From 60b1a6c0a34e36445dc4096a475c5497b0a16cf1 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Fri, 21 Jun 2019 18:20:33 +0500 Subject: [PATCH 01/42] Vote or Suggetion link updated The link was pointing to the old un-available document. A link has been updated to point to Windows feedback hub. Problem: https://github.com/MicrosoftDocs/windows-itpro-docs/issues/4028 --- mdop/mbam-v25/about-mbam-25.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mdop/mbam-v25/about-mbam-25.md b/mdop/mbam-v25/about-mbam-25.md index e379ef1ec5..dcd5231852 100644 --- a/mdop/mbam-v25/about-mbam-25.md +++ b/mdop/mbam-v25/about-mbam-25.md @@ -358,7 +358,7 @@ MBAM is a part of the Microsoft Desktop Optimization Pack (MDOP). MDOP is part o For more information and late-breaking news that is not included in this documentation, see [Release Notes for MBAM 2.5](release-notes-for-mbam-25.md). ## Got a suggestion for MBAM? -- Add or vote on suggestions [here](http://mbam.uservoice.com/forums/268571-microsoft-bitlocker-administration-and-monitoring). +- Add or vote on suggestions [here](https://support.microsoft.com/en-us/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub). - For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). ## Related topics From d6ebb11a6169c81f6aa0f258fd7658c656c25c05 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Mon, 24 Jun 2019 09:34:41 +0500 Subject: [PATCH 02/42] updated the redirected URL to direct URL Updated the redirected URL to updated URL for Windows Analytics blog. --- windows/deployment/upgrade/upgrade-readiness-get-started.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/deployment/upgrade/upgrade-readiness-get-started.md b/windows/deployment/upgrade/upgrade-readiness-get-started.md index a75f7d866b..3cfb3be1df 100644 
--- a/windows/deployment/upgrade/upgrade-readiness-get-started.md +++ b/windows/deployment/upgrade/upgrade-readiness-get-started.md @@ -26,7 +26,7 @@ You can use Upgrade Readiness to plan and manage your upgrade project end-to-end Before you begin, consider reviewing the following helpful information:
- [Upgrade Readiness requirements](upgrade-readiness-requirements.md): Provides detailed requirements to use Upgrade Readiness.
- - [Upgrade Readiness blog](https://aka.ms/blog/WindowsAnalytics): Contains announcements of new features and provides helpful tips for using Upgrade Readiness. + - [Upgrade Readiness blog](https://techcommunity.microsoft.com/t5/Windows-Analytics-Blog/bg-p/WindowsAnalyticsBlog): Contains announcements of new features and provides helpful tips for using Upgrade Readiness. >If you are using System Center Configuration Manager, also check out information about how to integrate Upgrade Readiness with Configuration Manager: [Integrate Upgrade Readiness with System Center Configuration Manager](https://docs.microsoft.com/sccm/core/clients/manage/upgrade/upgrade-analytics). From 20eb2b0ccf39461f50e3c64bf5a3f5bf8f7e28c8 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Tue, 25 Jun 2019 09:22:43 +0500 Subject: [PATCH 03/42] Update mdop/mbam-v25/about-mbam-25.md Co-Authored-By: JohanFreelancer9 <48568725+JohanFreelancer9@users.noreply.github.com> --- mdop/mbam-v25/about-mbam-25.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mdop/mbam-v25/about-mbam-25.md b/mdop/mbam-v25/about-mbam-25.md index dcd5231852..d9e5e9dc21 100644 --- a/mdop/mbam-v25/about-mbam-25.md +++ b/mdop/mbam-v25/about-mbam-25.md @@ -358,7 +358,7 @@ MBAM is a part of the Microsoft Desktop Optimization Pack (MDOP). MDOP is part o For more information and late-breaking news that is not included in this documentation, see [Release Notes for MBAM 2.5](release-notes-for-mbam-25.md). ## Got a suggestion for MBAM? -- Add or vote on suggestions [here](https://support.microsoft.com/en-us/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub). +- Add or vote on suggestions [here](https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub). - For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). ## Related topics 
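Review bot: In the about-mbam-25.md hunk, the link text "here" says nothing about where the reader is sent, and the new target is the general Windows 10 Feedback Hub help article while the line still reads "Add or vote on suggestions" under the heading "Got a suggestion for MBAM?". Name the destination in the link text, for example "Send feedback through [Feedback Hub](...)", so the reader knows this is no longer an MBAM-specific suggestion forum.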
From 8c5bd25dfbd4ef34800ae471ea8e61e84e8769a2 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Tue, 25 Jun 2019 19:36:02 +0500 Subject: [PATCH 04/42] Update mdop/mbam-v25/about-mbam-25.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- mdop/mbam-v25/about-mbam-25.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/mdop/mbam-v25/about-mbam-25.md b/mdop/mbam-v25/about-mbam-25.md index d9e5e9dc21..7afb0c3d9f 100644 --- a/mdop/mbam-v25/about-mbam-25.md +++ b/mdop/mbam-v25/about-mbam-25.md @@ -358,7 +358,7 @@ MBAM is a part of the Microsoft Desktop Optimization Pack (MDOP). MDOP is part o For more information and late-breaking news that is not included in this documentation, see [Release Notes for MBAM 2.5](release-notes-for-mbam-25.md). ## Got a suggestion for MBAM? -- Add or vote on suggestions [here](https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub). +- Send your feedback [here](https://support.microsoft.com/help/4021566/windows-10-send-feedback-to-microsoft-with-feedback-hub). - For MBAM issues, use the [MBAM TechNet Forum](https://social.technet.microsoft.com/Forums/home?forum=mdopmbam). ## Related topics From 95e0e621bfc366cca2370c2f21c8ee700efd61a0 Mon Sep 17 00:00:00 2001 From: HarshithaCMurthy <52260858+HarshithaCMurthy@users.noreply.github.com> Date: Wed, 26 Jun 2019 14:54:40 -0700 Subject: [PATCH 05/42] Updating aka link to SDT4B --- .../surface/surface-diagnostic-toolkit-for-business-intro.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devices/surface/surface-diagnostic-toolkit-for-business-intro.md b/devices/surface/surface-diagnostic-toolkit-for-business-intro.md index 26bac290b4..83613f4a36 100644 --- a/devices/surface/surface-diagnostic-toolkit-for-business-intro.md +++ b/devices/surface/surface-diagnostic-toolkit-for-business-intro.md 
@@ -28,7 +28,7 @@ Before you run the diagnostic tool, make sure you have the latest Windows update **To run the Surface Diagnostic Toolkit for Business:** -1. Download the [Surface Diagnostic Toolkit for Business](https://aka.ms/checkmysurface). +1. Download the [Surface Diagnostic Toolkit for Business](https://aka.ms/SDT4B). 2. Select Run and follow the on-screen instructions. The diagnosis and repair time averages 15 minutes but could take an hour or longer, depending on internet connection speed and the number of updates or repairs required. For more detailed information on Surface Diagnostic Toolkit for Business, refer to [Deploy Surface Diagnostic Toolkit for Business](https://docs.microsoft.com/surface/surface-diagnostic-toolkit-business). From 0ee3105d2103b3635a48a66a79ece18962bec489 Mon Sep 17 00:00:00 2001 From: Jose Ortega Date: Thu, 27 Jun 2019 01:29:21 -0500 Subject: [PATCH 06/42] Solving #4073 New PR substitutes PR #4244 --- windows/client-management/mdm/policy-csp-authentication.md | 3 +++ 1 file changed, 3 insertions(+) diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md index 71ca1629b3..eb9f2cb7aa 100644 --- a/windows/client-management/mdm/policy-csp-authentication.md +++ b/windows/client-management/mdm/policy-csp-authentication.md @@ -358,6 +358,9 @@ The following list shows the supported values: This policy is intended for use on Shared PCs to enable a quick first sign-in experience for a user. It works by automatically connecting new non-admin Azure Active Directory (Azure AD) accounts to the pre-configured candidate local accounts. +> [!Important] +> Pre-configured candidate local accounts: Means any **local account** (preconfigured or added) that you could have in the device. + Value type is integer. Supported values: - 0 - (default) The feature defaults to the existing SKU and device capabilities. 
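Review bot: The added `> [!Important]` block in policy-csp-authentication.md defines the term with a fragment ("Pre-configured candidate local accounts: Means any **local account** (preconfigured or added) that you could have in the device"), which leaves open whether every local account on the device, including administrator accounts, is a candidate for the automatic connection described in the paragraph above it. Rewrite it as a full sentence that states the scope explicitly, and use the uppercase alert keyword (`[!IMPORTANT]`) to match the `[!NOTE]` and `[!WARNING]` blocks used elsewhere in these docs.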
From 05ff7d589afa6b9b415ccac781f67982b3bd01c6 Mon Sep 17 00:00:00 2001 From: Jose Ortega Date: Thu, 27 Jun 2019 01:48:26 -0500 Subject: [PATCH 07/42] Taskbar customization --- ...indows-10-start-screens-by-using-mobile-device-management.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md index f01c3b9f44..790bccec58 100644 --- a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md +++ b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md @@ -30,7 +30,7 @@ In Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, you can us >[!NOTE] >Support for applying a customized taskbar using MDM is added in Windows 10, version 1703. -**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) for desktop editions. +**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) for desktop editions. This preparation also works for taskbar customization. >[!WARNING] >When a full Start layout is applied with this method, the users cannot pin, unpin, or uninstall apps from Start. Users can view and open all apps in the **All Apps** view, but they cannot pin any apps to Start. When a partial Start layout is applied, the contents of the specified tile groups cannot be changed, but users can move those groups, and can also create and customize their own groups. From 6ae818f0fb440424909bdef7875d88791bb3123c Mon Sep 17 00:00:00 2001 
From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Thu, 27 Jun 2019 22:33:14 +0530 Subject: [PATCH 08/42] I adjusted the bottom line because of this issue #4278. i corrected second issue here --- .../windows-defender-exploit-guard/event-views-exploit-guard.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md index 7d3b72d249..10fd0029ce 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md @@ -179,6 +179,4 @@ Controlled folder access | Windows Defender (Operational) | 1127 | Blocked Contr Controlled folder access | Windows Defender (Operational) | 1128 | Audited Controlled folder access sector write block event Attack surface reduction | Windows Defender (Operational) | 5007 | Event when settings are changed Attack surface reduction | Windows Defender (Operational) | 1122 | Event when rule fires in Audit-mode - - Attack surface reduction | Windows Defender (Operational) | 1121 | Event when rule fires in Block-mode From 644b670d6b852be6246a1efca7d1997e6a6e4f39 Mon Sep 17 00:00:00 2001 From: Jose Gabriel Ortega Castro Date: Fri, 28 Jun 2019 12:13:47 -0500 Subject: [PATCH 09/42] Update windows/client-management/mdm/policy-csp-authentication.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- windows/client-management/mdm/policy-csp-authentication.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/client-management/mdm/policy-csp-authentication.md b/windows/client-management/mdm/policy-csp-authentication.md index eb9f2cb7aa..3b5cfe28d0 100644 --- a/windows/client-management/mdm/policy-csp-authentication.md 
+++ b/windows/client-management/mdm/policy-csp-authentication.md @@ -359,7 +359,7 @@ The following list shows the supported values: This policy is intended for use on Shared PCs to enable a quick first sign-in experience for a user. It works by automatically connecting new non-admin Azure Active Directory (Azure AD) accounts to the pre-configured candidate local accounts. > [!Important] -> Pre-configured candidate local accounts: Means any **local account** (preconfigured or added) that you could have in the device. +> Pre-configured candidate local accounts are any local accounts (pre-configured or added) in your device. Value type is integer. Supported values: From 7960f2f408a2f97875360fc054d0839b48b8efb6 Mon Sep 17 00:00:00 2001 From: Jose Gabriel Ortega Castro Date: Fri, 28 Jun 2019 12:15:07 -0500 Subject: [PATCH 10/42] Update windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- ...indows-10-start-screens-by-using-mobile-device-management.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md index 790bccec58..bda947c233 100644 --- a/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md +++ b/windows/configuration/customize-windows-10-start-screens-by-using-mobile-device-management.md 
@@ -30,7 +30,7 @@ In Windows 10 Pro, Windows 10 Enterprise, and Windows 10 Education, you can us >[!NOTE] >Support for applying a customized taskbar using MDM is added in Windows 10, version 1703. -**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) for desktop editions. This preparation also works for taskbar customization. +**Before you begin**: [Customize and export Start layout](customize-and-export-start-layout.md) for desktop editions (also works for taskbar customization). >[!WARNING] >When a full Start layout is applied with this method, the users cannot pin, unpin, or uninstall apps from Start. Users can view and open all apps in the **All Apps** view, but they cannot pin any apps to Start. When a partial Start layout is applied, the contents of the specified tile groups cannot be changed, but users can move those groups, and can also create and customize their own groups. From 6c6d1bb7ea1e7956ed517f9939c4d7f579c4c9f0 Mon Sep 17 00:00:00 2001 From: damabe Date: Fri, 28 Jun 2019 12:46:56 -0700 Subject: [PATCH 11/42] Fix link and md headings for User Story 1562968 --- devices/hololens/hololens-kiosk.md | 12 ------------ 1 file changed, 12 deletions(-) diff --git a/devices/hololens/hololens-kiosk.md b/devices/hololens/hololens-kiosk.md index 01dcda9e51..37362f8958 100644 --- a/devices/hololens/hololens-kiosk.md +++ b/devices/hololens/hololens-kiosk.md @@ -46,7 +46,6 @@ For HoloLens devices running Windows 10, version 1803, there are three methods t For HoloLens devices running Windows 10, version 1607, you can [use the Windows Device Portal](#portal-kiosk) to configure single-app kiosks. - ## Start layout for HoloLens If you use [MDM, Microsoft Intune](#intune-kiosk), or a [provisioning package](#ppkg-kiosk) to configure a multi-app kiosk, the procedure requires a Start layout. Start layout customization isn't supported in Holographic for Business, so you'll need to use a placeholder Start layout. 
@@ -54,7 +53,6 @@ If you use [MDM, Microsoft Intune](#intune-kiosk), or a [provisioning package](# >[!NOTE] >Because a single-app kiosk launches the kiosk app when a user signs in, there is no Start screen displayed. - ### Start layout file for MDM (Intune and others) Save the following sample as an XML file. You will select this file when you configure the kiosk in Microsoft Intune (or in another MDM service that provides a kiosk profile). @@ -102,7 +100,6 @@ You will [create an XML file](#ppkg-kiosk) to define the kiosk configuration to ``` - ## Set up kiosk mode using Microsoft Intune or MDM (Windows 10, version 1803) For HoloLens devices that are managed by Microsoft Intune, you [create a device profile](https://docs.microsoft.com/intune/device-profile-create) and configure the [Kiosk settings](https://docs.microsoft.com/intune/kiosk-settings). @@ -110,8 +107,6 @@ For HoloLens devices that are managed by Microsoft Intune, you [create a device For other MDM services, check your provider's documentation for instructions. If you need to use a custom setting and full XML configuration to set up a kiosk in your MDM service, [create an XML file that defines the kiosk configuration](#create-xml-file), and make sure to include the [Start layout](#start-layout-for-a-provisioning-package) in the XML file. - - ## Setup kiosk mode using a provisioning package (Windows 10, version 1803) Process: @@ -119,7 +114,6 @@ Process: 2. [Add the XML file to a provisioning package.](#add-xml) 3. [Apply the provisioning package to HoloLens.](#apply-ppkg) - ### Create a kiosk configuration XML file Follow [the instructions for creating a kiosk configuration XML file for desktop](https://docs.microsoft.com/windows/configuration/lock-down-windows-10-to-specific-apps#configure-a-kiosk-using-a-provisioning-package), with the following exceptions: 
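Review bot: The lines deleted before the headings in hololens-kiosk.md show up here as empty, but the unchanged context still links to custom fragments such as `#create-xml-file`, `#add-xml`, `#apply-ppkg`, `#ppkg-kiosk` and `#intune-kiosk`, none of which matches a slug generated from the heading text (for example "### Create a kiosk configuration XML file"). If the removed lines carried the anchors for those fragments, every one of these in-page links now breaks; either keep the anchors or update the links to the heading slugs in the same change. Since the subject mentions heading fixes, "## Setup kiosk mode using a provisioning package" could also become "Set up" to match the other two headings.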
@@ -127,7 +121,6 @@ Follow [the instructions for creating a kiosk configuration XML file for desktop - Do not include Classic Windows applications (Win32) since they aren't supported on HoloLens. - Use the [placeholder Start XML](#start-kiosk) for HoloLens. - #### Add guest access to the kiosk configuration (optional) In the [Configs section of the XML file](https://docs.microsoft.com/windows/configuration/lock-down-windows-10-to-specific-apps#configs), you can configure a special group named **Visitor** to allow guests to use the kiosk. When the kiosk is configured with the **Visitor** special group, a "**Guest**" option is added to the sign-in page. The **Guest** account does not require a password, and any data associated with the account is deleted when the account signs out. @@ -143,8 +136,6 @@ Use the following snippet in your kiosk configuration XML to enable the **Guest* ``` - - ### Add the kiosk configuration XML file to a provisioning package 1. Open [Windows Configuration Designer](https://www.microsoft.com/store/apps/9nblggh4tx22). @@ -174,8 +165,6 @@ Use the following snippet in your kiosk configuration XML to enable the **Guest* 16. Click **Build** to start building the package. The provisioning package doesn't take long to build. The project information is displayed in the build page and the progress bar indicates the build status. - - ### Apply the provisioning package to HoloLens 1. Connect HoloLens via USB to a PC and start the device, but do not continue past the **Fit** page of OOBE (the first page with the blue box). 
@@ -191,7 +180,6 @@ Use the following snippet in your kiosk configuration XML to enable the **Guest* 7. You will see whether the package was applied successfully or not. If it failed, you can fix your package and try again. If it succeeded, proceed with OOBE. - ## Set up kiosk mode using the Windows Device Portal (Windows 10, version 1607 and version 1803) 1. [Set up the HoloLens to use the Windows Device Portal](https://developer.microsoft.com/windows/mixed-reality/using_the_windows_device_portal#setting_up_hololens_to_use_windows_device_portal). The Device Portal is a web server on your HoloLens that you can connect to from a web browser on your PC. From 5931cb9c89021511b9ffa642df213d6e7d3f3a25 Mon Sep 17 00:00:00 2001 From: Richard Zhang Date: Fri, 28 Jun 2019 13:07:09 -0700 Subject: [PATCH 12/42] add new support for SQL server 2016 sp2 and SQL 2017 this is Richard from Microsoft AppV team, we have complete the test for the latest SQL servers, and update the tech doc now. --- .../app-v-51-supported-configurations.md | 24 +++++++++++++++++-- 1 file changed, 22 insertions(+), 2 deletions(-) diff --git a/mdop/appv-v5/app-v-51-supported-configurations.md b/mdop/appv-v5/app-v-51-supported-configurations.md index 8b83ac6fad..63e4f12d3c 100644 --- a/mdop/appv-v5/app-v-51-supported-configurations.md +++ b/mdop/appv-v5/app-v-51-supported-configurations.md @@ -118,11 +118,21 @@ The following table lists the SQL Server versions that are supported for the App -

Microsoft SQL Server 2014

+

Microsoft SQL Server 2017

32-bit or 64-bit

+

Microsoft SQL Server 2016

+

SP2

+

32-bit or 64-bit

+ + +

Microsoft SQL Server 2014

+

SP2

+

32-bit or 64-bit

+ +

Microsoft SQL Server 2012

SP2

32-bit or 64-bit
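Review bot: The new SQL Server 2016 and SQL Server 2017 rows list "32-bit or 64-bit" in the architecture column, but those two releases ship as 64-bit only. Change the architecture cell to "64-bit" for both rows so the table does not advertise a configuration that cannot be installed.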

@@ -262,11 +272,21 @@ The following table lists the SQL Server versions that are supported for the App -

Microsoft SQL Server 2014

+

Microsoft SQL Server 2017

32-bit or 64-bit

+

Microsoft SQL Server 2016

+

SP2

+

32-bit or 64-bit

+ + +

Microsoft SQL Server 2014

+

SP2

+

32-bit or 64-bit

+ +

Microsoft SQL Server 2012

SP2

32-bit or 64-bit
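Review bot: In this second table, the SQL Server 2017 row gets only a new name line; the cells after it are unchanged context that belonged to the removed SQL Server 2014 row, so its service-pack cell is inherited rather than chosen. Confirm that cell is correct for 2017. The hunk also re-adds SQL Server 2014 with an SP2 cell, which the commit message (SQL Server 2016 SP2 and SQL 2017) does not mention; say so in the message if the 2014 requirement is meant to change.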

From eba43cbddd76a9b2b85bdc2c31f4dd8ee710c095 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Mon, 1 Jul 2019 11:37:24 +0500 Subject: [PATCH 13/42] Correction of link and redirection to blog There was confusion in the blog content at NSCI topic. I have removed the confusing part and updated the content. Additionally added the correct URL. --- ...ws-operating-system-components-to-microsoft-services.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 6130327341..5092e95a38 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md 
@@ -69,7 +69,8 @@ The following table lists management options for each setting, beginning with Wi | [11. Mail synchronization](#bkmk-mailsync) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | [12. Microsoft Account](#bkmk-microsoft-account) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [13. Microsoft Edge](#bkmk-edge) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [14. Network Connection Status Indicator](#bkmk-ncsi) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | +| [14. Network Connection Status Indicator](#bkmk- +) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [15. Offline maps](#bkmk-offlinemaps) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [16. OneDrive](#bkmk-onedrive) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [17. Preinstalled apps](#bkmk-preinstalledapps) | ![Check mark](images/checkmark.png) | | | 
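Review bot: The changed row for item 14 is split across two lines and its fragment is truncated: the link target now reads `(#bkmk-` and the closing `)` starts the next line. The row will no longer render as a single table row and the link no longer points at `#bkmk-ncsi`. Keep the row on one line with the full fragment, `[14. Network Connection Status Indicator](#bkmk-ncsi)`, as in the removed line.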
@@ -604,9 +605,9 @@ For a complete list of the Microsoft Edge policies, see [Available policies for ### 14. Network Connection Status Indicator -Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to http://www.msftconnecttest.com/connecttest.txt to determine if the device can communicate with the Internet. For more info about NCSI, see [The Network Connection Status Icon](https://techcommunity.microsoft.com/t5/Networking-Blog/bg-p/NetworkingBlog). +Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to http://www.msftconnecttest.com/connecttest.txt to determine if the device can communicate with the Internet. [See Microsoft Networking Blog](https://techcommunity.microsoft.com/t5/Networking-Blog/bg-p/NetworkingBlog) to learn more about networking. -In versions of Windows 10 prior to Windows 10, version 1607 and Windows Server 2016, the URL was `http://www.msftncsi.com`. +In versions of Windows 10 prior to Windows 10, version 1607 and Windows Server 2016, the URL was `http://www.msftncsi.com/ncsi.txt`. You can turn off NCSI by doing one of the following: From 01485a499fcc81ca773c69b8a56092f882564a73 Mon Sep 17 00:00:00 2001 From: Joyce Y <47188252+mypil@users.noreply.github.com> Date: Mon, 1 Jul 2019 19:38:16 +0800 Subject: [PATCH 14/42] Updated metadata to new doc author/manager info This is based on https://github.com/MicrosoftDocs/windows-itpro-docs/issues/3388#issuecomment-506835838 --- .../windows-information-protection/wip-learning.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/information-protection/windows-information-protection/wip-learning.md b/windows/security/information-protection/windows-information-protection/wip-learning.md index 5e113928fe..6edaaf0f7d 100644 
--- a/windows/security/information-protection/windows-information-protection/wip-learning.md +++ b/windows/security/information-protection/windows-information-protection/wip-learning.md @@ -10,9 +10,9 @@ ms.mktglfcycl: ms.sitesec: library ms.pagetype: security ms.localizationpriority: medium -author: dulcemontemayor -ms.author: dolmont -manager: dansimp +author: stephow-MSFT +ms.author: stephow +manager: laurawi audience: ITPro ms.collection: M365-security-compliance ms.topic: conceptual From e426e710bec905b0964825eff1f98c2561c202c1 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Mon, 1 Jul 2019 19:05:09 +0500 Subject: [PATCH 15/42] Broken Link Updated The link was broken and has been updated. --- ...windows-operating-system-components-to-microsoft-services.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 5092e95a38..2fd8253502 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md 
@@ -69,7 +69,7 @@ The following table lists management options for each setting, beginning with Wi | [11. Mail synchronization](#bkmk-mailsync) | ![Check mark](images/checkmark.png) | | ![Check mark](images/checkmark.png) | | [12. Microsoft Account](#bkmk-microsoft-account) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [13. Microsoft Edge](#bkmk-edge) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | -| [14. Network Connection Status Indicator](#bkmk- +| [14. Network Connection Status Indicator](#bkmk-ncsi) ) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [15. Offline maps](#bkmk-offlinemaps) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | | [16. OneDrive](#bkmk-onedrive) | | ![Check mark](images/checkmark.png) | ![Check mark](images/checkmark.png) | From a59dfba76a35c9dd74d0a114ee25d6b7b8814077 Mon Sep 17 00:00:00 2001 From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Mon, 1 Jul 2019 11:43:08 -0500 Subject: [PATCH 16/42] Update network-security-configure-encryption-types-allowed-for-kerberos.md --- ...re-encryption-types-allowed-for-kerberos.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md b/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md index 5201ac7cf1..3f0b69a5f9 100644 --- a/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md +++ b/windows/security/threat-protection/security-policy-settings/network-security-configure-encryption-types-allowed-for-kerberos.md 
@@ -32,11 +32,11 @@ The following table lists and explains the allowed encryption types. | Encryption type | Description and version support | | - | - | -| DES_CBC_CRC | Data Encryption Standard with Cipher Block Chaining using the Cyclic Redundancy Check function
Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7 and Windows Server 2008 R2 operating systems do not support DES| by default. -| DES_CBC_MD5| Data Encryption Standard with Cipher Block Chaining using the Message-Digest algorithm 5 checksum function
Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7 and Windows Server 2008 R2 operating systems do not support DES by default. | -| RC4_HMAC_MD5| Rivest Cipher 4 with Hashed Message Authentication Code using the Message-Digest algorithm 5 checksum function
Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2.| -| AES128_HMAC_SHA1| Advanced Encryption Standard in 128 bit cipher block with Hashed Message Authentication Code using the Secure Hash Algorithm (1).
Not supported in Windows 2000 Server, Windows XP, or Windows Server 2003. Supported in Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. | -| AES256_HMAC_SHA1| Advanced Encryption Standard in 256 bit cipher block with Hashed Message Authentication Code using the Secure Hash Algorithm (1).
Not supported in Windows 2000 Server, Windows XP, or Windows Server 2003. Supported in Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. | +| DES_CBC_CRC | Data Encryption Standard with Cipher Block Chaining using the Cyclic Redundancy Check function
Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7, Windows 10 and Windows Server 2008 R2 operating systems do not support DES| by default. +| DES_CBC_MD5| Data Encryption Standard with Cipher Block Chaining using the Message-Digest algorithm 5 checksum function
Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The Windows 7, Windows 10 and Windows Server 2008 R2 operating systems do not support DES by default. | +| RC4_HMAC_MD5| Rivest Cipher 4 with Hashed Message Authentication Code using the Message-Digest algorithm 5 checksum function
Supported in Windows 2000 Server, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008, Windows 7, Windows 10 and Windows Server 2008 R2.| +| AES128_HMAC_SHA1| Advanced Encryption Standard in 128 bit cipher block with Hashed Message Authentication Code using the Secure Hash Algorithm (1).
Not supported in Windows 2000 Server, Windows XP, or Windows Server 2003. Supported in Windows Vista, Windows Server 2008, Windows 7, Windows 10 and Windows Server 2008 R2. | +| AES256_HMAC_SHA1| Advanced Encryption Standard in 256 bit cipher block with Hashed Message Authentication Code using the Secure Hash Algorithm (1).
Not supported in Windows 2000 Server, Windows XP, or Windows Server 2003. Supported in Windows Vista, Windows Server 2008, Windows 7, Windows 10 and Windows Server 2008 R2. | | Future encryption types| Reserved by Microsoft for additional encryption types that might be implemented.|   ### Possible values 
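Review bot: The rewritten DES_CBC_CRC row carries over a misplaced cell delimiter: it ends "do not support DES| by default." with no closing pipe, so "by default." falls outside the description cell. Since the line is being touched anyway, end it with "do not support DES by default. |" as the DES_CBC_MD5 row does. The inserted "Windows 10" also sits between Windows 7 and Windows Server 2008 R2 in every row with no matching server release named; consider listing client and server versions in a consistent order.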
@@ -77,16 +77,16 @@ This section describes how an attacker might exploit a feature or its configurat ### Vulnerability -Windows Server 2008 R2 and Windows 7 do not support the DES cryptographic suites because stronger ones are available. To enable Kerberos interoperability with non-Windows versions of the Kerberos protocol, these suites can be enabled. However, doing so might open attack vectors on computers running -Windows Server 2008 R2 and Windows 7. You can also disable DES for your computers running Windows Vista and Windows Server 2008. +Windows Server 2008 R2, Windows 7 and Windows 10, do not support the DES cryptographic suites because stronger ones are available. To enable Kerberos interoperability with non-Windows versions of the Kerberos protocol, these suites can be enabled. However, doing so might open attack vectors on computers running +Windows Server 2008 R2, Windows 7 and Windows 10. You can also disable DES for your computers running Windows Vista and Windows Server 2008. ### Countermeasure -Do not configure this policy. This will force the computers running Windows Server 2008 R2 and Windows 7 to use the AES or RC4 cryptographic suites. +Do not configure this policy. This will force the computers running Windows Server 2008 R2, Windows 7 and Windows 10 to use the AES or RC4 cryptographic suites. ### Potential impact -If you do not select any of the encryption types, computers running Windows Server 2008 R2 and Windows 7 might have Kerberos authentication failures when connecting with computers running non-Windows versions of the Kerberos protocol. +If you do not select any of the encryption types, computers running Windows Server 2008 R2, Windows 7 and Windows 10, might have Kerberos authentication failures when connecting with computers running non-Windows versions of the Kerberos protocol. 
If you do select any encryption type, you will lower the effectiveness of encryption for Kerberos authentication but you will improve interoperability with computers running older versions of Windows. Contemporary non-Windows implementations of the Kerberos protocol support RC4 and AES 128-bit and AES 256-bit encryption. Most implementations, including the MIT Kerberos protocol and the Windows Kerberos protocol, are deprecating DES encryption. From 7024b1f3890bfe381d473041b881f8e0259222c1 Mon Sep 17 00:00:00 2001 From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Mon, 1 Jul 2019 21:45:19 +0500 Subject: [PATCH 17/42] Update windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- ...windows-operating-system-components-to-microsoft-services.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 2fd8253502..141cd87503 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md 
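Review bot: In the `@@ -77,16 +77,16 @@` hunk of the Kerberos policy text, the new `### Vulnerability` and `### Potential impact` sentences put a comma between the subject and its verb ("Windows Server 2008 R2, Windows 7 and Windows 10, do not support ..." and "... Windows 7 and Windows 10, might have Kerberos authentication failures ..."). Drop the comma after "Windows 10" in both. Since the Vulnerability paragraph is being rewritten anyway, also join the sentence that is still split across two source lines at "on computers running".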
@@ -607,7 +607,7 @@ For a complete list of the Microsoft Edge policies, see [Available policies for Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to http://www.msftconnecttest.com/connecttest.txt to determine if the device can communicate with the Internet. [See Microsoft Networking Blog](https://techcommunity.microsoft.com/t5/Networking-Blog/bg-p/NetworkingBlog) to learn more about networking. -In versions of Windows 10 prior to Windows 10, version 1607 and Windows Server 2016, the URL was `http://www.msftncsi.com/ncsi.txt`. +In versions of Windows 10 prior to version 1607 and Windows Server 2016, the URL was `http://www.msftncsi.com/ncsi.txt`. You can turn off NCSI by doing one of the following: From be6c166504f4a25b860eecd39a46ac435505233a Mon Sep 17 00:00:00 2001 From: VARADHARAJAN K <3296790+RAJU2529@users.noreply.github.com> Date: Mon, 1 Jul 2019 22:16:09 +0530 Subject: [PATCH 18/42] replaced 1702 to 1703 Windows 10 v1702 is not available, so i changed to 1703. this request is a minor change . Thanking you --- .../hello-for-business/hello-adequate-domain-controllers.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md index 6b0c32bc57..57524af4a3 100644 --- a/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md +++ b/windows/security/identity-protection/hello-for-business/hello-adequate-domain-controllers.md 
@@ -19,7 +19,7 @@ ms.reviewer: # Planning an adequate number of Windows Server 2019 Domain Controllers for Windows Hello for Business deployments **Applies to** -- Windows 10, version 1702 or later +- Windows 10, version 1703 or later - Windows Server, versions 2016 and 2019 - Hybrid or On-Premises deployment - Key trust From 2e1e1f48511cb82f1a9b0d5f9bfac895e0ddead0 Mon Sep 17 00:00:00 2001 From: Orlando Rodriguez <49177883+ojrb@users.noreply.github.com> Date: Mon, 1 Jul 2019 12:43:09 -0500 Subject: [PATCH 19/42] Update hello-identity-verification.md --- .../hello-for-business/hello-identity-verification.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md index 672ad0f33f..7a43806e57 100644 --- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md +++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md @@ -25,7 +25,7 @@ Windows Hello addresses the following problems with passwords: - Strong passwords can be difficult to remember, and users often reuse passwords on multiple sites. - Server breaches can expose symmetric network credentials (passwords). - Passwords are subject to [replay attacks](https://go.microsoft.com/fwlink/p/?LinkId=615673). -- Users can inadvertently expose their passwords due to [phishing attacks](https://go.microsoft.com/fwlink/p/?LinkId=615674). +- Users can inadvertently expose their passwords due to [phishing attacks](https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/phishing). >[!div class="mx-tdBreakAll"] >| | | | From 3f1c690d026f1a98b5eb1eba08b8ca23431ac1cd Mon Sep 17 00:00:00 2001 
From: lindakup <51131560+lindakup@users.noreply.github.com> Date: Mon, 1 Jul 2019 21:09:28 +0100 Subject: [PATCH 20/42] Update allow-com-object-registration-in-windows-defender-application-control-policy.md Add KB's of shipping updates which backported this feature to other versions of windows 10 --- ...ion-in-windows-defender-application-control-policy.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md index c33eca6f6f..f968e5b456 100644 --- a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md 
@@ -26,6 +26,15 @@ The [Microsoft Component Object Model (COM)](https://docs.microsoft.com/windows/ Prior to the Windows 10 1903 update, Windows Defender Application Control (WDAC) enforced a built-in allow list for COM object registration. While this mechanism works for most common application usage scenarios, customers have provided feedback that there are cases where additional COM objects need to be allowed. The 1903 update to Windows 10 introduces the ability to specify allowed COM objects via their GUID in the WDAC policy. +NOTE: To add this functionality to other versions of windows 10 you can install the following or later updates: + +- Windows 10, 1809 June 18, 2019—KB4501371 (OS Build 17763.592) (https://internal.support.services.microsoft.com/en-us/help/4501371/windows-10-update-kb4501371) +- windows 10, 1803 June 18, 2019—KB4503288 (OS Build 17134.858) (https://internal.support.services.microsoft.com/en-us/help/4503288/windows-10-update-kb4503288) +- Windows 10, 1709 June 18, 2019—KB4503281 (OS Build 16299.1237) (https://internal.support.services.microsoft.com/en-us/help/4503281/windows-10-update-kb4503281) +- windows 10, 1703 June 18, 2019—KB4503289 (OS Build 15063.1897) (https://internal.support.services.microsoft.com/en-us/help/4503289/windows-10-update-kb4503289 +- Windows 10, 1607 June 18, 2019—KB4503294 (OS Build 14393.3053) (https://internal.support.services.microsoft.com/en-us/help/4503294/windows-10-update-kb4503294) + + ### Get COM object GUID Get GUID of application to allow in one of the following ways: From 4ef53a9f067b0db7c1f9ee3675db14f0ae6f4546 Mon Sep 17 00:00:00 2001 
From: ImranHabib <47118050+joinimran@users.noreply.github.com> Date: Tue, 2 Jul 2019 09:43:46 +0500 Subject: [PATCH 21/42] Update windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- ...windows-operating-system-components-to-microsoft-services.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md index 141cd87503..903c748516 100644 --- a/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md +++ b/windows/privacy/manage-connections-from-windows-operating-system-components-to-microsoft-services.md @@ -605,7 +605,7 @@ For a complete list of the Microsoft Edge policies, see [Available policies for ### 14. Network Connection Status Indicator -Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to http://www.msftconnecttest.com/connecttest.txt to determine if the device can communicate with the Internet. [See Microsoft Networking Blog](https://techcommunity.microsoft.com/t5/Networking-Blog/bg-p/NetworkingBlog) to learn more about networking. +Network Connection Status Indicator (NCSI) detects Internet connectivity and corporate network connectivity status. NCSI sends a DNS request and HTTP query to http://www.msftconnecttest.com/connecttest.txt to determine if the device can communicate with the Internet. See the [Microsoft Networking Blog](https://techcommunity.microsoft.com/t5/Networking-Blog/bg-p/NetworkingBlog) to learn more. In versions of Windows 10 prior to version 1607 and Windows Server 2016, the URL was `http://www.msftncsi.com/ncsi.txt`. 
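Review bot: On the changed NCSI line in `@@ -605,7 +605,7 @@`, the probe URL http://www.msftconnecttest.com/connecttest.txt is left as bare text, while the legacy URL in the trailing context line is code-formatted (`http://www.msftncsi.com/ncsi.txt`). Format both the same way, preferably in backticks, since each is an endpoint to match on rather than a page to read. The context sentence "prior to version 1607 and Windows Server 2016" also still reads as if Windows Server 2016 were a Windows 10 version, so it is worth rewording while this paragraph is open.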
From fd131d25428ac9c157a319435ab4a20131423d3a Mon Sep 17 00:00:00 2001 From: Justin Hall Date: Tue, 2 Jul 2019 05:57:01 -0700 Subject: [PATCH 22/42] copyedits @lindakup Thanks for contributing these backports links! I changed the URL to public version and removed /en-us locale. Also capitalized Windows. I'm submitting these copyedits directly to your contribution. Then I'll approve and merge. ETA to be live is within the next day. --- ...n-windows-defender-application-control-policy.md | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md index f968e5b456..294b63f287 100644 --- a/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md +++ b/windows/security/threat-protection/windows-defender-application-control/allow-com-object-registration-in-windows-defender-application-control-policy.md 
@@ -26,14 +26,13 @@ The [Microsoft Component Object Model (COM)](https://docs.microsoft.com/windows/ Prior to the Windows 10 1903 update, Windows Defender Application Control (WDAC) enforced a built-in allow list for COM object registration. While this mechanism works for most common application usage scenarios, customers have provided feedback that there are cases where additional COM objects need to be allowed. The 1903 update to Windows 10 introduces the ability to specify allowed COM objects via their GUID in the WDAC policy. -NOTE: To add this functionality to other versions of windows 10 you can install the following or later updates: - -- Windows 10, 1809 June 18, 2019—KB4501371 (OS Build 17763.592) (https://internal.support.services.microsoft.com/en-us/help/4501371/windows-10-update-kb4501371) -- windows 10, 1803 June 18, 2019—KB4503288 (OS Build 17134.858) (https://internal.support.services.microsoft.com/en-us/help/4503288/windows-10-update-kb4503288) -- Windows 10, 1709 June 18, 2019—KB4503281 (OS Build 16299.1237) (https://internal.support.services.microsoft.com/en-us/help/4503281/windows-10-update-kb4503281) -- windows 10, 1703 June 18, 2019—KB4503289 (OS Build 15063.1897) (https://internal.support.services.microsoft.com/en-us/help/4503289/windows-10-update-kb4503289 -- Windows 10, 1607 June 18, 2019—KB4503294 (OS Build 14393.3053) (https://internal.support.services.microsoft.com/en-us/help/4503294/windows-10-update-kb4503294) +**NOTE**: To add this functionality to other versions of Windows 10, you can install the following or later updates: +- Windows 10, 1809 June 18, 2019—KB4501371 (OS Build 17763.592) (https://support.microsoft.com/help/4501371/windows-10-update-kb4501371) +- Windows 10, 1803 June 18, 2019—KB4503288 (OS Build 17134.858) (https://support.microsoft.com/help/4503288/windows-10-update-kb4503288) +- Windows 10, 1709 June 18, 2019—KB4503281 (OS Build 16299.1237) (https://support.microsoft.com/help/4503281/windows-10-update-kb4503281) +- 
Windows 10, 1703 June 18, 2019—KB4503289 (OS Build 15063.1897) (https://support.microsoft.com/help/4503289/windows-10-update-kb4503289 +- Windows 10, 1607 June 18, 2019—KB4503294 (OS Build 14393.3053) (https://support.microsoft.com/help/4503294/windows-10-update-kb4503294) ### Get COM object GUID From 1828475f7eacb7badcb504574554af274343c15d Mon Sep 17 00:00:00 2001 From: illfated Date: Fri, 28 Jun 2019 16:34:35 +0200 Subject: [PATCH 23/42] MarkDown page HTML cleanup, enable 2 headings Description: Leftover HTML tags disabled 2 section headings in this page. Proposed changes: Remove redundant HTML tags to re-enable the 2 headings: - Enable Windows Mixed Reality in WSUS - Block the Mixed Reality Portal Closes #4286 --- .../application-management/manage-windows-mixed-reality.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/windows/application-management/manage-windows-mixed-reality.md b/windows/application-management/manage-windows-mixed-reality.md index 5c0ec34d50..674be1f86a 100644 --- a/windows/application-management/manage-windows-mixed-reality.md +++ b/windows/application-management/manage-windows-mixed-reality.md @@ -24,8 +24,6 @@ ms.topic: article Organizations that use Windows Server Update Services (WSUS) must take action to [enable Windows Mixed Reality](#enable). Any organization that wants to prohibit use of Windows Mixed Reality can [block the installation of the Mixed Reality Portal](#block). - - ## Enable Windows Mixed Reality in WSUS 1. [Check your version of Windows 10.](https://support.microsoft.com/help/13443/windows-which-operating-system) 
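Review bot: In the copyedited KB list for allow-com-object-registration-in-windows-defender-application-control-policy.md, the 1703 entry still has no closing parenthesis: "(https://support.microsoft.com/help/4503289/windows-10-update-kb4503289" ends the added line, carried over unchanged from the removed one. Add the ")" so the entry matches the other four, or turn all five into Markdown links so the URLs are not bare text.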
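Review bot: The context paragraph in the `@@ -24,8 +24,6 @@` hunk of manage-windows-mixed-reality.md still links to `(#enable)` and `(#block)`, and the removed lines show up empty here, which fits the commit message's "leftover HTML tags". If those tags carried the `enable` and `block` anchor ids, both links stop resolving once they are gone. Confirm the targets, or point the links at the heading anchors for "Enable Windows Mixed Reality in WSUS" and "Block the Mixed Reality Portal".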
@@ -52,8 +50,6 @@ Organizations that use Windows Server Update Services (WSUS) must take action to IT admins can also create [Side by side feature store (shared folder)](https://technet.microsoft.com/library/jj127275.aspx) to allow access to the Windows Mixed Reality FOD. - - ## Block the Mixed Reality Portal You can use the [AppLocker configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/applocker-csp) to block the Mixed Reality software. From f3a7361b590f9a7b964e0a64660c11cea57ed974 Mon Sep 17 00:00:00 2001 From: Daniel Simpson Date: Tue, 2 Jul 2019 10:00:13 -0700 Subject: [PATCH 24/42] Update hello-identity-verification.md --- .../hello-for-business/hello-identity-verification.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md index 7a43806e57..a2c73b5463 100644 --- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md +++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md @@ -25,7 +25,7 @@ Windows Hello addresses the following problems with passwords: - Strong passwords can be difficult to remember, and users often reuse passwords on multiple sites. - Server breaches can expose symmetric network credentials (passwords). - Passwords are subject to [replay attacks](https://go.microsoft.com/fwlink/p/?LinkId=615673). -- Users can inadvertently expose their passwords due to [phishing attacks](https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/phishing). +- Users can inadvertently expose their passwords due to [phishing attacks](https://docs.microsoft.com/windows/security/threat-protection/intelligence/phishing). >[!div class="mx-tdBreakAll"] >| | | | From 39a857ff9f7670b3be9b37ba8d7ada075cc14c62 Mon Sep 17 00:00:00 2001 
From: Marty Hernandez Avedon Date: Tue, 2 Jul 2019 17:07:13 -0400 Subject: [PATCH 25/42] Fixes #4322; typo fix + linting [From user](https://github.com/MicrosoftDocs/windows-itpro-docs/issues/4322): > "When the mult-app kiosk configuration is applied to a device, AppLocker rules will be generated to allow the apps that are listed in the configuration" should read "When the multi-app kiosk configuration is applied to a device, AppLocker rules will be generated to allow the apps that are listed in the configuration" Also linted doc to make MarkdownLint happier. --- .../lock-down-windows-10-to-specific-apps.md | 182 +++++++----------- 1 file changed, 74 insertions(+), 108 deletions(-) diff --git a/windows/configuration/lock-down-windows-10-to-specific-apps.md b/windows/configuration/lock-down-windows-10-to-specific-apps.md index 2c861f7c13..a8d16003c6 100644 --- a/windows/configuration/lock-down-windows-10-to-specific-apps.md +++ b/windows/configuration/lock-down-windows-10-to-specific-apps.md 
@@ -18,16 +18,13 @@ ms.topic: article # Set up a multi-app kiosk - **Applies to** -- Windows 10 Pro, Enterprise, and Education +- Windows 10 Pro, Enterprise, and Education +A [kiosk device](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) typically runs a single app, and users are prevented from accessing any features or functions on the device outside of the kiosk app. In Windows 10, version 1709, the [AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) was expanded to make it easy for administrators to create kiosks that run more than one app. The benefit of a kiosk that runs only one or more specified apps is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they don’t need to access. -A [kiosk device](set-up-a-kiosk-for-windows-10-for-desktop-editions.md) typically runs a single app, and users are prevented from accessing any features or functions on the device outside of the kiosk app. In Windows 10, version 1709, the [AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp) was expanded to make it easy for administrators to create kiosks that run more than one app. The benefit of a kiosk that runs only one or more specified apps is to provide an easy-to-understand experience for individuals by putting in front of them only the things they need to use, and removing from their view the things they don’t need to access. - -The following table lists changes to multi-app kiosk in recent updates. - +The following table lists changes to multi-app kiosk in recent updates. 
| New features and improvements | In update | |--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| @@ -39,21 +36,21 @@ The following table lists changes to multi-app kiosk in recent updates. You can configure multi-app kiosks using [Microsoft Intune](#intune) or a [provisioning package](#provision). - >[!TIP] >Be sure to check the [configuration recommendations](kiosk-prepare.md) before you set up your kiosk. -## Configure a kiosk in Microsoft Intune +## Configure a kiosk in Microsoft Intune To configure a kiosk in Microsoft Intune, see [Windows 10 and Windows Holographic for Business device settings to run as a dedicated kiosk using Intune](https://docs.microsoft.com/intune/kiosk-settings). For explanations of the specific settings, see [Windows 10 and later device settings to run as a kiosk in Intune](https://docs.microsoft.com/intune/kiosk-settings-windows). - + ## Configure a kiosk using a provisioning package Process: + 1. [Create XML file](#create-xml-file) 2. [Add XML file to provisioning package](#add-xml) 3. [Apply provisioning package to device](#apply-ppkg) 
@@ -70,19 +67,19 @@ If you don't want to use a provisioning package, you can deploy the configuratio - The kiosk device must be running Windows 10 (S, Pro, Enterprise, or Education), version 1709 or later >[!NOTE] ->For devices running versions of Windows 10 earlier than version 1709, you can [create AppLocker rules](lock-down-windows-10-applocker.md) to configure a multi-app kiosk. +>For devices running versions of Windows 10 earlier than version 1709, you can [create AppLocker rules](lock-down-windows-10-applocker.md) to configure a multi-app kiosk. ### Create XML file -Let's start by looking at the basic structure of the XML file. +Let's start by looking at the basic structure of the XML file. -- A configuration xml can define multiple *profiles*. Each profile has a unique **Id** and defines a set of applications that are allowed to run, whether the taskbar is visible, and can include a custom Start layout. +- A configuration xml can define multiple *profiles*. Each profile has a unique **Id** and defines a set of applications that are allowed to run, whether the taskbar is visible, and can include a custom Start layout. -- A configuration xml can have multiple *config* sections. Each config section associates a non-admin user account to a default profile **Id**. +- A configuration xml can have multiple *config* sections. Each config section associates a non-admin user account to a default profile **Id**. - Multiple config sections can be associated to the same profile. -- A profile has no effect if it’s not associated to a config section. +- A profile has no effect if it’s not associated to a config section. ![profile = app and config = account](images/profile-config.png) @@ -90,7 +87,7 @@ You can start your file by pasting the following XML (or any other examples in t ```xml - @@ -98,7 +95,7 @@ You can start your file by pasting the following XML (or any other examples in t - + 
@@ -119,11 +116,11 @@ There are two types of profiles that you can specify in the XML: - **Lockdown profile**: Users assigned a lockdown profile will see the desktop in tablet mode with the specific apps on the Start screen. - **Kiosk profile**: New in Windows 10, version 1803, this profile replaces the KioskModeApp node of the [AssignedAccess CSP](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp). Users assigned a kiosk profile will not see the desktop, but only the kiosk app running in full-screen mode. -A lockdown profile section in the XML has the following entries: +A lockdown profile section in the XML has the following entries: -- [**Id**](#id) +- [**Id**](#id) -- [**AllowedApps**](#allowedapps) +- [**AllowedApps**](#allowedapps) - [**FileExplorerNamespaceRestrictions**](#fileexplorernamespacerestrictions) @@ -133,15 +130,13 @@ A lockdown profile section in the XML has the following entries: A kiosk profile in the XML has the following entries: -- [**Id**](#id) +- [**Id**](#id) - [**KioskModeApp**](#kioskmodeapp) - - ##### Id -The profile **Id** is a GUID attribute to uniquely identify the profile. You can create a GUID using a GUID generator. The GUID just needs to be unique within this XML file. +The profile **Id** is a GUID attribute to uniquely identify the profile. You can create a GUID using a GUID generator. The GUID just needs to be unique within this XML file. ```xml 
@@ -151,30 +146,28 @@ The profile **Id** is a GUID attribute to uniquely identify the profile. You can ##### AllowedApps -**AllowedApps** is a list of applications that are allowed to run. Apps can be Universal Windows Platform (UWP) apps or Windows desktop applications. In Windows 10, version 1809, you can configure a single app in the **AllowedApps** list to run automatically when the assigned access user account signs in. +**AllowedApps** is a list of applications that are allowed to run. Apps can be Universal Windows Platform (UWP) apps or Windows desktop applications. In Windows 10, version 1809, you can configure a single app in the **AllowedApps** list to run automatically when the assigned access user account signs in. - - -- For UWP apps, you need to provide the App User Model ID (AUMID). [Learn how to get the AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867), or [get the AUMID from the Start Layout XML](#startlayout). +- For UWP apps, you need to provide the App User Model ID (AUMID). [Learn how to get the AUMID](https://go.microsoft.com/fwlink/p/?LinkId=614867), or [get the AUMID from the Start Layout XML](#startlayout). - For desktop apps, you need to specify the full path of the executable, which can contain one or more system environment variables in the form of %variableName% (i.e. %systemroot%, %windir%). -- If an app has a dependency on another app, both must be included in the allowed apps list. For example, Internet Explorer 64-bit has a dependency on Internet Explorer 32-bit, so you must allow both "C:\Program Files\internet explorer\iexplore.exe" and “C:\Program Files (x86)\Internet Explorer\iexplore.exe”. +- If an app has a dependency on another app, both must be included in the allowed apps list. For example, Internet Explorer 64-bit has a dependency on Internet Explorer 32-bit, so you must allow both "C:\Program Files\internet explorer\iexplore.exe" and “C:\Program Files (x86)\Internet Explorer\iexplore.exe”. 
- To configure a single app to launch automatically when the user signs in, include `rs5:AutoLaunch="true"` after the AUMID or path. You can also include arguments to be passed to the app. For an example, see [the AllowedApps sample XML](#apps-sample). -When the mult-app kiosk configuration is applied to a device, AppLocker rules will be generated to allow the apps that are listed in the configuration. Here are the predefined assigned access AppLocker rules for **UWP apps**: +When the multi-app kiosk configuration is applied to a device, AppLocker rules will be generated to allow the apps that are listed in the configuration. Here are the predefined assigned access AppLocker rules for **UWP apps**: -1. Default rule is to allow all users to launch the signed package apps. -2. The package app deny list is generated at runtime when the assigned access user signs in. Based on the installed/provisioned package apps available for the user account, assigned access generates the deny list. This list will exclude the default allowed inbox package apps which are critical for the system to function, and then exclude the allowed packages that enterprises defined in the assigned access configuration. If there are multiple apps within the same package, all these apps will be excluded. This deny list will be used to prevent the user from accessing the apps which are currently available for the user but not in the allowed list. +1. Default rule is to allow all users to launch the signed package apps. +2. The package app deny list is generated at runtime when the assigned access user signs in. Based on the installed/provisioned package apps available for the user account, assigned access generates the deny list. This list will exclude the default allowed inbox package apps which are critical for the system to function, and then exclude the allowed packages that enterprises defined in the assigned access configuration. 
If there are multiple apps within the same package, all these apps will be excluded. This deny list will be used to prevent the user from accessing the apps which are currently available for the user but not in the allowed list. >[!NOTE] >You cannot manage AppLocker rules that are generated by the multi-app kiosk configuration in [MMC snap-ins](https://technet.microsoft.com/library/hh994629.aspx#BKMK_Using_Snapins). Avoid creating AppLocker rules that conflict with AppLocker rules that are generated by the multi-app kiosk configuration. > - >Multi-app kiosk mode doesn’t block the enterprise or the users from installing UWP apps. When a new UWP app is installed during the current assigned access user session, this app will not be in the deny list. When the user signs out and signs in again, the app will be included in the deny list. If this is an enterprise-deployed line-of-business app and you want to allow it to run, update the assigned access configuration to include it in the allowed app list. + >Multi-app kiosk mode doesn’t block the enterprise or the users from installing UWP apps. When a new UWP app is installed during the current assigned access user session, this app will not be in the deny list. When the user signs out and signs in again, the app will be included in the deny list. If this is an enterprise-deployed line-of-business app and you want to allow it to run, update the assigned access configuration to include it in the allowed app list. Here are the predefined assigned access AppLocker rules for **desktop apps**: -1. Default rule is to allow all users to launch the desktop programs signed with Microsoft Certificate in order for the system to boot and function. The rule also allows the admin user group to launch all desktop programs. -2. There is a predefined inbox desktop app deny list for the assigned access user account, and this deny list is adjusted based on the desktop app allow list that you defined in the multi-app configuration. -3. 
Enterprise-defined allowed desktop apps are added in the AppLocker allow list. +1. Default rule is to allow all users to launch the desktop programs signed with Microsoft Certificate in order for the system to boot and function. The rule also allows the admin user group to launch all desktop programs. +2. There is a predefined inbox desktop app deny list for the assigned access user account, and this deny list is adjusted based on the desktop app allow list that you defined in the multi-app configuration. +3. Enterprise-defined allowed desktop apps are added in the AppLocker allow list. The following example allows Groove Music, Movies & TV, Photos, Weather, Calculator, Paint, and Notepad apps to run on the device, with Notepad configured to automatically launch and create a file called `123.text` when the user signs in. 
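Review bot: In the `##### AllowedApps` hunk (`@@ -151,30 +146,28 @@`), the re-added Internet Explorer dependency bullet still wraps the second path in curly quotes (“C:\Program Files (x86)\Internet Explorer\iexplore.exe”) while the first path uses straight quotes. Since the line is being touched, put both paths in backticks so a value pasted into the AllowedApps XML carries no typographic quotes. The one substantive fix in this hunk, "mult-app" to "multi-app", is also hard to spot among the whitespace-only lint changes; a separate commit for the linting would make it easier to review.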
@@ -220,23 +213,23 @@ The following example shows how to allow user access to the Downloads folder in ... - + ``` ##### StartLayout -After you define the list of allowed applications, you can customize the Start layout for your kiosk experience. You can choose to pin all the allowed apps on the Start screen or just a subset, depending on whether you want the end user to directly access them on the Start screen. +After you define the list of allowed applications, you can customize the Start layout for your kiosk experience. You can choose to pin all the allowed apps on the Start screen or just a subset, depending on whether you want the end user to directly access them on the Start screen. The easiest way to create a customized Start layout to apply to other Windows 10 devices is to set up the Start screen on a test device and then export the layout. For detailed steps, see [Customize and export Start layout](customize-and-export-start-layout.md). A few things to note here: -- The test device on which you customize the Start layout should have the same OS version that is installed on the device where you plan to deploy the multi-app assigned access configuration. -- Since the multi-app assigned access experience is intended for fixed-purpose devices, to ensure the device experiences are consistent and predictable, use the *full* Start layout option instead of the *partial* Start layout. +- The test device on which you customize the Start layout should have the same OS version that is installed on the device where you plan to deploy the multi-app assigned access configuration. +- Since the multi-app assigned access experience is intended for fixed-purpose devices, to ensure the device experiences are consistent and predictable, use the *full* Start layout option instead of the *partial* Start layout. 
- There are no apps pinned on the taskbar in the multi-app mode, and it is not supported to configure Taskbar layout using the `` tag in a layout modification XML as part of the assigned access configuration. -- The following example uses DesktopApplicationLinkPath to pin the desktop app to start. When the desktop app doesn’t have a shortcut link on the target device, [learn how to provision .lnk files using Windows Configuration Designer](#lnk-files). +- The following example uses DesktopApplicationLinkPath to pin the desktop app to start. When the desktop app doesn’t have a shortcut link on the target device, [learn how to provision .lnk files using Windows Configuration Designer](#lnk-files). This example pins Groove Music, Movies & TV, Photos, Weather, Calculator, Paint, and Notepad apps on Start. @@ -267,14 +260,13 @@ This example pins Groove Music, Movies & TV, Photos, Weather, Calculator, Paint, ``` >[!NOTE] ->If an app is not installed for the user but is included in the Start layout XML, the app will not be shown on the Start screen. - +>If an app is not installed for the user but is included in the Start layout XML, the app will not be shown on the Start screen. ![What the Start screen looks like when the XML sample is applied](images/sample-start.png) ##### Taskbar -Define whether you want to have the taskbar present in the kiosk device. For tablet-based or touch-enabled all-in-one kiosks, when you don’t attach a keyboard and mouse, you can hide the taskbar as part of the multi-app experience if you want. +Define whether you want to have the taskbar present in the kiosk device. For tablet-based or touch-enabled all-in-one kiosks, when you don’t attach a keyboard and mouse, you can hide the taskbar as part of the multi-app experience if you want. The following example exposes the taskbar to the end user: 
@@ -289,9 +281,9 @@ The following example hides the taskbar: ``` >[!NOTE] ->This is different from the **Automatically hide the taskbar** option in tablet mode, which shows the taskbar when swiping up from or moving the mouse pointer down to the bottom of the screen. Setting **ShowTaskbar** as **false** will always keep the taskbar hidden. +>This is different from the **Automatically hide the taskbar** option in tablet mode, which shows the taskbar when swiping up from or moving the mouse pointer down to the bottom of the screen. Setting **ShowTaskbar** as **false** will always keep the taskbar hidden. -##### KioskModeApp +##### KioskModeApp **KioskModeApp** is used for a [kiosk profile](#profile) only. Enter the AUMID for a single app. You can only specify one kiosk profile in the XML. 
@@ -302,27 +294,25 @@ The following example hides the taskbar: >[!IMPORTANT] >The kiosk profile is designed for public-facing kiosk devices. We recommend that you use a local, non-administrator account. If the device is connected to your company network, using a domain or Azure Active Directory account could potentially compromise confidential information. - #### Configs -Under **Configs**, define which user account will be associated with the profile. When this user account signs in on the device, the associated assigned access profile will be enforced, including the allowed apps, Start layout, and taskbar configuration, as well as other local group policies or mobile device management (MDM) policies set as part of the multi-app experience. +Under **Configs**, define which user account will be associated with the profile. When this user account signs in on the device, the associated assigned access profile will be enforced, including the allowed apps, Start layout, and taskbar configuration, as well as other local group policies or mobile device management (MDM) policies set as part of the multi-app experience. -The full multi-app assigned access experience can only work for non-admin users. It’s not supported to associate an admin user with the assigned access profile; doing this in the XML file will result in unexpected/unsupported experiences when this admin user signs in. +The full multi-app assigned access experience can only work for non-admin users. It’s not supported to associate an admin user with the assigned access profile; doing this in the XML file will result in unexpected/unsupported experiences when this admin user signs in. 
You can assign: - [A local standard user account that signs in automatically](#config-for-autologon-account) (Applies to Windows 10, version 1803 only) - [An individual account, which can be local, domain, or Azure Active Directory (Azure AD)](#config-for-individual-accounts) -- [A group account, which can be local, Active Directory (domain), or Azure AD](#config-for-group-accounts) (Applies to Windows 10, version 1803 only) +- [A group account, which can be local, Active Directory (domain), or Azure AD](#config-for-group-accounts) (Applies to Windows 10, version 1803 only). >[!NOTE] ->Configs that specify group accounts cannot use a kiosk profile, only a lockdown profile. If a group is configured to a kiosk profile, the CSP will reject the request. +>Configs that specify group accounts cannot use a kiosk profile, only a lockdown profile. If a group is configured to a kiosk profile, the CSP will reject the request. ##### Config for AutoLogon Account When you use `` and the configuration is applied to a device, the specified account (managed by Assigned Access) is created on the device as a local standard user account. The specified account is signed in automatically after restart. - The following example shows how to specify an account to sign in automatically. ```xml @@ -331,7 +321,7 @@ The following example shows how to specify an account to sign in automatically. - + ``` In Windows 10, version 1809, you can configure the display name that will be shown when the user signs in. The following example shows how to create an AutoLogon Account that shows the name "Hello World". 
@@ -347,13 +337,12 @@ In Windows 10, version 1809, you can configure the display name that will be sho On domain-joined devices, local user accounts aren't shown on the sign-in screen by default. To show the **AutoLogonAccount** on the sign-in screen, enable the following Group Policy setting: **Computer Configuration > Administrative Templates > System > Logon > Enumerate local users on domain-joined computers**. (The corresponding MDM policy setting is [WindowsLogon/EnumerateLocalUsersOnDomainJoinedComputers in the Policy CSP](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-windowslogon#windowslogon-enumeratelocalusersondomainjoinedcomputers).) - >[!IMPORTANT] >When Exchange Active Sync (EAS) password restrictions are active on the device, the autologon feature does not work. This behavior is by design. For more informations, see [How to turn on automatic logon in Windows](https://support.microsoft.com/help/324737/how-to-turn-on-automatic-logon-in-windows). ##### Config for individual accounts -Individual accounts are specified using ``. +Individual accounts are specified using ``. - Local account can be entered as `machinename\account` or `.\account` or just `account`. - Domain account should be entered as `domain\account`. 
@@ -362,58 +351,56 @@ Individual accounts are specified using ``. >[!WARNING] >Assigned access can be configured via WMI or CSP to run its applications under a domain user or service account, rather than a local account. However, use of domain user or service accounts introduces risks that an attacker subverting the assigned access application might gain access to sensitive domain resources that have been inadvertently left accessible to any domain account. We recommend that customers proceed with caution when using domain accounts with assigned access, and consider the domain resources potentially exposed by the decision to do so. - Before applying the multi-app configuration, make sure the specified user account is available on the device, otherwise it will fail. >[!NOTE] >For both domain and Azure AD accounts, it’s not required that target account is explicitly added to the device. As long as the device is AD-joined or Azure AD-joined, the account can be discovered in the domain forest or tenant that the device is joined to. For local accounts, it is required that the account exist before you configure the account for assigned access. - ```xml MultiAppKioskUser - + ``` - - ##### Config for group accounts -Group accounts are specified using ``. Nested groups are not supported. For example, if user A is member of Group 1, Group 1 is member of Group 2, and Group 2 is used in ``, user A will not have the kiosk experience. +Group accounts are specified using ``. Nested groups are not supported. For example, if user A is member of Group 1, Group 1 is member of Group 2, and Group 2 is used in ``, user A will not have the kiosk experience. - Local group: Specify the group type as **LocalGroup** and put the group name in Name attribute. Any Azure AD accounts that are added to the local group will not have the kiosk settings applied. ```xml - - - - + + + + ``` + - Domain group: Both security and distribution groups are supported. 
Specify the group type as ActiveDirectoryGroup. Use the domain name as the prefix in the name attribute. ```xml - - - - + + + + ``` - Azure AD group: Use the group object ID from the Azure portal to uniquely identify the group in the Name attribute. You can find the object ID on the overview page for the group in **Users and groups** > **All groups**. Specify the group type as **AzureActiveDirectoryGroup**. The kiosk device must have internet connectivity when users that belong to the group sign in. ```xml - - - - + + + + ``` >[!NOTE] - >If an Azure AD group is configured with a lockdown profile on a device, a user in the Azure AD group must change their password (after the account has been created with default password on the portal) before they can sign in to this device. If the user uses the default password to sign in to the device, the user will be immediately signed out. + >If an Azure AD group is configured with a lockdown profile on a device, a user in the Azure AD group must change their password (after the account has been created with default password on the portal) before they can sign in to this device. If the user uses the default password to sign in to the device, the user will be immediately signed out. + ### Add XML file to provisioning package Before you add the XML file to a provisioning package, you can [validate your configuration XML against the XSD](kiosk-xml.md#xsd-for-assignedaccess-configuration-xml). 
@@ -439,7 +426,7 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L ![Screenshot of the MultiAppAssignedAccessSettings field in Windows Configuration Designer](images/multiappassignedaccesssettings.png) -8. (**Optional**: If you want to apply the provisioning package after device initial setup and there is an admin user already available on the kiosk device, skip this step.) Create an admin user account in **Runtime settings** > **Accounts** > **Users**. Provide a **UserName** and **Password**, and select **UserGroup** as **Administrators**. With this account, you can view the provisioning status and logs if needed. +8. (**Optional**: If you want to apply the provisioning package after device initial setup and there is an admin user already available on the kiosk device, skip this step.) Create an admin user account in **Runtime settings** > **Accounts** > **Users**. Provide a **UserName** and **Password**, and select **UserGroup** as **Administrators**. With this account, you can view the provisioning status and logs if needed. 9. (**Optional**: If you already have a non-admin account on the kiosk device, skip this step.) Create a local standard user account in **Runtime settings** > **Accounts** > **Users**. Make sure the **UserName** is the same as the account that you specify in the configuration XML. Select **UserGroup** as **Standard Users**. 
@@ -451,9 +438,9 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L 13. Optional. In the **Provisioning package security** window, you can choose to encrypt the package and enable package signing. - - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. + - **Enable package encryption** - If you select this option, an auto-generated password will be shown on the screen. - - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Browse** and choosing the certificate you want to use to sign the package. + - **Enable package signing** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by clicking **Browse** and choosing the certificate you want to use to sign the package. 14. Click **Next** to specify the output location where you want the provisioning package to go when it's built. By default, Windows Imaging and Configuration Designer (ICD) uses the project folder as the output location. 
@@ -469,12 +456,13 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L If your build is successful, the name of the provisioning package, output directory, and project directory will be shown. - - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. - - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. + - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build. + - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**. 18. Copy the provisioning package to the root directory of a USB drive. + ### Apply provisioning package to device Provisioning packages can be applied to a device during the first-run experience (out-of-box experience or "OOBE") and after ("runtime"). 
@@ -504,46 +492,28 @@ Provisioning packages can be applied to a device during the first-run experience ![Do you trust this package?](images/trust-package.png) - - #### After setup, from a USB drive, network folder, or SharePoint site 1. Sign in with an admin account. 2. Insert the USB drive to a desktop computer, navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install. For a provisioning package stored on a network folder or on a SharePoint site, navigate to the provisioning package and double-click it to begin installation. >[!NOTE] ->if your provisioning package doesn’t include the assigned access user account creation, make sure the account you specified in the multi-app configuration XML exists on the device. +>if your provisioning package doesn’t include the assigned access user account creation, make sure the account you specified in the multi-app configuration XML exists on the device. ![add a package option](images/package.png) - - - -### Use MDM to deploy the multi-app configuration +### Use MDM to deploy the multi-app configuration +Multi-app kiosk mode is enabled by the [AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp). Your MDM policy can contain the assigned access configuration XML. -Multi-app kiosk mode is enabled by the [AssignedAccess configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/assignedaccess-csp). Your MDM policy can contain the assigned access configuration XML. - -If your device is enrolled with a MDM server which supports applying the assigned access configuration, you can use it to apply the setting remotely. +If your device is enrolled with a MDM server which supports applying the assigned access configuration, you can use it to apply the setting remotely. 
The OMA-URI for multi-app policy is `./Device/Vendor/MSFT/AssignedAccess/Configuration`. - - - - - - - - - - - ## Considerations for Windows Mixed Reality immersive headsets - -With the advent of [mixed reality devices (video link)](https://www.youtube.com/watch?v=u0jqNioU2Lo), you might want to create a kiosk that can run mixed reality apps. +With the advent of [mixed reality devices (video link)](https://www.youtube.com/watch?v=u0jqNioU2Lo), you might want to create a kiosk that can run mixed reality apps. To create a multi-app kiosk that can run mixed reality apps, you must include the following apps in the [AllowedApps list](#allowedapps): 
@@ -561,14 +531,12 @@ After the admin has completed setup, the kiosk account can sign in and repeat th There is a difference between the mixed reality experiences for a kiosk user and other users. Typically, when a user connects a mixed reality device, they begin in the [Mixed Reality home](https://developer.microsoft.com/windows/mixed-reality/navigating_the_windows_mixed_reality_home). The Mixed Reality home is a shell that runs in "silent" mode when the PC is configured as a kiosk. When a kiosk user connects a mixed reality device, they will see only a blank display in the device, and will not have access to the features and functionality available in the home. To run a mixed reality app, the kiosk user must launch the app from the PC Start screen. - ## Policies set by multi-app kiosk configuration It is not recommended to set policies enforced in assigned access multi-app mode to different values using other channels, as the multi-app mode has been optimized to provide a locked-down experience. When the multi-app assigned access configuration is applied on the device, certain policies are enforced system-wide, and will impact other users on the device. - ### Group Policy The following local policies affect all **non-administrator** users on the system, regardless whether the user is configured as an assigned access user or not. This includes local users, domain users, and Azure Active Directory users. 
@@ -605,11 +573,8 @@ Prevent access to drives from My Computer | Enabled - Restrict all drivers >[!NOTE] >When **Prevent access to drives from My Computer** is enabled, users can browse the directory structure in File Explorer, but they cannot open folders and access the contents. Also, they cannot use the **Run** dialog box or the **Map Network Drive** dialog box to view the directories on these drives. The icons representing the specified drives still appear in File Explorer, but if users double-click the icons, a message appears explaining that a setting prevents the action. This setting does not prevent users from using programs to access local and network drives. It does not prevent users from using the Disk Management snap-in to view and change drive characteristics. - - ### MDM policy - Some of the MDM policies based on the [Policy configuration service provider (CSP)](https://docs.microsoft.com/windows/client-management/mdm/policy-configuration-service-provider) affect all users on the system (i.e. system-wide). Setting | Value | System-wide 
@@ -633,13 +598,14 @@ Start/DisableContextMenus | 1 - Context menus are hidden for Start apps | No [WindowsLogon/DontDisplayNetworkSelectionUI](https://docs.microsoft.com/windows/client-management/mdm/policy-csp-windowslogon#windowslogon-dontdisplaynetworkselectionui) | <Enabled/> | Yes + ## Provision .lnk files using Windows Configuration Designer First, create your desktop app's shortcut file by installing the app on a test device, using the default installation location. Right-click the installed application, and choose **Send to** > **Desktop (create shortcut)**. Rename the shortcut to `.lnk` -Next, create a batch file with two commands. If the desktop app is already installed on the target device, skip the first command for MSI install. +Next, create a batch file with two commands. If the desktop app is already installed on the target device, skip the first command for MSI install. -``` +```PowerShell msiexec /I ".msi" /qn /norestart copy .lnk "%AllUsersProfile%\Microsoft\Windows\Start Menu\Programs\.lnk" ``` From 8519d5db51573f563d665249066e0c8735f0739d Mon Sep 17 00:00:00 2001 From: HarshithaCMurthy <52260858+HarshithaCMurthy@users.noreply.github.com> Date: Tue, 2 Jul 2019 17:05:24 -0700 Subject: [PATCH 26/42] Changing SDT4B link --- .../surface/surface-diagnostic-toolkit-for-business-intro.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/devices/surface/surface-diagnostic-toolkit-for-business-intro.md b/devices/surface/surface-diagnostic-toolkit-for-business-intro.md index 26bac290b4..83613f4a36 100644 --- a/devices/surface/surface-diagnostic-toolkit-for-business-intro.md +++ b/devices/surface/surface-diagnostic-toolkit-for-business-intro.md 
@@ -28,7 +28,7 @@ Before you run the diagnostic tool, make sure you have the latest Windows update **To run the Surface Diagnostic Toolkit for Business:** -1. Download the [Surface Diagnostic Toolkit for Business](https://aka.ms/checkmysurface). +1. Download the [Surface Diagnostic Toolkit for Business](https://aka.ms/SDT4B). 2. Select Run and follow the on-screen instructions. The diagnosis and repair time averages 15 minutes but could take an hour or longer, depending on internet connection speed and the number of updates or repairs required. For more detailed information on Surface Diagnostic Toolkit for Business, refer to [Deploy Surface Diagnostic Toolkit for Business](https://docs.microsoft.com/surface/surface-diagnostic-toolkit-business). From ba9fbaedc677450936fcae5f8ff26689f28d1fd7 Mon Sep 17 00:00:00 2001 From: Lindsay <45809756+lindspea@users.noreply.github.com> Date: Wed, 3 Jul 2019 09:45:20 +0200 Subject: [PATCH 27/42] Update event-error-codes.md Added info under action for 29. --- .../microsoft-defender-atp/event-error-codes.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md b/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md index 4a19677915..080111bee7 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md +++ b/windows/security/threat-protection/microsoft-defender-atp/event-error-codes.md @@ -216,7 +216,7 @@ See Date: Wed, 3 Jul 2019 13:20:32 -0400 Subject: [PATCH 33/42] minor typo: "allow or block", not "block or allow" --- .../microsoft-defender-atp/advanced-features.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md index a49b614738..22f1392737 100644 
--- a/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md +++ b/windows/security/threat-protection/microsoft-defender-atp/advanced-features.md @@ -39,6 +39,7 @@ When you enable this feature, users with the appropriate permissions can initiat For more information on role assignments see, [Create and manage roles](user-roles.md). ## Live response unsigned script execution + Enabling this feature allows you to run unsigned scripts in a live response session. ## Auto-resolve remediated alerts @@ -58,7 +59,7 @@ Blocking is only available if your organization uses Windows Defender Antivirus This feature enables you to block potentially malicious files in your network. Blocking a file will prevent it from being read, written, or executed on machines in your organization. -To turn **Block or allow** files on: +To turn **Allow or block** files on: 1. In the navigation pane, select **Settings** > **Advanced features** > **Allow or block file**. From fd30897a218cdbfd47d4ff8e4a8a069af665ffa2 Mon Sep 17 00:00:00 2001 From: Nazmus Sakib Date: Wed, 3 Jul 2019 14:15:36 -0700 Subject: [PATCH 34/42] Update deploy-multiple-windows-defender-application-control-policies.md --- ...indows-defender-application-control-policies.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md index 059828dc17..abc8820fab 100644 --- a/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md +++ b/windows/security/threat-protection/windows-defender-application-control/deploy-multiple-windows-defender-application-control-policies.md 
@@ -77,3 +77,17 @@ Note that "ResetPolicyId" reverts a supplemental policy to a base policy, and re When merging, the policy type and ID of the leftmost/first policy specified is used. If the leftmost is a base policy with ID \, then regardless of what the GUIDS and types are for any subsequent policies, the merged policy will be a base policy with ID \. +### Deploying policies + +In order to deploy policies using the new multiple policy format you will need to: + +1. Ensure policies are copied to the right location + - Policies must be copied to this directory: C:\Windows\System32\CodeIntegrity\CiPolicies\Active +2. Binary policy files must have the correct name which takes the format {PolicyGUID}.cip + - Ensure that the name of the binary policy file is exactly the same as the PolicyID in the policy + - For example if the policy XML had the ID as {A6D7FBBF-9F6B-4072-BF37-693741E1D745} the correct name for the binary policy file would be {A6D7FBBF-9F6B-4072-BF37-693741E1D745}.cip +3. Reboot the system or use WMI to rebootlessly refresh the policy + +```powershell +Invoke-CimMethod -Namespace root\Microsoft\Windows\CI -ClassName PS_UpdateAndCompareCIPolicy -MethodName Update -Arguments @{FilePath = 'C:\Windows\System32\CodeIntegrity\CiPolicies\Active\{A6D7FBBF-9F6B-4072-BF37-693741E1D745}.cip'} +``` From a0291dbdc95a7c8f0b85f1cab0e7b11475254508 Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Thu, 4 Jul 2019 08:39:56 +0500 Subject: [PATCH 35/42] Update manage-protection-updates-windows-defender-antivirus.md --- .../manage-protection-updates-windows-defender-antivirus.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md index cb39ebc506..a76cb6ae4a 100644 
--- a/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md +++ b/windows/security/threat-protection/windows-defender-antivirus/manage-protection-updates-windows-defender-antivirus.md @@ -119,11 +119,11 @@ Use the following PowerShell cmdlets to set the update order. ```PowerShell Set-MpPreference -SignatureFallbackOrder {LOCATION|LOCATION|LOCATION|LOCATION} -Set-MpPreference -SignatureDefinitionUpdateFileSharesSouce {\\UNC SHARE PATH|\\UNC SHARE PATH} +Set-MpPreference -SignatureDefinitionUpdateFileSharesSource {\\UNC SHARE PATH|\\UNC SHARE PATH} ``` See the following for more information: - [Set-MpPreference -SignatureFallbackOrder](https://technet.microsoft.com/itpro/powershell/windows/defender/set-mppreference#-signaturefallbackorder) -- [Set-MpPreference -SignatureDefinitionUpdateFileSharesSouce](https://technet.microsoft.com/itpro/powershell/windows/defender/set-mppreference#-signaturedefinitionupdatefilesharessources) +- [Set-MpPreference -SignatureDefinitionUpdateFileSharesSource](https://technet.microsoft.com/itpro/powershell/windows/defender/set-mppreference#-signaturedefinitionupdatefilesharessources) - [Use PowerShell cmdlets to configure and run Windows Defender Antivirus](use-powershell-cmdlets-windows-defender-antivirus.md) - [Defender cmdlets](https://technet.microsoft.com/library/dn433280.aspx) @@ -133,7 +133,7 @@ Use the [**Set** method of the **MSFT_MpPreference**](https://msdn.microsoft.com ```WMI SignatureFallbackOrder -SignatureDefinitionUpdateFileSharesSouce +SignatureDefinitionUpdateFileSharesSource ``` See the following for more information: From 3b690d880a9673dcab2e72a828d7cffb82916f59 Mon Sep 17 00:00:00 2001 
From: Lindsay <45809756+lindspea@users.noreply.github.com> Date: Thu, 4 Jul 2019 07:07:46 +0200 Subject: [PATCH 36/42] Update windows/security/threat-protection/microsoft-defender-atp/portal-overview.md Co-Authored-By: Nicole Turner <39884432+nenonix@users.noreply.github.com> --- .../threat-protection/microsoft-defender-atp/portal-overview.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md b/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md index a99265db4c..84cf299759 100644 --- a/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md +++ b/windows/security/threat-protection/microsoft-defender-atp/portal-overview.md @@ -67,7 +67,7 @@ Area | Description **(3) Community center, Localization, Help and support, Feedback** | **Community center** -Access the Community center to learn, collaborate, and share experiences about the product.

**Time settings** - Gives you access to the configuration settings where you can set time zones and view license information.

**Help and support** - Gives you access to the Microsoft Defender ATP guide, Microsoft support, and Premier support.

**Feedback** - Access the feedback button to provide comments about the portal. > [!NOTE] -> For devices with high resolution DPI scaling issues, please see here for possible solutions - [Windows scaling issues for high-DPI devices](https://support.microsoft.com/help/3025083/windows-scaling-issues-for-high-dpi-devices) +> For devices with high resolution DPI scaling issues, please see [Windows scaling issues for high-DPI devices](https://support.microsoft.com/help/3025083/windows-scaling-issues-for-high-dpi-devices) for possible solutions. ## Microsoft Defender ATP icons The following table provides information on the icons used all throughout the portal: From 078cc0f266b932de3e5f63cdbd89d710b04215fa Mon Sep 17 00:00:00 2001 From: MaratMussabekov <48041687+MaratMussabekov@users.noreply.github.com> Date: Thu, 4 Jul 2019 17:41:22 +0500 Subject: [PATCH 37/42] Update event-views-exploit-guard.md --- .../windows-defender-exploit-guard/event-views-exploit-guard.md | 1 + 1 file changed, 1 insertion(+) diff --git a/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md b/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md index 7d3b72d249..1077307317 100644 --- a/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md +++ b/windows/security/threat-protection/windows-defender-exploit-guard/event-views-exploit-guard.md @@ -1,3 +1,4 @@ +--- ms.reviewer: title: Import custom views to see attack surface reduction events description: Use Windows Event Viewer to import individual views for each of the features. From bf133f94abce30fabbe6d8f077c43cb373780159 Mon Sep 17 00:00:00 2001 From: Reece Peacock <49645174+Reeced40@users.noreply.github.com> Date: Thu, 4 Jul 2019 15:37:30 +0200 Subject: [PATCH 38/42] Update event-4768.md Changed failure coding. --- windows/security/threat-protection/auditing/event-4768.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/windows/security/threat-protection/auditing/event-4768.md b/windows/security/threat-protection/auditing/event-4768.md index 41c866e704..74e6e22b45 100644 --- a/windows/security/threat-protection/auditing/event-4768.md +++ b/windows/security/threat-protection/auditing/event-4768.md @@ -219,7 +219,7 @@ The most common values: | 0x18 | KDC\_ERR\_PREAUTH\_FAILED | Pre-authentication information was invalid | The wrong password was provided.
This error code cannot occur in event “[4768](event-4768.md). A Kerberos authentication ticket (TGT) was requested”. It occurs in “[4771](event-4771.md). Kerberos pre-authentication failed” event. | | 0x19 | KDC\_ERR\_PREAUTH\_REQUIRED | Additional pre-authentication required | This error often occurs in UNIX interoperability scenarios. MIT-Kerberos clients do not request pre-authentication when they send a KRB\_AS\_REQ message. If pre-authentication is required (the default), Windows systems will send this error. Most MIT-Kerberos clients will respond to this error by giving the pre-authentication, in which case the error can be ignored, but some clients might not respond in this way. | | 0x1A | KDC\_ERR\_SERVER\_NOMATCH | KDC does not know about the requested server | No information. | -| 0x1B | KDC\_ERR\_SVC\_UNAVAILABLE | KDC is unavailable | No information. | +| 0x1D | KDC\_ERR\_SVC\_UNAVAILABLE | KDC is unavailable | No information. | | 0x1F | KRB\_AP\_ERR\_BAD\_INTEGRITY | Integrity check on decrypted field failed | The authenticator was encrypted with something other than the session key. The result is that the client cannot decrypt the resulting message. The modification of the message could be the result of an attack or it could be because of network noise. | | 0x20 | KRB\_AP\_ERR\_TKT\_EXPIRED | The ticket has expired | The smaller the value for the “Maximum lifetime for user ticket” Kerberos policy setting, the more likely it is that this error will occur. Because ticket renewal is automatic, you should not have to do anything if you get this message. | | 0x21 | KRB\_AP\_ERR\_TKT\_NYV | The ticket is not yet valid | The ticket presented to the server is not yet valid (in relationship to the server time). The most probable cause is that the clocks on the KDC and the client are not synchronized.
If cross-realm Kerberos authentication is being attempted, then you should verify time synchronization between the KDC in the target realm and the KDC in the client realm, as well. | From 4d109d045e612c1e014342112f5ceecb5acbb5a6 Mon Sep 17 00:00:00 2001 From: Nick Reilingh Date: Fri, 5 Jul 2019 09:23:34 -0400 Subject: [PATCH 39/42] fixed markdown headers that needed preceding line break --- windows/configuration/customize-and-export-start-layout.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/windows/configuration/customize-and-export-start-layout.md b/windows/configuration/customize-and-export-start-layout.md index 53cd1f9039..25049499b9 100644 --- a/windows/configuration/customize-and-export-start-layout.md +++ b/windows/configuration/customize-and-export-start-layout.md @@ -46,8 +46,8 @@ You can deploy the resulting .xml file to devices using one of the following met - [Mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) -## Customize the Start screen on your test computer +## Customize the Start screen on your test computer To prepare a Start layout for export, you simply customize the Start layout on a test computer. @@ -58,6 +58,7 @@ To prepare a Start layout for export, you simply customize the Start layout on a 2. Create a new user account that you will use to customize the Start layout.
+ **To customize Start** 1. Sign in to your test computer with the user account that you created. @@ -82,8 +83,8 @@ To prepare a Start layout for export, you simply customize the Start layout on a >In earlier versions of Windows 10, no tile would be pinned. -## Export the Start layout +## Export the Start layout When you have the Start layout that you want your users to see, use the [Export-StartLayout](https://docs.microsoft.com/powershell/module/startlayout/export-startlayout?view=win10-ps) cmdlet in Windows PowerShell to export the Start layout to an .xml file. Start layout is located by default at C:\Users\username\AppData\Local\Microsoft\Windows\Shell\ From 24767e2db0023f42c4eaff8646ac761d66fabb85 Mon Sep 17 00:00:00 2001 From: Nick Reilingh Date: Sat, 6 Jul 2019 16:56:33 -0400 Subject: [PATCH 40/42] Apply suggestions from code review Co-Authored-By: Trond B. Krokli <38162891+illfated@users.noreply.github.com> --- windows/configuration/customize-and-export-start-layout.md | 4 ---- 1 file changed, 4 deletions(-) diff --git a/windows/configuration/customize-and-export-start-layout.md b/windows/configuration/customize-and-export-start-layout.md index 25049499b9..dcf05e2b96 100644 --- a/windows/configuration/customize-and-export-start-layout.md +++ b/windows/configuration/customize-and-export-start-layout.md @@ -45,8 +45,6 @@ You can deploy the resulting .xml file to devices using one of the following met - [Mobile device management (MDM)](customize-windows-10-start-screens-by-using-mobile-device-management.md) - - ## Customize the Start screen on your test computer To prepare a Start layout for export, you simply customize the Start layout on a test computer. @@ -57,8 +55,6 @@ To prepare a Start layout for export, you simply customize the Start layout on a 2. Create a new user account that you will use to customize the Start layout. - - **To customize Start** 1. Sign in to your test computer with the user account that you created. 
From 8988a615585c77e481558aa17470bdc21a3e99a5 Mon Sep 17 00:00:00 2001 From: Nick Reilingh Date: Sat, 6 Jul 2019 16:59:20 -0400 Subject: [PATCH 41/42] removed extraneous span tag --- windows/configuration/customize-and-export-start-layout.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/windows/configuration/customize-and-export-start-layout.md b/windows/configuration/customize-and-export-start-layout.md index dcf05e2b96..60108ae542 100644 --- a/windows/configuration/customize-and-export-start-layout.md +++ b/windows/configuration/customize-and-export-start-layout.md @@ -78,8 +78,6 @@ To prepare a Start layout for export, you simply customize the Start layout on a > >In earlier versions of Windows 10, no tile would be pinned. - - ## Export the Start layout When you have the Start layout that you want your users to see, use the [Export-StartLayout](https://docs.microsoft.com/powershell/module/startlayout/export-startlayout?view=win10-ps) cmdlet in Windows PowerShell to export the Start layout to an .xml file. Start layout is located by default at C:\Users\username\AppData\Local\Microsoft\Windows\Shell\ From ef1894a4ecafd3ae7587c3d821687bf04eec3de1 Mon Sep 17 00:00:00 2001 From: "Gov Maharaj (ORANGE)" <52670031+GovM-MSFT@users.noreply.github.com> Date: Mon, 8 Jul 2019 09:03:42 -0700 Subject: [PATCH 42/42] Update kiosk-single-app.md Update documentation to reflect that copy and paste is no longer possible for kiosk apps. --- windows/configuration/kiosk-single-app.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/windows/configuration/kiosk-single-app.md b/windows/configuration/kiosk-single-app.md index 89c720dbc9..fec62e33fd 100644 --- a/windows/configuration/kiosk-single-app.md +++ b/windows/configuration/kiosk-single-app.md 
@@ -31,7 +31,7 @@ A single-app kiosk uses the Assigned Access feature to run a single app above th >[!IMPORTANT] >[User account control (UAC)](https://docs.microsoft.com/windows/security/identity-protection/user-account-control/user-account-control-overview) must be turned on to enable kiosk mode. > ->Kiosk mode is not supported over a remote desktop connection. Your kiosk users must sign in on the physical device that is set up as a kiosk. +>Kiosk mode is not supported over a remote desktop connection. Your kiosk users must sign in on the physical device that is set up as a kiosk. Apps that run in kiosk mode cannot use copy and paste. You have several options for configuring your single-app kiosk.
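
Review bot: In PATCH 37/42 (event-views-exploit-guard.md, hunk @@ -1,3 +1,4 @@), the added `---` opens the front matter, but the three context lines shown do not include the closing `---`, and `ms.reviewer:` directly below the new line is still empty. Please confirm the block is closed after the last metadata key, and replace the default subject "Update event-views-exploit-guard.md" with one that says the opening front-matter delimiter was missing.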
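
Review bot: In PATCH 38/42 (event-4768.md, hunk @@ -219,7 +219,7 @@), the KDC\_ERR\_SVC\_UNAVAILABLE row moves from 0x1B to 0x1D with only "Changed failure coding." as justification. The new value agrees with RFC 4120, which assigns 29 (0x1D) to KDC\_ERR\_SVC\_UNAVAILABLE and 27 (0x1B) to KDC\_ERR\_MUST\_USE\_USER2USER, so please cite that in the commit message. Readers build alert filters and triage notes from this table, so also check whether the event-4771.md page linked from the 0x18 row carries the same 0x1B entry and correct it in the same change.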
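
Review bot: In PATCH 39/42 (customize-and-export-start-layout.md, hunks @@ -46,8 +46,8 @@, @@ -58,6 +58,7 @@ and @@ -82,8 +83,8 @@), the spacing added around `## Customize the Start screen on your test computer`, **To customize Start** and `## Export the Start layout` is more than the headings need: PATCH 40/42 deletes four lines at the first two spots and PATCH 41/42 deletes two more before the third. A single blank line before each heading is enough, so please squash the three commits into one so the history shows one formatting fix instead of an add followed by two removals.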
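
Review bot: In PATCH 42/42 (kiosk-single-app.md, hunk @@ -31,7 +31,7 @@), the new sentence "Apps that run in kiosk mode cannot use copy and paste." is appended to the paragraph about remote desktop sign-in, which is an unrelated restriction and makes the new one easy to miss. Put it in its own paragraph of the `[!IMPORTANT]` callout, separated by a bare `>` line the way the UAC paragraph is. The commit message says copy and paste is "no longer possible", so the text should also state from which Windows 10 version the restriction applies.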