 
 ## Standard Process for Deploying Apps through Intune
-![Deploying Apps through Intune](images/wdac-intune-app-deployment.png)
+![Deploying Apps through Intune.](images/wdac-intune-app-deployment.png)
 Refer to [Intune Standalone - Win32 app management](/intune/apps-win32-app-management)  for guidance on the existing procedure of packaging signed catalogs and app deployment.
 
 ## Optional: Process for Deploying Apps using Catalogs
-![Deploying Apps using Catalogs](images/wdac-intune-app-catalogs.png)
+![Deploying Apps using Catalogs.](images/wdac-intune-app-catalogs.png)
 Your supplemental policy can be used to significantly relax the S mode base policy, but there are security trade-offs you must consider in doing so. For example, you can use a signer rule to trust an external signer, but that will authorize all apps signed by that certificate, which may include apps you don't want to allow as well.
 
 Instead of authorizing signers external to your organization, Intune has added new functionality to make it easier to authorize existing applications (without requiring repackaging or access to the source code) through the use of signed catalogs. This works for apps which may be unsigned or even signed apps when you don't want to trust all apps that may share the same signing certificate.
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md b/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md
index f197b8f4b2..af49d0b081 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/plan-for-applocker-policy-management.md
@@ -61,7 +61,7 @@ AppLocker can be configured to display the default message but with a custom URL
 
 The following image shows an example of the error message for a blocked app. You can use the **Set a support web link** policy setting to customize the **More information** link.
 
-![applocker blocked application error message](images/blockedappmsg.gif)
+![applocker blocked application error message.](images/blockedappmsg.gif)
 
 For steps to display a custom URL for the message, see [Display a custom URL message when users try to run a blocked app](display-a-custom-url-message-when-users-try-to-run-a-blocked-application.md).
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md
index 5350f5c843..9ffaf2b82c 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-applocker-rules-and-enforcement-setting-inheritance-in-group-policy.md
@@ -44,7 +44,7 @@ Because a computer's effective policy includes rules from each linked GPO, dupli
 
 The following figure demonstrates how AppLocker rule enforcement is applied through linked GPOs.
 
-![applocker rule enforcement inheritance chart](images/applocker-plan-inheritance.gif)
+![applocker rule enforcement inheritance chart.](images/applocker-plan-inheritance.gif)
 
 In the preceding illustration, note that all GPOs linked to Contoso are applied in order as configured. The rules that are not configured are also applied. For example, the result of the Contoso and Human Resources GPOs is 33 rules enforced, as shown in the client HR-Term1. The Human Resources GPO contains 10 non-configured rules. When the rule collection is configured for **Audit only**, no rules are enforced.
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md
index 0f909bdf3d..a51539d046 100644
--- a/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md
+++ b/windows/security/threat-protection/windows-defender-application-control/applocker/understand-the-applocker-policy-deployment-process.md
@@ -30,7 +30,7 @@ To successfully deploy AppLocker policies, you need to identify your application
 
 The following diagram shows the main points in the design, planning, and deployment process for AppLocker.
 
-![applocker quick reference guide](images/applocker-plandeploy-quickreference.gif)
+![applocker quick reference guide.](images/applocker-plandeploy-quickreference.gif)
 
 ## Resources to support the deployment process
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md
index bc1218b82c..671bd29bf1 100644
--- a/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/audit-and-enforce-windows-defender-application-control-policies.md
@@ -46,7 +46,7 @@ To familiarize yourself with creating WDAC rules from audit events, follow these
 
    **Figure 1. Exceptions to the deployed WDAC policy** <br>
 
-   ![Event showing exception to WDAC policy](images/dg-fig23-exceptionstocode.png)
+   ![Event showing exception to WDAC policy.](images/dg-fig23-exceptionstocode.png)
 
 3. In an elevated PowerShell session, run the following commands to initialize variables used by this procedure. This procedure builds upon the **Lamna_FullyManagedClients_Audit.xml** policy introduced in [Create a WDAC policy for fully managed devices](create-wdac-policy-for-fully-managed-devices.md) and will produce a new policy called **EventsPolicy.xml**.
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md
index cb94565bff..706f2e6d6a 100644
--- a/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/audit-windows-defender-application-control-policies.md
@@ -45,7 +45,7 @@ To familiarize yourself with creating WDAC rules from audit events, follow these
 2. Review the **CodeIntegrity - Operational** and **AppLocker - MSI and Script** event logs to confirm events, like those shown in Figure 1, are generated related to the application. For information about the types of events you should see, refer to [Understanding Application Control events](event-id-explanations.md).
 
    **Figure 1. Exceptions to the deployed WDAC policy**
-   ![Event showing exception to WDAC policy](images/dg-fig23-exceptionstocode.png)
+   ![Event showing exception to WDAC policy.](images/dg-fig23-exceptionstocode.png)
 
 3. In an elevated PowerShell session, run the following commands to initialize variables used by this procedure. This procedure builds upon the **Lamna_FullyManagedClients_Audit.xml** policy introduced in [Create a WDAC policy for fully managed devices](create-wdac-policy-for-fully-managed-devices.md) and will produce a new policy called **EventsPolicy.xml**.
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md
index b9ca84a296..761ea31822 100644
--- a/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md
+++ b/windows/security/threat-protection/windows-defender-application-control/create-code-signing-cert-for-windows-defender-application-control.md
@@ -39,7 +39,7 @@ ECDSA is not supported.
 
 2.  When connected, right-click **Certificate Templates**, and then click **Manage** to open the Certification Templates Console.
 
-    ![CA snap-in showing Certificate Templates](images/dg-fig27-managecerttemp.png)
+    ![CA snap-in showing Certificate Templates.](images/dg-fig27-managecerttemp.png)
 
     Figure 1. Manage the certificate templates
 
@@ -55,7 +55,7 @@ ECDSA is not supported.
 
 8.  In the **Edit Basic Constraints Extension** dialog box, select **Enable this extension**, as shown in Figure 2.
 
-    ![Edit Basic Constraints Extension](images/dg-fig29-enableconstraints.png)
+    ![Edit Basic Constraints Extension.](images/dg-fig29-enableconstraints.png)
 
     Figure 2. Select constraints on the new template
 
@@ -71,7 +71,7 @@ When this certificate template has been created, you must publish it to the CA p
 
 1.  In the Certification Authority MMC snap-in, right-click **Certification Templates**, point to **New**, and then click **Certificate Template to Issue**, as shown in Figure 3.
 
-    ![Select Certificate Template to Issue](images/dg-fig30-selectnewcert.png)
+    ![Select Certificate Template to Issue.](images/dg-fig30-selectnewcert.png)
 
     Figure 3. Select the new certificate template to issue
 
@@ -89,7 +89,7 @@ Now that the template is available to be issued, you must request one from the c
 
 4.  In the **Request Certificate** list, select your newly created code signing certificate, and then select the blue text that requests additional information, as shown in Figure 4.
 
-    ![Request Certificates: more information required](images/dg-fig31-getmoreinfo.png)
+    ![Request Certificates: more information required.](images/dg-fig31-getmoreinfo.png)
 
     Figure 4. Get more information for your code signing certificate
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md
index 52cac752d2..bdb0bb25f6 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-catalog-files-to-support-windows-defender-application-control.md
@@ -142,7 +142,7 @@ To sign the existing catalog file, copy each of the following commands into an e
     
 4. Verify the catalog file digital signature. Right-click the catalog file, and then click **Properties**. On the **Digital Signatures** tab, verify that your signing certificate exists with a **sha256** algorithm, as shown in Figure 1.
 
-   ![Digital Signature list in file Properties](images/dg-fig12-verifysigning.png)
+   ![Digital Signature list in file Properties.](images/dg-fig12-verifysigning.png)
 
    Figure 1. Verify that the signing certificate exists
 
@@ -182,7 +182,7 @@ To simplify the management of catalog files, you can use Group Policy preference
    > [!NOTE]
    > You can use any OU name. Also, security group filtering is an option when you consider different ways of combining WDAC policies (or keeping them separate).
 
-   ![Group Policy Management, create a GPO](images/dg-fig13-createnewgpo.png)
+   ![Group Policy Management, create a GPO.](images/dg-fig13-createnewgpo.png)
 
    Figure 2. Create a new GPO
 
@@ -192,7 +192,7 @@ To simplify the management of catalog files, you can use Group Policy preference
 
 5. Within the selected GPO, navigate to Computer Configuration\\Preferences\\Windows Settings\\Files. Right-click **Files**, point to **New**, and then click **File**, as shown in Figure 3.
 
-   ![Group Policy Management Editor, New File](images/dg-fig14-createnewfile.png)
+   ![Group Policy Management Editor, New File.](images/dg-fig14-createnewfile.png)
 
    Figure 3. Create a new file
 
@@ -202,7 +202,7 @@ To simplify the management of catalog files, you can use Group Policy preference
 
 7. To keep versions consistent, in the **New File Properties** dialog box (Figure 4), select **Replace** from the **Action** list so that the newest version is always used.
 
-   ![File Properties, Replace option](images/dg-fig15-setnewfileprops.png)
+   ![File Properties, Replace option.](images/dg-fig15-setnewfileprops.png)
 
    Figure 4. Set the new file properties
 
@@ -235,7 +235,7 @@ As an alternative to Group Policy, you can use Configuration Manager to deploy c
 
 3.  Name the package, set your organization as the manufacturer, and select an appropriate version number.
 
-    ![Create Package and Program Wizard](images/dg-fig16-specifyinfo.png)
+    ![Create Package and Program Wizard.](images/dg-fig16-specifyinfo.png)
 
     Figure 5. Specify information about the new package
 
@@ -257,7 +257,7 @@ As an alternative to Group Policy, you can use Configuration Manager to deploy c
 
     -   From the **Drive mode** list, select **Runs with UNC name**.
 
-    ![Standard Program page of wizard](images/dg-fig17-specifyinfo.png)
+    ![Standard Program page of wizard.](images/dg-fig17-specifyinfo.png)
 
     Figure 6. Specify information about the standard program
 
@@ -285,7 +285,7 @@ After you create the deployment package, deploy it to a collection so that the c
 
     -   Select the **Commit changes at deadline or during a maintenance window (requires restarts)** check box.
 
-    ![Deploy Software Wizard, User Experience page](images/dg-fig18-specifyux.png)
+    ![Deploy Software Wizard, User Experience page.](images/dg-fig18-specifyux.png)
 
     Figure 7. Specify the user experience
 
@@ -310,13 +310,13 @@ When catalog files have been deployed to the computers within your environment,
 
 3.  Name the new policy, and under **Select and then configure the custom settings for client devices**, select the **Software Inventory** check box, as shown in Figure 8.
 
-    ![Create Custom Client Device Settings](images/dg-fig19-customsettings.png)
+    ![Create Custom Client Device Settings.](images/dg-fig19-customsettings.png)
 
     Figure 8. Select custom settings
 
 4.  In the navigation pane, click **Software Inventory**, and then click **Set Types**, as shown in Figure 9.
 
-    ![Software Inventory settings for devices](images/dg-fig20-setsoftwareinv.png)
+    ![Software Inventory settings for devices.](images/dg-fig20-setsoftwareinv.png)
 
     Figure 9. Set the software inventory
 
@@ -329,7 +329,7 @@ When catalog files have been deployed to the computers within your environment,
 
 7.  In the **Path Properties** dialog box, select **Variable or path name**, and then type **C:\\Windows\\System32\\catroot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}** in the box, as shown in Figure 10.
 
-    ![Path Properties, specifying a path](images/dg-fig21-pathproperties.png)
+    ![Path Properties, specifying a path.](images/dg-fig21-pathproperties.png)
 
     Figure 10. Set the path properties
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md
index d20e96958f..dea3b62b33 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-group-policy.md
@@ -43,7 +43,7 @@ To deploy and manage a WDAC policy with Group Policy:
    > [!NOTE]
    > You can use any OU name. Also, security group filtering is an option when you consider different ways of combining WDAC policies (or keeping them separate), as discussed in [Plan for Windows Defender Application Control policy management](plan-windows-defender-application-control-management.md).
 
-   ![Group Policy Management, create a GPO](images/dg-fig24-creategpo.png)
+   ![Group Policy Management, create a GPO.](images/dg-fig24-creategpo.png)
 
 3. Name the new GPO. You can choose any name.
 
@@ -51,7 +51,7 @@ To deploy and manage a WDAC policy with Group Policy:
 
 5. In the selected GPO, navigate to Computer Configuration\\Administrative Templates\\System\\Device Guard. Right-click **Deploy Windows Defender Application Control** and then click **Edit**.
 
-    ![Edit the Group Policy for Windows Defender Application Control](images/wdac-edit-gp.png)
+    ![Edit the Group Policy for Windows Defender Application Control.](images/wdac-edit-gp.png)
 
 6. In the **Deploy Windows Defender Application Control** dialog box, select the **Enabled** option, and then specify the WDAC policy deployment path.
 
@@ -60,7 +60,7 @@ To deploy and manage a WDAC policy with Group Policy:
     > [!NOTE]
     > This policy file does not need to be copied to every computer. You can instead copy the WDAC policies to a file share to which all computer accounts have access. Any policy selected here is converted to SIPolicy.p7b when it is deployed to the individual client computers.
 
-    ![Group Policy called Deploy Windows Defender Application Control](images/dg-fig26-enablecode.png)
+    ![Group Policy called Deploy Windows Defender Application Control.](images/dg-fig26-enablecode.png)
 
     > [!NOTE]
     > You may have noticed that the GPO setting references a .p7b file and this example uses a .bin file for the policy. Regardless of the type of policy you deploy (.bin, .p7b, or .p7), they are all converted to SIPolicy.p7b when dropped on the client computer running Windows 10. Give your WDAC policies friendly names and allow the system to convert the policy names for you to ensure that the policies are easily distinguishable when viewed in a share or any other central repository.
diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md
index 250600e081..29fbbe9431 100644
--- a/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md
+++ b/windows/security/threat-protection/windows-defender-application-control/deploy-windows-defender-application-control-policies-using-intune.md
@@ -71,7 +71,7 @@ The steps to use Intune's custom OMA-URI functionality are:
     - **Certificate file**: upload your binary format policy file. You do not need to upload a Base64 file, as Intune will convert the uploaded .bin file to Base64 on your behalf.
 
     > [!div class="mx-imgBorder"]
-    > ![Configure custom WDAC](images/wdac-intune-custom-oma-uri.png)
+    > ![Configure custom WDAC.](images/wdac-intune-custom-oma-uri.png)
 
 > [!NOTE]
 > For the _Policy GUID_ value, do not include the curly brackets.
diff --git a/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md b/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md
index 848bfe1e62..0c319af7e6 100644
--- a/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md
+++ b/windows/security/threat-protection/windows-defender-application-control/plan-windows-defender-application-control-management.md
@@ -45,7 +45,7 @@ Most WDAC policies will evolve over time and proceed through a set of identifiab
 6. Deploy the enforced mode policy to intended devices. We recommend using staged rollouts for enforced policies to detect and respond to issues before deploying the policy broadly.
 7. Repeat steps 1-6 anytime the desired "circle-of-trust" changes.  
 
-![Recommended WDAC policy deployment process](images/policyflow.png)
+![Recommended WDAC policy deployment process.](images/policyflow.png)
 
 ### Keep WDAC policies in a source control or document management solution
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md
index 2c5382e43b..4915d3faea 100644
--- a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-base-policy.md
@@ -43,7 +43,7 @@ Each of the template policies has a unique set of policy allow list rules that w
 
 More information about the Default Windows Mode and Allow Microsoft Mode policies can be accessed through the [Example WDAC base policies article](example-wdac-base-policies.md). 
 
-![Selecting a base template for the policy](images/wdac-wizard-template-selection.png)
+![Selecting a base template for the policy.](images/wdac-wizard-template-selection.png)
 
 Once the base template is selected, give the policy a name and choose where to save the application control policy on disk.
 
@@ -69,7 +69,7 @@ A description of each policy rule, beginning with the left-most column, is provi
 | **User Mode Code Integrity** | WDAC policies restrict both kernel-mode and user-mode binaries. By default, only kernel-mode binaries are restricted. Enabling this rule option validates user mode executables and scripts. |
 
 > [!div class="mx-imgBorder"]
-> ![Rule options UI for Windows Allowed mode policy](images/wdac-wizard-rule-options-UI-advanced-collapsed.png)
+> ![Rule options UI for Windows Allowed mode policy.](images/wdac-wizard-rule-options-UI-advanced-collapsed.png)
 
 ### Advanced Policy Rules Description
 
@@ -84,7 +84,7 @@ Selecting the **+ Advanced Options** label will show another column of policy ru
 | **Invalidate EAs on Reboot** | When the Intelligent Security Graph option (14) is used, WDAC sets an extended file attribute that indicates that the file was authorized to run. This option will cause WDAC to periodically revalidate the reputation for files that were authorized by the ISG.| 
 | **Require EV Signers** | In addition to being WHQL signed, this rule requires that drivers must have been submitted by a partner that has an Extended Verification (EV) certificate. All Windows 10 and later drivers will meet this requirement. |
 
-![Rule options UI for Windows Allowed mode](images/wdac-wizard-rule-options-UI.png)
+![Rule options UI for Windows Allowed mode.](images/wdac-wizard-rule-options-UI.png)
 
 > [!NOTE]
 > We recommend that you **enable Audit Mode** initially because it allows you to test new WDAC policies before you enforce them. With audit mode, no application is blocked—instead the policy logs an event whenever an application outside the policy is started. For this reason, all templates have Audit Mode enabled by default. 
@@ -105,7 +105,7 @@ The Publisher file rule type uses properties in the code signing certificate cha
 | **File name** | FilePublisher | Most specific. Combination of the file name, publisher, and PCA certificate as well as a minimum version number. Files from the publisher with the specified name and greater or equal to the specified version are affected. |
 
 
-![Custom filepublisher file rule creation](images/wdac-wizard-custom-publisher-rule.png)
+![Custom filepublisher file rule creation.](images/wdac-wizard-custom-publisher-rule.png)
 
 ### Filepath Rules
 
@@ -123,7 +123,7 @@ The Wizard supports the creation of [file name rules](select-types-of-rules-to-c
 | **Internal name** | Specifies the internal name of the binary. |
 
 > [!div class="mx-imgBorder"]
-> ![Custom file attributes rule](images/wdac-wizard-custom-file-attribute-rule.png)
+> ![Custom file attributes rule.](images/wdac-wizard-custom-file-attribute-rule.png)
 
 ### File Hash Rules
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy.md
index bca81708e6..5f96c11702 100644
--- a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-create-supplemental-policy.md
@@ -33,15 +33,15 @@ Prerequisite information about application control can be accessed through the [
 
 Once the Supplemental Policy type is chosen on the New Policy page, policy name and file dialog fields can be used to name and save the supplemental policy. The next step requires selecting a base policy to expand. To expand a base policy, the base must allow supplemental policies. The WDAC Wizard will verify if the base policy allows supplementals and will show the following confirmation. 
 
-![Base policy allows supplemental policies](images/wdac-wizard-supplemental-expandable.png)
+![Base policy allows supplemental policies.](images/wdac-wizard-supplemental-expandable.png)
 
 If the base policy is not configured for supplemental policies, the Wizard will attempt to convert the policy to one that can be supplemented. Once successful, the Wizard will show a dialog demonstrating that the addition of the Allow Supplemental Policy rule was completed.  
 
-![Wizard confirms modification of base policy](images/wdac-wizard-confirm-base-policy-modification.png)
+![Wizard confirms modification of base policy.](images/wdac-wizard-confirm-base-policy-modification.png)
 
 Policies that cannot be supplemented, for instance, a supplemental policy, will be detected by the Wizard and will show the following error. Only a base policy can be supplemented. More information on supplemental policies can be found on our [Multiple Policies article](deploy-multiple-windows-defender-application-control-policies.md).
 
-![Wizard detects a bad base policy](images/wdac-wizard-supplemental-not-base.png)
+![Wizard detects a bad base policy.](images/wdac-wizard-supplemental-not-base.png)
 
 ## Configuring Policy Rules
 
@@ -60,7 +60,7 @@ There are only three policy rules that can be configured by the supplemental pol
 | **Managed Installer** | Use this option to automatically allow applications installed by a software distribution solution, such as Microsoft Endpoint Configuration Manager, that has been defined as a managed installer. |
 | **Disable Runtime FilePath Rule Protection** | Disable default FilePath rule protection (apps and executables allowed based on file path rules must come from a file path that’s only writable by an administrator) for any FileRule that allows a file based on FilePath. |
 
-![Rule options UI for Windows Allowed mode](images/wdac-wizard-supplemental-policy-rule-options-UI.png)
+![Rule options UI for Windows Allowed mode.](images/wdac-wizard-supplemental-policy-rule-options-UI.png)
 
 ## Creating custom file rules
 
@@ -78,7 +78,7 @@ The Publisher file rule type uses properties in the code signing certificate cha
 | **File name** | FilePublisher | Most specific. Combination of the file name, publisher, and PCA certificate and a minimum version number. Files from the publisher with the specified name and greater or equal to the specified version are affected. |
 
 
-![Custom filepublisher file rule creation](images/wdac-wizard-custom-publisher-rule.png)
+![Custom filepublisher file rule creation.](images/wdac-wizard-custom-publisher-rule.png)
 
 ### Filepath Rules
 
@@ -96,7 +96,7 @@ The Wizard supports the creation of [file name rules](select-types-of-rules-to-c
 | **Internal name** | Specifies the internal name of the binary. |
 
 
-![Custom file attributes rule](images/wdac-wizard-custom-file-attribute-rule.png)
+![Custom file attributes rule.](images/wdac-wizard-custom-file-attribute-rule.png)
 
 ### File Hash Rules
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-editing-policy.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-editing-policy.md
index 2b94c7f004..09c88d84aa 100644
--- a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-editing-policy.md
+++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-editing-policy.md
@@ -36,7 +36,7 @@ The WDAC Wizard makes editing and viewing WDAC policies easier than the PowerShe
 
 The `Policy Rules` page will load with the in-edit policy rules configured per the set rules. Selecting the `+ Advanced Options` button will reveal the advanced policy rule options panel. This grouping of rules contains additional policy rule options that are less common to the majority of users. To edit any of the rules, flip the corresponding policy rule state.  For instance, to disable Audit Mode and enable Enforcement Mode in the figure below, the button beside the `Audit Mode` label needs only to be pressed. Once the policy rules are configured, select the Next button to continue the next stage of editing: [Adding File Rules](#adding-file-rules).
 
-![Configuring the policy rules](images/wdac-wizard-edit-policy-rules.png)
+![Configuring the policy rules.](images/wdac-wizard-edit-policy-rules.png)
 
 A description of the policy rule is shown at the bottom of the page when the cursor is placed over the rule title. For a complete list of the policy rules and their capabilities, see the [Windows Defender Application Control policy rules table](select-types-of-rules-to-create.md#windows-defender-application-control-policy-rules).
 
@@ -50,7 +50,7 @@ Selecting the `+ Custom Rules` button will open the Custom Rules panel. For more
 
 The WDAC Wizard makes deleting file rules from an existing policy quick and easy. To remove any type of file rule: publisher rule, path rule, filename rule, or a hash rule, select the rule in the `Policy Signing Rules List` table on the left-hand side of the page. Selecting the rule will highlight the entire row. Once the row is highlighted, select the remove icon underneath the table. The Wizard will prompt for user confirmation before removing the file rule. Once removed, the rule will no longer appear in the policy or the table. 
 
-![Removing file rule from policy during edit](images/wdac-wizard-edit-remove-file-rule.png)
+![Removing file rule from policy during edit.](images/wdac-wizard-edit-remove-file-rule.png)
 
 **Note:** removing a publisher rule will also remove the associated File Attribute rules. For instance, in the xml block below, removing ID_SIGNER_CONTOSO_PUBLISHER would also remove the rules ID_FILEATTRIB_LOB_APP_1 and ID_FILEATTRIB_LOB_APP_2. 
 
diff --git a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-merging-policies.md b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-merging-policies.md
index ec6e988048..66ad01329f 100644
--- a/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-merging-policies.md
+++ b/windows/security/threat-protection/windows-defender-application-control/wdac-wizard-merging-policies.md
@@ -30,4 +30,4 @@ Select the policies you wish to merge into one policy using the `+ Add Policy` b
 
 Lastly, select a filepath save location for the final merged policy using the `Browse` button. If a minimum of two policies are selected, and the save location is specified, select the `Next` button to build the policy. 
 
-![Merging WDAC policies into a final WDAC policy](images/wdac-wizard-merge.png)
+![Merging WDAC policies into a final WDAC policy.](images/wdac-wizard-merge.png)
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md
index 6da28ad681..ed1a7fe460 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-account-protection.md
@@ -57,4 +57,4 @@ This can only be done in Group Policy.
 >[!NOTE]
 >If you hide all sections then the app will show a restricted interface, as in the following screenshot:
 >  
->![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png)
\ No newline at end of file
+>![Windows Security app with all sections hidden by Group Policy.](images/wdsc-all-hide.png)
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md
index 80d025f7ac..544e90142e 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-app-browser-control.md
@@ -76,4 +76,4 @@ This can only be done in Group Policy.
 > [!NOTE]
 > If you hide all sections then the app will show a restricted interface, as in the following screenshot:
 >
-> ![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png)
\ No newline at end of file
+> ![Windows Security app with all sections hidden by Group Policy.](images/wdsc-all-hide.png)
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md
index 1bfddcc3f2..969d80c8bf 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-customize-contact-information.md
@@ -32,11 +32,11 @@ ms.technology: mde
 
 You can add information about your organization in a contact card to the Windows Security app. You can include a link to a support site, a phone number for a help desk, and an email address for email-based support.
 
-![The security center custom fly-out](images/security-center-custom-flyout.png)
+![The security center custom fly-out.](images/security-center-custom-flyout.png)
 
 This information will also be shown in some enterprise-specific notifications (including notifications for the [Block at first sight feature](/windows/threat-protection/microsoft-defender-antivirus/configure-block-at-first-sight-microsoft-defender-antivirus), and [potentially unwanted applications](/windows/threat-protection/microsoft-defender-antivirus/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus)).
 
-![A security center notification](images/security-center-custom-notif.png)
+![A security center notification.](images/security-center-custom-notif.png)
 
 Users can select the displayed information to initiate a support request:
 
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md
index 919f2cb7a2..13fce0f2d5 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-performance-health.md
@@ -56,4 +56,4 @@ This can only be done in Group Policy.
 >[!NOTE]
 >If you hide all sections then the app will show a restricted interface, as in the following screenshot:
 >  
->![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png)
\ No newline at end of file
+>![Windows Security app with all sections hidden by Group Policy.](images/wdsc-all-hide.png)
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md
index f0627d2869..f4d3053cd9 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-device-security.md
@@ -50,7 +50,7 @@ This can only be done in Group Policy.
 >[!NOTE]
 >If you hide all sections then the app will show a restricted interface, as in the following screenshot:
 >  
->![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png)
+>![Windows Security app with all sections hidden by Group Policy.](images/wdsc-all-hide.png)
 
 ## Disable the Clear TPM button
 If you don't want users to be able to click the **Clear TPM** button in the Windows Security app, you can disable it.
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md
index c7d0fb4944..274c66bd66 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-family-options.md
@@ -55,4 +55,4 @@ This can only be done in Group Policy.
 >[!NOTE]
 >If you hide all sections then the app will show a restricted interface, as in the following screenshot:
 >  
->![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png)
\ No newline at end of file
+>![Windows Security app with all sections hidden by Group Policy.](images/wdsc-all-hide.png)
\ No newline at end of file
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md
index 5cf74d9fdf..3a14dc7c26 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-firewall-network-protection.md
@@ -52,5 +52,5 @@ This can only be done in Group Policy.
 >[!NOTE]
 >If you hide all sections then the app will show a restricted interface, as in the following screenshot:
 >  
->![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png)
+>![Windows Security app with all sections hidden by Group Policy.](images/wdsc-all-hide.png)
 
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md
index 762e9c7402..87960171d1 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection.md
@@ -63,7 +63,7 @@ This can only be done in Group Policy.
 >[!NOTE]
 >If you hide all sections then the app will show a restricted interface, as in the following screenshot:
 >  
->![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png)
+>![Windows Security app with all sections hidden by Group Policy.](images/wdsc-all-hide.png)
 
 ## Hide the Ransomware protection area
 
diff --git a/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md b/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md
index 146bdcc78e..30cc06c3d0 100644
--- a/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md
+++ b/windows/security/threat-protection/windows-defender-security-center/wdsc-windows-10-in-s-mode.md
@@ -34,7 +34,7 @@ Windows 10 in S mode is streamlined for tighter security and superior performanc
 
 The Windows Security interface is a little different in Windows 10 in S mode. The **Virus & threat protection** area has fewer options, because the built-in security of Windows 10 in S mode prevents viruses and other threats from running on devices in your organization. In addition, devices running Windows 10 in S mode receive security updates automatically.
 
-![Screen shot of the Windows Security app Virus & threat protection area in Windows 10 in S mode](images/security-center-virus-and-threat-protection-windows-10-in-s-mode.png)
+![Screen shot of the Windows Security app Virus & threat protection area in Windows 10 in S mode.](images/security-center-virus-and-threat-protection-windows-10-in-s-mode.png)
 
 For more information about Windows 10 in S mode, including how to switch out of S mode, see [Windows 10 Pro/Enterprise in S mode](/windows/deployment/windows-10-pro-in-s-mode).
 
diff --git a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md
index 17eb0a98fd..fe03727f33 100644
--- a/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md
+++ b/windows/security/threat-protection/windows-defender-security-center/windows-defender-security-center.md
@@ -31,7 +31,7 @@ In Windows 10, version 1709 and later, the app also shows information from third
 
 In Windows 10, version 1803, the app has two new areas, **Account protection** and **Device security**.
 
-![Screenshot of the Windows Security app showing that the device is protected and five icons for each of the features](images/security-center-home.png)
+![Screenshot of the Windows Security app showing that the device is protected and five icons for each of the features.](images/security-center-home.png)
 
 > [!NOTE]
 > The Windows Security app is a client interface on Windows 10, version 1703 and later. It is not the Microsoft Defender Security Center web portal console that is used to review and manage [Microsoft Defender for Endpoint](/windows/threat-protection/windows-defender-atp/windows-defender-advanced-threat-protection).
@@ -55,19 +55,19 @@ You can find more information about each section, including options for configur
 > [!NOTE]
 > If you hide all sections then the app will show a restricted interface, as in the following screenshot:
 >
-> ![Windows Security app with all sections hidden by Group Policy](images/wdsc-all-hide.png)
+> ![Windows Security app with all sections hidden by Group Policy.](images/wdsc-all-hide.png)
 
 ## Open the Windows Security app
 
 - Click the icon in the notification area on the taskbar.
 
-    ![Screenshot of the icon for the Windows Security app on the Windows task bar](images/security-center-taskbar.png)
+    ![Screenshot of the icon for the Windows Security app on the Windows task bar.](images/security-center-taskbar.png)
 - Search the Start menu for **Windows Security**.
 
-    ![Screenshot of the Start menu showing the results of a search for the Windows Security app, the first option with a large shield symbol is selected](images/security-center-start-menu.png)
+    ![Screenshot of the Start menu showing the results of a search for the Windows Security app, the first option with a large shield symbol is selected.](images/security-center-start-menu.png)
 - Open an area from Windows **Settings**.
 
-    ![Screenshot of Windows Settings showing the different areas available in the Windows Security](images/settings-windows-defender-security-center-areas.png)
+    ![Screenshot of Windows Settings showing the different areas available in the Windows Security.](images/settings-windows-defender-security-center-areas.png)
 
 > [!NOTE]
 > Settings configured with management tools, such as Group Policy, Microsoft Intune, or Microsoft Endpoint Configuration Manager, will generally take precedence over the settings in the Windows Security. See the topics for each of the sections for links to configuring the associated features or products.
diff --git a/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md b/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md
index 8b55c05b3e..848345ef8b 100644
--- a/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md
+++ b/windows/security/threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md
@@ -52,7 +52,7 @@ DRTM lets the system freely boot into untrusted code initially, but shortly afte
 This has the benefit of allowing untrusted early UEFI code to boot the system, but then being able to securely transition into a trusted and measured state.
 
 
-![System Guard Secure Launch](images/system-guard-secure-launch.png)
+![System Guard Secure Launch.](images/system-guard-secure-launch.png)
 
 Secure Launch simplifies management of SRTM measurements because the launch code is now unrelated to a specific hardware configuration. This means the number of valid code measurements is small, and future updates can be deployed more widely and quickly. 
 
@@ -82,7 +82,7 @@ While Windows Defender System Guard provides advanced protection that will help
 As Windows 10 boots, a series of integrity measurements are taken by Windows Defender System Guard using the device’s Trusted Platform Module 2.0 (TPM 2.0). System Guard Secure Launch will not support earlier TPM versions, such as TPM 1.2. This process and data are hardware-isolated away from Windows to help ensure that the measurement data is not subject to the type of tampering that could happen if the platform was compromised. From here, the measurements can be used to determine the integrity of the device’s firmware, hardware configuration state, and Windows boot-related components, just to name a few. 
 
 
-![Boot time integrity](images/windows-defender-system-guard-boot-time-integrity.png)
+![Boot time integrity.](images/windows-defender-system-guard-boot-time-integrity.png)
 
 After the system boots, Windows Defender System Guard signs and seals these measurements using the TPM. Upon request, a management system like Intune or Microsoft Endpoint Configuration Manager can acquire them for remote analysis. If Windows Defender System Guard indicates that the device lacks integrity, the management system can take a series of actions, such as denying the device access to resources.
 
diff --git a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
index 14695d80d0..55321967df 100644
--- a/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
+++ b/windows/security/threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
@@ -38,13 +38,13 @@ System Guard Secure Launch can be configured for Mobile Device Management (MDM)
 
 2. Click **Computer Configuration** > **Administrative Templates** > **System** > **Device Guard** > **Turn On Virtualization Based Security** > **Secure Launch Configuration**.
 
-    ![Secure Launch Configuration](images/secure-launch-group-policy.png)
+    ![Secure Launch Configuration.](images/secure-launch-group-policy.png)
 
 ### Windows Security Center
 
 Click **Start** > **Settings** > **Update & Security** > **Windows Security** > **Open Windows Security** > **Device security** > **Core isolation** > **Firmware protection**.
 
-  ![Windows Security Center](images/secure-launch-security-app.png)
+  ![Windows Security Center.](images/secure-launch-security-app.png)
   
 ### Registry
 
@@ -58,13 +58,13 @@ Click **Start** > **Settings** > **Update & Security** > **Windows Security** >
 
 5. Double-click **Enabled**, change the value to **1**, and click **OK**.
 
-    ![Secure Launch Registry](images/secure-launch-registry.png)
+    ![Secure Launch Registry.](images/secure-launch-registry.png)
 
 ## How to verify System Guard Secure Launch is configured and running
 
 To verify that Secure Launch is running, use System Information (MSInfo32). Click **Start**, search for **System Information**, and look under **Virtualization-based Security Services Running** and **Virtualization-based Security Services Configured**.
 
-![Verifying Secure Launch is running in the Windows Security Center](images/secure-launch-msinfo.png)
+![Verifying Secure Launch is running in the Windows Security Center.](images/secure-launch-msinfo.png)
 
 > [!NOTE]
 > To enable System Guard Secure launch, the platform must meet all the baseline requirements for [Device Guard](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md), [Credential Guard](../../identity-protection/credential-guard/credential-guard-requirements.md), and [Virtualization Based Security](/windows-hardware/design/device-experiences/oem-vbs).
diff --git a/windows/security/threat-protection/windows-firewall/best-practices-configuring.md b/windows/security/threat-protection/windows-firewall/best-practices-configuring.md
index 71f0392376..5819f886fd 100644
--- a/windows/security/threat-protection/windows-firewall/best-practices-configuring.md
+++ b/windows/security/threat-protection/windows-firewall/best-practices-configuring.md
@@ -38,7 +38,7 @@ type **WF.msc**, and then select **OK**. See also [Open Windows Firewall](./op
 
 When you open the Windows Defender Firewall for the first time, you can see the default settings applicable to the local computer. The Overview panel displays security settings for each type of network to which the device can connect.
 
-![Windows Defender Firewall with Advanced Security first time opening](images/fw01-profiles.png)
+![Windows Defender Firewall with Advanced Security first time opening.](images/fw01-profiles.png)
 
 *Figure 1: Windows Defender Firewall*
 
@@ -55,7 +55,7 @@ View detailed settings for each profile by right-clicking the top-level **Window
 Maintain the default settings in Windows Defender
 Firewall whenever possible. These settings have been designed to secure your device for use in most network scenarios. One key example is the default Block behavior for Inbound connections. 
 
-![A screenshot of a cell phone Description automatically generated](images/fw03-defaults.png)
+![A screenshot of a cell phone Description automatically generated.](images/fw03-defaults.png)
 
 *Figure 2: Default inbound/outbound settings*
 
@@ -70,7 +70,7 @@ In many cases, a next step for administrators will be to customize these profile
 
 This can be accomplished by right-clicking either **Inbound Rules** or **Outbound Rules**, and selecting **New Rule**. The interface for adding a new rule looks like this:
 
-![Rule creation wizard](images/fw02-createrule.png)
+![Rule creation wizard.](images/fw02-createrule.png)
 
 *Figure 3: Rule Creation Wizard*
 
@@ -131,7 +131,7 @@ To determine why some applications are blocked from communicating in the network
 
 Creation of application rules at runtime can also be prohibited by administrators using the Settings app or Group Policy.
 
-![Windows Firewall prompt](images/fw04-userquery.png)
+![Windows Firewall prompt.](images/fw04-userquery.png)
 
 *Figure 4: Dialog box to allow access*
 
@@ -148,7 +148,7 @@ Rule merging settings control how rules from different policy sources can be com
 
 The rule merging settings either allow or prevent local admins from creating their own firewall rules in addition to those obtained from Group Policy.
 
-![Customize settings](images/fw05-rulemerge.png)
+![Customize settings.](images/fw05-rulemerge.png)
 
 *Figure 5: Rule merging setting*
 
@@ -180,11 +180,11 @@ An important firewall feature you can use to mitigate damage during an active at
 Shields up can be achieved by checking **Block all
 incoming connections, including those in the list of allowed apps** setting found in either the Windows Settings app or the legacy file *firewall.cpl*.
 
-![Incoming connections](images/fw06-block.png)
+![Incoming connections.](images/fw06-block.png)
 
 *Figure 6: Windows settings App/Windows Security/Firewall Protection/Network Type*
 
-![Firewall cpl](images/fw07-legacy.png)
+![Firewall cpl.](images/fw07-legacy.png)
 
 *Figure 7: Legacy firewall.cpl*
 
diff --git a/windows/security/threat-protection/windows-firewall/boundary-zone.md b/windows/security/threat-protection/windows-firewall/boundary-zone.md
index 0e67454be2..37d7edb647 100644
--- a/windows/security/threat-protection/windows-firewall/boundary-zone.md
+++ b/windows/security/threat-protection/windows-firewall/boundary-zone.md
@@ -32,7 +32,7 @@ The GPOs you build for the boundary zone include IPsec or connection security ru
 
 Because these boundary zone devices can receive unsolicited inbound communications from untrusted devices that use plaintext, they must be carefully managed and secured in other ways. Mitigating this additional risk is an important part of deciding whether to add a device to the boundary zone. For example, completing a formal business justification process before adding each device to the boundary zone can help ensure that the additional risk is minimized. The following illustration shows a sample process that can help make such a decision.
 
-![design flowchart](images/wfas-designflowchart1.gif)
+![design flowchart.](images/wfas-designflowchart1.gif)
 
 The goal of this process is to determine whether the risk of adding a device to a boundary zone can be mitigated to a level that makes it acceptable to the organization. Ultimately, if the risk cannot be mitigated, membership must be denied.
 
diff --git a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md
index bf9a3f7d47..479b2e67af 100644
--- a/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md
+++ b/windows/security/threat-protection/windows-firewall/create-windows-firewall-rules-in-intune.md
@@ -28,7 +28,7 @@ ms.technology: mde
 To get started, open Device Configuration in Intune, then create a new profile. 
 Choose Windows 10 as the platform, and Endpoint Protection as the profile type. 
 Select Windows Defender Firewall.
-![Windows Defender Firewall in Intune](images/windows-firewall-intune.png)
+![Windows Defender Firewall in Intune.](images/windows-firewall-intune.png)
 
 >[!IMPORTANT]
 >A single Endpoint Protection profile may contain up to a maximum of 150 firewall rules. If a client device requires more than 150 rules, then multiple profiles must be assigned to it.
diff --git a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md
index 0e7f47576b..8f27c49ab5 100644
--- a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md
+++ b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design-example.md
@@ -32,7 +32,7 @@ In addition to the basic protection provided by the firewall rules in the previo
 
 The following illustration shows the traffic protection needed for this design example.
 
-![domain isolation policy design](images/wfas-design2example1.gif)
+![domain isolation policy design.](images/wfas-design2example1.gif)
 
 1.  All devices on the Woodgrove Bank corporate network that are Active Directory domain members must authenticate inbound network traffic as coming from another computer that is a member of the domain. Unless otherwise specified in this section, Woodgrove Bank's devices reject all unsolicited inbound network traffic that is not authenticated. If the basic firewall design is also implemented, even authenticated inbound network traffic is dropped unless it matches an inbound firewall rule.
 
diff --git a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md
index 6c13157e59..659827d1c6 100644
--- a/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/domain-isolation-policy-design.md
@@ -34,7 +34,7 @@ By using connection security rules based on IPsec, you provide a logical barrier
 
 The design is shown in the following illustration, with the arrows that show the permitted communication paths.
 
-![isolated domain boundary zone](images/wfasdomainisoboundary.gif)
+![isolated domain boundary zone.](images/wfasdomainisoboundary.gif)
 
 Characteristics of this design, as shown in the diagram, include the following:
 
diff --git a/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md b/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md
index 90d5fd2514..718505a9d7 100644
--- a/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md
+++ b/windows/security/threat-protection/windows-firewall/filter-origin-documentation.md
@@ -22,7 +22,7 @@ Debugging packet drops is a continuous issue to Windows customers. In the past,
 
 Typically, when investigating packet drop events, a customer would use the field `Filter Run-Time ID` from Windows Filtering Platform (WFP) audits 5157 or 5152. 
 
-![Event properties](images/event-properties-5157.png)
+![Event properties.](images/event-properties-5157.png)
 
 The filter ID uniquely identifies the filter that caused the packet drop. The filter ID can be searched in the WFP state dump output to trace back to the Firewall rule where the filter originated from. 
 
@@ -73,7 +73,7 @@ To enable a specific audit event, run the corresponding command in an administra
 
 As the audit surfaces `Filter Origin` and `Interface Index`, the network admin can determine the root cause of the network packet drop and the interface it happened on.
 
-![Event audit](images/event-audit-5157.png)
+![Event audit.](images/event-audit-5157.png)
 
 The next sections are divided by `Filter Origin` type, the value is either a rule name or the name of one of the default block filters. If the filter origin is one of the default block filters, skip to the section, **Firewall default block filters**. Otherwise, continue to the section **Firewall rules**.
 
@@ -86,7 +86,7 @@ Get-NetFirewallRule -Name “<Filter Origin>”
 Get-NetFirewallRule -Name " {A549B7CF-0542-4B67-93F9-EEBCDD584377} "
 ```
 
-![Firewall rule](images/firewallrule.png)
+![Firewall rule.](images/firewallrule.png)
 
 After identifying the rule that caused the drop, the network admin can now modify/disable the rule to allow the traffic they want through command prompt or using the Windows Defender UI. The network admin can find the rule in the UI with the rule’s `DisplayName`.
 
@@ -118,7 +118,7 @@ Get-NetIPInterface –InterfaceIndex <Interface Index>
 Get-NetIPInterface –InterfaceIndex 5
 ```
 
-![Quarantine default block filter](images/quarantine-default-block-filter.png)
+![Quarantine default block filter.](images/quarantine-default-block-filter.png)
 
 To learn more about the quarantine feature, see [Quarantine behavior](quarantine.md).
 
@@ -139,7 +139,7 @@ To generate a list of all the query user block rules, you can run the following
 Get-NetFirewallRule | Where {$_.Name -like "*Query User*"}
 ```
 
-![Query user default block filter](images/query-user-default-block-filters.png)
+![Query user default block filter.](images/query-user-default-block-filters.png)
 
 The query user pop-up feature is enabled by default. 
 
diff --git a/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md b/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md
index 8c8fb36ee5..5a6acfea96 100644
--- a/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md
+++ b/windows/security/threat-protection/windows-firewall/firewall-policy-design-example.md
@@ -38,7 +38,7 @@ The network administrators want to implement Windows Defender Firewall with Adva
 
 The following illustration shows the traffic protection needs for this design example.
 
-![design example 1](images/wfas-designexample1.gif)
+![design example 1.](images/wfas-designexample1.gif)
 
 1.  The network infrastructure servers that are running services, such as Active Directory, DNS, DHCP, or WINS, can receive unsolicited inbound requests from network clients. The network clients can receive the responses from the infrastructure servers.
 
diff --git a/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md b/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md
index 7b95852c3d..265019f489 100644
--- a/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md
+++ b/windows/security/threat-protection/windows-firewall/implementing-your-windows-firewall-with-advanced-security-design-plan.md
@@ -41,7 +41,7 @@ The following are important factors in the implementation of your Windows Defend
 
 The next step in implementing your design is to determine in what order each of the deployment steps must be performed. This guide uses checklists to help you accomplish the various deployment tasks that are required to implement your design plan. As the following diagram shows, checklists and subchecklists are used as necessary to provide the end-to-end procedure for deploying a design.
 
-![wfas implementation](images/wfas-implement.gif)
+![wfas implementation.](images/wfas-implement.gif)
 
 Use the following parent checklists in this section of the guide to become familiar with the deployment tasks for implementing your organization's Windows Defender Firewall with Advanced Security design.
 
diff --git a/windows/security/threat-protection/windows-firewall/quarantine.md b/windows/security/threat-protection/windows-firewall/quarantine.md
index 87bab115a6..bd087a2124 100644
--- a/windows/security/threat-protection/windows-firewall/quarantine.md
+++ b/windows/security/threat-protection/windows-firewall/quarantine.md
@@ -196,7 +196,7 @@ Auditpol /set /category:"System" /SubCategory:"Filtering Platform Connection" /s
 
 Sample drop audit with `filterOrigin` as `Quarantine Default`.
 
-![Quarantine default](images/quarantine-default1.png)
+![Quarantine default.](images/quarantine-default1.png)
 
 Once the drop’s filter origin has been identified as the quarantine default inbound block filter, the interface should be further investigated. To find the relevant interface, use the `InterfaceIndex` value from the `netEvent` or event audit in the following PowerShell command to generate more information about the interface:
 
@@ -205,7 +205,7 @@ Get-NetIPInterface –InterfaceIndex <Interface Index>
 Get-NetIPInterface –InterfaceIndex 5
 ```
 
-![Quarantine Interfaceindex](images/quarantine-interfaceindex1.png)
+![Quarantine Interfaceindex.](images/quarantine-interfaceindex1.png)
 
 Using the interface name, event viewer can be searched for any interface related changes. 
 
diff --git a/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md b/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md
index 81a548b4ee..8fbeb35412 100644
--- a/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md
+++ b/windows/security/threat-protection/windows-firewall/require-encryption-when-accessing-sensitive-network-resources.md
@@ -30,7 +30,7 @@ For devices that share sensitive information over the network, Windows Defender
 
 The following illustration shows an encryption zone in an isolated domain. The rules that implement both the isolated domain and the different zones are deployed by using Group Policy and Active Directory.
 
-![encryption zone in an isolated domain](images/wfas-domainisoencrypt.gif)
+![encryption zone in an isolated domain.](images/wfas-domainisoencrypt.gif)
 
 This goal provides the following benefits:
 
diff --git a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md
index a50232fe28..1a7c288575 100644
--- a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md
+++ b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-specified-users-or-devices.md
@@ -34,7 +34,7 @@ You can restrict access by specifying either computer or user credentials.
 
 The following illustration shows an isolated server, and examples of devices that can and cannot communicate with it. Devices that are outside the Woodgrove corporate network, or computers that are in the isolated domain but are not members of the required NAG, cannot communicate with the isolated server.
 
-![isolated domain with network access groups](images/wfas-domainnag.gif)
+![isolated domain with network access groups.](images/wfas-domainnag.gif)
 
 This goal, which corresponds to [Server Isolation Policy Design](server-isolation-policy-design.md), provides the following features:
 
diff --git a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md
index d7de7d8963..5285e56ad9 100644
--- a/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md
+++ b/windows/security/threat-protection/windows-firewall/restrict-access-to-only-trusted-devices.md
@@ -35,7 +35,7 @@ The protection provided by domain isolation can help you comply with regulatory
 
 The following illustration shows an isolated domain, with one of the zones that are optionally part of the design. The rules that implement both the isolated domain and the different zones are deployed by using Group Policy and Active Directory.
 
-![domain isolation](images/wfas-domainiso.gif)
+![domain isolation.](images/wfas-domainiso.gif)
 
 These goals, which correspond to [Domain Isolation Policy Design](domain-isolation-policy-design.md) and [Certificate-based Isolation Policy Design](certificate-based-isolation-policy-design.md), provide the following benefits:
 
diff --git a/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md b/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md
index 4c6f3f4fb7..8cb2a35d50 100644
--- a/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md
+++ b/windows/security/threat-protection/windows-firewall/securing-end-to-end-ipsec-connections-by-using-ikev2.md
@@ -59,7 +59,7 @@ These procedures assume that you already have a public key infrastructure (PKI)
 
 The following Windows PowerShell script establishes a connection security rule that uses IKEv2 for communication between two computers (CLIENT1 and SERVER1) that are joined to the corp.contoso.com domain as shown in Figure 1.
 
-![the contoso corporate network](images/corpnet.gif)
+![the contoso corporate network.](images/corpnet.gif)
 
 **Figure 1** The Contoso corporate network
 
@@ -77,7 +77,7 @@ This script does the following:
 
 -   Creates the IKEv2 connection security rule called **My IKEv2 Rule**.
 
-![powershell logo](images/powershelllogosmall.gif)**Windows PowerShell commands**
+![powershell logo.](images/powershelllogosmall.gif)**Windows PowerShell commands**
 
 Type each cmdlet on a single line, even though they may appear to wrap across several lines because of formatting constraints.
 
@@ -117,7 +117,7 @@ Use a Windows PowerShell script similar to the following to create a local IPsec
 
 >**Important:**  The certificate parameters that you specify for the certificate are case sensitive, so make sure that you type them exactly as specified in the certificate, and place the parameters in the exact order that you see in the following example. Failure to do so will result in connection errors.
 
-![powershell logo](images/powershelllogosmall.gif)**Windows PowerShell commands**
+![powershell logo.](images/powershelllogosmall.gif)**Windows PowerShell commands**
 
 Type each cmdlet on a single line, even though they may appear to wrap across several lines because of formatting constraints.
 
diff --git a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md
index 0e2b6ce11e..a0070cf114 100644
--- a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md
+++ b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design-example.md
@@ -46,7 +46,7 @@ In addition to the protection provided by the firewall rules and domain isolatio
 
 The following illustration shows the traffic protection needs for this design example.
 
-![isolated server example](images/wfas-design3example1.gif)
+![isolated server example.](images/wfas-design3example1.gif)
 
 1.  Access to the SQL Server devices must be restricted to only those computer or user accounts that have a business requirement to access the data. This includes the service accounts that are used by the WGBank front-end servers, and administrators of the SQL Server devices. In addition, access is only granted when it is sent from an authorized computer. Authorization is determined by membership in a network access group (NAG).
 
diff --git a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md
index f4d452b4cf..7d44e7c17c 100644
--- a/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md
+++ b/windows/security/threat-protection/windows-firewall/server-isolation-policy-design.md
@@ -32,7 +32,7 @@ You can implement a server isolation design without using domain isolation. To d
 
 The design is shown in the following illustration, with arrows that show the permitted communication paths.
 
-![isolated domain with isolated server](images/wfas-domainisohighsec.gif)
+![isolated domain with isolated server.](images/wfas-domainisohighsec.gif)
 
 Characteristics of this design include the following:
 
diff --git a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md
index 3e383743a4..bf70a3a3b7 100644
--- a/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md
+++ b/windows/security/threat-protection/windows-firewall/windows-firewall-with-advanced-security-administration-with-windows-powershell.md
@@ -328,7 +328,7 @@ Windows PowerShell can create powerful, complex IPsec policies like in Netsh and
 
 In Netsh, the authentication and cryptographic sets were specified as a list of comma-separated tokens in a specific format. In Windows PowerShell, rather than using default settings, you first create your desired authentication or cryptographic proposal objects and bundle them into lists in your preferred order. Then, you create one or more IPsec rules that reference these sets. The benefit of this model is that programmatic access to the information in the rules is much easier. See the following sections for clarifying examples.
 
-![object model for creating a single ipsec rule](images/createipsecrule.gif)
+![object model for creating a single ipsec rule.](images/createipsecrule.gif)
 
 ### Create IPsec rules
 
@@ -353,7 +353,7 @@ If you want to create a custom set of quick-mode proposals that includes both AH
 
 You can then use the newly created custom quick-mode policies when you create IPsec rules. The cryptography set object is linked to an IPsec rule object.
 
-![crypto set object](images/qmcryptoset.gif)
+![crypto set object.](images/qmcryptoset.gif)
 
 In this example, we build on the previously created IPsec rule by specifying a custom quick-mode crypto set. The final IPsec rule requires outbound traffic to be authenticated by the specified cryptography method.
 
diff --git a/windows/security/threat-protection/windows-security-baselines.md b/windows/security/threat-protection/windows-security-baselines.md
index f18a5180db..8e719f1364 100644
--- a/windows/security/threat-protection/windows-security-baselines.md
+++ b/windows/security/threat-protection/windows-security-baselines.md
@@ -61,12 +61,12 @@ You can download the security baselines from the [Microsoft Download Center](htt
 
 The security baselines are included in the [Security Compliance Toolkit (SCT)](security-compliance-toolkit-10.md), which can be downloaded from the Microsoft Download Center. The SCT also includes tools to help admins manage the security baselines. 
 
-[![Security Compliance Toolkit](images/security-compliance-toolkit-1.png)](security-compliance-toolkit-10.md) 
-[![Get Support](images/get-support.png)](get-support-for-security-baselines.md) 
+[![Security Compliance Toolkit.](images/security-compliance-toolkit-1.png)](security-compliance-toolkit-10.md) 
+[![Get Support.](images/get-support.png)](get-support-for-security-baselines.md) 
 
 ## Community
 
-[![Microsoft Security Guidance Blog](images/community.png)](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bd-p/Security-Baselines) 
+[![Microsoft Security Guidance Blog.](images/community.png)](https://techcommunity.microsoft.com/t5/microsoft-security-baselines/bd-p/Security-Baselines) 
 
 ## Related Videos
 
diff --git a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md
index cfb7427cbc..170918a4fa 100644
--- a/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md
+++ b/windows/security/threat-protection/windows-security-configuration-framework/windows-security-baselines.md
@@ -60,12 +60,12 @@ You can download the security baselines from the [Microsoft Download Center](htt
 
 The security baselines are included in the [Security Compliance Toolkit (SCT)](security-compliance-toolkit-10.md), which can be downloaded from the Microsoft Download Center. The SCT also includes tools to help admins manage the security baselines. 
 
-[![Security Compliance Toolkit](./../images/security-compliance-toolkit-1.png)](security-compliance-toolkit-10.md) 
-[![Get Support](./../images/get-support.png)](get-support-for-security-baselines.md) 
+[![Security Compliance Toolkit.](./../images/security-compliance-toolkit-1.png)](security-compliance-toolkit-10.md) 
+[![Get Support.](./../images/get-support.png)](get-support-for-security-baselines.md) 
 
 ## Community
 
-[![Microsoft Security Guidance Blog](./../images/community.png)](/archive/blogs/secguide/) 
+[![Microsoft Security Guidance Blog.](./../images/community.png)](/archive/blogs/secguide/) 
 
 ## Related Videos
 
diff --git a/windows/whats-new/contribute-to-a-topic.md b/windows/whats-new/contribute-to-a-topic.md
index 1387997652..b99b7a48ad 100644
--- a/windows/whats-new/contribute-to-a-topic.md
+++ b/windows/whats-new/contribute-to-a-topic.md
@@ -38,7 +38,7 @@ Across the docs.microsoft.com site, if you see **Edit** in the right-hand corner
 
 1. Go to the article that you want to update, and then click **Edit**.
 
-    ![GitHub Web, showing the Edit link](images/contribute-link.png)
+    ![GitHub Web, showing the Edit link.](images/contribute-link.png)
 
 2. Sign into (or sign up for) a GitHub account.
     
@@ -46,7 +46,7 @@ Across the docs.microsoft.com site, if you see **Edit** in the right-hand corner
 
 3. Click the **Pencil** icon (in the red box) to edit the content.
 
-    ![GitHub Web, showing the Pencil icon in the red box](images/pencil-icon.png)
+    ![GitHub Web, showing the Pencil icon in the red box.](images/pencil-icon.png)
 
 4. Using Markdown language, make your changes to the topic. For info about how to edit content using Markdown, see:
    - **If you're linked to the Microsoft organization in GitHub:** [Windows authoring guide](https://aka.ms/WindowsAuthoring)
@@ -55,11 +55,11 @@ Across the docs.microsoft.com site, if you see **Edit** in the right-hand corner
 
 5. Make your suggested change, and then click **Preview Changes** to make sure it looks correct.
 
-      ![GitHub Web, showing the Preview Changes tab](images/preview-changes.png)
+      ![GitHub Web, showing the Preview Changes tab.](images/preview-changes.png)
 
 6. When you’re done editing the topic, scroll to the bottom of the page, and then click **Propose file change**.
 
-    ![GitHub Web, showing the Propose file change button](images/propose-file-change.png)
+    ![GitHub Web, showing the Propose file change button.](images/propose-file-change.png)
 
     The **Comparing changes** screen shows the changes between your version of the article and the original content.
 
@@ -67,7 +67,7 @@ Across the docs.microsoft.com site, if you see **Edit** in the right-hand corner
 
    If there are no problems, you’ll see the message, **Able to merge**.
 
-   ![GitHub Web, showing the Comparing changes screen](images/compare-changes.png)
+   ![GitHub Web, showing the Comparing changes screen.](images/compare-changes.png)
 
 8. Click **Create pull request**.
 
diff --git a/windows/whats-new/ltsc/whats-new-windows-10-2019.md b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
index 83e1c6b032..256dad7a3a 100644
--- a/windows/whats-new/ltsc/whats-new-windows-10-2019.md
+++ b/windows/whats-new/ltsc/whats-new-windows-10-2019.md
@@ -48,7 +48,7 @@ This version of Window 10 includes security improvements for threat protection,
 
 The [Microsoft Defender for Endpoint](/windows/security/threat-protection/index) platform includes the security pillars shown in the following diagram. In this version of Windows, Defender for Endpoint includes powerful analytics, security stack integration, and centralized management for better detection, prevention, investigation, response, and management. 
 
-![Microsoft Defender for Endpoint](../images/wdatp.png)
+![Microsoft Defender for Endpoint.](../images/wdatp.png)
 
 ##### Attack surface reduction 
 
@@ -275,7 +275,7 @@ The WSC service now requires antivirus products to run as a protected process to
 
 WSC now includes the Fluent Design System elements you know and love. You’ll also notice we’ve adjusted the spacing and padding around the app. It will now dynamically size the categories on the main page if more room is needed for extra info. We also updated the title bar so that it will use your accent color if you have enabled that option in **Color Settings**.
 
-![Security at a glance](../images/defender.png "Windows Security Center")
+![Security at a glance.](../images/defender.png "Windows Security Center")
 
 #### Group Policy Security Options
 
@@ -288,7 +288,7 @@ A new security policy setting
 
 We’ve continued to work on the **Current threats** area in  [Virus & threat protection](/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection), which now displays all threats that need action. You can quickly take action on threats from this screen: 
 
-![S mode settings](../images/virus-and-threat-protection.png "Virus & threat protection settings")
+![S mode settings.](../images/virus-and-threat-protection.png "Virus & threat protection settings")
 
 ## Deployment
 
@@ -387,7 +387,7 @@ If you have shared devices deployed in your work place, **Fast sign-in** enables
 
 3. Sign-in to a shared PC with your account. You'll notice the difference!
 
-   ![fast sign-in](../images/fastsignin.png "fast sign-in")
+   ![fast sign-in.](../images/fastsignin.png "fast sign-in")
 
 ### Web sign-in to Windows 10
 
@@ -402,7 +402,7 @@ Until now, Windows logon only supported the use of identities federated to ADFS
 3. On the lock screen, select web sign-in under sign-in options.
 4. Click the “Sign in” button to continue.
 
-![Sign-in option](../images/websignin.png "web sign-in")
+![Sign-in option.](../images/websignin.png "web sign-in")
 
 ## Windows Analytics
 
@@ -470,7 +470,7 @@ The OS uninstall period is a length of time that users are given when they can o
 
 Using the new wizards in Windows Configuration Designer, you can [create provisioning packages to enroll devices in Azure Active Directory](/windows/configuration/provisioning-packages/provisioning-packages#configuration-designer-wizards). Azure AD join in bulk is available in the desktop, mobile, kiosk, and Surface Hub wizards.
 
-![get bulk token action in wizard](../images/bulk-token.png)
+![get bulk token action in wizard.](../images/bulk-token.png)
 
 ### Windows Spotlight
 
@@ -636,7 +636,7 @@ If you have a device that has been updated to Windows 10 Enterprise LTSC 2019, t
 
 We added a dropdown that displays as you type to help complete the next part of the path. You can also press **Ctrl + Backspace** to delete the last word, and **Ctrl + Delete** to delete the next word.
 
-![Reg editor](../images/regeditor.png "Registry editor dropdown")
+![Reg editor.](../images/regeditor.png "Registry editor dropdown")
 
 ## Remote Desktop with Biometrics
 
@@ -650,9 +650,9 @@ To get started, sign into your device using Windows Hello for Business. Bring up
 
 See the following example:
 
-![Enter your credentials](../images/RDPwBioTime.png "Windows Hello")
-![Provide credentials](../images/RDPwBio2.png "Windows Hello personal")
-![Microsoft Hyper-V Server 2016](../images/hyper-v.png "Microsoft Hyper-V Server 2016")
+![Enter your credentials.](../images/RDPwBioTime.png "Windows Hello")
+![Provide credentials.](../images/RDPwBio2.png "Windows Hello personal")
+![Microsoft Hyper-V Server 2016.](../images/hyper-v.png "Microsoft Hyper-V Server 2016")
 
 ## See Also
 
diff --git a/windows/whats-new/whats-new-windows-10-version-1703.md b/windows/whats-new/whats-new-windows-10-version-1703.md
index b05bba2289..48bf6b509b 100644
--- a/windows/whats-new/whats-new-windows-10-version-1703.md
+++ b/windows/whats-new/whats-new-windows-10-version-1703.md
@@ -31,11 +31,11 @@ Previously known as *Windows Imaging and Configuration Designer (ICD)*, the tool
 
 Windows Configuration Designer in Windows 10, version 1703, includes several new wizards to make it easier to create provisioning packages.
 
-![wizards for desktop, mobile, kiosk, Surface Hub](images/wcd-options.png)
+![wizards for desktop, mobile, kiosk, Surface Hub.](images/wcd-options.png)
 
 Both the desktop and kiosk wizards include an option to remove pre-installed software, based on the new [CleanPC configuration service provider (CSP)](/windows/client-management/mdm/cleanpc-csp).
 
-![remove pre-installed software option](images/wcd-cleanpc.png)
+![remove pre-installed software option.](images/wcd-cleanpc.png)
 
 [Learn more about Windows Configuration Designer.](/windows/configuration/provisioning-packages/provisioning-packages)
 
@@ -44,7 +44,7 @@ Both the desktop and kiosk wizards include an option to remove pre-installed sof
 
 Using the new wizards in Windows Configuration Designer, you can [create provisioning packages to enroll devices in Azure Active Directory](/windows/configuration/provisioning-packages/provisioning-packages#configuration-designer-wizards). Azure AD join in bulk is available in the desktop, mobile, kiosk, and Surface Hub wizards.
 
-![get bulk token action in wizard](images/bulk-token.png)
+![get bulk token action in wizard.](images/bulk-token.png)
 
 
 ### Windows Spotlight
@@ -279,7 +279,7 @@ Learn about the new Group Policies that were added in Windows 10, version 1703.
 
 The Lockdown Designer app helps you configure and create a lockdown XML file to apply to devices running Windows 10 Mobile, and includes a remote simulation to help you determine the layout for tiles on the Start screen. Using Lockdown Designer is easier than [manually creating a lockdown XML file](/windows/configuration/mobile-devices/lockdown-xml).
 
-![Lockdown Designer app in Store](images/ldstore.png)
+![Lockdown Designer app in Store.](images/ldstore.png)
 
 [Learn more about the Lockdown Designer app.](/windows/configuration/mobile-devices/mobile-lockdown-designer)
 
diff --git a/windows/whats-new/whats-new-windows-10-version-1809.md b/windows/whats-new/whats-new-windows-10-version-1809.md
index e73c5af9bc..6410248ff6 100644
--- a/windows/whats-new/whats-new-windows-10-version-1809.md
+++ b/windows/whats-new/whats-new-windows-10-version-1809.md
@@ -46,7 +46,7 @@ To learn more about Autopilot self-deploying mode and to see step-by-step instru
 We’ve continued to work on the **Current threats** area in  [Virus & threat protection](/windows/security/threat-protection/windows-defender-security-center/wdsc-virus-threat-protection), which now displays all threats that need action. You can quickly take action on threats from this screen: 
 
 > [!div class="mx-imgBorder"]
-> ![Virus & threat protection settings](images/virus-and-threat-protection.png "Virus & threat protection settings")
+> ![Virus & threat protection settings.](images/virus-and-threat-protection.png "Virus & threat protection settings")
 
 With controlled folder access you can help prevent ransomware and other destructive malware from changing your personal files. In some cases, apps that you normally use might be blocked from making changes to common folders like **Documents** and **Pictures**. We’ve made it easier for you to add apps that were recently blocked so you can keep using your device without turning off the feature altogether.
 
@@ -109,16 +109,16 @@ To try this:
 See the following example:
 
 > [!div class="mx-imgBorder"]
-> ![Security at a glance](images/1_AppBrowser.png "app and browser control")
+> ![Security at a glance.](images/1_AppBrowser.png "app and browser control")
 
 > [!div class="mx-imgBorder"]
-> ![Isolated browser](images/2_InstallWDAG.png "isolated browsing")
+> ![Isolated browser.](images/2_InstallWDAG.png "isolated browsing")
 
 > [!div class="mx-imgBorder"]
-> ![change WDAG settings](images/3_ChangeSettings.png "change settings")
+> ![change WDAG settings.](images/3_ChangeSettings.png "change settings")
 
 > [!div class="mx-imgBorder"]
-> ![view WDAG settings](images/4_ViewSettings.jpg "view settings")
+> ![view WDAG settings.](images/4_ViewSettings.jpg "view settings")
 
 ### Windows Security Center
 
@@ -130,7 +130,7 @@ The WSC service now requires antivirus products to run as a protected process to
 
 WSC now includes the Fluent Design System elements you know and love. You’ll also notice we’ve adjusted the spacing and padding around the app. It will now dynamically size the categories on the main page if more room is needed for extra info. We also updated the title bar so that it will use your accent color if you have enabled that option in **Color Settings**.
 
-![alt text](images/defender.png "Windows Security Center")
+![alt text.](images/defender.png "Windows Security Center")
 
 ### Windows Defender Firewall now supports Windows Subsystem for Linux (WSL) processes
 
@@ -195,7 +195,7 @@ We introduced a simplified assigned access configuration experience in **Setting
 
 To use this feature, go to **Settings**, search for **assigned access**, and open the **Set up a kiosk** page. 
 
-![set up a kiosk](images/kiosk-mode.png "set up a kiosk")
+![set up a kiosk.](images/kiosk-mode.png "set up a kiosk")
 
 Microsoft Edge kiosk mode running in single-app assigned access has two kiosk types.
 
@@ -203,7 +203,7 @@ Microsoft Edge kiosk mode running in single-app assigned access has two kiosk ty
 
 2. **Public browsing** supports multi-tab browsing and runs InPrivate mode with minimal features available. Users cannot minimize, close, or open new Microsoft Edge windows or customize them using Microsoft Edge Settings. Users can clear browsing data and downloads, and restart Microsoft Edge by clicking **End session**. Administrators can configure Microsoft Edge to restart after a period of inactivity.
 
-![single app assigned access](images/SingleApp_contosoHotel_inFrame@2x.png "single app assigned access")
+![single app assigned access.](images/SingleApp_contosoHotel_inFrame@2x.png "single app assigned access")
 
 Microsoft Edge kiosk mode running in multi-app assigned access has two kiosk types. 
 
@@ -212,11 +212,11 @@ Microsoft Edge kiosk mode running in multi-app assigned access has two kiosk typ
 
 **Public browsing** supports multi-tab browsing and runs InPrivate mode with minimal features available. In this configuration, Microsoft Edge can be one of many apps available. Users can close and open multiple InPrivate mode windows.
 
-![multi-app assigned access](images/Multi-app_kiosk_inFrame.png "multi-app assigned access")
+![multi-app assigned access.](images/Multi-app_kiosk_inFrame.png "multi-app assigned access")
 
 **Normal mode** runs a full version of Microsoft Edge, although some features may not work depending on what apps are configured in assigned access. For example, if the Microsoft Store is not set up, users cannot get books.
 
-![normal mode](images/Normal_inFrame.png "normal mode")
+![normal mode.](images/Normal_inFrame.png "normal mode")
 
 Learn more about [Microsoft Edge kiosk mode](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy).
 
@@ -224,7 +224,7 @@ Learn more about [Microsoft Edge kiosk mode](/microsoft-edge/deploy/microsoft-ed
 
 We added a dropdown that displays as you type to help complete the next part of the path. You can also press **Ctrl + Backspace** to delete the last word, and **Ctrl + Delete** to delete the next word.
 
-![Registry editor dropdown](images/regeditor.png "Registry editor dropdown")
+![Registry editor dropdown.](images/regeditor.png "Registry editor dropdown")
 
 ## Faster sign-in to a Windows 10 shared pc
 
@@ -237,7 +237,7 @@ Do you have shared devices deployed in your work place? **Fast sign-in** enables
 
 3. Sign-in to a shared PC with your account. You'll notice the difference!
 
-    ![fast sign-in](images/fastsignin.png "fast sign-in")
+    ![fast sign-in.](images/fastsignin.png "fast sign-in")
 
 >[!NOTE]
 >This is a private preview feature and therefore not meant or recommended for production purposes.
@@ -259,7 +259,7 @@ Until now, Windows logon only supported the use of identities federated to ADFS
 4. Click the **Sign in** button to continue.
 
    > [!div class="mx-imgBorder"]
-   > ![Web sign-in](images/websignin.png "web sign-in")
+   > ![Web sign-in.](images/websignin.png "web sign-in")
 
 >[!NOTE]
 >This is a private preview feature and therefore not meant or recommended for production purposes.
@@ -271,7 +271,7 @@ Android phone users, you can finally stop emailing yourself photos. With Your Ph
 For iPhone users, **Your Phone** app also helps you to link your phone to your PC. Surf the web on your phone, then send the webpage instantly to your computer to continue what you’re doing–-read, watch, or browse-- with all the benefits of a bigger screen. 
 
 > [!div class="mx-imgBorder"]
-> ![your phone](images/your-phone.png "your phone")
+> ![your phone.](images/your-phone.png "your phone")
 
 The desktop pin takes you directly to the **Your Phone** app for quicker access to your phone’s content. You can also go through the all apps list in Start, or use the Windows key and search for **Your Phone**. 
 
@@ -283,7 +283,7 @@ One of the things we’ve heard from you is that it’s hard to know when you’
 * Video mode increases the screen-to-screen latency to ensure the video on the big screen plays back smoothly
 * Productivity modes strikes a balance between game mode and video mode; the screen-to screen-latency is responsive enough that typing feels natural, while ensuring videos don’t glitch as often.
 
-![wireless projection banner](images/beaming.png "wireless projection banner")
+![wireless projection banner.](images/beaming.png "wireless projection banner")
 
 ## Remote Desktop with Biometrics
 
@@ -293,6 +293,6 @@ To get started, sign into your device using Windows Hello for Business. Bring up
 
 See the following example:
 
-![Enter your credentials](images/RDPwBioTime.png "Windows Hello")
-![Enter your credentials](images/RDPwBio2.png "Windows Hello personal")
-![Microsoft Hyper-V Server 2016](images/hyper-v.png "Microsoft Hyper-V Server 2016")
+![Enter your credentials.](images/RDPwBioTime.png "Windows Hello")
+![Enter your credentials.](images/RDPwBio2.png "Windows Hello personal")
+![Microsoft Hyper-V Server 2016.](images/hyper-v.png "Microsoft Hyper-V Server 2016")
diff --git a/windows/whats-new/whats-new-windows-10-version-1903.md b/windows/whats-new/whats-new-windows-10-version-1903.md
index 371bf97c95..74eb1725e2 100644
--- a/windows/whats-new/whats-new-windows-10-version-1903.md
+++ b/windows/whats-new/whats-new-windows-10-version-1903.md
@@ -125,7 +125,7 @@ The draft release of the [security configuration baseline settings](/archive/blo
 
 This new feature is displayed under the Device Security page with the string “Your device exceeds the requirements for enhanced hardware security” if configured properly:
 
-![System Guard](images/system-guard.png "SMM Firmware Measurement")
+![System Guard.](images/system-guard.png "SMM Firmware Measurement")
 
 ### Identity Protection
 
diff --git a/windows/whats-new/whats-new-windows-10-version-2004.md b/windows/whats-new/whats-new-windows-10-version-2004.md
index ac0d4984f2..692871b1c3 100644
--- a/windows/whats-new/whats-new-windows-10-version-2004.md
+++ b/windows/whats-new/whats-new-windows-10-version-2004.md
@@ -43,7 +43,7 @@ In this release,  [Windows Defender System Guard](/windows/security/threat-prote
 
 With this improvement, the OS can detect a higher level of SMM compliance, enabling devices to be even more hardened against SMM exploits and vulnerabilities. This feature is forward-looking and currently requires new hardware available soon.
 
- ![System Guard](images/system-guard2.png)
+ ![System Guard.](images/system-guard2.png)
 
 ### Windows Defender Application Guard
 

From ca465462b809b2af0da46e54cb1533d5e9ca6bfe Mon Sep 17 00:00:00 2001
From: Daniel Simpson <dansimp@microsoft.com>
Date: Mon, 30 Aug 2021 12:10:30 -0700
Subject: [PATCH 5/6] Update feature-availability.md

---
 .../feature-availability.md                               | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/windows/security/threat-protection/windows-defender-application-control/feature-availability.md b/windows/security/threat-protection/windows-defender-application-control/feature-availability.md
index 16eb1e9257..8e813e308b 100644
--- a/windows/security/threat-protection/windows-defender-application-control/feature-availability.md
+++ b/windows/security/threat-protection/windows-defender-application-control/feature-availability.md
@@ -1,5 +1,5 @@
 ---
-title: Feature Availability
+title:  Windows Defender Application Control Feature Availability
 description: Compare WDAC and AppLocker feature availability.
 keywords: security, malware
 ms.assetid: 8d6e0474-c475-411b-b095-1c61adb2bdbb
@@ -19,7 +19,7 @@ ms.custom: asr
 ms.technology: mde
 ---
 
-# WDAC and AppLocker feature availability
+# Windows Defender Application Control and AppLocker feature availability
 
 **Applies to:**
 
@@ -28,7 +28,7 @@ ms.technology: mde
 -   Windows Server 2016 and above
 
 >[!NOTE]
->Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
+>Some capabilities of Windows Defender Application Control are only available on specific Windows versions. See below to learn more.
 
 | Capability  | WDAC | AppLocker   |
 |-------------|------|-------------|
@@ -44,4 +44,4 @@ ms.technology: mde
 | Path-based rules                  | [Available on 1903+.](./select-types-of-rules-to-create.md#more-information-about-filepath-rules) Exclusions are not supported. Runtime user-writeability checks enforced by default.  | Available on Windows 8+. Exclusions are supported. No runtime user-writeability check. |
 | COM object configurability        | [Available on 1903+](./allow-com-object-registration-in-windows-defender-application-control-policy.md)  | Not available |
 | Packaged app rules                | [Available on RS5+](./manage-packaged-apps-with-windows-defender-application-control.md)  | Available on Windows 8+   |
-| Enforceable file types       | <ul><li>Driver files: .sys</li><li>Executable files: .exe and .com</li><li>DLLs: .dll and .ocx</li><li>Windows Installer files: .msi, .mst, and .msp</li><li>Scripts: .ps1, .vbs, and .js</li><li>Packaged apps and packaged app installers: .appx</li></ul>| <ul><li>Executable files: .exe and .com</li><li>[Optional] DLLs: .dll and .ocx</li><li>Windows Installer files: .msi, .mst, and .msp</li><li>Scripts: .ps1, .bat, .cmd, .vbs, and .js</li><li>Packaged apps and packaged app installers: .appx</li></ul>|
\ No newline at end of file
+| Enforceable file types       | <ul><li>Driver files: .sys</li><li>Executable files: .exe and .com</li><li>DLLs: .dll and .ocx</li><li>Windows Installer files: .msi, .mst, and .msp</li><li>Scripts: .ps1, .vbs, and .js</li><li>Packaged apps and packaged app installers: .appx</li></ul>| <ul><li>Executable files: .exe and .com</li><li>[Optional] DLLs: .dll and .ocx</li><li>Windows Installer files: .msi, .mst, and .msp</li><li>Scripts: .ps1, .bat, .cmd, .vbs, and .js</li><li>Packaged apps and packaged app installers: .appx</li></ul>|

From 2da0babe15561e5e00b754ec8ed8358b0fb67645 Mon Sep 17 00:00:00 2001
From: Daniel Simpson <dansimp@microsoft.com>
Date: Tue, 31 Aug 2021 15:38:30 -0700
Subject: [PATCH 6/6] Update LOB-win32-apps-on-s.md

---
 .../LOB-win32-apps-on-s.md                                   | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md
index 582297f71b..9c23deaecd 100644
--- a/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md
+++ b/windows/security/threat-protection/windows-defender-application-control/LOB-win32-apps-on-s.md
@@ -24,12 +24,11 @@ ms.technology: mde
 
 -   Windows 10
 -   Windows 11
--   Windows Server 2016 and above
 
 >[!NOTE]
 >Some capabilities of Windows Defender Application Control are only available on specific Windows versions. Learn more about the [Defender App Guard feature availability](feature-availability.md).
 
-Beginning with the Windows 10 November 2019 update (build 18363), Microsoft Intune enables customers to deploy and run business critical Win32 applications and Windows components that are normally blocked in S mode (ex. PowerShell.exe) on their Intune-managed Windows 10 in S mode devices.
+Beginning with the Windows 10 November 2019 update (build 18363), Microsoft Intune enables customers to deploy and run business critical Win32 applications and Windows components that are normally blocked in S mode (ex. PowerShell.exe) on their Intune-managed Windows in S mode devices.
 
 With Intune, IT Pros can now configure their managed S mode devices using a Windows Defender Application Control (WDAC) supplemental policy that expands the S mode base policy to authorize the apps their business uses. This feature changes the S mode security posture from "every app is Microsoft-verified" to "every app is verified by Microsoft or your organization".
 
@@ -243,4 +242,4 @@ IT Pros also have the choice of deleting a supplemental policy through Intune.
 ```
 
 ## Errata
-If an S-mode device with a policy authorization token and supplemental policy is rolled back from the 1909 update to the 1903 build, it will not revert to locked-down S mode until the next policy refresh. To achieve an immediate change to a locked-down S mode state, IT Pros should delete any tokens in %SystemRoot%\System32\CI\Tokens\Active.
\ No newline at end of file
+If an S-mode device with a policy authorization token and supplemental policy is rolled back from the 1909 update to the 1903 build, it will not revert to locked-down S mode until the next policy refresh. To achieve an immediate change to a locked-down S mode state, IT Pros should delete any tokens in %SystemRoot%\System32\CI\Tokens\Active.