diff --git a/devices/hololens/hololens-encryption.md b/devices/hololens/hololens-encryption.md index bbb59099b1..8a223c0745 100644 --- a/devices/hololens/hololens-encryption.md +++ b/devices/hololens/hololens-encryption.md @@ -8,12 +8,12 @@ author: jdeckerms ms.author: jdecker ms.topic: article ms.localizationpriority: medium -ms.date: 12/20/2017 +ms.date: 01/26/2019 --- # Enable encryption for HoloLens -You can enable [Bitlocker device encryption](https://docs.microsoft.com/windows/device-security/bitlocker/bitlocker-overview) to protect files and information stored on the HoloLens. Device encryption helps protect your data by encrypting it using AES-CBC 128 encryption method, which is equivalent to [EncryptionMethodByDriveType method 3](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp#encryptionmethodbydrivetype) in the BitLocker configuration service provider (CSP). Only someone with the right encryption key (such as a password) can decrypt it or perform a data recovery. +You can enable [BitLocker device encryption](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) to protect files and information stored on the HoloLens. Device encryption helps protect your data by encrypting it using AES-CBC 128 encryption method, which is equivalent to [EncryptionMethodByDriveType method 3](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp#encryptionmethodbydrivetype) in the BitLocker configuration service provider (CSP). Only someone with the right encryption key (such as a password) can decrypt it or perform a data recovery. 
@@ -100,6 +100,6 @@ Provisioning packages are files created by the Windows Configuration Designer to Encryption is silent on HoloLens. To verify the device encryption status: -- On HoloLens, go to **Settings** > **System** > **About**. **Bitlocker** is **enabled** if the device is encrypted. +- On HoloLens, go to **Settings** > **System** > **About**. **BitLocker** is **enabled** if the device is encrypted. -![About screen showing Bitlocker enabled](images/about-encryption.png) +![About screen showing BitLocker enabled](images/about-encryption.png) diff --git a/windows/client-management/mdm/index.md b/windows/client-management/mdm/index.md index eb70f310ec..c4cf3cf9b6 100644 --- a/windows/client-management/mdm/index.md +++ b/windows/client-management/mdm/index.md @@ -10,7 +10,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: jdeckerms -ms.date: 10/09/2018 +ms.date: 01/25/2019 --- # Mobile device management diff --git a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md index c50d59e7fa..52c8272547 100644 --- a/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md +++ b/windows/client-management/mdm/new-in-windows-mdm-enrollment-management.md 
@@ -22,32 +22,50 @@ For details about Microsoft mobile device management protocols for Windows 10 s ## In this section -- [What's new in Windows 10, version 1511](#whatsnew) -- [What's new in Windows 10, version 1607](#whatsnew1607) -- [What's new in Windows 10, version 1703](#whatsnew10) -- [What's new in Windows 10, version 1709](#whatsnew1709) -- [What's new in Windows 10, version 1803](#whatsnew1803) -- [What's new in Windows 10, version 1809](#whatsnew1809) -- [Change history in MDM documentation](#change-history-in-mdm-documentation) -- [Breaking changes and known issues](#breaking-changes-and-known-issues) - - [Get command inside an atomic command is not supported](#getcommand) - - [Notification channel URI not preserved during upgrade from Windows 8.1 to Windows 10](#notification) - - [Apps installed using WMI classes are not removed](#appsnotremoved) - - [Passing CDATA in SyncML does not work](#cdata) - - [SSL settings in IIS server for SCEP must be set to "Ignore"](#sslsettings) - - [MDM enrollment fails on the mobile device when traffic is going through proxy](#enrollmentviaproxy) - - [Server-initiated unenroll failure](#unenrollment) - - [Certificates causing issues with Wi-Fi and VPN](#certissues) - - [Version information for mobile devices](#versioninformation) - - [Upgrading Windows Phone 8.1 devices with app whitelisting using ApplicationRestriction policy has issues](#whitelist) - - [Apps dependent on Microsoft Frameworks may get blocked](#frameworks) - - [Multiple certificates might cause Wi-Fi connection instabilities in Windows 10 Mobile](#wificertissue) - - [Remote PIN reset not supported in Azure Active Directory joined mobile devices](#remote) - - [MDM client will immediately check-in with the MDM server after client renews WNS channel URI](#renewwns) - - [User provisioning failure in Azure Active Directory joined Windows 10 PC](#userprovisioning) - - [Requirements to note for VPN certificates also used for Kerberos Authentication](#kerberos) 
- - [Device management agent for the push-button reset is not working](#pushbuttonreset) -- [FAQ](#faq) +- [What's new in MDM enrollment and management](#whats-new-in-mdm-enrollment-and-management) + - [In this section](#in-this-section) + - [What's new in Windows 10, version 1511](#a-href%22%22-id%22whatsnew%22awhats-new-in-windows-10-version-1511) + - [What's new in Windows 10, version 1607](#a-href%22%22-id%22whatsnew1607%22awhats-new-in-windows-10-version-1607) + - [What's new in Windows 10, version 1703](#a-href%22%22-id%22whatsnew10%22awhats-new-in-windows-10-version-1703) + - [What's new in Windows 10, version 1709](#a-href%22%22-id%22whatsnew1709%22awhats-new-in-windows-10-version-1709) + - [What's new in Windows 10, version 1803](#a-href%22%22-id%22whatsnew1803%22awhats-new-in-windows-10-version-1803) + - [What's new in Windows 10, version 1809](#a-href%22%22-id%22whatsnew1809%22awhats-new-in-windows-10-version-1809) + - [Breaking changes and known issues](#breaking-changes-and-known-issues) + - [Get command inside an atomic command is not supported](#a-href%22%22-id%22getcommand%22aget-command-inside-an-atomic-command-is-not-supported) + - [Notification channel URI not preserved during upgrade from Windows 8.1 to Windows 10](#a-href%22%22-id%22notification%22anotification-channel-uri-not-preserved-during-upgrade-from-windows-81-to-windows-10) + - [Apps installed using WMI classes are not removed](#a-href%22%22-id%22appsnotremoved%22aapps-installed-using-wmi-classes-are-not-removed) + - [Passing CDATA in SyncML does not work](#a-href%22%22-id%22cdata%22apassing-cdata-in-syncml-does-not-work) + - [SSL settings in IIS server for SCEP must be set to "Ignore"](#a-href%22%22-id%22sslsettings%22assl-settings-in-iis-server-for-scep-must-be-set-to-%22ignore%22) + - [MDM enrollment fails on the mobile device when traffic is going through proxy](#a-href%22%22-id%22enrollmentviaproxy%22amdm-enrollment-fails-on-the-mobile-device-when-traffic-is-going-through-proxy) + 
- [Server-initiated unenrollment failure](#a-href%22%22-id%22unenrollment%22aserver-initiated-unenrollment-failure) + - [Certificates causing issues with Wi-Fi and VPN](#a-href%22%22-id%22certissues%22acertificates-causing-issues-with-wi-fi-and-vpn) + - [Version information for mobile devices](#a-href%22%22-id%22versioninformation%22aversion-information-for-mobile-devices) + - [Upgrading Windows Phone 8.1 devices with app whitelisting using ApplicationRestriction policy has issues](#a-href%22%22-id%22whitelist%22aupgrading-windows-phone-81-devices-with-app-whitelisting-using-applicationrestriction-policy-has-issues) + - [Apps dependent on Microsoft Frameworks may get blocked in phones prior to build 10586.218](#a-href%22%22-id%22frameworks%22aapps-dependent-on-microsoft-frameworks-may-get-blocked-in-phones-prior-to-build-10586218) + - [Multiple certificates might cause Wi-Fi connection instabilities in Windows 10 Mobile](#a-href%22%22-id%22wificertissue%22amultiple-certificates-might-cause-wi-fi-connection-instabilities-in-windows-10-mobile) + - [Remote PIN reset not supported in Azure Active Directory joined mobile devices](#a-href%22%22-id%22remote%22aremote-pin-reset-not-supported-in-azure-active-directory-joined-mobile-devices) + - [MDM client will immediately check-in with the MDM server after client renews WNS channel URI](#a-href%22%22-id%22renewwns%22amdm-client-will-immediately-check-in-with-the-mdm-server-after-client-renews-wns-channel-uri) + - [User provisioning failure in Azure Active Directory joined Windows 10 PC](#a-href%22%22-id%22userprovisioning%22auser-provisioning-failure-in-azure-active-directory-joined-windows-10-pc) + - [Requirements to note for VPN certificates also used for Kerberos Authentication](#a-href%22%22-id%22kerberos%22arequirements-to-note-for-vpn-certificates-also-used-for-kerberos-authentication) + - [Device management agent for the push-button reset is not 
working](#a-href%22%22-id%22pushbuttonreset%22adevice-management-agent-for-the-push-button-reset-is-not-working) + - [Change history in MDM documentation](#change-history-in-mdm-documentation) + - [January 2019](#january-2019) + - [December 2018](#december-2018) + - [September 2018](#september-2018) + - [August 2018](#august-2018) + - [July 2018](#july-2018) + - [June 2018](#june-2018) + - [May 2018](#may-2018) + - [April 2018](#april-2018) + - [March 2018](#march-2018) + - [February 2018](#february-2018) + - [January 2018](#january-2018) + - [December 2017](#december-2017) + - [November 2017](#november-2017) + - [October 2017](#october-2017) + - [September 2017](#september-2017) + - [August 2017](#august-2017) + - [FAQ](#faq) ## What's new in Windows 10, version 1511 @@ -1766,6 +1784,7 @@ The DM agent for [push-button reset](https://msdn.microsoft.com/windows/hardware |--- | ---| |[Policy CSP - Storage](policy-csp-storage.md)|Added the following new policies: AllowStorageSenseGlobal, ConfigStorageSenseGlobalCadence, AllowStorageSenseTemporaryFilesCleanup, ConfigStorageSenseRecycleBinCleanupThreshold, ConfigStorageSenseDownloadsCleanupThreshold, and ConfigStorageSenseCloudContentCleanupThreshold.| |[SharedPC CSP](sharedpc-csp.md)|Updated values and supported operations.| +|[Mobile device management](index.md)|Updated information about MDM Security Baseline.| ### December 2018 diff --git a/windows/client-management/mdm/policy-csp-dataprotection.md b/windows/client-management/mdm/policy-csp-dataprotection.md index a03fac3671..aabd7f1845 100644 --- a/windows/client-management/mdm/policy-csp-dataprotection.md +++ b/windows/client-management/mdm/policy-csp-dataprotection.md @@ -6,7 +6,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: MariciaAlforque -ms.date: 05/14/2018 +ms.date: 01/26/2019 --- # Policy CSP - DataProtection 
@@ -66,7 +66,7 @@ ms.date: 05/14/2018 -This policy setting allows you to block direct memory access (DMA) for all hot pluggable PCI downstream ports until a user logs into Windows. Once a user logs in, Windows will enumerate the PCI devices connected to the host plug PCI ports. Every time the user locks the machine, DMA will be blocked on hot plug PCI ports with no children devices until the user logs in again. Devices which were already enumerated when the machine was unlocked will continue to function until unplugged. This policy setting is only enforced when BitLocker or device encryption is enabled. +This policy setting allows you to block direct memory access (DMA) for all hot pluggable PCI downstream ports until a user logs into Windows. Once a user logs in, Windows will enumerate the PCI devices connected to the host plug PCI ports. Every time the user locks the machine, DMA will be blocked on hot plug PCI ports with no children devices until the user logs in again. Devices which were already enumerated when the machine was unlocked will continue to function until unplugged. This policy setting is only enforced when [BitLocker Device Encryption](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) is enabled. Most restricted value is 0. diff --git a/windows/client-management/mdm/policy-csp-security.md b/windows/client-management/mdm/policy-csp-security.md index 15119bff73..ec1d131e0d 100644 --- a/windows/client-management/mdm/policy-csp-security.md +++ b/windows/client-management/mdm/policy-csp-security.md 
@@ -148,7 +148,7 @@ The following list shows the supported values: > This policy is only enforced in Windows 10 for desktop and not supported in Windows 10 Mobile. -Specifies whether to allow automatic device encryption during OOBE when the device is Azure AD joined. +Specifies whether to allow automatic [device encryption](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) during OOBE when the device is Azure AD joined. @@ -479,7 +479,7 @@ The following list shows the supported values: Added in Windows 10, version 1607 to replace the deprecated policy **Security/AllowAutomaticDeviceEncryptionForAzureADJoinedDevices**. -Specifies whether to allow automatic device encryption during OOBE when the device is Azure AD joined. +Specifies whether to allow automatic [device encryption](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) during OOBE when the device is Azure AD joined. diff --git a/windows/client-management/windows-10-mobile-and-mdm.md b/windows/client-management/windows-10-mobile-and-mdm.md index 95e731061d..efb64966cc 100644 --- a/windows/client-management/windows-10-mobile-and-mdm.md +++ b/windows/client-management/windows-10-mobile-and-mdm.md @@ -9,7 +9,7 @@ ms.sitesec: library ms.pagetype: mobile, devices, security ms.localizationpriority: medium author: AMeeus -ms.date: 09/21/2017 +ms.date: 01/26/2019 --- # Windows 10 Mobile deployment and management guide 
@@ -460,7 +460,7 @@ Some device-wide settings for managing VPN connections can help you manage VPNs *Applies to: Corporate and personal devices* -Protecting the apps and data stored on a device is critical to device security. One method for helping protect your apps and data is to encrypt internal device storage. The device encryption in Windows 10 Mobile helps protect corporate data against unauthorized access, even when an unauthorized user has physical possession of the device. +Protecting the apps and data stored on a device is critical to device security. One method for helping protect your apps and data is to encrypt internal device storage. The [device encryption](https://docs.microsoft.com/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10#bitlocker-device-encryption) in Windows 10 Mobile helps protect corporate data against unauthorized access, even when an unauthorized user has physical possession of the device. Windows 10 Mobile also has the ability to install apps on a secure digital (SD) card. The operating system stores apps on a partition specifically designated for that purpose. This feature is always on so you don’t need to set a policy explicitly to enable it. diff --git a/windows/deployment/deploy-whats-new.md b/windows/deployment/deploy-whats-new.md index d5093e7e10..8abf7f283d 100644 --- a/windows/deployment/deploy-whats-new.md +++ b/windows/deployment/deploy-whats-new.md @@ -7,7 +7,6 @@ ms.localizationpriority: medium ms.prod: w10 ms.sitesec: library ms.pagetype: deploy -ms.date: 12/18/2018 author: greg-lindsay --- diff --git a/windows/deployment/windows-autopilot/TOC.md b/windows/deployment/windows-autopilot/TOC.md index 0911105dfa..32da345a29 100644 --- a/windows/deployment/windows-autopilot/TOC.md +++ b/windows/deployment/windows-autopilot/TOC.md 
@@ -24,6 +24,7 @@ ### [Administering Autopilot via Microsoft 365 Business & Office 365 Admin portal](https://support.office.com/article/Create-and-edit-Autopilot-profiles-5cf7139e-cfa1-4765-8aad-001af1c74faa) ## Getting started ### [Demonstrate Autopilot deployment on a VM](demonstrate-deployment-on-vm.md) +## [Customer consent](registration-auth.md) ## [Troubleshooting](troubleshooting.md) ## [FAQ](autopilot-faq.md) -## [Support](autopilot-support.md) \ No newline at end of file +## [Support](autopilot-support.md) diff --git a/windows/deployment/windows-autopilot/add-devices.md b/windows/deployment/windows-autopilot/add-devices.md index a10eb72607..db20123f7a 100644 --- a/windows/deployment/windows-autopilot/add-devices.md +++ b/windows/deployment/windows-autopilot/add-devices.md @@ -9,7 +9,6 @@ ms.sitesec: library ms.pagetype: deploy author: greg-lindsay ms.author: greg-lindsay -ms.date: 12/12/2018 --- # Adding devices to Windows Autopilot diff --git a/windows/deployment/windows-autopilot/configure-autopilot.md b/windows/deployment/windows-autopilot/configure-autopilot.md index 1913e60393..2a35ccf721 100644 --- a/windows/deployment/windows-autopilot/configure-autopilot.md +++ b/windows/deployment/windows-autopilot/configure-autopilot.md @@ -9,7 +9,6 @@ ms.sitesec: library ms.pagetype: deploy author: greg-lindsay ms.author: greg-lindsay -ms.date: 10/02/2018 --- # Configure Autopilot deployment @@ -32,4 +31,4 @@ When deploying new devices using Windows Autopilot, a common set of steps are re ## Related topics -[Windows Autopilot scenarios](windows-autopilot-scenarios.md) \ No newline at end of file +[Windows Autopilot scenarios](windows-autopilot-scenarios.md) diff --git a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md index 6a8c2d3e3d..f47603c201 100644 --- a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md 
+++ b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md @@ -9,7 +9,6 @@ ms.sitesec: library ms.pagetype: deploy author: greg-lindsay ms.author: greg-lindsay -ms.date: 10/02/2018 --- # Demonstrate Autopilot deployment on a VM diff --git a/windows/deployment/windows-autopilot/enrollment-status.md b/windows/deployment/windows-autopilot/enrollment-status.md index e5f113b83c..01a31ebad9 100644 --- a/windows/deployment/windows-autopilot/enrollment-status.md +++ b/windows/deployment/windows-autopilot/enrollment-status.md @@ -10,7 +10,6 @@ ms.pagetype: deploy ms.localizationpriority: medium author: greg-lindsay ms.author: greg-lindsay -ms.date: 12/13/2018 --- # Windows Autopilot Enrollment Status page @@ -63,6 +62,4 @@ For more information on configuring the Enrollment Status page, see the [Microso For details about the underlying implementation, see the [FirstSyncStatus details in the DMClient CSP docuementation](https://docs.microsoft.com/windows/client-management/mdm/dmclient-csp).
For more information about blocking for app installation: - [Blocking for app installation using Enrollment Status Page](https://blogs.technet.microsoft.com/mniehaus/2018/12/06/blocking-for-app-installation-using-enrollment-status-page/). -- [Support Tip: Office C2R installation is now tracked during ESP](https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Office-C2R-installation-is-now-tracked-during-ESP/ba-p/295514). - - +- [Support Tip: Office C2R installation is now tracked during ESP](https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Office-C2R-installation-is-now-tracked-during-ESP/ba-p/295514). \ No newline at end of file diff --git a/windows/deployment/windows-autopilot/images/csp1.png b/windows/deployment/windows-autopilot/images/csp1.png new file mode 100644 index 0000000000..81e59080c8 Binary files /dev/null and b/windows/deployment/windows-autopilot/images/csp1.png differ diff --git a/windows/deployment/windows-autopilot/images/csp2.png b/windows/deployment/windows-autopilot/images/csp2.png new file mode 100644 index 0000000000..cf095b831c Binary files /dev/null and b/windows/deployment/windows-autopilot/images/csp2.png differ diff --git a/windows/deployment/windows-autopilot/images/csp3.png b/windows/deployment/windows-autopilot/images/csp3.png new file mode 100644 index 0000000000..8b0647e4b4 Binary files /dev/null and b/windows/deployment/windows-autopilot/images/csp3.png differ diff --git a/windows/deployment/windows-autopilot/images/csp4.png b/windows/deployment/windows-autopilot/images/csp4.png new file mode 100644 index 0000000000..608128e5ab Binary files /dev/null and b/windows/deployment/windows-autopilot/images/csp4.png differ diff --git a/windows/deployment/windows-autopilot/images/csp5.png b/windows/deployment/windows-autopilot/images/csp5.png new file mode 100644 index 0000000000..f43097c62b Binary files /dev/null and b/windows/deployment/windows-autopilot/images/csp5.png differ 
diff --git a/windows/deployment/windows-autopilot/images/csp6.png b/windows/deployment/windows-autopilot/images/csp6.png new file mode 100644 index 0000000000..8b0647e4b4 Binary files /dev/null and b/windows/deployment/windows-autopilot/images/csp6.png differ diff --git a/windows/deployment/windows-autopilot/images/csp7.png b/windows/deployment/windows-autopilot/images/csp7.png new file mode 100644 index 0000000000..608128e5ab Binary files /dev/null and b/windows/deployment/windows-autopilot/images/csp7.png differ diff --git a/windows/deployment/windows-autopilot/profiles.md b/windows/deployment/windows-autopilot/profiles.md index dd9f40aa1a..32455a34ad 100644 --- a/windows/deployment/windows-autopilot/profiles.md +++ b/windows/deployment/windows-autopilot/profiles.md @@ -9,7 +9,6 @@ ms.sitesec: library ms.pagetype: deploy author: greg-lindsay ms.author: greg-lindsay -ms.date: 12/13/2018 --- # Configure Autopilot profiles @@ -58,4 +57,4 @@ The following profile settings are available: ## Related topics -[Configure Autopilot deployment](configure-autopilot.md) \ No newline at end of file +[Configure Autopilot deployment](configure-autopilot.md) diff --git a/windows/deployment/windows-autopilot/registration-auth.md b/windows/deployment/windows-autopilot/registration-auth.md new file mode 100644 index 0000000000..17a9875fb0 --- /dev/null +++ b/windows/deployment/windows-autopilot/registration-auth.md 
@@ -0,0 +1,75 @@ +--- +title: Windows Autopilot customer consent +description: Support information for Windows Autopilot +keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune, csp, OEM +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: low +ms.sitesec: library +ms.pagetype: deploy +author: greg-lindsay +ms.author: greg-lindsay +--- + +# Windows Autopilot customer consent + +**Applies to: Windows 10** + +This article describes how a cloud service provider (CSP) partner (direct bill, indirect provider, or indirect reseller) or an OEM can get customer authorization to register Windows Autopilot devices on the customer’s behalf. + +## CSP authorization + +CSP partners can get customer authorization to register Windows Autopilot devices on the customer’s behalf per the following restrictions: + + +
Direct CSPGets direct authorization from the customer to register devices. +
Indirect CSP ProviderGets implicit permission to register devices through the relationship their CSP Reseller partner has with the customer. Indirect CSP Providers register devices through Microsoft Partner Center. +
Indirect CSP ResellerGets direct authorization from the customer to register devices. At the same time, their indirect CSP Provider partner also gets authorization, which mean that either the Indirect Provider or the Indirect Reseller can register devices for the customer. However, the Indirect CSP Reseller must register devices through the MPC UI (manually uploading CSV file), whereas the Indirect CSP Provider has the option to register devices using the MPC APIs. +
+ +### Steps + +For a CSP to register Windows Autopilot devices on behalf of a customer, the customer must first grant that CSP partner permission using the following process: + +1. CSP sends link to customer requesting authorization/consent to register/manage devices on their behalf. To do so: + - CSP logs into Microsoft Partner Center + - Click **Dashboard** on the top menu + - Click **Customer** on the side menu + - Click the **Request a reseller relationship** link: + ![Request a reseller relationship](images/csp1.png) + - Select the checkbox indicating whether or not you want delegated admin rights: + ![Delegated rights](images/csp2.png) + - Send the template above to the customer via email. +2. Customer with global administrator privileges in Microsoft Store for Business (MSfB) clicks the link in the body of the email once they receive it from the CSP, which takes them directly to the following MSfB page: + + ![Global admin](images/csp3.png) + + NOTE: A user without global admin privileges who clicks the link will see a message similar to the following: + + ![Not global admin](images/csp4.png) + +3. Customer selects the **Yes** checkbox, followed by the **Accept** button. Authorization happens instantaneously. +4. The CSP will know that this consent/authorization request has been completed because the customer will show up in the CSP’s MPC account under their **customers** list, for example: + +![Customers](images/csp5.png) + +## OEM authorization + +Each OEM has a unique link to provide to their respective customers, which the OEM can request from Microsoft via msoemops@microsoft.com. + +1. OEM emails link to their customer. +2. 
Customer with global administrator privileges in Microsoft Store for Business (MSfB) clicks the link once they receive it from the OEM, which takes them directly to the following MSfB page: + + ![Global admin](images/csp6.png) + + NOTE: A user without global admin privileges who clicks the link will see a message similar to the following: + + ![Not global admin](images/csp7.png) +3. Customer selects the **Yes** checkbox, followed by the **Accept** button, and they’re done. Authorization happens instantaneously. + +4. The OEM can use the Validate Device Submission Data API to verify the consent has completed. This API is discussed in the latest version of the API Whitepaper, p. 14ff (https://devicepartner.microsoft.com/en-gb/assets/detail/windows-autopilot-integration-with-oem-api-design-whitepaper-docx). **Note**: this link is only accessible by Microsoft Device Partners. As discussed in this whitepaper, it’s a best practice recommendation for OEM partners to run the API check to confirm they’ve received customer consent before attempting to register devices, thus avoiding errors in the registration process. + +## Summary + +At this stage of the process, Microsoft is no longer involved; the consent exchange happens directly between the OEM and the customer. And, it all happens instantaneously - as quickly as buttons are clicked. + diff --git a/windows/deployment/windows-autopilot/rip-and-replace.md b/windows/deployment/windows-autopilot/rip-and-replace.md new file mode 100644 index 0000000000..b75fced878 --- /dev/null +++ b/windows/deployment/windows-autopilot/rip-and-replace.md 
@@ -0,0 +1,19 @@ +--- +title: Rip and Replace +description: Listing of Autopilot scenarios +keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune +ms.prod: w10 +ms.mktglfcycl: deploy +ms.localizationpriority: high +ms.sitesec: library +ms.pagetype: deploy +author: coreyp-at-msft +ms.author: coreyp +ms.date: 06/01/2018 +--- + +# Rip and replace + +**Applies to: Windows 10** + +DO NOT PUBLISH. Just a placeholder for now, coming with 1809. \ No newline at end of file diff --git a/windows/deployment/windows-autopilot/self-deploying.md b/windows/deployment/windows-autopilot/self-deploying.md index b4e8171fa3..697dc354e7 100644 --- a/windows/deployment/windows-autopilot/self-deploying.md +++ b/windows/deployment/windows-autopilot/self-deploying.md @@ -10,7 +10,6 @@ ms.pagetype: ms.localizationpriority: medium author: greg-lindsay ms.author: greg-lindsay -ms.date: 10/02/2018 --- # Windows Autopilot Self-Deploying mode (Preview) diff --git a/windows/deployment/windows-autopilot/troubleshooting.md b/windows/deployment/windows-autopilot/troubleshooting.md index 8d39c2b0a0..8a248dbf27 100644 --- a/windows/deployment/windows-autopilot/troubleshooting.md +++ b/windows/deployment/windows-autopilot/troubleshooting.md @@ -9,7 +9,6 @@ ms.sitesec: library ms.pagetype: deploy author: greg-lindsay ms.author: greg-lindsay -ms.date: 10/02/2018 --- # Troubleshooting Windows Autopilot diff --git a/windows/deployment/windows-autopilot/user-driven-aad.md b/windows/deployment/windows-autopilot/user-driven-aad.md index b63517060d..50dd79e58e 100644 --- a/windows/deployment/windows-autopilot/user-driven-aad.md +++ b/windows/deployment/windows-autopilot/user-driven-aad.md @@ -9,7 +9,6 @@ ms.sitesec: library ms.pagetype: deploy author: greg-lindsay ms.author: greg-lindsay -ms.date: 11/07/2018 --- # Windows Autopilot user-driven mode for Azure Active Directory join 
@@ -32,4 +31,4 @@ For each device that will be deployed using user-driven deployment, these additi - If using Intune and Azure Active Directory static device groups, manually add the device to the device group. - If using other methods (e.g. Microsoft Store for Business or Partner Center), manually assign an Autopilot profile to the device. -Also see the **Validation** section in the [Windows Autopilot user-driven mode](user-driven.md) topic. +Also see the **Validation** section in the [Windows Autopilot user-driven mode](user-driven.md) topic. \ No newline at end of file diff --git a/windows/deployment/windows-autopilot/user-driven-hybrid.md b/windows/deployment/windows-autopilot/user-driven-hybrid.md index a5fa678ff4..895992424d 100644 --- a/windows/deployment/windows-autopilot/user-driven-hybrid.md +++ b/windows/deployment/windows-autopilot/user-driven-hybrid.md @@ -9,7 +9,6 @@ ms.sitesec: library ms.pagetype: deploy author: greg-lindsay ms.author: greg-lindsay -ms.date: 11/12/2018 --- @@ -37,4 +36,4 @@ To perform a user-driven hybrid AAD joined deployment using Windows Autopilot: See [Deploy hybrid Azure AD joined devices using Intune and Windows Autopilot](https://docs.microsoft.com/intune/windows-autopilot-hybrid). -Also see the **Validation** section in the [Windows Autopilot user-driven mode](user-driven.md) topic. \ No newline at end of file +Also see the **Validation** section in the [Windows Autopilot user-driven mode](user-driven.md) topic. diff --git a/windows/deployment/windows-autopilot/user-driven.md b/windows/deployment/windows-autopilot/user-driven.md index 4fd86ef3b5..efe36198a5 100644 --- a/windows/deployment/windows-autopilot/user-driven.md +++ b/windows/deployment/windows-autopilot/user-driven.md @@ -10,7 +10,6 @@ ms.pagetype: deploy author: greg-lindsay ms.date: 11/07/2018 ms.author: greg-lindsay -ms.date: 11/07/2018 --- # Windows Autopilot user-driven mode 
diff --git a/windows/deployment/windows-autopilot/windows-autopilot-requirements-configuration.md b/windows/deployment/windows-autopilot/windows-autopilot-requirements-configuration.md index d71d8e0a81..ed91b71732 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot-requirements-configuration.md +++ b/windows/deployment/windows-autopilot/windows-autopilot-requirements-configuration.md @@ -9,7 +9,6 @@ ms.sitesec: library ms.pagetype: deploy author: greg-lindsay ms.author: greg-lindsay -ms.date: 10/02/2018 --- # Windows Autopilot configuration requirements diff --git a/windows/deployment/windows-autopilot/windows-autopilot-requirements-licensing.md b/windows/deployment/windows-autopilot/windows-autopilot-requirements-licensing.md index e7df24a12c..ce596226f3 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot-requirements-licensing.md +++ b/windows/deployment/windows-autopilot/windows-autopilot-requirements-licensing.md @@ -9,10 +9,8 @@ ms.sitesec: library ms.pagetype: deploy author: greg-lindsay ms.author: greg-lindsay -ms.date: 10/02/2018 -ms.author: greg-lindsay -ms.date: 10/02/2018 --- + # Windows Autopilot licensing requirements **Applies to: Windows 10** diff --git a/windows/deployment/windows-autopilot/windows-autopilot-requirements-network.md b/windows/deployment/windows-autopilot/windows-autopilot-requirements-network.md index 5474e7fb94..ff491c2f9d 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot-requirements-network.md +++ b/windows/deployment/windows-autopilot/windows-autopilot-requirements-network.md @@ -9,7 +9,6 @@ ms.sitesec: library ms.pagetype: deploy author: greg-lindsay ms.author: greg-lindsay -ms.date: 10/02/2018 --- # Windows Autopilot networking requirements diff --git a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md index e2dc975086..52a620b6cd 100644 
--- a/windows/deployment/windows-autopilot/windows-autopilot-requirements.md +++ b/windows/deployment/windows-autopilot/windows-autopilot-requirements.md @@ -9,7 +9,6 @@ ms.sitesec: library ms.pagetype: deploy author: greg-lindsay ms.author: greg-lindsay -ms.date: 12/13/2018 --- # Windows Autopilot requirements @@ -28,4 +27,4 @@ There are no additional hardware requirements to use Windows 10 Autopilot, beyon ## Related topics -[Configure Autopilot deployment](configure-autopilot.md) \ No newline at end of file +[Configure Autopilot deployment](configure-autopilot.md) diff --git a/windows/deployment/windows-autopilot/windows-autopilot-reset-local.md b/windows/deployment/windows-autopilot/windows-autopilot-reset-local.md index c97d79add8..59ee22ba1a 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot-reset-local.md +++ b/windows/deployment/windows-autopilot/windows-autopilot-reset-local.md @@ -10,7 +10,6 @@ ms.pagetype: ms.localizationpriority: medium author: greg-lindsay ms.author: greg-lindsay -ms.date: 10/02/2018 --- # Reset devices with local Windows Autopilot Reset diff --git a/windows/deployment/windows-autopilot/windows-autopilot-reset-remote.md b/windows/deployment/windows-autopilot/windows-autopilot-reset-remote.md index 1f7cca216f..991d7dd424 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot-reset-remote.md +++ b/windows/deployment/windows-autopilot/windows-autopilot-reset-remote.md @@ -10,7 +10,6 @@ ms.pagetype: ms.localizationpriority: medium author: greg-lindsay ms.author: greg-lindsay -ms.date: 10/02/2018 --- # Reset devices with remote Windows Autopilot Reset (Preview) diff --git a/windows/deployment/windows-autopilot/windows-autopilot-reset.md b/windows/deployment/windows-autopilot/windows-autopilot-reset.md index 9e83d32bbb..05d45ae57a 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot-reset.md +++ b/windows/deployment/windows-autopilot/windows-autopilot-reset.md 
@@ -10,7 +10,6 @@ ms.pagetype: ms.localizationpriority: medium author: greg-lindsay ms.author: greg-lindsay -ms.date: 10/02/2018 --- # Windows Autopilot Reset diff --git a/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md b/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md index 8dc1b58886..e59b199a77 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md +++ b/windows/deployment/windows-autopilot/windows-autopilot-scenarios.md @@ -9,7 +9,6 @@ ms.sitesec: library ms.pagetype: deploy author: greg-lindsay ms.author: greg-lindsay -ms.date: 12/13/2018 --- # Windows Autopilot scenarios diff --git a/windows/deployment/windows-autopilot/windows-autopilot.md b/windows/deployment/windows-autopilot/windows-autopilot.md index 0cf15ed303..e9043c8a72 100644 --- a/windows/deployment/windows-autopilot/windows-autopilot.md +++ b/windows/deployment/windows-autopilot/windows-autopilot.md @@ -9,7 +9,6 @@ ms.sitesec: library ms.pagetype: deploy author: greg-lindsay ms.author: greg-lindsay -ms.date: 01/03/2018 --- # Overview of Windows Autopilot @@ -71,4 +70,4 @@ See [Windows Autopilot scenarios](https://docs.microsoft.com/en-us/windows/deplo ## Related topics -[Enroll Windows devices in Intune by using Windows Autopilot](https://docs.microsoft.com/en-us/intune/enrollment-autopilot) \ No newline at end of file +[Enroll Windows devices in Intune by using Windows Autopilot](https://docs.microsoft.com/en-us/intune/enrollment-autopilot) diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md index 41a434f60a..3a6301c3fc 100644 --- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md +++ b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md 
@@ -8,7 +8,7 @@ ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium author: brianlic-msft -ms.date: 09/17/2018 +ms.date: 01/26/2019 --- # BitLocker Management for Enterprises 
@@ -25,11 +25,11 @@ Enterprises can use [Microsoft BitLocker Administration and Monitoring (MBAM)](h ## Managing devices joined to Azure Active Directory -Devices joined to Azure AD are managed using Mobile Device Management (MDM) policy from an MDM solution such as [Microsoft Intune](https://www.microsoft.com/cloud-platform/microsoft-intune). BitLocker Device Encryption status can be queried from managed machines via the [Policy Configuration Settings Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider), which reports on whether BitLocker Device Encryption is enabled on the device. Compliance with BitLocker Device Encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access) to services like Exchange Online and SharePoint Online. +Devices joined to Azure AD are managed using Mobile Device Management (MDM) policy from an MDM solution such as Microsoft Intune. [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) status can be queried from managed machines via the [Policy Configuration Settings Provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider), which reports on whether BitLocker Device Encryption is enabled on the device. Compliance with BitLocker Device Encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access) to services like Exchange Online and SharePoint Online. Starting with Windows 10 version 1703 (also known as the Windows Creators Update), the enablement of BitLocker can be triggered over MDM either by the [Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) or the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp). 
The BitLocker CSP adds policy options that go beyond ensuring that encryption has occurred, and is available on computers that run Windows 10 Business or Enterprise editions and on Windows Phones. -For hardware that is compliant with Modern Standby and HSTI, when using either of these features, BitLocker Device Encryption is automatically turned on whenever the user joins a device to Azure AD. Azure AD provides a portal where recovery keys are also backed up, so users can retrieve their own recovery key for self-service, if required. For older devices that are not yet encrypted, beginning with Windows 10 version 1703 (the Windows 10 Creators Update), admins can use the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp) to trigger encryption and store the recovery key in Azure AD. +For hardware that is compliant with Modern Standby and HSTI, when using either of these features, [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) is automatically turned on whenever the user joins a device to Azure AD. Azure AD provides a portal where recovery keys are also backed up, so users can retrieve their own recovery key for self-service, if required. For older devices that are not yet encrypted, beginning with Windows 10 version 1703 (the Windows 10 Creators Update), admins can use the [BitLocker CSP](https://docs.microsoft.com/windows/client-management/mdm/bitlocker-csp) to trigger encryption and store the recovery key in Azure AD. ## Managing workplace-joined PCs and phones
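Review bot: The hunk at the top of this section (@@ -32,4 +31,4 @@, ending in "Also see the **Validation** section ...") strips the file's trailing newline: its added line is followed by "\ No newline at end of file", whereas the user-driven-hybrid.md, windows-autopilot-requirements.md and windows-autopilot.md hunks in this same patch go the other way and add the missing newline. Keep the final newline here as well, so that all touched files end the same way and the next edit to this file does not show a spurious change on its last line.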
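Review bot: ms.date is treated three different ways across these front-matter hunks. Most windows-autopilot files lose the field entirely (for example `-ms.date: 11/12/2018` in user-driven-hybrid.md and both copies in windows-autopilot-requirements-licensing.md, with no `+ms.date` line), user-driven.md only drops the duplicate and keeps `ms.date: 11/07/2018`, and bitlocker-management-for-enterprises.md bumps it to 01/26/2019. If removing the field from the Autopilot topics is intended, state that in the change description and remove it from user-driven.md too; otherwise keep a single, updated ms.date in each file whose content changed.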
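Review bot: In the @@ -25,11 +25,11 @@ hunk of bitlocker-management-for-enterprises.md, the rewritten first paragraph still says "Policy Configuration Settings Provider (CSP)", although its link target is policy-configuration-service-provider and the next paragraph calls the same component the "Policy CSP". Since the line is being edited anyway, correct the name to "Policy configuration service provider (CSP)". The same added line also silently drops the hyperlink from "Microsoft Intune"; if that is deliberate, mention it in the change description. The new bitlocker-device-encryption-overview-windows-10.md link is also added on two mentions a few sentences apart, where linking only the first would be enough.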