Merge remote-tracking branch 'refs/remotes/origin/master' into live

devices/surface-hub/manage-windows-updates-for-surface-hub.md

@@ -106,6 +106,7 @@ You can connect Surface Hub to your Windows Server Update Services (WSUS) server
 To connect Surface Hub to a WSUS server using MDM, set an appropriate [Update/UpdateServiceUrl](https://msdn.microsoft.com/en-us/library/windows/hardware/dn904962.aspx#Update_UpdateServiceUrl) policy.
 
 **If you use a proxy server or other method to block URLs**
+
 If you use a method other than WSUS to block specific URLs and prevent updates, you will need to add the following Windows update trusted site URLs to the “allow list”:
 - `http(s)://*.update.microsoft.com`
 - `http://download.windowsupdate.com` 

windows/deploy/usmt-overview.md

@@ -35,7 +35,7 @@ USMT provides the following benefits to businesses that are deploying Windows op
 -   Increases employee satisfaction with the migration experience.
 
 ## Limitations
-USMT is intended for administrators who are performing large-scale automated deployments. If you are only migrating the user states of a few computers, you can use [Windows Easy Transfer](https://go.microsoft.com/fwlink/p/?LinkId=140248).
+USMT is intended for administrators who are performing large-scale automated deployments. If you are only migrating the user states of a few computers, you can use [PCmover Express](http://go.microsoft.com/fwlink/?linkid=620915). PCmover Express is a tool created by Microsoft's partner, Laplink.
 
 There are some scenarios in which the use of USMT is not recommended. These include:
 

windows/keep-secure/deploy-catalog-files-to-support-code-integrity-policies.md

@@ -124,8 +124,6 @@ To sign the existing catalog file, copy each of the following commands into an e
 
 After the catalog file is signed, add the signing certificate to a code integrity policy, as described in the following steps.
 
-<!-- All options below need to be confirmed. -->
-
 1.  If you have not already verified the catalog file digital signature, right-click the catalog file, and then click **Properties**. On the **Digital Signatures** tab, verify that your signing certificate exists with the algorithm you expect.
 
 2.  If you already have an XML policy file that you want to add the signing certificate to, skip to the next step. Otherwise, use [New-CIPolicy](https://technet.microsoft.com/library/mt634473.aspx) to create a code integrity policy that you will later merge into another policy (not deploy as-is). This example creates a policy called **CatalogSignatureOnly.xml** in the location **C:\\PolicyFolder**:
@@ -134,7 +132,7 @@ After the catalog file is signed, add the signing certificate to a code integrit
 
     > **Note**&nbsp;&nbsp;Include the **-UserPEs** parameter to ensure that the policy includes user mode code integrity.
 
-3.  Use [Add-SignerRule](https://technet.microsoft.com/library/mt634479.aspx) to add the signing certificate to the code integrity policy, filling in the correct path and filenames for *<policypath>* and *<certpath>*:
+3.  Use [Add-SignerRule](https://technet.microsoft.com/library/mt634479.aspx) to add the signing certificate to the code integrity policy, filling in the correct path and filenames for `<policypath>` and `<certpath>`:
 
     ` Add-SignerRule -FilePath <policypath> -CertificatePath <certpath> -User `
 

windows/manage/manage-connections-from-windows-operating-system-components-to-microsoft-services.md

@@ -25,8 +25,9 @@ If you want to minimize connections from Windows to Microsoft services, or confi
 
 You can configure telemetry at the Security level, turn off Windows Defender telemetry and MSRT reporting, and turn off all other connections to Microsoft network endpoints as described in this article to help prevent Windows from sending any data to Microsoft. There are many reasons why these communications are enabled by default, such as updating malware definitions and maintain current certificate revocation lists, which is why we strongly recommend against this. This data helps us deliver a secure, reliable, and more delightful personalized experience.
 
-We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com.
+To help make it easier to deploy settings to restrict connections from Windows 10 to Microsoft, you can apply the [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887). This baseline was created in the same way as the [Windows security baselines](../keep-secure/windows-security-baselines.md) that are often used to efficiently configure Windows to a known secure state. Running the Windows Restricted Traffic Limited Functionality Baseline on devices in your organization will allow you to quickly configure all of the settings covered in this document. However, some of the settings reduce the functionality and security configuration of your device and are therefore not recommended. Make sure should you've chosen the right settings configuration for your environment before applying. Applying this baseline is equivalent to applying the Windows 10 steps covered in this article.
 
+We are always striving to improve our documentation and welcome your feedback. You can provide feedback by contacting telmhelp@microsoft.com.
 
 ## What's new in Windows 10, version 1607 and Windows Server 2016
 
@@ -1359,5 +1360,3 @@ You can turn off automatic updates by doing one of the following. This is not re
     -   **5**. Turn off automatic updates.
 
 To learn more, see [Device update management](http://msdn.microsoft.com/library/windows/hardware/dn957432.aspx) and [Configure Automatic Updates by using Group Policy](http://technet.microsoft.com/library/cc720539.aspx).
-
-To help make it easier to deploy settings to restrict connections from Windows 10 to Microsoft, you can apply the [Windows Restricted Traffic Limited Functionality Baseline](https://go.microsoft.com/fwlink/?linkid=828887). This baseline was created in the same way as the [Windows security baselines](../keep-secure/windows-security-baselines.md) that are often used to efficiently configure Windows to a known secure state. Running the Windows Restricted Traffic Limited Functionality Baseline on devices in your organization will allow you to quickly configure all of the settings covered in this document. However, some of the settings reduce the functionality and security configuration of your device and are therefore not recommended. Make sure should you've chosen the right settings configuration for your environment before applying.